Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

How to comply with the GDPR ? #207

Open
urien opened this issue Jan 14, 2021 · 1 comment
Open

How to comply with the GDPR ? #207

urien opened this issue Jan 14, 2021 · 1 comment

Comments

@urien
Copy link

urien commented Jan 14, 2021

Semantic forms allows personal data to be collected and linked. People should be informed when they create an account, procedures should be put in place to prohibit the collection of sensitive data (within the meaning of GDPR), and GDPR compliance documented.
@jmvanel
Copy link
Owner

jmvanel commented Jan 28, 2021
edited
Loading

Account creation warning

When the user creates an account, is it enough to display a suitable text, and which one ?
Text would include "using this site implies acceptation of the following."

Collection of sensitive data

By design, SF collects RDF data that is already publicly available on the Web.
But this is not OK with the GDPR. The data about a person other than the user should not be stored, even if that comes from FOAF profiles that are meant for sharing.
This contradicts what is the essence of Linked Open Data, but we must comply ! :( .
However, it is OK to have a triple with foaf:knows , and to display the remote person profile, but this data should not stored in database except with an explicit permission of the person publishing the FOAF profile. To enforce this, I see two possible mechanisms:

  • ask the persons publishing a FOAF profile to create a SF account, and then they will associate the FOAF profile with their account
  • keep track of the permission by email to be able to prove to regulation authority (CNIL in France) that the storage of personal is legitimate

Also, a user with a valid email ( see issue #208 ) can only publish one FOAF person: himself.

Besides data already publicly available on the Web, and data entered in forms by users, other mechanisms to load data in SF are:

  • the /load service , not part of the web pages, which will be restricted to site administrator
  • loading data directly in command line with the database scripts, of course restricted to the server administrator
  • to be complete, it's also possible to add data with SPARQL UPDATE, although it's not convenient at all; this will be restricted to site administrator

GDPR compliance documented

Take inspiration from:

  • CMS
  • social media
  • wikis
  • GrottoCenter.org
    NOTE: there are 2 documents: one for the user, one for the regulation authority .

Search background information on GDPR & LOD

I found few things by searching the web for LOD linked data + "GDPR" , except these pages :

  • (PDF) Legal aspects of linked data – The European frameworkhttps://www.researchgate.net ›
    27 sept. 2020 — Linked data is configuring a global data space of high ... The General Data Protection Regulation (GDPR) passed on 2016 April 14 in ...
  • (PDF) Intellectual Property Linked Open Data Building Bridges ...https://www.researchgate.net
    19 août 2020 — patent documents to other linked open data (LOD) sources available on ... to potential General Data Protection Regulation (GDPR) restrictions.
  • The Linked Data Showcase (LDS) pilot: the value of ...https://joinup.ec.europa.eu

@jmvanel jmvanel mentioned this issue Jan 30, 2021
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jmvanel @urien