Closed apripy closed 2 years ago
I will need to check this, the project has no company affiliated, so I'm unsure who should sign such an DPA.
I also need to check if legally IP addresses are still considered personal information, and check how others are handling this. I know of a case in Germany, where the (local) court ruled that this is not considered personal info: https://www.theregister.com/2008/10/15/ip_address_personal_data_ruling/
We could consider moving all servers to German jurisdiction if this is the case, but I'm unsure how it affects GDPR legislation in the rest of the EU.
Maybe it's easier to drop IP addresses from logs, but it's one of the few ways we can combat abuse.
In the meantime, please prevent any issues by hosting the source code yourself; in this way you're in full control of everything.
I've looked a bit deeper at this and I think my DPO is being overtly cautious: IP addresses can be considered personal information only if the handler is able to use it to identify the user (for example if you send it to Google and the user is likely to have a Google account, Google could use the IP to identify the user).
In the case of your services, I don't think it would be a problem. I'll check with my DPO and if he still wants a DPA, we'll host the service ourselves.
Thanks for your answer 🙂
Hi there,
My company uses the images.weserve.nl service to rescale some images for our users. Since the user's devices connect to images.weserv.nl, this means that some personal data from our users (their IP address) is sent to weserv where it is (according to your privacy policy) stored for 7 days.
According to our Data Protection Officer, this means that we need a Data Processing Agreement between my company and weserv in order to be compliant with data protection laws.
Would something like this be possible? From what the DPO said, this would be a requirement for you to be able to provide your service to companies in the EU.
Thank you.