Announcement

  •  » Miscellaneous
  •  » General Data Protection Regulation (GDPR)

#1 2018-05-01 16:29:15

Ralf
Member
Dorsten-Lembeck
2012-05-08
154

General Data Protection Regulation (GDPR)

Hi,

are there any plans to make Piwigo GDPR compliant?

In my opinion there are some things that are needed to be updated.
For example:
-Commenting function
-cookie acceptance
-contact form

Cheers
Ralf


There are only two kinds of music:
Rock and Roll

Offline

 

#2 2018-05-01 17:00:53

flop25
Piwigo Team
2006-07-06
6811

Re: General Data Protection Regulation (GDPR)

Hello
could you be more specific?
does it applies to individual too or only companies?


To get a better help : Politeness like Hello-A link-Your past actions precisely described
Check my extensions : more than 30 available
who I am and what I do : http://fr.gravatar.com/flop25
My gallery : an illustration of how to integrate Piwigo in your website

Offline

 

#3 2018-05-01 17:05:41

flop25
Piwigo Team
2006-07-06
6811

Re: General Data Protection Regulation (GDPR)

we will certainly follow the examples of the main CMS such as Wordpress

oh and since piwigo.com runs in EU plg will have to work on that


To get a better help : Politeness like Hello-A link-Your past actions precisely described
Check my extensions : more than 30 available
who I am and what I do : http://fr.gravatar.com/flop25
My gallery : an illustration of how to integrate Piwigo in your website

Offline

 

#4 2018-05-01 17:06:06

Zentalquabula
Member
2014-05-10
87

Re: General Data Protection Regulation (GDPR)

Users do not need to consent to cookies, neither with the current regulation nor with GDPR. Any function that by its very nature implies user consent is exempted.

Offline

 

#5 2018-05-01 17:08:18

flop25
Piwigo Team
2006-07-06
6811

Re: General Data Protection Regulation (GDPR)

maybe
i also read about "exporting and anonymizing of personal data" also


To get a better help : Politeness like Hello-A link-Your past actions precisely described
Check my extensions : more than 30 available
who I am and what I do : http://fr.gravatar.com/flop25
My gallery : an illustration of how to integrate Piwigo in your website

Offline

 

#6 2018-05-01 17:10:50

plg
Piwigo Team
Nantes, France, Europe
2002-04-05
13145

Re: General Data Protection Regulation (GDPR)

Ralf, you're right, at one point we need to talk about the GDPR. I'm already working on it for Piwigo.com, but it should also be discussed at Piwigo level.

1) Cookies

There is no personal data attached to Piwigo cookies, only the Piwigo session id + a few display preferences. This is not related to GDPR as far as I understand.

2) Comment/Contact

Here we're talking about the email address given by the poster.

The email address is not mandatory on the comment form.

The email address is mandatory on the contact form, but it's quite obvious why we need it.

The GDPR doesn't say "you can't store personal data, such as an email address" but "only ask personal data when necessary".

3) IP address

This is maybe the most complex question. Piwigo stores the IP address in the visit history table. The IP address is now considered as a personal data (which is a bad idea in my opinion...). We don't ask for it and we don't really "need" it. We'll have to find a way to "anonymize" the IP address to avoid any problem.

Of course, avoiding to store the IP address in the database won't fix another major issue: your web server, be it Apache or Nginx, writes visitors IP address in log files.


Latest blog post (May 3rd 2018) New subscription form

Offline

 

#7 2018-05-01 17:11:47

Ralf
Member
Dorsten-Lembeck
2012-05-08
154

Re: General Data Protection Regulation (GDPR)

Hi Flog,

by default Piwigo submits the full IP Adress with a comment (stored in database).
This should not be the case with the GDPR.

Users have to confirm that they agree with data storage when using a contact form.

It will not be sufficient to display a general "we use cookies" banner - it has to be more specific and list what cookies are used by the site.
As far as i can see it is only the pwg_id cookie Piwigo uses.

Cheers
Ralf


There are only two kinds of music:
Rock and Roll

Offline

 

#8 2018-05-01 17:14:49

flop25
Piwigo Team
2006-07-06
6811

Re: General Data Protection Regulation (GDPR)

@Plg what about Piwigo registering the View history for registered users too?
And also about the webmaster registering himself users for email notification?


