GDPR Compliance

Effective date: May 25, 2018

pimentaCHAT is GDPR compliant

pimentaCHAT has implemented various updates and changes to its codebase in preparation for GDPR enforcement on May 25th 2018.

Data Subject Rights:

[Right to Access] Part of the expanded rights of data subjects outlined by the GDPR is the right for data subjects to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format. This change is a dramatic shift towards data transparency and the empowerment of data subjects.

Solution (draft):

  • Admin option to enable it
  • Profile button to start the process
  • Method to loop all the user’s subscriptions and create a file per room containing the conversation (all messages or user’s messages only?) in human readable format

    • Get all the attachments too
  • Notify via email with a link to download the zip containing the files

    • Store inside mongodb?
  • Only allow the user to carry out the process once per day

[Right to be Forgotten] Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure, as outlined in article 17, include the data no longer being relevant to original purposes for processing, or a data subject withdrawing consent. It should also be noted that this right requires controllers to compare the subjects’ rights to “the public interest in the availability of the data” when considering such requests.

Solution (draft):

  • We already have that option, but it does not remove the user’s messages from public and private rooms; only DM messages are removed
  • It should be an admin option, so the work is:

    • Create a new admin option to enable deleting messages from non-direct rooms when a user is deleted
    • Delete the user’s messages if the setting is enabled

[Data Portability] GDPR introduces data portability - the right for a data subject to receive the personal data concerning them, which they have previously provided in a ‘commonly used and machine readable format’ and have the right to transmit that data to another controller.

A summary of pimentaCHAT’s overall GDPR readiness strategy for this project can be found below:

Solution (draft):

  • Admin option to enable it
  • Profile button to start the process
  • Method to loop all the user’s subscriptions and create a file per room containing the conversation (all messages or user’s messages only?) in a machine-readable format

    • Get all the attachments too
  • Notify via email with a link to download the zip containing the files

    • Store inside mongodb?
  • Only allow to carry out the process once per day
  • 24h of work

Our statement can also be found on pimentaGROUP.

The following are some of the more recent GDPR updates that are now part of the core codebase:

Right of Access

This PR adds an option for users to download all their data stored on the servers, in either JSON or HTML format. This functionality can be enabled by an admin through a new page in the administration center.

Administration Center

Once enabled, two new buttons will be added to the user’s account page:

My Account

When the user clicks on one of those new buttons, the system will register the request in the new exportOperations collection. The server will then automatically export all the messages and attachments from every channel that the user has access to. Note that this means the archive also contains messages written by other members of those channels, not only the requesting user’s own. When this operation is complete, the server will generate a zip file and send an email to the user with a download link.

Each button can only be used once per day. The download button will generate HTML files and the export button will generate JSON files.
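The request flow described above, as an added example that is not pimentaCHAT’s own code: an in-memory stand-in for the exportOperations collection, the once-per-day check applied per button type, and the per-room file generation in JSON or HTML. The collection layout, function names, the fixed 24-hour window and the sample rooms, messages and uploads are all assumptions constructed for the example. The HTML variant escapes message text, since the exported file is opened in a browser and message bodies are user-controlled.

```javascript
// Added example, not pimentaCHAT's own code. Collection shape, function names,
// the 24h window and all sample data below are assumptions for illustration.

const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed sample data standing in for what a real server reads from MongoDB.
const subscriptions = [
  { userId: 'u1', roomId: 'general' },
  { userId: 'u1', roomId: 'dm-u1-u2' },
];
const messages = [
  { _id: 'm1', roomId: 'general', userId: 'u1', ts: '2018-05-20T10:00:00Z', msg: 'hello <all>' },
  { _id: 'm2', roomId: 'general', userId: 'u2', ts: '2018-05-20T10:01:00Z', msg: 'hi',
    file: { _id: 'f1', name: 'slides.pdf' } },
  { _id: 'm3', roomId: 'dm-u1-u2', userId: 'u2', ts: '2018-05-21T09:00:00Z', msg: 'private note' },
  { _id: 'm4', roomId: 'other', userId: 'u3', ts: '2018-05-21T09:00:00Z', msg: 'not visible to u1' },
];

// In-memory stand-in for the exportOperations collection.
const exportOperations = [];

// Register a request; refuse a second request of the same type within 24h.
// 'html' corresponds to the download button, 'json' to the export button.
function requestExport(userId, type, now = Date.now()) {
  if (type !== 'json' && type !== 'html') throw new Error('unknown export type');
  const last = exportOperations
    .filter(op => op.userId === userId && op.type === type)
    .sort((a, b) => b.createdAt - a.createdAt)[0];
  if (last && now - last.createdAt < DAY_MS) {
    return { accepted: false, reason: 'one export per type per day' };
  }
  const op = { _id: `op${exportOperations.length + 1}`, userId, type, status: 'pending', createdAt: now };
  exportOperations.push(op);
  return { accepted: true, operation: op };
}

// Build one file per room the user is subscribed to, plus the list of
// attachments to add to the zip. Rooms the user is not subscribed to are skipped.
function buildExport(userId, type) {
  const roomIds = subscriptions.filter(s => s.userId === userId).map(s => s.roomId);
  const files = {};
  const attachments = [];
  for (const roomId of roomIds) {
    const roomMsgs = messages.filter(m => m.roomId === roomId);
    for (const m of roomMsgs) if (m.file) attachments.push({ roomId, ...m.file });
    files[`${roomId}.${type}`] = type === 'json'
      ? JSON.stringify(roomMsgs.map(({ _id, userId, ts, msg }) => ({ _id, userId, ts, msg })), null, 2)
      : renderHtml(roomId, roomMsgs);
  }
  return { files, attachments };
}

// Message text is user-controlled; escape it before embedding in HTML.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

function renderHtml(roomId, roomMsgs) {
  const rows = roomMsgs.map(m =>
    `<li><b>${escapeHtml(m.userId)}</b> ${escapeHtml(m.ts)}: ${escapeHtml(m.msg)}</li>`);
  return `<h1>${escapeHtml(roomId)}</h1><ul>${rows.join('')}</ul>`;
}
```

The per-type limit mirrors the page’s “each button can only be used once per day”; a rejected request is not recorded, so it cannot push the window forward. Note that `buildExport` returns every message in the subscribed rooms, including other users’ messages, which is exactly the scope the feature description states.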

Right to be forgotten/erased

Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure, as outlined in article 17, include the data no longer being relevant to the original purposes for processing, or a data subject withdrawing consent. It should also be noted that this right requires controllers to compare the subjects’ rights to “the public interest in the availability of the data” when considering such requests.

Solution (draft):

This PR adds a new setting where the admin can choose what action to perform with the user’s messages when a user is removed.

The possible options are: Keep (don’t remove any message), Delete (removes all messages) and Unlink (changes the userId of all messages to the pimentaBOT user). Unlink keeps the message text, so any personal data the user wrote into the messages themselves remains on the server.
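The three options applied to an in-memory message store, as an added example that is not pimentaCHAT’s own code. The setting values, function names, the bot user id and the sample messages are assumptions; the example also assumes, as a point to check in any real implementation, that messages embed the author both as a `userId` field and as a `u.username` subdocument, so an Unlink that rewrites only one of them would leave the user still identifiable.

```javascript
// Added example, not pimentaCHAT's own code. Setting values, function names,
// the bot user id and the message shape are assumptions for illustration.

const BOT_USER_ID = 'pimenta.bot'; // assumed id of the pimentaBOT user
const RETENTION = { KEEP: 'keep', DELETE: 'delete', UNLINK: 'unlink' };

// Constructed sample data: messages carry the author as userId and as an
// embedded u.username (assumed shape).
function sampleMessages() {
  return [
    { _id: 'm1', roomId: 'general', userId: 'alice', u: { username: 'alice' }, msg: 'hello' },
    { _id: 'm2', roomId: 'general', userId: 'bob', u: { username: 'bob' }, msg: 'hi' },
    { _id: 'm3', roomId: 'dm-alice-bob', userId: 'alice', u: { username: 'alice' }, msg: 'see you' },
  ];
}

// Apply the admin's retention setting to the removed user's messages.
function applyRetention(messages, userId, setting) {
  switch (setting) {
    case RETENTION.KEEP:
      // Keep: messages stay attributed to the removed user.
      return messages;
    case RETENTION.DELETE:
      // Delete: drop every message the user wrote, in every room type.
      return messages.filter(m => m.userId !== userId);
    case RETENTION.UNLINK:
      // Unlink: keep the text but reattribute both author fields to the bot.
      return messages.map(m => m.userId === userId
        ? { ...m, userId: BOT_USER_ID, u: { username: BOT_USER_ID } }
        : m);
    default:
      // Unknown values must fail loudly rather than silently keeping data.
      throw new Error(`unknown retention setting: ${setting}`);
  }
}

// Post-condition check for Delete and Unlink: nothing should still point at
// the user, in either the userId field or the embedded author subdocument.
function referencesUser(messages, userId) {
  return messages.some(m => m.userId === userId || (m.u && m.u.username === userId));
}
```

Running `applyRetention` with Unlink and then `referencesUser` is the check an operator would want before confirming an erasure request: it catches the case where a message still names the user in a field the reattribution did not touch.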

Data Portability

Data portability is covered by the same export feature described under Right of Access above. Once the admin has enabled it in the administration center, the export button on the user’s My Account page registers a request in the exportOperations collection, the server exports all the messages and attachments from every channel the user has access to, and the user is emailed a download link to the resulting zip. The export button produces JSON files, which is the commonly used, machine-readable format the right calls for; the download button produces HTML for human reading. Each button can only be used once per day.

Other rights

Other rights for the data subjects are either covered by features already built into our codebase, or outside the scope of the open source software project, including:

Right to Rectification

The codebase can be configured to support user modification/correction/rectification of any data supplied (entered) by the user.

Right to restriction of processing

This is outside the scope of the open source software project, and is up to the controller (administrator / deployer / operator of the server system) to enforce.

Right to Object

This is outside the scope of the open source software project, and is up to the controller (administrator / deployer / operator of the server system) to enforce.

Community compliance

The above will allow our community members to build and deploy GDPR compliant systems and services. We know and understand that all of you have custom installation, configuration and deployment environments, and that you are working to ensure your own deployment of pimentaCHAT is compliant with GDPR where necessary.

Meanwhile, we would welcome any advice, input, or questions you may have regarding pimentaCHAT’s GDPR readiness. Please help us by emailing your thoughts to gdpr@pimenta.chat.

Thank you!

The pimentaCHAT Team