Joomla User Management and GDPR

pe7er
Joomla! Master
Posts: 24977
Joined: Thu Aug 18, 2005 8:55 pm
Location: Nijmegen, Netherlands

Re: GDPR Compliance on Joomla contact form using Chronoforms

Post by pe7er » Sat May 05, 2018 2:06 pm

joknight wrote: I was wondering if it will be required to place some form of GDPR compliance regulations into and onto my contact form that uses a forms component such as ChronoForms or form component.
Regarding the form itself:
  • Do you use the principle Privacy by design?
    What information (personal data) do you ask for in your form?
    Only information that is needed to contact the person that uses the contact form?
  • Do you use the principle Privacy by default (opt-in by default, not opt-out)?
    If you add options like "subscribe to newsletter", are the options unchecked by default (so they have to opt-in if they want to)?
  • What do you do with the information? Send it to your own email address?
    Do you store it in your Joomla database? If you store it, how long will you keep it?
  • What do you do to protect the transport of information from the visitor to your server?
    Do you use TLS (previously SSL; the tiny lock in the address bar of your browser) to protect the communication from your visitor to your server?
Some general GDPR things to consider regarding your website:
  • Do you have a privacy statement on your website?
  • Do you describe what personal data you process (gather, use and store), how long you keep it, with whom you share it, etc?
  • Do you describe which Technical and Organisational Measures you take to protect that data?
Kind Regards,
Peter Martin, Global Moderator
Company website: https://db8.nl/en/ - Joomla specialist, Nijmegen, Netherlands
The best website: https://the-best-website.com

Webdongle
Joomla! Master
Posts: 44088
Joined: Sat Apr 05, 2008 9:58 pm

Re: Joomla User Management and GDPR

Post by Webdongle » Sat May 05, 2018 3:32 pm

Given none of the above but only the person's name and email are requested ... does the site owner need to display Privacy Policy when the visitor (obviously) knowingly supplies their email address to receive a reply to their contact message?
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

JJSJJS
Joomla! Intern
Posts: 91
Joined: Wed Jun 11, 2014 7:33 pm

Re: GDPR Compliance on Joomla contact form using Chronoforms

Post by JJSJJS » Sat May 05, 2018 4:03 pm

joknight wrote: Hi there,
I was wondering if it will be required to place some form of GDPR compliance regulations into and onto my contact form that uses a forms component such as ChronoForms or form component.

Thanks and very best to you,
J
That depends on what you are going to do with the data.
If it is single use and nothing is stored, then I don't think there is any issue.
But if you are going to store it, then it has to be safely stored, perhaps even encrypted, in case of a data breach.
Also if you plan on using this data to send emails or whatever out to the people who registered, then you need to get consent from them. And you need to explain what exactly you do with the data.

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Joomla User Management and GDPR

Post by mandville » Sat May 05, 2018 4:24 pm

[Humour] to receive our latest newsletter and brochure ... send a stamped addressed envelope to.... [/Humour]
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

abernyte
Joomla! Virtuoso
Posts: 4189
Joined: Fri May 15, 2009 2:01 pm
Location: Écosse - Scozia - Escocia - Škotija -स्कॉटलैंड

Re: Joomla User Management and GDPR

Post by abernyte » Sat May 05, 2018 5:50 pm

Webdongle wrote: Given none of the above but only the person's name and email are requested ... does the site owner need to display Privacy Policy when the visitor (obviously) knowingly supplies their email address to receive a reply to their contact message?
Possibly! The requirement for Privacy Notices actually arose in the DPA but has been extended by GDPR.

The relevant sections are Articles 12, 13 and 14.

