The songs themselves are not personal data, obviously. But information that says that you have added certain songs to a playlist (e.g. the playlist itself) is information relating to you, and therefore personal data.
Spotify recognises that playlists are personal data - see their privacy policy: https://www.spotify.com/uk/legal/privacy-policy/#4-personal-data-we-collect-from-you
The beta is limited to the top tiers of paid users, and there's no indication that they plan to open it up to free users later. From How to get the import-export tool:
> If you are a free user, you can upgrade your account now through Settings -> Dashboard while logged in at mail.protonmail.com and be the first to know when the import-export tool is available to all paid users.
Really depends on your needs...
Unless you really need fancy features, I think Matomo is more than sufficient...
AND there are plugins (some paid) for about anything
Plus... Here's a nice walkthrough on how to configure it so it doesn't track any personal data:
https://matomo.org/blog/2018/04/how-to-not-process-any-personal-data-with-matomo-and-what-it-means-for-you/
Thankfully, no! If a US company has gotten EU-US Privacy Shield certified, then data can be transferred to their services without additional consent because they have promised that their privacy protection is as strong as if they were in the EU and that they will be subject to fines by the US Federal Trade Commission (FTC) (or in some rare cases, DOT) if they do not.
https://postmarkapp.com/eu-privacy#privacy-shield
https://www.privacyshield.gov/participant_search (search for Wildbit to confirm for Postmark as that's the name of the company that runs Postmark)
Source: Did GDPR compliance for my organization and just read details on Postmarkapp.com to find specifics for them.
I'm struggling to work out the implications as well. I think that spliceuk is right, but I don't know what a web host would be supposed to do in this situation. How can a host comply with the requirement to have a contract with their client which lists out the type of data processed if they are not aware of the nature of the data that their clients may be storing?
Digital Ocean seem to have made it their customer's responsibility in their DPA: https://www.digitalocean.com/security/gdpr/data-processing-agreement/ (Section 2)
I wonder if we can do the same thing
Not much I can add as u/latkde has given you clear guidance. The GDPR makes it slightly more difficult for small organizations and individuals wishing to develop an online audience.
Take things slow and don't just install every single plug-in you think you need (e.g. start with your blog and a privacy policy). If you are using a hosting provider or a CMS system, they likely have some guidance that you need to review surrounding how to manage the GDPR rights of your visitors e.g. WordPress has published some information (including links to sites that appear to create GDPR compliant privacy policies) and there is also a page on WPBeginner. Depending on the level of your WordPress subscription you may be able to specify to only show you plug-ins that have declared they are GDPR Ready - however I will caution you to make sure you research their information and not just take it at face value as many have different creative "interpretations" on what it takes to adhere to the regulation.
You'll need to provide your own GDPR-compliant privacy policy. WP only acts as a transparent platform provider here: https://wordpress.com/support/your-site-and-the-gdpr/ - have a look at the parts containing "you" =]
Are you in the EU?
If not, it doesn't apply to you. Don't worry about it/bother with it.
If you are, you could argue that a forum does not contain information likely to harm a person's "rights and freedoms," and that by nature, nothing in a forum should be construed as personally identifying as it can easily be falsified. Also, given the nature of what you're doing, you could very much argue that you overrule their right to erasure through the archiving exemptions.
See https://www.phpbb.com/community/viewtopic.php?f=64&t=2473146 for details.
What are the other big problems with GDPR?
Is this a cookiebox you would think is GDPR proof? https://piwik.pro/gdpr-consent-manager/
It does use a trick in making most people think you'd just accept two options while you actually 'Accept All', but it's so obvious that this is OK for GDPR?
Seems like this is good for getting the most consents while still making it so obvious what you're choosing to make it 100% GDPR proof.
Depends on whether the feature is critical or an optional nice-to-have.
If it's a critical service for your product to work then you don't need consent but you do need to declare it in your privacy notice. I would also consider asking them about a DPA (Data Processing Agreement). Since you would be the data controller and them the data processor, the DPA can govern how they can use your personal data and that they cannot sell or use it outside what they already said they do with it. Several of the services I use already offer a DPA for their clients to use. https://rollbar.com/ is one of them.
If it's an optional feature/service where the user doesn't need to use that feature to make your product work, then I would have an option for the user to turn that feature on and have a consent request stating that using this optional feature shares data with Imgix, giving the user the choice.
This thread has some answers. I have no idea how accurate they are though: https://www.vbulletin.com/forum/forum/general/chit-chat/4376685-gdpr-and-vbulletin
Relevant:
> Threads and posts wouldn't be considered "personal data" under this regulation unless they specifically contained publicly accessible personal identifying information. Real Name, Physical Address, Telephone Number(s), E-mail address(es), IP Addresses, Credit Card or Banking Information, etc.
No, GDPR will not start to apply to a US company that only offers services in the US merely because you travel to the EU and cannot pay your bill. GDPR is also not meant as a recourse for such problems, even if it would apply. The right to deletion wouldn't be applicable in this situation.
Practically speaking, your best bet is downloading a VPN and trying to pay your bill that way. Try ProtonVPN that has free US servers - do not use any other 'free' VPN, because you are the product in that case. Proton however is well trusted.
> Firstly, the manager has asked for all emails that even mention her name so that they can be passed on to her. If this is correct, how redacted do they have to be?
No that is not correct, those emails do not have to be supplied.
https://thenextweb.com/eu/2018/05/03/no-gdpr-wont-let-you-read-your-bosss-emails-about-you/
The SAR (Subject Access Request) is to request -your- personal data that is being processed, not to request other people's data that might contain your name.
https://haveibeenpwned.com/Passwords
You have more than likely read articles where the owner of the site has been quoted; he is the expert every legitimate news source out there will interview after a password breach. The passwords are provided as hashes, it's not a plain text comparison. It's downloadable and done locally, not via a third party.
https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/#cloudflareprivacyandkanonymity
We were thinking of implementing this. You can use an API for that from haveibeenpwned: https://haveibeenpwned.com/API/v2
We did a reference implementation and decided that it would come across as quite invasive for the users, so we abandoned it. If your userbase is a little (or a lot) more technical than ours, by all means go for it!
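The two comments above describe the Pwned Passwords check (hashes compared locally, k-anonymity range query via the API). The following is an added example, not code from the thread or from HIBP: it hashes the password locally, sends only the 5-character SHA-1 prefix, and compares the 35-character suffix client-side against a constructed offline stand-in for the range response. The endpoint URL in `http_fetch` is assumed from the public HIBP documentation and is not used by the offline demo.

```python
import hashlib
from collections import defaultdict
from typing import Callable, Dict
from urllib.request import Request, urlopen

# Range-search endpoint as documented by HIBP (assumption; not stated on this page).
RANGE_URL = "https://api.pwnedpasswords.com/range/"

def sha1_upper(password: str) -> str:
    """Hash locally; only the first 5 hex characters ever leave the client."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a map, ignoring malformed lines."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix] = int(count)
    return counts

def pwned_count(password: str, fetch: Callable[[str], str]) -> int:
    """Times the password appears in the corpus (0 if absent). `fetch` receives
    only the 5-char prefix; the 35-char suffix is compared locally."""
    digest = sha1_upper(password)
    return parse_range_response(fetch(digest[:5])).get(digest[5:], 0)

def http_fetch(prefix: str) -> str:
    """Live fetcher for the real service (network; unused by the offline demo)."""
    req = Request(RANGE_URL + prefix, headers={"User-Agent": "pwned-check-example"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

# Constructed offline stand-in: a tiny "leaked" corpus grouped by hash prefix,
# the way the range endpoint groups its answers. Counts are made up.
CONSTRUCTED_CORPUS = {"password": 1000, "letmein": 12, "qwerty": 7}
_grouped: Dict[str, list] = defaultdict(list)
for _pw, _n in CONSTRUCTED_CORPUS.items():
    _d = sha1_upper(_pw)
    _grouped[_d[:5]].append(f"{_d[5:]}:{_n}")
FAKE_RANGES = {k: "\r\n".join(v) for k, v in _grouped.items()}
REQUESTED_PREFIXES: list = []  # records what the fake fetcher was asked for

def fake_fetch(prefix: str) -> str:
    REQUESTED_PREFIXES.append(prefix)
    return FAKE_RANGES.get(prefix, "")
```

Swapping `fake_fetch` for `http_fetch` queries the live service; the recorded `REQUESTED_PREFIXES` show that nothing beyond the 5-character prefix is ever sent.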
Correct!
The data breaches data will also be available as an API and RSS feed.
Training: what are the advantages of having this in an app, opposed to offering the material via a website or existing video platform? ---> We can do both. A mobile app doesn't require us to store any PII and login data. So I prefer to use this channel from a privacy-first standpoint.
Signaling: again, why an app? An email alert service would do just as well. ---> Push notifications are better suited for this, and it doesn't require us to store your email.
Signaling: I use a password manager (1Password) which flags password entries for websites where data may have been compromised. What will be the added value of Your Privacy? ---> 1Password is indeed doing a badass job at this + informing when MFA is available. This feature is in partnership with https://haveibeenpwned.com/. These are the tools we want to recommend using inside the app so people can easily find tools like VPNs, browsers, password managers. I think the education process is going to be very important.
In the future, please prefer original sources over blogs with thin content.
The original is here: https://brave.com/google-internal-data-free-for-all/
I've seen your post history. In case you are not simply trolling, I hope that you are doing better.
Anyway: https://www.slideshare.net/mobile/CarolineBoscher/gdpr-for-dummies
GDPR is about protecting other people's personal information, not your own. Hence GDPR doesn't care about your blog, but whether you are tracking your visitors. Wordpress? Activate some popular EU-cookie plug-in. Visit a site similar to yours and look at their privacy/data protection/GDPR section - ideally a UK one.
DocHub checking in-
So there have been some changes to GDPR recently and we’re working on updating our site to better comply.
Ideally, it would be cool to create an isolated EU server stack, but doing so may not be practical. Alternatively, and at least in the short term, I believe we will still manage to be compliant with GDPR by (1) maintaining appropriate security measures and (2) adding EU approved standard contractual clauses (SCC) and other legal features. Here’s an example of what we’re aiming for: https://stripe.com/privacy-center/legal#data-transfers
We should have all the updates to our privacy/legal pages released in the next 60 days or hopefully sooner.
-Chris
yuuup their tech is awesome. Their CDN is great, their DNS is great, they massively increased the level of data protection on the internet by offering free certificates before Let's Encrypt was a thing, and their Workers platform is the best use of serverless computing I've seen to date.
They have started to offer data localization tools, but they only offer them to enterprise customers :/
Ah ok. So companies do not have to list it publicly in the Privacy Policy, but can keep an *internal list* for the Data Controller to request?
It's going to be part of my data inventory anyway.
I stumbled upon some companies that do publish it on their website, such as this: https://www.cloudflare.com/gdpr/subprocessors/
There are two different kinds of companies, those who got breached and those who think they didn’t get breached.
Shodan is a web crawler looking for open ports and vulnerabilities. It only takes a matter of days for a configuration mistake, failed system update, or lack of experience to know you’re doing it wrong before the vulnerability is detected then exploited. Most companies can’t afford the rock star security expert or the infrastructure to fight off the attacks.
I would not place this in the newsletter itself - you put yourself at risk of having something that is purely informational and of reasonably expected interest to the customer (as a user of the product) being pivoted more in the direction of direct marketing, which would increase the risk of legitimate interests being insufficient.
On the ICO link you can also find some text on this scenario:
> It is sometimes suggested that marketing is in the interests of individuals, for example if they receive money-off products or offers that are directly relevant to their needs. This is unlikely however to add much weight to your balancing test, and we recommend you focus primarily on your own interests and avoid undue focus on presumed benefits to customers unless you have very clear evidence of their preferences.
I would instead simply list the different types of purposes/newsletters at the point of newsletter registration. You can look at how MailChimp does this, for example, if you want some design inspiration:
I'd suggest starting a detailed conversation with the third party. As the primary controller of the data chain, if they aren't compliant, neither are you and you can both get in trouble. Here's a post with a few questions to start with: https://fusionauth.io/blog/2018/05/17/data-partners-gdpr-questions-to-ask
Check out this paper. Good overview and lots of reference links at the end. GDPR covers EU citizens and their data, so it can still affect businesses regardless of their physical location. It's still a murky issue tho, and will almost assuredly be challenged in courts. https://fusionauth.io/blog/2018/03/23/white-paper-developers-guide-gdpr
This should help. https://fusionauth.io/blog/2018/03/23/white-paper-developers-guide-gdpr It gives a summary as well as a bunch of links to other resources.
It’s probably the most straightforward way, just playing devil’s advocate here but by the time someone asks for it you’ve probably missed the most opportune time to sort this out.
For the reasons you mentioned archive.org probably shouldn’t be your Plan A. Unless you’re one of the largest services on the web you won’t be included in something like https://tosdr.org/#
> You don't need to "set a trap", you can simply check if they do device fingerprinting or/and show targeted ads or something.
Lots of finger printing can be passive.
> > How can I prove that I didn't click in some form? - Next to impossible.
>
> > Reproduce the steps to get tracked without consent.
It will be fun to watch, I really hope the gdpr to be a success, just think the advertisers will get creative. Let's wait and see if the bureaucracy can keep up (I mean bureaucracy in a good way).
> Also I'm not really sure how you think that testing Do Not Track compliance is trivial.
We were talking about tracking cookies (the topic of this post). It's trivial to test if tracking cookies are set even if the "do not track" header is set. Other than tracking cookies, the difficulty of proving Do Not Track compliance is as hard as proving that I'm being tracked and flipped a bit somewhere stating that I don't want to be tracked.
I just use Privacy Badger and call it a day.
Since Matomo uses cookies by default, I don't think that the use of Matomo would change whether a site would have to obtain consent. The analysis ends up being the same as for Google Analytics, with the slight difference that Matomo makes it easier to disable cookies.
So far I could only find this: https://matomo.org/gdpr/
Does it mean that if it's configured to automatically anonymise data I don't need to get explicit user consent?
> Also, the provider/host is the processor. You are the controller who owns the data.
I wouldn't be sure about that. Looks like Teamspeak hasn't updated their privacy policy yet.
https://postmarkapp.com/eu-privacy#gdpr hth
I'm not a lawyer, but afaik your data privacy policy should inform your customers that you use that service.
/u/gdffff : the GDPR does not require a service to be located in the EU (although the Privacy Shield framework is not really adequate imho).
Be aware: they rip all your contacts to add to their database! So you share your contacts lists with them.
I don't know if they are on Apple devices
European Data Protection Law: General Data Protection Regulation 2016 https://www.amazon.co.uk/dp/1533170835/ref=cm_sw_r_cp_api_JiBtBb1GF5NWX
If you can handle the small type.
The CIPP/E exam is more based on the IAPP’s own notes/course and documentation than text straight from the GDPR. Expect scenario questions and application of knowledge rather than questions about the exact articles or recitals.