Project

General

Profile

DSGVO

Added by Richard Rauch over 6 years ago

Hello,

today I shut down my Redmine Server, which had public access.

The reason:
It does not fullfill the rules of the DSGVO, which is valid since today.
I do not want to have letters from lawyers who have the business model of writing such warning letters.

With the new DSGVO it's a European problem, not only a German (my server is located in Germany).

Are the any activities to improve Redmine to fullfill the DSGVO?

Thanks
Richard


Replies (14)

RE: DSGVO - Added by Richard Rauch over 6 years ago

by the way...

redmine.org itself will run in same problems! I do not find any imprint or privacy policy!!!

RE: DSGVO - Added by Bernhard Rohloff over 6 years ago

What do you think is necessary to fullfill the rules of the DSGVO/GDPR?
For my understanding this could be all handled by a policy inside or next to the legal notice you already need.
And this could be accomplished easily by a wiki article which is linked on the welcome page.

Regards,
Bernhard

RE: DSGVO - Added by Bernhard Rohloff over 6 years ago

Perhaps you can find some useful information at the Planio guys place as they use Redmine commercially...
https://plan.io/data-protection/

RE: DSGVO - Added by Richard Rauch over 6 years ago

many thanks for your hints!

initially I was thinking about a static page for imprint/policy.
but putting the imprint and policy inside a wiki article is actually a good idea!
but it is not sufficient to have a link only on the welcome page.
better to make it available on every page.
For imprint I have already extended the site footer with a fixed coded link to my primary website's imprint. But a link to wiki article, which is located on the redmine server site, is a better idea!

Further a double opt in method for registration is necessary. Additionally the consent of the user must be saved anyhow.

This is, what I have found out right now, I am not sure, what else is necessary!

RE: DSGVO - Added by Bernhard Rohloff over 6 years ago

Richard Rauch wrote:

by the way...

redmine.org itself will run in same problems! I do not find any imprint or privacy policy!!!

You're right. I haven't found anything of that nature, too.
I've raised an issue for that as i think this can cause huge trouble to my #1 project management tool!

This is, what I have found out right now, I am not sure, what else is necessary!

Do you use Redmine for private or commercial purpose?
Is Redmine hosted on your physically own server?

RE: DSGVO - Added by Richard Rauch over 6 years ago

Bernhard Ganslmeier:

I have a small company (one man show ;) ), and I am using redmine for managing customer specific projects and some public projects.
It is hosted on a physically server at my site. The server is accessible by IP-address or subdomain name.

Of course, the new DSGVO is not exactly written in each detail, so I am not sure, what are my concrete duties.

e.g. I found information, that I need to provide the privacy policy in each language, my website is providing.

Most content on my site is English or German, but you know the internals of redmine? It supports up to 100 languages, depending on the user location or settings ...do I need to provide privacy policy in each of this languages? :(

RE: DSGVO - Added by Richard Rauch over 6 years ago

here is a link regarding the languages, which are necessary.
the explanation is aimed to websites, which are located in Germany.
Further the explanation is in German (sorry! ):

https://www.twigg.de/dsgvo-datenschutzerklaerung-englisch/

it says, that - depending on your audiance and content - you need to provide the policy in the language of your audiance too, not only in the language, your server/company is located

RE: DSGVO - Added by Jens Krämer over 6 years ago

Richard Rauch wrote:

by the way...

redmine.org itself will run in same problems! I do not find any imprint or privacy policy!!!

So what.

redmine.org is not a commercial offering, nothing is sold here. If you create an account that is entirely up to you, and if the lack of a privacy statement bothers you, well, don't do so. No reason to panic.

RE: DSGVO - Added by Bernhard Rohloff over 6 years ago

Jens Krämer wrote:

Richard Rauch wrote:

redmine.org is not a commercial offering, nothing is sold here. If you create an account that is entirely up to you, and if the lack of a privacy statement bothers you, well, don't do so. No reason to panic.

I would like to cite an article on opensource.com

...One of the biggest changes that comes with the GDPR is an increased territorial scope. The GDPR applies to all organizations processing >the personal data of data subjects residing in the European Union, irrelevant to its location.
...

So I think this applies to the Redmine project, too. No matter if it's commercial or not.

RE: DSGVO - Added by Jens Krämer over 6 years ago

Bernhard Rohloff wrote:

So I think this applies to the Redmine project, too. No matter if it's commercial or not.

Yes, by the letter of the word it may apply to every single web site that exists if it can be accessed by a single European. That only shows how overreaching this whole thing has become. I for my part won't jump through hoops that were put up for Facebook and Google.

The intention of the law appears to be a bit different (as in, not intended to hassle small scale sites) anyway, so hopefully it will be fixed in the near future to make that more clear. In case you understand German I'd like to point you to https://ditze.net/datenschutzerklaerung/ , especially "§7 Abmahnungen".

In the end it's up to Jean Philippe how he handles this on redmine.org, and up to you how you handle it in your installation of Redmine. If you want to put up a nice and legally waterproof (probably, who knows for sure...) privacy statement in 24 languages that nobody is ever going to read, by all means do so. I just wanted to put this a bit into perspective and add my 0.02$.

RE: DSGVO - Added by Bernhard Rohloff over 6 years ago

Jens Krämer wrote:

The intention of the law appears to be a bit different (as in, not intended to hassle small scale sites) anyway, so hopefully it will be fixed in the near future to make that more clear.

Yes it indeed lets very much room for interpretation. The time will show us how things will move. I hope the waters on that topic will calm down very quickly as these data protection regulation thingy is getting really annoying. Also on the consumer side!

In case you understand German...

Yes, and Bavarian, too. ;-)

I'd like to point you to https://ditze.net/datenschutzerklaerung/ , especially "§7 Abmahnungen".

Oh yeah it was really entertaining and worth reading. ==> Bookmarked! Thanks...

In the end it's up to Jean Philippe how he handles this on redmine.org, and up to you how you handle it in your installation of Redmine.

Yes, I think so, too. As I've written somewhere here, I've raised an issue for redmine.org so the team has it on their todo list. The rest is up to them...

RE: DSGVO - Added by Jan Niggemann (redmine.org team member) about 6 years ago

Thank you for pointing this out, we're working on it.

RE: DSGVO an update - Added by Richard Rauch about 6 years ago

Hi all,
after some month my redmine site was offline, I was forced to make it available again.

For a few things regarding DSGVO/GDPR I propose a workaround, as long there is no out-of-the-box solution:

Imprint, Privacy Policy

I created public project "Legal", which has just wiki.
Wiki has subpages with "Imprint", "Privacy Policy", "Contact",.....

I patched the footer definition of redmine in order to create links on site footer:


<div id="footer">
  <div class="bgl"><div class="bgr">
    <a href ="/projects/legal/wiki/imprint">Impressum</a> <a href ="/projects/legal/wiki/privacy-policy">Datenschutzhinweis</a> <a href ="/projects/legal/wiki/contact">Kontakt</a><br>
...

now on each page of my site a link is available to imprint, privacy policy,... (as common on commercial websites)

User Registration

I turned off self registration for new users completely! I cannot fullfill the new requirements (double opt-in, acceptance of privacy policy...)

Still unsolved:

query for user acceptance of cookies

Redmine is creating cookies. But there is no possibility for user to agree/deny

RE: DSGVO - Added by Richard Rauch about 6 years ago

Hi again,

I've found this plugin for cookie disclosure: http://www.redmine.org/plugins/cookie-disclosure
But code/download link is broken.
Who can help to find plugin?

Thanks
Richard

    (1-14/14)