To get a better help : Politeness like Hello-A link-Your past actions precisely described
Check my extensions : more than 30 available
who I am and what I do : http://fr.gravatar.com/flop25
My gallery : an illustration of how to integrate Piwigo in your website

Offline

 

#9 2018-05-01 17:18:03

plg
Piwigo Team
Nantes, France, Europe
2002-04-05
13145

Re: General Data Protection Regulation (GDPR)

flop25 wrote:

@Plg what about Piwigo registering the View history for registered users too?

The only "personal data" associated to a user is the email_address (not mandatory by default).

The problem is the column history.IP : it is considered as a personal data, and we need either to ask for consent before storing it (which is quite annoying in my opinion) or finding a way to anonymize it.


Latest blog post (May 3rd 2018) New subscription form

Offline

 

#10 2018-05-01 17:21:14

plg
Piwigo Team
Nantes, France, Europe
2002-04-05
13145

Re: General Data Protection Regulation (GDPR)

But overall I think the target of GDPR is more Piwigo.com and not self-hosted Piwigo :-) And I can tell you Piwigo.com perfectly fits into the "spirit" of the GDPR. We just have a few small things (like the IP address issue) to fix.


Latest blog post (May 3rd 2018) New subscription form

Offline

 

#11 2018-05-01 17:22:40

flop25
Piwigo Team
2006-07-06
6811

Re: General Data Protection Regulation (GDPR)

yes for sure it's more about the use of Piwigo and the addition of specific third party plugins


To get a better help : Politeness like Hello-A link-Your past actions precisely described
Check my extensions : more than 30 available
who I am and what I do : http://fr.gravatar.com/flop25
My gallery : an illustration of how to integrate Piwigo in your website

Offline

 

#12 2018-05-01 17:29:19

Ralf
Member
Dorsten-Lembeck
2012-05-08
154

Re: General Data Protection Regulation (GDPR)

Hi PLG,

to anonymize the visitors IP it might be an idea to add some code to the functions.php file - if there will be no option in the backend.

Just add a few lines of code arround line 455:
  function getAnonymIp( $ip ) {   
    return preg_replace('/[0-9]+\z/', '0', $ip);
    }

  $ip = $_SERVER['REMOTE_ADDR'];
   $ip = getAnonymIp( $ip );

The same can be done with the comments in functions_comment_inc.php.
Adding this code before line 221 (//perform more spam check):
 
   function getAnonymIpadresse( $ipadresse ) {   
    return preg_replace('/[0-9]+\z/', '0', $ipadresse);
    }

  $ipadresse = $_SERVER['REMOTE_ADDR'];
   $ipadresse = getAnonymIpadresse( $ipadresse );
   $comm['ip'] = $ipadresse;




I am already using it to anonymize ip adresses.

Because it is not the most elegant way to edit core files it would be greate to have options for it in the backend.

Cheers
Ralf

Last edited by Ralf (2018-05-01 17:31:19)


There are only two kinds of music:
Rock and Roll

Offline

 

#13 2018-05-01 17:55:37

plg
Piwigo Team
Nantes, France, Europe
2002-04-05
13145

Re: General Data Protection Regulation (GDPR)

Yes Ralf, we will certainly do something like that.

The rating system stores a piwigo_rate.anonymous_id which is basically the 3 first part of the IPv4 IP address. It's fine for rates to avoid double rates from the same person, but I'm not sure it would be fine for piwigo_history.IP because it would not match an IPv4 address pattern.

As far as I remember, the piwigo_history.IP used for:

1) filter the history
2) find the geolocation of the visitor


Latest blog post (May 3rd 2018) New subscription form

Offline

 

#14 2018-05-01 18:24:27

plg
Piwigo Team
Nantes, France, Europe
2002-04-05
13145

Re: General Data Protection Regulation (GDPR)

Another point regarding GDPR: subscription to Piwigo.org newsletter. For now, on Piwigo installation form, we have a checkbox "subscribe to our newsletter", which is checked by default. Then the user has to validate subscription by clicking a link in an email. It drives ~70% of newsletter subscriptions. Maybe we'll have to uncheck it by default.


Latest blog post (May 3rd 2018) New subscription form

Offline

 

#15 2018-05-17 19:46:34

TheDoc
Member
2015-10-18
122

Re: General Data Protection Regulation (GDPR)

Hi,

just wanted to check if there are any updates on this? With 25.05. coming up it would be shame to having to disable piwigo on my site just to avoid any cease-and-desist from some German scaming lawyers :-(

Thanks,
Thomas

Offline

 
  •  » Miscellaneous
  •  » General Data Protection Regulation (GDPR)

Board footer

Powered by FluxBB

github twitter facebook google+ newsletter Donate Piwigo.org © 2002-2018 · Contact