https://gdpr-info.eu/art-7-gdpr/
If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.
Joomla User Management and GDPR
- abernyte
- Joomla! Virtuoso
- Posts: 4189
- Joined: Fri May 15, 2009 2:01 pm
- Location: Écosse - Scozia - Escocia - Škotija -स्कॉटलैंड
Re: Joomla User Management and GDPR
@Per: My reading of Article 7 GDPR is that the consent has to be obtained separately from any other TOS.
"Those who expect to reap the blessings of freedom must, like men, undergo the fatigue of supporting it." Thomas Paine
- abernyte
- Joomla! Virtuoso
- Posts: 4189
- Joined: Fri May 15, 2009 2:01 pm
- Location: Écosse - Scozia - Escocia - Škotija -स्कॉटलैंड
Re: Joomla User Management and GDPR
Is allowing the User to delete their own data desirable? GDPR does not require it, it only mandates that it should be as easy to withdraw consent as it is to give it.
- mandville
- Joomla! Master
- Posts: 15152
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Joomla User Management and GDPR
abernyte wrote:
> Is allowing the User to delete their own data desirable? GDPR does not require it, it only mandates that it should be as easy to withdraw consent as it is to give it.
exactly. and the way it reads is the existing consent should only be re obtained if consent was not obtained pre 2505 in a compliant way.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
- Webdongle
- Joomla! Master
- Posts: 44093
- Joined: Sat Apr 05, 2008 9:58 pm
Re: Joomla User Management and GDPR
pe7er wrote:
> ...
> You could just use Joomla's default registration process with added "I agree to the Terms of Service" checkbox.
> And change in the language file for the notification email that if the user agrees with the Terms of Service, they can click the activation link to acknowledge their registration + the TOS.
Apparently not
brianteeman wrote:
> the core TOS option doesn't satisfy the GDPR regulations as you have to display the information on the page not in a separate link
https://issues.joomla.org/tracker/jooml ... ent-331828
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".
- mandville
- Joomla! Master
- Posts: 15152
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Joomla User Management and GDPR
I still haven't found where it says it must be on the same page... only..
Unbundled — Consent should be presented separately in a distinguishable manner from other content such as general terms and conditions, privacy notices
- Webdongle
- Joomla! Master
- Posts: 44093
- Joined: Sat Apr 05, 2008 9:58 pm
Re: Joomla User Management and GDPR
abernyte wrote:
> Is allowing the User to delete their own data desirable? GDPR does not require it, it only mandates that it should be as easy to withdraw consent as it is to give it.
According to mbabker deleting the user alone can't be done without causing havoc
> This is not a problem unique to Joomla and not one that is just solved by slapping a plugin on a site or adding a delete button to the core edit profile page because the user account is tied to a lot of things
https://issues.joomla.org/tracker/jooml ... ent-338377
Various solutions have been suggested on https://issues.joomla.org/tracker/joomla-cms/19023 including blocking the deletion if the user has added content. IMHO adding a default user (unknown) is the best option for the end user.
However I feel this discussion is redundant because the 'powers that be' in the issue tracker appear to either not want to bother at all or just pay lip service to the GDPR. And at least one other user used the discussion to promote his commercial plugin!
It took 10 days for the 'powers that be' to be persuaded the mail field (in J4 install) needed to be above the password https://github.com/joomla/joomla-cms/pull/18911 . I don't hold up much hope of anything significant being added to Joomla core for GDPR.
- Webdongle
- Joomla! Master
- Posts: 44093
- Joined: Sat Apr 05, 2008 9:58 pm
Re: Joomla User Management and GDPR
mandville wrote:
> ...
> Unbundled — Consent should be presented separately in a distinguishable manner from other content such as general terms and conditions, privacy notices
That could be taken as meaning unbundle it from a link and display it. Or it could mean Unbundled from T&C. I suspect the latter but Brian appears to be interpreting it as the former.
Re: Joomla User Management and GDPR
Webdongle wrote:
> Various solutions have been suggested on https://issues.joomla.org/tracker/joomla-cms/19023 including blocking the deletion if the user has added content. IMHO adding a default user (unknown) is the best option for the end user.
> However I feel this discussion is redundant because the 'powers that be' in the issue tracker appear to either not want to bother at all or just pay lip service to the GDPR.
Please stop spreading FUD about "powers that be". Contrary to your opinion, people are taking GDPR compliance seriously not just in the core distribution but in how our joomla.org network is managed as well (and to be frank I feel like "lip service" is being paid moreso on the latter than the former).
Webdongle wrote:
> It took 10 days for the 'powers that be' to be persuaded the mail field (in J4 install) needed to be above the password https://github.com/joomla/joomla-cms/pull/18911 . I don't hold up much hope of anything significant being added to Joomla core for GDPR.
Since you care to bring up off topic issues here, the order of fields did not NEED to be changed. However, not changing it resulted in unwelcome behaviors because some browsers are making some unfavorable assumptions about the order of form fields and how it should input data with their autofill/autocomplete features (though if the wall of text of console warnings I've started getting recently in Chrome is any clue, apparently at least they are working on ways to improve the autofill/autocomplete features). At least on my part, I'm getting sick and tired of patches just being pushed through because someone wants to see a change, any change proposal in software should be clearly explained and contrary to what you may feel I know it took me several days based on what continued to be posted to actually understand what the issue you were trying to describe actually was so that it could be addressed.
- Webdongle
- Joomla! Master
- Posts: 44093
- Joined: Sat Apr 05, 2008 9:58 pm
Re: Joomla User Management and GDPR
mbabker wrote:
> ...
> Since you care to bring up off topic issues here, the order of fields did not NEED to be changed. However, not changing it resulted in unwelcome behaviors because some browsers are making some unfavorable assumptions about the order of form fields and how it should input data with their autofill/autocomplete features ...
If it didn't need to be changed then it would not have. Obviously there was a NEED. It is not off topic (as such) because it demonstrates the effort needed just to get a small change.
mbabker wrote:
> Contrary to your opinion, people are taking GDPR compliance seriously not just in the core distribution
If that is so and everything (except deleting a user) can be easily done with a plugin like you said https://issues.joomla.org/tracker/jooml ... ent-338373 . Why has no core plugin been written in the last 3 and 1/2 months since the issue https://issues.joomla.org/tracker/joomla-cms/19078 ?
Please point me to the PR(s) ... if there are no PR(s) (other than the 2 stagnant ones) then please apologise for accusing me of spreading fud. My comments are valid and on topic ... nothing significant in Joomla core is evident in respect of GDPR !!!
Addendum
Brian has produced a plugin https://issues.joomla.org/tracker/joomla-cms/20051
Re: Joomla User Management and GDPR
Newsflash. Core development doesn't move fast unless you bypass the process. And even then you're lucky if it moves. I've been dealing with people groaning about something in the 4.0 development branch being broken for 9 months, I can count on one finger the number of people who have stepped up to work on a solution to that issue: me, myself, and I.
You may think something is a small change, you may think something is easy. That doesn't mean everyone is going to drop everything and either implement the change at once (again, change management techniques otherwise I'll just go onto GitHub right now and merge all 400 open pull requests because someone proposed a change so it should be accepted no questions asked) or at all (how many valid feature requests are there that are floating around that have zero code proposals, or even better how many things do we know are broken in Joomla and just accept it because the number of true coders contributing to core is such a small number that if it's not a pure user interface change the odds of the change getting tested/reviewed/merged are slim to none?).
I've been working for over 18 months to fix the core database API to bring about much needed security improvements in the API and I still have zero pull requests in the CMS actually fixing any of the hundreds of queries being built to utilize those API changes. If you really want to talk about "lip service" being paid, I have asked for help on that work numerous times and in 18 months all I have gotten are repeated tester comments saying "this is broken", three comments on one GitHub issue about the need for an API middle layer to parse things, and a 0.6% clickthrough rate on the last tweet to that GitHub issue (meaning 99.4% of people whom according to Twitter's analytics had seen the tweet if I understand impressions correctly couldn't even be bothered to open the issue to either provide feedback or offer to work on a solution). You think it's bad that a plugin hasn't been written in 3 months?
So yeah, I'm annoyed when people come onto these forums and make claims that the core contributors don't care about something, or come onto these forums and complain because something didn't happen fast enough for them. Meanwhile, those same people doing the groaning don't see the people who are overworked and under appreciated working their backsides off to provide major improvements in core entirely on their own effort because nobody gives a damn enough to contribute to core; everyone wants but nobody is willing to give. Larry's got it right, open source is awful - https://steemit.com/opensource/@crell/o ... e-is-awful
Last edited by deleted user on Mon Apr 02, 2018 6:23 pm, edited 1 time in total.
- abernyte
- Joomla! Virtuoso
- Posts: 4189
- Joined: Fri May 15, 2009 2:01 pm
- Location: Écosse - Scozia - Escocia - Škotija -स्कॉटलैंड
Re: Joomla User Management and GDPR
Well that was from the heart and I suspect that it was only a brief flash of the kimono opening. Please do not underestimate the regard that the peasantry, toiling daily in the mud, have for those who inhabit the sunny uplands of Olympus!
I, for what it is worth, am in awe of the ability of that small band of core developers. I hope and expect we all are.
Perhaps it is a tribute to your skills and how you have consistently delivered real improvements every year that the expectation is so high.
So duly chastened we must try to "hold our water" and make those bricks without straw a wee while longer.
- brian
- Joomla! Master
- Posts: 12787
- Joined: Fri Aug 12, 2005 7:19 am
- Location: Leeds, UK
- Contact:
Re: Joomla User Management and GDPR
For the record a plugin was submitted to the core of joomla for testing yesterday - although with the attitude expressed here I feel like just removing it and doing something else with my holiday
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/
- Webdongle
- Joomla! Master
- Posts: 44093
- Joined: Sat Apr 05, 2008 9:58 pm
Re: Joomla User Management and GDPR
brian wrote:
> For the record a plugin was submitted to the core of joomla for testing yesterday - although with the attitude expressed here I feel like just removing it and doing something else with my holiday
For the record I mentioned your plugin in viewtopic.php?p=3519522#p3519495 . I had previously missed it because it was not referenced in the tracker I was following. And I tested it as soon as I found it. FYI I spent a whole Easter weekend not so long ago testing a new feature. With the attitude that is aimed at me perhaps I should just do something else with my holiday.
-
- Joomla! Champion
- Posts: 5950
- Joined: Tue Aug 23, 2005 1:56 pm
- Location: South coast, UK
- Contact:
Re: Joomla User Management and GDPR
It's not just Joomla having fun with GDPR, take a look at https://www.theregister.co.uk/2018/04/1 ... s_debacle/
https://gadsolutions.biz Electrical services
https://electrical-testing-safety.co.uk Testing services
- Webdongle
- Joomla! Master
- Posts: 44093
- Joined: Sat Apr 05, 2008 9:58 pm
Re: Joomla User Management and GDPR
Individuals who register a .uk site can opt out of whois provided their site is not commercial. No reason why other tld can't act the same.
- pe7er
- Joomla! Master
- Posts: 24986
- Joined: Thu Aug 18, 2005 8:55 pm
- Location: Nijmegen, Netherlands
- Contact:
Re: Joomla User Management and GDPR
Webdongle wrote:
> Individuals who register a .uk site can opt out of whois provided their site is not commercial. No reason why other tld can't act the same.
Interesting. So a person in the UK who has a non-commercial website can hide their information (name / address) from the domain registration information (whois).
However when that person collects any personal data (e.g. a contact form on their website), according to the GDPR, they have to specify the "controller" ( = their own name) and their contact information ( = probably their private address / private phone / private e-mail).
Seems like you have to give away some of your own privacy in order to protect the privacy of your visitors / website users
Kind Regards,
Peter Martin, Global Moderator
Company website: https://db8.nl/en/ - Joomla specialist, Nijmegen, Netherlands
The best website: https://the-best-website.com
- brian
- Joomla! Master
- Posts: 12787
- Joined: Fri Aug 12, 2005 7:19 am
- Location: Leeds, UK
- Contact:
Re: Joomla User Management and GDPR
> Individuals who register a .uk site can opt out of whois provided their site is not commercial. No reason why other tld can't act the same.
Anyone can use a domain privacy service on any domain commercial or not. It is usually a paid service offered by the domain registrar. It's just that it's free from Nominet (the .uk registrar) for certain uses
- mandville
- Joomla! Master
- Posts: 15152
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Joomla User Management and GDPR
none of the sites i am involved with has specified online an actual person or private contact details of a DPO (where required), DC/DP . imagine asking google as a DP of email or analytics for a specific person to be posted online!
for optouts "Opt-out can only be set for domains where the registrant type is set as "UK Individual"
To qualify for opting out of having address details published, the domain name must not be used for any commercial activity and be unconnected with any business, trade or profession" so if you shove google adverts on your widget hobby website you become a commercial website.
which as Brian says is different from Domain Privacy companies (wonder how they are getting on with WP29 stuff)
- Webdongle
- Joomla! Master
- Posts: 44093
- Joined: Sat Apr 05, 2008 9:58 pm
Re: Joomla User Management and GDPR
pe7er wrote:
> ...
> However when that person collects any personal data (e.g. a contact form on their website), according to the GDPR, they have to specify the "controller" ( = their own name) and their contact information ( = probably their private address / private phone / private e-mail).
> ...
I suspect there are few individuals with personal sites that would need to collect personal data from others. If it were a club site then their details are in the public domain anyway.
pe7er wrote:
> ...
> Seems like you have to give away some of your own privacy in order to protect the privacy of your visitors / website users
It does appear to be an oxymoron.
brian wrote:
> Anyone can use a domain privacy service on any domain commercial or not. It is usually a paid service offered by the domain registrar. It's just that it's free from Nominet (the .uk registrar) for certain uses
Yes they can but no need for that if the registrars for other tlds do the same as Nominet.
- Webdongle
- Joomla! Master
- Posts: 44093
- Joined: Sat Apr 05, 2008 9:58 pm
Re: Joomla User Management and GDPR
mandville wrote:
> ...
> for optouts "Opt-out can only be set for domains where the registrant type is set as "UK Individual"
> To qualify for opting out of having address details published, the domain name must not be used for any commercial activity and be unconnected with any business, trade or profession" ...
Thanks for expanding on that. However that will be changing. Nominet will no longer publish the Registrant's name and address unless they are given express permission to do so. No distinction of non commercial sites is mentioned (by Nominet) in their changes. https://www.nominet.uk/nominet-opens-co ... hanges-uk/
I would suspect that publishing the name and address of anyone (who is in an EU country) would be against the GDPR ... regardless of tld. One wonders if publishing the name and address of anyone (regardless of tld or country of origin) would be contrary to the GDPR (because it could be seen in an EU country)?
Certainly be a mishmash if .com etc tld's needed the Registrant to pay to remain private while .uk domains hid it for free.
- reddeer
- Joomla! Apprentice
- Posts: 41
- Joined: Fri Jan 21, 2011 7:05 pm
Re: Joomla User Management and GDPR
mandville wrote:
> I still haven't found where it says it must be on the same page... only..
> Unbundled — Consent should be presented separately in a distinguishable manner from other content such as general terms and conditions, privacy notices
Friend Mandville, et al,
I appreciate the core folks more than they'll ever know (shout out to Brian). The ability for the subject to remove his account is great because we should be able to send a message back to the non-website CRM. Hoping some third party extension developers see an opportunity there...
Regarding consent, in our Joomla implementation, users cannot self-register due to our local rules not related to GDPR (all accounts created by Joomla admin from backend). So we take in data by a form and used to email an acknowledgement, then contact using the subject's preferred method as indicated in that form.
Now we also have a form to verify with the subject who submitted the first form that he gives permission to be contacted in one or more capacities. And a third form to enable opt-out of the data entered in the first form or subscribed to in the second form.
Is there a definitive statement somewhere from someone in the know (or at least not selling marketing mailing lists) as to whether we are permitted to have one form to rule them all (indicate personal professional data but not personally sensitive data, specify opt-in in explicit categories or opt-out) or whether that violates the spirit of "distinguishable manner from other..."?
Haven't seen this addressed much yet, or maybe I am looking in the wrong place as it doesn't seem to be plainly stated in the GDPR since it's a policy not a coding spec, I suppose. We're not in the EU or UK, so we're doing the best we can to follow the rules without having expert guidance.
I was hoping some of the third party Joomla extension developers would create a click-wrap extension so we could get out of form hell, but seems like that's a way off.
- Webdongle
- Joomla! Master
- Posts: 44093
- Joined: Sat Apr 05, 2008 9:58 pm
Re: Joomla User Management and GDPR
You would be best to seek specific legal advice about that.
-
- Joomla! Fledgling
- Posts: 2
- Joined: Sat Jun 27, 2015 8:27 pm
Re: Joomla User Management and GDPR
Hi all,
First, as always, a big thank you to the Joomla team, extension developers, heroes all-around. I for one, never say this enough, so now is as good a time as any.
In relation to the GDPR thing, with the help of Joomla web content management system, some great extensions, and of course making some changes, the solution I've put in place looks like it will meet the GDPR and is compatible with what I do.
For me, the "fix" is a combination of legal text changes and of course technical Joomla updates, as outlined below.
I've basically set the website up so that from now on, no one can contact me via website without first registering, or send me an email directly.
I appreciate, not everyone will want to force people to register on a website before they can use a contact form. It seems contrary to doing business. But I serve a relatively limited number of customers and clients so it works for me.
When someone chooses to register, they must first choose to accept my privacy policy and website terms of use document (these must be separate to meet the GDPR conditions).
So even registration isn't possible until a user accepts my privacy policy and website terms of use right from the outset (I prefer to deal with these hurdles early on). Additional terms are available for different services accessible only from deeper in the website.
Also, when someone registers, their details are recorded. If a user changes any of their details, those changes are also recorded, along with the IP address, what change was made, by whom, and the date and time of the change. With those records, on request, I can easily provide a PDF that shows all of the registration data and a log of the changes users or I made.
In addition, the following options become available after registering:
- (a) website users get access to my contact form (courtesy of those nice folks at RSJoomla.com, their RSForms!Pro, and their helpful blog article at: https://www.rsjoomla.com/blog/view/433- ... rmpro.html).
- (b) Registering is separate from being able to use my contact form. For someone to actually use my contact form, they must first give express permission (click a check box) for me to collect their details through the contact form - otherwise, the user can't contact me that way. When users choose my check box called "I give InternetTIPS.com permission to collect my details through this form", that too of course gets recorded in the database (date, time, who, etc).
- (c) A submissions directory. When someone sends me a message via the contact form, that message and key details gets put into the submissions directory. When a registered user logs in, they can see copies of all of the messages they have sent to me, and optionally download a copy of one or all of those messages, and / or delete one or all of those messages.
---
In addition, for any other data I may hold about someone, all they have to do is contact me and I'll delete any email messages in my inbox - providing they're not related to any purchases. For products and services purchased, naturally, I need to keep business records for about 7 years (6 years for those who are pedantic: I prefer to include a little more leeway).
The only key item not yet covered concerns deleting a Joomla registration account. Of course, I can just do this manually after checking whether the data is needed to be retained "for business accounts purposes". For me, that's the preferred route for now.
So while of course, Joomla account deletion can be built into Joomla itself, for me, it would not be wise to turn that functionality on even if it were available, especially if account deletion is instantly permanent. Why: naturally, you don't want to give users the option to delete their own accounts if doing so damages your business records for sales, etc. For that, we business or organisation owners should control that step.
The extensions I've used to cover the GDPR include:
- RSForms!Pro: https://extensions.joomla.org/extension/rsform-pro/
- The GDPR Bundle from RicheyWeb.com (3 plugins): https://www.richeyweb.com/software/joom ... dpr-bundle
---
All of the extensions I've used are also available for download from the Joomla.org "Download & Extend" section.
---
For the updated legal text, I've adapted text from: https://simply-docs.co.uk/Business_Documents.
Of course, before or after May 25, 2018, the EU / ICO may still change or modify the GDPR requirements. I just hope it's not going to be another cookies-law type debacle (though I suspect we're already in that space).
Hope that helps.
Last edited by toivo on Tue Apr 24, 2018 7:28 pm, edited 1 time in total.
Reason: mod note: changed the link to point to JED - please read the forum rules at https://forum.joomla.org/viewtopic.php?f=8&t=65
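The consent records this post describes (who gave which permission, and when), sketched as an added example that is not the poster's setup or code from the extensions named. The table and function names, the `policy_version` column and the rule that a grant against older policy text counts as stale are assumptions; the sample data is constructed.

```python
import sqlite3
from datetime import datetime, timezone

# Assumed schema (not from the thread): one row per consent event and purpose.
SCHEMA = """
CREATE TABLE consent_log (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    user_id INTEGER NOT NULL, purpose TEXT NOT NULL,
    action TEXT NOT NULL CHECK (action IN ('grant', 'withdraw')),
    policy_version TEXT NOT NULL, ip TEXT NOT NULL, at_utc TEXT NOT NULL);
CREATE TRIGGER consent_no_update BEFORE UPDATE ON consent_log
BEGIN SELECT RAISE(ABORT, 'consent events are never edited'); END;
"""

def record(db, user_id, purpose, action, policy_version, ip):
    """Append one event; a change of mind is a new row, not an edit."""
    now = datetime.now(timezone.utc).isoformat(timespec="seconds")
    with db:  # commit on success, roll back on error
        db.execute("INSERT INTO consent_log VALUES (NULL, ?, ?, ?, ?, ?, ?)",
                   (user_id, purpose, action, policy_version, ip, now))

def consent_state(db, user_id, purpose, current_version):
    """Return 'none', 'withdrawn', 'stale' (older policy text) or 'granted'."""
    row = db.execute(
        "SELECT action, policy_version FROM consent_log"
        " WHERE user_id = ? AND purpose = ? ORDER BY id DESC LIMIT 1",
        (user_id, purpose)).fetchone()
    if row is None:
        return "none"
    action, version = row
    if action == "withdraw":
        return "withdrawn"
    return "granted" if version == current_version else "stale"

def history(db, user_id):
    """Every event for one user, oldest first, for an export on request."""
    return db.execute(
        "SELECT purpose, action, policy_version, ip, at_utc FROM consent_log"
        " WHERE user_id = ? ORDER BY id", (user_id,)).fetchall()

def demo():
    """Constructed sample: user 42, documentation-range IP 203.0.113.7."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    record(db, 42, "contact_form", "grant", "2018-04", "203.0.113.7")
    record(db, 42, "newsletter", "grant", "2018-04", "203.0.113.7")
    record(db, 42, "newsletter", "withdraw", "2018-04", "203.0.113.7")
    return db
```

Keeping each purpose in its own rows means a withdrawal for one purpose leaves the others untouched, and only the latest event per purpose decides the current state.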
- mandville
- Joomla! Master
- Posts: 15152
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Joomla User Management and GDPR
basically you have done what most of those preparing have done.
I have not gone to the extent of making people register to contact, but i have split a rsform into two pages with page one having the name/email/message and then a conditional select box that then goes to page two if YES with the send button.
several of the sites i look after would not suit your format as they are NHW sites (and they are heading for the ostrich and chicken farms) so registering would give them access to special category information unless people got bumped up.
the rsjoomla blog post is good but as said a while ago, a simple contact form does it really need registration? The VEL site has had a gdpr ready reporting form for ages.
T&C - if your site uses them can be on the same page as the DPol but not mixed in with it.
Cookies tech specs really need to be rewritten to comply. How are you dealing with your host's compliance?
as I answered today when someone asked for a good [blog tool] gdpr contact plugin, I responded "business card or SAE"
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
- Webdongle
- Joomla! Master
- Posts: 44093
- Joined: Sat Apr 05, 2008 9:58 pm
Re: Joomla User Management and GDPR
Displaying the GDPR on registration is easy but I have yet to see a 3rd party extension that:
- Allows the user to delete their account
- Notifies all users when the site's GDPR changes
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".
-
- I've been banned!
- Posts: 13639
- Joined: Sun Jul 05, 2009 3:30 am
- Location: Canberra, Australia
Re: Joomla User Management and GDPR
Webdongle wrote: I have yet to see a 3rd party extension that:
- Allows the user to delete their account
This extension has been around for years: https://extensions.joomla.org/extension ... y-account/
Webdongle wrote: - Notifies all users when the site's GDPR changes
Aside from my lack of awareness how this relates specifically to the GDPR policy, can you please advise what "third-party extension" should do to notify all users whenever the site manager wants to notify them of something? This seems, to me, an unfair burden on the site owner that, when there's a change to the site's T&C (even if it's to correct a small typographical error), the need for the site owner to push the fact that there's been a change to the T&C to all users. Further, if a site has several hundred thousand members (e.g. https://forum.joomla.org) that may include old accounts with obsolete email addresses or that have been blocked from being able to log in or view a website's content, why should a site owner have to inform everyone by email? Not to mention, it may be impractical from the mail server's end, to send several hundred thousand emails in one "hit".
If this is a requirement of the GDPR—notify everyone when a site's T&C policy is amended—then I think it's a bit of overreach.
- mandville
- Joomla! Master
- Posts: 15152
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Joomla User Management and GDPR
didn't you know, you have to notify every site member when you sneeze or the cat climbs on the keyboard.
Obviously you could use the mass emailer BUT if you do have several thousand members then unless you use mailspammonkey or constantspamcontact you would max most mail server limits.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
- Webdongle
- Joomla! Master
- Posts: 44093
- Joined: Sat Apr 05, 2008 9:58 pm
Re: Joomla User Management and GDPR
http://www.privacy-regulation.eu/en/art ... g-GDPR.htm
"The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort."
http://www.privacy-regulation.eu/en/r43.htm
"Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations"
Perhaps I am interpreting it incorrectly. However, it appears that if the site/company changes the way they process the information then they need to get consent (from the user) to use the information in a different way.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".
-
- Joomla! Intern
- Posts: 91
- Joined: Wed Jun 11, 2014 7:33 pm
Re: Joomla User Management and GDPR
cyskye wrote: Hi, I'm using custom fields for joomla registration form, but my problem is that also if they accept privacy field (for example) there's no trace of that acceptance in the registration mail, so it could be difficult to demonstrate the acceptance in a simple way.
I really don't know how you do that, I've read that documentation about it, but it is a useless extension of Joomla as far as I can see. Either they don't work, or you only get text on a page which I could have typed myself also. It's hard and hardly to use.
What really would have been good is a standard thing like JUforms or similar, which you can really use to build a form, check in the backend the submissions, etcetera.
This is unusable for the GDPR to create a tick box, there is no tick box displayed for users.
Sorry for my acid on this.
-
- Joomla! Enthusiast
- Posts: 119
- Joined: Sun Apr 13, 2008 8:40 pm
GDPR Compliance on Joomla contact form using Chronoforms
Hi there,
I was wondering if I will be required to place some form of GDPR compliance regulations into and onto my contact form that uses a forms component such as ChronoForms or form component.
Thanks and very best to you,
J
Last edited by imanickam on Sat May 05, 2018 3:15 am, edited 1 time in total.
Reason: Merged with the topic https://forum.joomla.org/viewtopic.php?f=48&t=957357