GDPR-compliant

[dannycolin]

Describe the bug
Website isn't GDPR-compliant

Expected behavior
it should be?

Additional context
Here's an example of a privacy policy : https://www.fosteropenscience.eu/privacy-policy

[Protohedgehog]

Oh man. Do we need to draft something equivalent to this? We don't gather any user data do we?

[tosteiner]

Unfortunately, we do, yes... thanks, @dannycolin for sorting the issue into here :) @Protohedgehog If you want, I can dig into the topic, (have recently gone through all the pains for my uni... it's not too hard, might have to poke around a bit on what services we use - if we do)

[Protohedgehog]

Okie dokie. @tosteiner do you want to crack open a Gdoc or something and we can hammer this out together? We would probably have to indicate the sort of stuff that Eliademy requires too, right?

[tosteiner]

Hum, I suppose we might be lucky and don't have to, because eliademy is external... we need do describe what the web page itself offers, and as long as we don't embed eliademy stuff directly, we might be able to steer clear of that...

So, here's a HackMD to get the ball rollin': https://hackmd.io/s/ryOsCT7YV#

Will have to postpone this a bit, though, am currently in the midst of a job application 😉

[Protohedgehog]

OK, sweet! Will have a play with that soon, never used the platform. Have fun with the job application! Something in Berlin? ;)

[tosteiner]

No, the US - never figured I might consider this, but New England looks like a nice option :)

[dannycolin]

At the moment, the new website doesn't use cookies and every libraries are loaded from the same location as where the website is hosted. That means no user data is leaking to a third-party CDN.

Count me in to help as much as I can on that issue :).

[tosteiner]

@dannycolin @Protohedgehog alrighty, then - first rudimentary draft here https://hackmd.io/s/ryOsCT7YV#

I've made use of one of those free generators and further trimmed the result down to only consider server-side logging (IP address collection and all that really basic stuff, but no cookies, not tracking via Google or Matomo/Piwk etc.) - feel free to revise & change stuff ;)

Do you guys maybe know somebody working in the legal sector who could maybe take a cursory peek at this? I guess this here is better than having nothing whatsoever, but some sort of legal advice might be better with such matters

[dannycolin]

I've made use of one of those free generators and further trimmed the result down to only consider server-side logging (IP address collection and all that really basic stuff, but no cookies, not tracking via Google or Matomo/Piwk etc.) - feel free to revise & change stuff ;)

Technically, GitLab/GitHub is collecting the data not us.

In the policy it's mentionned that

These third parties have access to your Personal Data only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.

Does the privacy policy of GitLab/GitHub is compatible with that statement? I wouldn't be suprise that GitLab/GitHub use their data for other purpose than.

[Protohedgehog]

Thanks for this @tosteiner! I'll have an edit when I get the chance. The link for the Slack group is: https://osmooc.herokuapp.com/ but it's interesting to see that the old one is working again now for some reason?? I don't know many legal people to have a peak though, sadly.

[Protohedgehog]

Suggested text for plain language summary:

Plain-Language Summary

We highly value your privacy. We don't just say so. In fact the Open Science MOOC was built around giving people the freedom to do what they want in research, and we never had any intent for obtaining or using user data. All personal data stays on your computer, and we do not touch a thing. We were GDPR compliant from the beginning.

Your data is not our business model. We want to provide services valuable enough and provide free features without the need to trade-off your data ownership and privacy. This is almost an entirely volunteer-driven project with minimal sponsorship, and that is our business model.

We don't take venture capital funding to never fall into the trap of trading off your privacy and freedom to move for growth. Instead we choose the harder route of sustaining our project through alternative means, such as volunteers and small grants.

And then also some indication of what Slack, GitHub, and Eliademy might do too.

[dannycolin]

Any update regarding that issue?