TLDR;
The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing......
In the circumstances that you posit it could be argued either way.
"Those who expect to reap the blessings of freedom must, like men, undergo the fatigue of supporting it." Thomas Paine

abernyte
Joomla! Virtuoso
Posts: 4189
Joined: Fri May 15, 2009 2:01 pm
Location: Écosse - Scozia - Escocia - Škotija -स्कॉटलैंड

Re: GDPR Compliance on Joomla contact form using Chronoforms

Post by abernyte » Sat May 05, 2018 5:54 pm

That depends on what you are going to do with the data.
If it is single use and nothing is stored, then I don't think there is any issue.
This view is wrong. If you are collecting personal data you must comply with GDPR.
"Those who expect to reap the blessings of freedom must, like men, undergo the fatigue of supporting it." Thomas Paine

Webdongle
Joomla! Master
Posts: 44088
Joined: Sat Apr 05, 2008 9:58 pm

Re: Joomla User Management and GDPR

Post by Webdongle » Sat May 05, 2018 7:56 pm

Registration with the ICO

If you handle personal data, you may need to register as a data controller with the Information Commissioner’s Office. Registration is a statutory requirement and every organisation that processes personal information must register with the ICO, unless they are exempt. Failure to register is a criminal offence.
https://ico.org.uk/for-organisations/business/

https://ico.org.uk/for-organisations/re ... ssessment/ will help with knowing if you need to register with the ICO. They have info on GDPR as well https://ico.org.uk/for-organisations/bu ... usinesses/ https://ico.org.uk/for-organisations/bu ... retailers/
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

GPixels
Joomla! Guru
Posts: 796
Joined: Thu Aug 17, 2006 8:24 pm
Location: Canada

GDPR Core Support

Post by GPixels » Mon May 07, 2018 11:27 pm

I just read an article on the WPTavern website of what WordPress is implementing, which seems like a nice thing to do for users that own and manage a WP site. I am curious if Joomla core will do something like this:

https://wptavern.com/wordpress-4-9-6-be ... compliance

Webdongle
Joomla! Master
Posts: 44088
Joined: Sat Apr 05, 2008 9:58 pm

Re: GDPR Core Support

Post by Webdongle » Tue May 08, 2018 8:49 am

GPixels wrote:.... I am curious if Joomla core will do something like this:
...
https://github.com/joomla/joomla-cms/issues/20281 not sure what features will be in it.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".


JJSJJS
Joomla! Intern
Posts: 91
Joined: Wed Jun 11, 2014 7:33 pm

Re: Joomla User Management and GDPR

Post by JJSJJS » Tue May 08, 2018 5:19 pm

Very good news!
Thank you!

Ch1vpH
Joomla! Apprentice
Posts: 22
Joined: Tue Jul 12, 2016 5:18 pm

Re: GDPR is there going to be a Joomla Update???

Post by Ch1vpH » Thu May 17, 2018 10:02 am

chrisvphogan wrote:Is there going to be a Joomla Update that covers sites in the EU?
mandville wrote: I personally don't see any reason or need for an update to Joomla. You already have custom fields that can be used for the explicit consent on the registration. What more do you need?
Just getting back on to this GDPR situation and not surprised there's going to be a GDPR update...glad to see!

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Joomla User Management and GDPR

Post by mandville » Thu May 17, 2018 3:38 pm

As I said. I personally don't see any need.
I have managed to gdpr several sites without core changes.
If 3.9 is not ready and released by next week is the wp29 process going on hold?
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

deleted user

Re: Joomla User Management and GDPR

Post by deleted user » Thu May 17, 2018 3:57 pm

No, it's not going to be ready next week.

No, core doesn't NEED to do anything about providing these types of resources.

The intent here is to have one common way of handling it all throughout the ecosystem, with the same flexibility and extensibility that exists elsewhere. So instead of me as an extension vendor having to provide a solution that fits into the J!Extensions model, or the PixPro model, or the Akeeba model, or the RicheyWeb model, I provide one solution that works for all Joomla sites with the requisite version installed.

The end result is not going to be much different than what WordPress has done for its platform. It gives tools to make things easier for everyone, it's not a one-size-fits-all solution.

JJSJJS
Joomla! Intern
Posts: 91
Joined: Wed Jun 11, 2014 7:33 pm

Re: Joomla User Management and GDPR

Post by JJSJJS » Sat Jul 14, 2018 8:35 am

Many many thanks for the effort you people put into this!
