Hello
could you be more specific?
does it applies to individual too or only companies?

Users do not need to consent to cookies, neither with the current regulation nor with GDPR. Any function that by its very nature implies user consent is exempted.

Ralf, you're right, at one point we need to talk about the GDPR. I'm already working on it for Piwigo.com, but it should also be discussed at Piwigo level.

1) Cookies

There is no personal data attached to Piwigo cookies, only the Piwigo session id + a few display preferences. This is not related to GDPR as far as I understand.

2) Comment/Contact

Here we're talking about the email address given by the poster.

The email address is not mandatory on the comment form.

The email address is mandatory on the contact form, but it's quite obvious why we need it.

The GDPR doesn't say "you can't store personal data, such as an email address" but "only ask personal data when necessary".

3) IP address

This is maybe the most complex question. Piwigo stores the IP address in the visit history table. The IP address is now considered as a personal data (which is a bad idea in my opinion...). We don't ask for it and we don't really "need" it. We'll have to find a way to "anonymize" the IP address to avoid any problem.

Of course, avoiding to store the IP address in the database won't fix another major issue: your web server, be it Apache or Nginx, writes visitors IP address in log files.

@Plg what about Piwigo registering the View history for registered users too?
And also about the webmaster registering himself users for email notification?

But overall I think the target of GDPR is more Piwigo.com and not self-hosted Piwigo :-) And I can tell you Piwigo.com perfectly fits into the "spirit" of the GDPR. We just have a few small things (like the IP address issue) to fix.

Hi PLG,

to anonymize the visitors IP it might be an idea to add some code to the functions.php file - if there will be no option in the backend.

Just add a few lines of code arround line 455:
  function getAnonymIp( $ip ) {   
    return preg_replace('/[0-9]+\z/', '0', $ip);
    }

  $ip = $_SERVER['REMOTE_ADDR'];
   $ip = getAnonymIp( $ip );

The same can be done with the comments in functions_comment_inc.php.
Adding this code before line 221 (//perform more spam check):
 
   function getAnonymIpadresse( $ipadresse ) {   
    return preg_replace('/[0-9]+\z/', '0', $ipadresse);
    }

  $ipadresse = $_SERVER['REMOTE_ADDR'];
   $ipadresse = getAnonymIpadresse( $ipadresse );
   $comm['ip'] = $ipadresse;




I am already using it to anonymize ip adresses.

Because it is not the most elegant way to edit core files it would be greate to have options for it in the backend.

Cheers
Ralf

Last edited by Ralf (2018-05-01 17:31:19)

Another point regarding GDPR: subscription to Piwigo.org newsletter. For now, on Piwigo installation form, we have a checkbox "subscribe to our newsletter", which is checked by default. Then the user has to validate subscription by clicking a link in an email. It drives ~70% of newsletter subscriptions. Maybe we'll have to uncheck it by default.