
Platform compatibility with the GDPR

Author: AH

Is your feature request related to a problem? Please describe.
Decidim currently violates the GDPR because it publishes user data on a website when it is not absolutely necessary to perform a certain task on the website. According to the Finnish Deputy Data Protection Ombudsman’s interpretation, Decidim violates GDPR articles 25(2) & 32(1).

Art. 25 GDPR: Data protection by design and by default
(2) The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.

Art. 32 GDPR: Security of processing
(1) Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Describe the solution you'd like
Decidim should respect the GDPR with its default configuration and require users to give their consent for publishing their personal details on a website. This cannot be done through the terms of service because there is a wide variety of use cases, and not all of them require publishing users’ personal details on the website.

Implement improvements similar to those in the Privacy module in the Decidim core, or find alternative ways to obtain proper participant consent for publishing their personal data on a website. Or reconsider whether publishing this information is even necessary most of the time, to make participation easier for normal citizens, who most of the time are not experts with digital services.

Describe alternatives you've considered
Using the Privacy module, but privacy and GDPR compliance should be a default feature rather than an add-on.

Additional context
This issue came out of a conversation with a customer last year.

Other proposals that are related to this:

Could this issue impact users’ private data?
Yes, in a positive way.

Funded by
N/A

(It's complicated, as we have previously offered to implement these features in the core but it has not been accepted in the way that was proposed. There is also one outstanding PR for this issue that would make it easier to implement something like the Privacy module, but it does not solve the full context of the problem.)
