Not GDPR Compilant

  • fs5ve

    (@fs5ve)


    5 years, 1 month ago

    Dear Concern,

    We, a group of researchers from University of Virginia and Johns Hopkins University, are analyzing the GDPR compliance in different plugins. From our analysis we found that you are storing ’firstname, lastname, username, email, nickname’ (PII information) information in the database. Neither you mentioned in your privacy policy that the data will be stored. According to GDPR, whenever you store PII, you need to provide user the data access and data deletion functionality and clearly mention this in privacy policy. Not doing so will violate GDPR law.

    Can you please take a look at this issue? If needed we can provide more information on this.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author CreativeMindsSolutions

    (@creativemindssolutions)

    5 years ago

    We saved all user related data into “wp_users” and “wp_usermeta” table only and do not use any other custom tables which is not part of WP core tables

    Not sure what you are referring then to

    Thread Starter fs5ve

    (@fs5ve)

    5 years ago

    Hi,

    Thanks a lot for the reply. We understand you are not storing any sensitive information in your database, instead on the wordpress database. But according to GDPR, whenever you collect personal data (Art. 4 GDPR – Definitions) from the user, you should provide them the following functionalities:
    1. Right of Erasure (Art. 17): User should be able to delete data whenever they wish to.
    2. Right of Access (Art. 15): User should be able to access their data (e.g. export in PDF format) to see which personal data is being collected so far.
    3. Privacy Policy (Art. 12 & 13): User should know about such data collection beforehand. And you should get the consent from the user before collecting those.

    We are willing to help you more if needed. Please, let us know what do you plan.

    Thanks!

    Plugin Author CreativeMindsSolutions

    (@creativemindssolutions)

    5 years ago

    Let me clarify again

    We are not adding add any new table not externally or internally to what WordPress already stores in the wp users tables therefore my answers are related to that

    Right of Erasure (Art. 17): User should be able to delete data whenever they wish to.
    >> User can delete his profile using using WP built in functionality to delete his profile. This is related to WordPress core features which are there anyway and we are not overriding them or interfering with

    2. Right of Access (Art. 15): User should be able to access their data (e.g. export in PDF format) to see which personal data is being collected so far.
    >> Again we are using WP core functionality and not adding anything to it other than an interface on top of the regular functionality. If there is a need to such functionality it should be addressed as part of WP platform core releases

    3. Privacy Policy (Art. 12 & 13): User should know about such data collection beforehand. And you should get the consent from the user before collecting those.
    >> If a website is collecting information from the user he should include such statement in his terms of service. We as plugins developer are not collecting any information from registrants to the site which installs our plugin. What we do is based on what WordPress already does as a platform.

    Altogether not sure how this is related to our product unless you claim that we take data elsewhere without the user notice which is not the case.

    Adding to what I have already written above – your claim sounds like WordPress platform is not GDPR Compliant as we in this plugin are not doing anything additional on top of what WordPress is already offering in terms of data collection nor storing it on another table or location that the regular one WP is using

Viewing 3 replies - 1 through 3 (of 3 total)

The topic ‘Not GDPR Compilant’ is closed to new replies.