We adjusted EQdkp Plus for the General Data Protection Regulation (GDPR) of the European Union, which entered into force on May 25. In this article we cover frequently asked questions about the GDPR. Please keep in mind that only a lawyer can give you legal advice.
Am I affected by the GDPR?
The GDPR does not apply to "a natural person in the course of a purely personal or household activity". Therefore, running an EQdkp Plus installation should fall under "purely personal activity". But as soon as you combine it with economic activities (e.g. ads, affiliate links, donations etc.), it must be assumed that you are subject to the GDPR.
What personal data is processed?
We've always tried to make EQdkp Plus as data-sparing as possible. In addition, we use external services in a way that passes as little personal data to them as possible.
The following services of an EQdkp Plus installation are directly embedded (and therefore will receive personal data like IP addresses):
- Google reCAPTCHA (if activated and keys have been inserted)
- Google Maps (at calendar events; will be replaced in the long term by OpenStreetMap)
- Social networks like Twitter, Facebook, Google+ (if enabled)
- Other services like Discord, Teamspeak etc., if the portal module is enabled
- Gravatar (if enabled, the email address is transmitted as an MD5 hash)
As you can see, many services are only active if the administrator enables them, like the social sharing functions or the login using a social network. Plugins might use additional external services.
We also use external services such as YouTube to convert links into videos. Here, however, EQdkp Plus acts as a proxy, which means that these services do not receive any personal user data.
Which personal data is saved?
An EQdkp Plus installation saves the following personal user data:
- E-Mail address
- Additional personal user data like town, phone numbers etc., if the user has added them to their user profile
- IP address of the user for the session management (required)
- IP address of the user in the action log (since EQdkp Plus 2.2.21 only anonymized)
How must I adjust my EQdkp Plus installation?
The long-term storage of IP addresses is legally questionable. The action log is the only place where IP addresses are stored long-term. You can delete these IP addresses by executing the following SQL query (adjust the table prefix if necessary):
UPDATE eqdkp22_logs SET log_ipaddress = '127.0.0.1';
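An added example, not part of the EQdkp Plus documentation: the same cleanup wrapped in a before/after check, so you can confirm that no real address remains in the action log. It reuses the table and column from the query above and assumes MySQL/MariaDB with an InnoDB table (on MyISAM the transaction statements have no effect).

```sql
-- Added example. Table eqdkp22_logs and column log_ipaddress come from the
-- article's query; adjust the prefix to your installation.
START TRANSACTION;

-- 1. Before: how many log rows still carry an address other than the
--    placeholder, and how many distinct addresses that is.
SELECT COUNT(*)                      AS rows_with_ip,
       COUNT(DISTINCT log_ipaddress) AS distinct_ips
FROM   eqdkp22_logs
WHERE  log_ipaddress IS NOT NULL
  AND  log_ipaddress NOT IN ('', '127.0.0.1');

-- 2. Overwrite every stored address with the placeholder (the article's query).
UPDATE eqdkp22_logs
SET    log_ipaddress = '127.0.0.1';

-- 3. After: this must return 0. If it does not, run ROLLBACK instead of
--    COMMIT and check the table name and prefix.
SELECT COUNT(*) AS rows_not_anonymized
FROM   eqdkp22_logs
WHERE  log_ipaddress IS NULL
   OR  log_ipaddress <> '127.0.0.1';

COMMIT;
```

Database dumps and backups taken before the update still contain the original addresses.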
Also, the GDPR requires appropriate measures to protect the data entered from being accessed by third parties. Therefore you should secure the communication of the users with your EQdkp Plus installation by using a secure connection (HTTPS). The encrypted communication is controlled by your web server, so you should ask your hosting provider for assistance regarding this topic. EQdkp Plus supports encrypted communication and no additional settings have to be made.
What have you changed in EQdkp Plus?
We have adjusted EQdkp Plus to store less personal data.
- IP addresses in the action log are only saved in anonymized form (so that they are no longer personal data)
- Plugins now delete more user data when a user gets deleted
- Administrators can now export the personal user data of a user (in the user list in the ACP)
Which personal data are processed by the EQdkp Plus Project?
The principle of data economy also applies to the EQdkp Plus Project. We host with a German hosting provider, which anonymizes the access logs automatically.
If an EQdkp Plus installation connects to us to receive the extension list, we record this in a log. We anonymize the IP address of your server (although this is not personal data). We also receive your current version and the release channel, which is all the data we need to deliver the extension list to you.