Joomla User Management and GDPR

abernyte
Joomla! Virtuoso
Posts: 4189
Joined: Fri May 15, 2009 2:01 pm
Location: Écosse - Scozia - Escocia - Škotija -स्कॉटलैंड

Re: Joomla User Management and GDPR

Post by abernyte » Mon Apr 02, 2018 9:29 am

@Per: My reading of Article 7 GDPR is that the consent has to be obtained separately from any other TOS.
> If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.
https://gdpr-info.eu/art-7-gdpr/
"Those who expect to reap the blessings of freedom must, like men, undergo the fatigue of supporting it." Thomas Paine

abernyte
Joomla! Virtuoso
Posts: 4189
Joined: Fri May 15, 2009 2:01 pm
Location: Écosse - Scozia - Escocia - Škotija -स्कॉटलैंड

Re: Joomla User Management and GDPR

Post by abernyte » Mon Apr 02, 2018 9:39 am

Is allowing the User to delete their own data desirable? GDPR does not require it, it only mandates that it should be as easy to withdraw consent as it is to give it.

mandville
Joomla! Master
Posts: 15150
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Joomla User Management and GDPR

Post by mandville » Mon Apr 02, 2018 9:47 am

abernyte wrote:Is allowing the User to delete their own data desirable? GDPR does not require it, it only mandates that it should be as easy to withdraw consent as it is to give it.
Exactly. And the way it reads is the existing consent should only be re-obtained if consent was not obtained pre 2505 in a compliant way.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

Webdongle
Joomla! Master
Posts: 44024
Joined: Sat Apr 05, 2008 9:58 pm

Re: Joomla User Management and GDPR

Post by Webdongle » Mon Apr 02, 2018 1:47 pm

pe7er wrote:...
You could just use Joomla's default registration process with added "I agree to the Terms of Service" checkbox.
And change in the language file for the notification email that if the user agrees with the Terms of Service, they can click the activation link to acknowledge their registration + the TOS.
Apparently not
brianteeman wrote:the core TOS option doesn't satisfy the GDPR regulations as you have to display the information on the page not in a separate link
https://issues.joomla.org/tracker/jooml ... ent-331828
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

mandville
Joomla! Master
Posts: 15150
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Joomla User Management and GDPR

Post by mandville » Mon Apr 02, 2018 2:11 pm

I still haven't found where it says it must be on the same page... only..

Unbundled — Consent should be presented separately in a distinguishable manner from other content such as general terms and conditions, privacy notices

Webdongle
Joomla! Master
Posts: 44024
Joined: Sat Apr 05, 2008 9:58 pm

Re: Joomla User Management and GDPR

Post by Webdongle » Mon Apr 02, 2018 2:13 pm

abernyte wrote:Is allowing the User to delete their own data desirable? GDPR does not require it, it only mandates that it should be as easy to withdraw consent as it is to give it.
According to mbabker deleting the user alone can't be done without causing havoc
This is not a problem unique to Joomla and not one that is just solved by slapping a plugin on a site or adding a delete button to the core edit profile page because the user account is tied to a lot of things
https://issues.joomla.org/tracker/jooml ... ent-338377

Various solutions have been suggested on https://issues.joomla.org/tracker/joomla-cms/19023 including blocking the deletion if the user has added content. IMHO adding a default user (unknown) is the best option for the end user.

However I feel this discussion is redundant because the 'powers that be' in the issue tracker appear to either not want to bother at all or just pay lip service to the GDPR. And at least one other user used the discussion to promote his commercial plugin!

It took 10 days for the 'powers that be' to be persuaded the mail field (in J4 install) needed to be above the password https://github.com/joomla/joomla-cms/pull/18911 . I don't hold up much hope of anything significant being added to Joomla core for GDPR. :'(

Webdongle
Joomla! Master
Posts: 44024
Joined: Sat Apr 05, 2008 9:58 pm

Re: Joomla User Management and GDPR

Post by Webdongle » Mon Apr 02, 2018 2:21 pm

mandville wrote:...
Unbundled — Consent should be presented separately in a distinguishable manner from other content such as general terms and conditions, privacy notices
That could be taken as meaning unbundle it from a link and display it. Or it could mean Unbundled from T&C. I suspect the latter but Brian appears to be interpreting it as the former.

deleted user

Re: Joomla User Management and GDPR

Post by deleted user » Mon Apr 02, 2018 2:41 pm

Webdongle wrote:Various solutions have been suggested on https://issues.joomla.org/tracker/joomla-cms/19023 including blocking the deletion if the user has added content. IMHO adding a default user (unknown) is the best option for the end user.

However I feel this discussion is redundant because the 'powers that be' in the issue tracker appear to either not want to bother at all or just pay lip service to the GDPR.
Please stop spreading FUD about "powers that be". Contrary to your opinion, people are taking GDPR compliance seriously not just in the core distribution but in how our joomla.org network is managed as well (and to be frank I feel like "lip service" is being paid moreso on the latter than the former).
Webdongle wrote:It took 10 days for the 'powers that be' to be persuaded the mail field (in J4 install) needed to be above the password https://github.com/joomla/joomla-cms/pull/18911 . I don't hold up much hope of anything significant being added to Joomla core for GDPR. :'(
Since you care to bring up off topic issues here, the order of fields did not NEED to be changed. However, not changing it resulted in unwelcome behaviors because some browsers are making some unfavorable assumptions about the order of form fields and how it should input data with their autofill/autocomplete features (though if the wall of text of console warnings I've started getting recently in Chrome is any clue, apparently at least they are working on ways to improve the autofill/autocomplete features). At least on my part, I'm getting sick and tired of patches just being pushed through because someone wants to see a change, any change proposal in software should be clearly explained and contrary to what you may feel I know it took me several days based on what continued to be posted to actually understand what the issue you were trying to describe actually was so that it could be addressed.

Webdongle
Joomla! Master
Posts: 44024
Joined: Sat Apr 05, 2008 9:58 pm

Re: Joomla User Management and GDPR

Post by Webdongle » Mon Apr 02, 2018 3:17 pm

mbabker wrote:...
Since you care to bring up off topic issues here, the order of fields did not NEED to be changed. However, not changing it resulted in unwelcome behaviors because some browsers are making some unfavorable assumptions about the order of form fields and how it should input data with their autofill/autocomplete features ...
If it didn't need to be changed then it would not have. Obviously there was a NEED. It is not off topic (as such) because it demonstrates the effort needed just to get a small change.


mbabker wrote:Contrary to your opinion, people are taking GDPR compliance seriously not just in the core distribution
If that is so and everything (except deleting a user) can be easily done with a plugin like you said https://issues.joomla.org/tracker/jooml ... ent-338373 , why has no core plugin been written in the last 3 and 1/2 months since the issue https://issues.joomla.org/tracker/joomla-cms/19078 ?

Please point me to the PR(s) ... if there are no PR(s) (other than the 2 stagnant ones) then please apologise for accusing me of spreading fud. My comments are valid and on topic ... nothing significant in Joomla core is evident in respect of GDPR !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Addendum
Brian has produced a plugin https://issues.joomla.org/tracker/joomla-cms/20051

deleted user

Re: Joomla User Management and GDPR

Post by deleted user » Mon Apr 02, 2018 5:05 pm

Newsflash. Core development doesn't move fast unless you bypass the process. And even then you're lucky if it moves. I've been dealing with people groaning about something in the 4.0 development branch being broken for 9 months, I can count on one finger the number of people who have stepped up to work on a solution to that issue: me, myself, and I.

You may think something is a small change, you may think something is easy. That doesn't mean everyone is going to drop everything and either implement the change at once (again, change management techniques otherwise I'll just go onto GitHub right now and merge all 400 open pull requests because someone proposed a change so it should be accepted no questions asked) or at all (how many valid feature requests are there that are floating around that have zero code proposals, or even better how many things do we know are broken in Joomla and just accept it because the number of true coders contributing to core is such a small number that if it's not a pure user interface change the odds of the change getting tested/reviewed/merged are slim to none?).

I've been working for over 18 months to fix the core database API to bring about much needed security improvements in the API and I still have zero pull requests in the CMS actually fixing any of the hundreds of queries being built to utilize those API changes. If you really want to talk about "lip service" being paid, I have asked for help on that work numerous times and in 18 months all I have gotten are repeated tester comments saying "this is broken", three comments on one GitHub issue about the need for an API middle layer to parse things, and a 0.6% clickthrough rate on the last tweet to that GitHub issue (meaning 99.4% of people who according to Twitter's analytics had seen the tweet if I understand impressions correctly couldn't even be bothered to open the issue to either provide feedback or offer to work on a solution). You think it's bad that a plugin hasn't been written in 3 months?

So yeah, I'm annoyed when people come onto these forums and make claims that the core contributors don't care about something, or come onto these forums and complain because something didn't happen fast enough for them. Meanwhile, those same people doing the groaning don't see the people who are overworked and under appreciated working their backsides off to provide major improvements in core entirely on their own effort because nobody gives a damn enough to contribute to core; everyone wants but nobody is willing to give. Larry's got it right, open source is awful - https://steemit.com/opensource/@crell/o ... e-is-awful
Last edited by deleted user on Mon Apr 02, 2018 6:23 pm, edited 1 time in total.

abernyte
Joomla! Virtuoso
Posts: 4189
Joined: Fri May 15, 2009 2:01 pm
Location: Écosse - Scozia - Escocia - Škotija -स्कॉटलैंड

Re: Joomla User Management and GDPR

Post by abernyte » Mon Apr 02, 2018 5:25 pm

Well that was from the heart and I suspect that it was only a brief flash of the kimono opening. Please do not underestimate the regard that the peasantry, toiling daily in the mud, have for those who inhabit the sunny uplands of Olympus!
I, for what it is worth, am in awe of the ability of that small band of core developers. I hope and expect we all are.
Perhaps it is a tribute to your skills and how you have consistently delivered real improvements every year that the expectation is so high.
So duly chastened we must try to "hold our water" and make those bricks without straw a wee while longer.

brian
Joomla! Master
Posts: 12781
Joined: Fri Aug 12, 2005 7:19 am
Location: Leeds, UK

Re: Joomla User Management and GDPR

Post by brian » Mon Apr 02, 2018 5:31 pm

For the record a plugin was submitted to the core of joomla for testing yesterday - although with the attitude expressed here I feel like just removing it and doing something else with my holiday
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/

Webdongle
Joomla! Master
Posts: 44024
Joined: Sat Apr 05, 2008 9:58 pm

Re: Joomla User Management and GDPR

Post by Webdongle » Mon Apr 02, 2018 11:29 pm

brian wrote:For the record a plugin was submitted to the core of joomla for testing yesterday - although with the attitude expressed here I feel like just removing it and doing something else with my holiday
For the record I mentioned your plugin in viewtopic.php?p=3519522#p3519495 . I had previously missed it because it was not referenced in the tracker I was following. And I tested it as soon as I found it. FYI I spent a whole Easter weekend not so long ago testing a new feature. With the attitude that is aimed at me perhaps I should just do something else with my holiday.

gws
Joomla! Champion
Posts: 5886
Joined: Tue Aug 23, 2005 1:56 pm
Location: South coast, UK

Re: Joomla User Management and GDPR

Post by gws » Thu Apr 19, 2018 1:36 pm

It's not just Joomla having fun with GDPR, take a look at https://www.theregister.co.uk/2018/04/1 ... s_debacle/

Webdongle
Joomla! Master
Posts: 44024
Joined: Sat Apr 05, 2008 9:58 pm

Re: Joomla User Management and GDPR

Post by Webdongle » Thu Apr 19, 2018 6:17 pm

Individuals who register a .uk site can opt out of whois provided their site is not commercial. No reason why other TLDs can't act the same.

pe7er
Joomla! Master
Posts: 24929
Joined: Thu Aug 18, 2005 8:55 pm
Location: Nijmegen, Netherlands

Re: Joomla User Management and GDPR

Post by pe7er » Fri Apr 20, 2018 10:25 am

Webdongle wrote:Individuals who register a .uk site can opt out of whois provided their site is not commercial. No reason why other TLDs can't act the same.
Interesting. So a person in the UK who has a non-commercial website can hide their information (name / address) from the domain registration information (whois).

However when that person collects any personal data (e.g. a contact form on their website), according to the GDPR, they have to specify the "controller" ( = their own name) and their contact information ( = probably their private address / private phone / private e-mail).

Seems like you have to give away some of your own privacy in order to protect the privacy of your visitors / website users :)
Kind Regards,
Peter Martin, Global Moderator
Company website: https://db8.nl/en/ - Joomla specialist, Nijmegen, Netherlands
The best website: https://the-best-website.com

brian
Joomla! Master
Posts: 12781
Joined: Fri Aug 12, 2005 7:19 am
Location: Leeds, UK

Re: Joomla User Management and GDPR

Post by brian » Fri Apr 20, 2018 10:53 am

> Individuals who register a .uk site can opt out of whois provided their site is not commercial. No reason why other TLDs can't act the same.

Anyone can use a domain privacy service on any domain, commercial or not. It is usually a paid service offered by the domain registrar. It's just that it's free from Nominet (the .uk registrar) for certain uses.

mandville
Joomla! Master
Posts: 15150
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Joomla User Management and GDPR

Post by mandville » Fri Apr 20, 2018 12:19 pm

None of the sites I am involved with has specified online an actual person or private contact details of a DPO (where required), DC/DP. Imagine asking Google as a DP of email or analytics for a specific person to be posted online!
For opt-outs: "Opt-out can only be set for domains where the registrant type is set as "UK Individual".
To qualify for opting out of having address details published, the domain name must not be used for any commercial activity and be unconnected with any business, trade or profession", so if you shove Google adverts on your widget hobby website you become a commercial website.
Which, as Brian says, is different from Domain Privacy companies (wonder how they are getting on with WP29 stuff).

Webdongle
Joomla! Master
Posts: 44024
Joined: Sat Apr 05, 2008 9:58 pm

Re: Joomla User Management and GDPR

Post by Webdongle » Fri Apr 20, 2018 6:19 pm

pe7er wrote:...
However when that person collects any personal data (e.g. a contact form on their website), according to the GDPR, they have to specify the "controller" ( = their own name) and their contact information ( = probably their private address / private phone / private e-mail).
...
I suspect there are few individuals with personal sites that would need to collect personal data from others. If it were a club site then their details are in the public domain anyway.

pe7er wrote:...
Seems like you have to give away some of your own privacy in order to protect the privacy of your visitors / website users :)
It does appear to be an oxymoron.


brian wrote:Anyone can use a domain privacy service on any domain, commercial or not. It is usually a paid service offered by the domain registrar. It's just that it's free from Nominet (the .uk registrar) for certain uses.
Yes they can, but no need for that if the registrars for other TLDs do the same as Nominet.

Webdongle
Joomla! Master
Posts: 44024
Joined: Sat Apr 05, 2008 9:58 pm

Re: Joomla User Management and GDPR

Post by Webdongle » Fri Apr 20, 2018 6:31 pm

mandville wrote:...
for optouts "Opt-out can only be set for domains where the registrant type is set as "UK Individual"
To qualify for opting out of having address details published, the domain name must not be used for any commercial activity and be unconnected with any business, trade or profession" ...
Thanks for expanding on that. However that will be changing. Nominet will no longer publish the Registrant's name and address unless they are given express permission to do so. No distinction of non commercial sites is mentioned (by Nominet) in their changes. https://www.nominet.uk/nominet-opens-co ... hanges-uk/

I would suspect that publishing the name and address of anyone (who is in an EU country) would be against the GDPR ... regardless of TLD. One wonders if publishing the name and address of anyone (regardless of TLD or country of origin) would be contrary to the GDPR (because it could be seen in an EU country)?

Certainly be a mishmash if .com etc TLDs needed the Registrant to pay to remain private while .uk domains hid it for free.

reddeer
Joomla! Apprentice
Posts: 41
Joined: Fri Jan 21, 2011 7:05 pm

Re: Joomla User Management and GDPR

Post by reddeer » Sat Apr 21, 2018 12:24 am

mandville wrote:I still haven't found where it says it must be on the same page... only..

Unbundled — Consent should be presented separately in a distinguishable manner from other content such as general terms and conditions, privacy notices

Friend Mandville, et al,

I appreciate the core folks more than they'll ever know (shout out to Brian 8) ). The ability for the subject to remove his account is great because we should be able to send a message back to the non-website CRM. Hoping some third party extension developers see an opportunity there...

Regarding consent, in our Joomla implementation, users cannot self-register due to our local rules not related to GDPR (all accounts created by Joomla admin from backend). So we take in data by a form and used to email an acknowledgement, then contact using the subject's preferred method as indicated in that form.

Now we also have a form to verify with the subject who submitted the first form that he gives permission to be contacted in one or more capacities. And a third form to enable opt-out of the data entered in the first form or subscribed to in the second form.

Is there a definitive statement somewhere from someone in the know (or at least not selling marketing mailing lists) as to whether we are permitted to have one form to rule them all (indicate personal professional data but not personally sensitive data, specify opt-in in explicit categories or opt-out) or whether that violates the spirit of "distinguishable manner from other..."?
Haven't seen this addressed much yet, or maybe I am looking in the wrong place as it doesn't seem to be plainly stated in the GDPR since it's a policy not a coding spec, I suppose. We're not in the EU or UK, so we're doing the best we can to follow the rules without having expert guidance.

I was hoping some of the third party Joomla extension developers would create a click-wrap extension so we could get out of form hell, but seems like that's a way off.

Webdongle
Joomla! Master
Posts: 44024
Joined: Sat Apr 05, 2008 9:58 pm

Re: Joomla User Management and GDPR

Post by Webdongle » Sat Apr 21, 2018 1:14 am

You would be best to seek specific legal advice about that.

itips102
Joomla! Fledgling
Posts: 2
Joined: Sat Jun 27, 2015 8:27 pm

Re: Joomla User Management and GDPR

Post by itips102 » Tue Apr 24, 2018 11:42 am

Hi all,

First, as always, a big thank you to the Joomla team, extension developers, heroes all-around. I for one, never say this enough, so now is as good a time as any.

In relation to the GDPR thing, with the help of Joomla web content management system, some great extensions, and of course making some changes, the solution I've put in place looks like it will meet the GDPR and is compatible with what I do.

For me, the "fix" is a combination of legal text changes and of course technical Joomla updates, as outlined below.

I've basically set the website up so that from now on, no one can contact me via website without first registering, or send me an email directly.

I appreciate, not everyone will want to force people to register on a website before they can use a contact form. It seems contrary to doing business. But I serve a relatively limited number of customers and clients so it works for me.

When someone chooses to register, they must first choose to accept my privacy policy and website terms of use document (these must be separate to meet the GDPR conditions).

So even registration isn't possible until a user accepts my privacy policy and website terms of use right from the outset (I prefer to deal with these hurdles early on). Additional terms are available for different services accessible only from deeper in the website.

Also, when someone registers, their details are recorded. If a user changes any of their details, those changes are also recorded, along with the IP address, what change was made, by whom, and the date and time of the change. With those records, on request, I can easily provide a PDF that shows all of the registration data and a log of the changes users or I made.

In addition, the following options become available after registering:

- (a) Website users get access to my contact form (courtesy of those nice folks at RSJoomla.com, their RSForms!Pro, and their helpful blog article at: https://www.rsjoomla.com/blog/view/433- ... rmpro.html).

- (b) Registering is separate from being able to use my contact form. For someone to actually use my contact form, they must first give express permission (click a check box) for me to collect their details through the contact form - otherwise, the user can't contact me that way. When users choose my check box called "I give InternetTIPS.com permission to collect my details through this form", that too of course gets recorded in the database (date, time, who, etc).

- (c) A submissions directory. When someone sends me a message via the contact form, that message and key details get put into the submissions directory. When a registered user logs in, they can see copies of all of the messages they have sent to me, and optionally download a copy of one or all of those messages, and / or delete one or all of those messages.

---

In addition, for any other data I may hold about someone, all they have to do is contact me and I'll delete any email messages in my inbox - providing they're not related to any purchases. For products and services purchased, naturally, I need to keep business records for about 7 years (6 years for those who are pedantic: I prefer to include a little more leeway).

The only key item not yet covered concerns deleting a Joomla registration account. Of course, I can just do this manually after checking whether the data is needed to be retained "for business accounts purposes". For me, that's the preferred route for now.

So while of course, Joomla account deletion can be built into Joomla itself, for me, it would not be wise to turn that functionality on even if it were available, especially if account deletion is instantly permanent. Why: naturally, you don't want to give users the option to delete their own accounts if doing so damages your business records for sales, etc. For that, we business or organisation owners should control that step.

The extensions I've used to cover the GDPR include:

- RSForms!Pro: https://extensions.joomla.org/extension/rsform-pro/

- The GDPR Bundle from RicheyWeb.com (3 plugins): https://www.richeyweb.com/software/joom ... dpr-bundle

---

All of the extensions I've used are also available for download from the Joomla.org "Download & Extend" section.

---

For the updated legal text, I've adapted text from: https://simply-docs.co.uk/Business_Documents.

Of course, before or after May 25, 2018, the EU / ICO may still change or modify the GDPR requirements. I just hope it's not going to be another cookies-law type debacle (though I suspect we're already in that space).

Hope that helps.
Last edited by toivo on Tue Apr 24, 2018 7:28 pm, edited 1 time in total.
Reason: mod note: changed the link to point to JED - please read the forum rules at https://forum.joomla.org/viewtopic.php?f=8&t=65
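
The consent and change records described in this post could be kept in a table like the following. This is an added example, not itips102's setup or code from Joomla or any extension named in the thread; the schema, the function names and the `policy_version` column are assumptions, and the sample user, versions and IP address are constructed.

```python
import json
import sqlite3
from datetime import datetime, timezone

# Hypothetical schema (not Joomla's or any extension's): one row per consent
# event, one purpose per row, so each consent stays separate from the others.
SCHEMA = """
CREATE TABLE consent_event (
    id             INTEGER PRIMARY KEY AUTOINCREMENT,
    user_id        INTEGER NOT NULL,
    purpose        TEXT    NOT NULL,
    policy_version TEXT    NOT NULL,
    action         TEXT    NOT NULL CHECK (action IN ('grant', 'withdraw')),
    ip             TEXT    NOT NULL,
    at_utc         TEXT    NOT NULL
);
-- History is kept by adding rows; editing an existing row is refused.
CREATE TRIGGER consent_event_no_update BEFORE UPDATE ON consent_event
BEGIN
    SELECT RAISE(ABORT, 'consent_event rows are never edited');
END;
"""


def open_ledger(path=":memory:"):
    db = sqlite3.connect(path)
    db.executescript(SCHEMA)
    return db


def record(db, user_id, purpose, policy_version, action, ip):
    """Append one grant/withdraw event with who, what, when and from where."""
    db.execute(
        "INSERT INTO consent_event "
        "(user_id, purpose, policy_version, action, ip, at_utc) "
        "VALUES (?, ?, ?, ?, ?, ?)",
        (user_id, purpose, policy_version, action, ip,
         datetime.now(timezone.utc).isoformat()),
    )
    db.commit()


def current_state(db, user_id):
    """Latest event per purpose: {purpose: (action, policy_version)}."""
    rows = db.execute(
        "SELECT purpose, action, policy_version FROM consent_event "
        "WHERE id IN (SELECT MAX(id) FROM consent_event "
        "             WHERE user_id = ? GROUP BY purpose)",
        (user_id,),
    )
    return {purpose: (action, version) for purpose, action, version in rows}


def may_process(db, user_id, purpose, current_versions):
    """True only for a live grant given against the version now in force."""
    wanted = ("grant", current_versions[purpose])
    return current_state(db, user_id).get(purpose) == wanted


def needs_reconsent(db, user_id, current_versions):
    """Purposes granted under a text that has since been replaced."""
    return sorted(
        purpose
        for purpose, (action, version) in current_state(db, user_id).items()
        if action == "grant" and version != current_versions.get(purpose)
    )


def export_user(db, user_id):
    """Full event history for one user, as JSON, for an on-request report."""
    columns = ("purpose", "policy_version", "action", "ip", "at_utc")
    rows = db.execute(
        f"SELECT {', '.join(columns)} FROM consent_event "
        "WHERE user_id = ? ORDER BY id", (user_id,),
    )
    return json.dumps([dict(zip(columns, row)) for row in rows], indent=2)


def demo():
    """Constructed walk-through; user id, versions and IP are sample values."""
    db = open_ledger()
    versions = {"privacy_policy": "2018-04", "terms_of_use": "2018-04",
                "contact_form": "2018-04"}
    ip = "203.0.113.7"  # documentation-range address
    for purpose in ("privacy_policy", "terms_of_use"):
        record(db, 42, purpose, versions[purpose], "grant", ip)
    before = may_process(db, 42, "contact_form", versions)  # registered only
    record(db, 42, "contact_form", versions["contact_form"], "grant", ip)
    granted = may_process(db, 42, "contact_form", versions)
    record(db, 42, "contact_form", versions["contact_form"], "withdraw", ip)
    withdrawn = may_process(db, 42, "contact_form", versions)
    versions["privacy_policy"] = "2018-05"  # the privacy policy text changes
    stale = needs_reconsent(db, 42, versions)
    return before, granted, withdrawn, stale


if __name__ == "__main__":
    print(demo())
```

The stored IP address and timestamps are themselves personal data, so the ledger falls under the same export and retention handling as the rest of the account.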

mandville
Joomla! Master
Posts: 15150
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Joomla User Management and GDPR

Post by mandville » Tue Apr 24, 2018 4:20 pm

Basically you have done what most of those preparing have done.
I have not gone to the extent of making people register to contact, but I have split an RSForm into two pages with page one having the name/email/message and then a conditional select box that then goes to page two if YES with the send button.
Several of the sites I look after would not suit your format as they are NHW sites (and they are heading for the ostrich and chicken farms) so registering would give them access to special category information unless people got bumped up.
The RSJoomla blog post is good but, as said a while ago, a simple contact form, does it really need registration? The VEL site has had a GDPR-ready reporting form for ages.
T&C - if your site uses them - can be on the same page as the DPol but not mixed in with it.
Cookies tech specs really need to be rewritten to comply. How are you dealing with your host's compliance?

As I answered today when someone asked for a good [blog tool] GDPR contact plugin, I responded "business card or SAE".

Webdongle
Joomla! Master
Posts: 44024
Joined: Sat Apr 05, 2008 9:58 pm

Re: Joomla User Management and GDPR

Post by Webdongle » Tue Apr 24, 2018 7:36 pm

Displaying the GDPR on registration is easy but I have yet to see a 3rd party extension that:
  • Allows the user to delete their account
  • Notifies all users when the site's GDPR changes

sozzled
I've been banned!
Posts: 13639
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia

Re: Joomla User Management and GDPR

Post by sozzled » Tue Apr 24, 2018 7:56 pm

Webdongle wrote:I have yet to see a 3rd party extension that:
  • Allows the user to delete their account
This extension has been around for years: https://extensions.joomla.org/extension ... y-account/
Webdongle wrote:
  • Notifies all users when the site's GDPR changes
Aside from my lack of awareness how this relates specifically to the GDPR policy, can you please advise what "third-party extension" should do to notify all users whenever the site manager wants to notify them of something? This seems, to me, an unfair burden on the site owner that, when there's a change to the site's T&C (even if it's to correct a small typographical error), the need for the site owner to push the fact that there's been a change to the T&C to all users. Further, if a site has several hundred thousand members (e.g. https://forum.joomla.org) that may include old accounts with obsolete email addresses or that have been blocked from being able to login or view a website's content, why should a site owner have to inform everyone by email? Not to mention, it may be impractical from the mail server's end, to send several hundred thousand emails in one "hit".

If this is a requirement of the GDPR—notify everyone when a site's T&C policy is amended—then I think it's a bit of overreach.

mandville
Joomla! Master
Posts: 15150
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Joomla User Management and GDPR

Post by mandville » Tue Apr 24, 2018 8:16 pm

Didn't you know, you have to notify every site member when you sneeze or the cat climbs on the keyboard.
Obviously you could use the mass emailer BUT if you do have several thousand members then unless you use mailspammonkey or constantspamcontact you would max most mail server limits.

Webdongle
Joomla! Master
Posts: 44024
Joined: Sat Apr 05, 2008 9:58 pm

Re: Joomla User Management and GDPR

Post by Webdongle » Tue Apr 24, 2018 10:59 pm

The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.
http://www.privacy-regulation.eu/en/art ... g-GDPR.htm
Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations
http://www.privacy-regulation.eu/en/r43.htm


Perhaps I am interpreting it incorrectly. However, it appears that if the site/company changes the way they process the information then they need to get consent (from the user) to use the information in a different way.

JJSJJS
Joomla! Intern
Posts: 91
Joined: Wed Jun 11, 2014 7:33 pm

Re: Joomla User Management and GDPR

Post by JJSJJS » Sat Apr 28, 2018 7:18 pm

cyskye wrote:Hi, I'm using custom fields for joomla registration form, but my problem is that also if they accept privacy field (for example) there's no trace of that acceptance in the registration mail, so it could be difficult to demonstrate the acceptance in a simple way.
I really don't know how you do that, I've read that documentation about it, but it is a useless extension of Joomla as far as I can see. Or they don't work, or you only get text on a page which I could have typed myself also. It's hard and hardly to use.
What really would have been good is a standard thing like JUforms or similar, which you can really use to build a form, check in the backend the submissions, et cetera.
This is unusable for the GDPR to create a tick box, there is no tick box displayed for users.
Sorry for my acid on this.

joknight
Joomla! Enthusiast
Posts: 119
Joined: Sun Apr 13, 2008 8:40 pm

GDPR Compliance on Joomla contact form using Chronoforms

Post by joknight » Fri May 04, 2018 7:19 pm

Hi there,
I was wondering if I will be required to place some form of GDPR compliance regulations into and onto my contact form that uses a forms component such as ChronoForms or form component.

Thanks and very best to you,
J
Last edited by imanickam on Sat May 05, 2018 3:15 am, edited 1 time in total.
Reason: Merged with the topic https://forum.joomla.org/viewtopic.php?f=48&t=957357

