New EU privacy regulations (GDPR)

Started by Neys, May 10, 2018, 04:18:58 PM


Neys

Hi,

some of you might already have heard about the GDPR (https://www.eugdpr.org/). I'm wondering if this affects the dead men walking community as well. Honestly I'm not a lawyer and I have only very slight ideas who is affected by this under which circumstances.

However, as the author of stracker, an Assetto Corsa statistics tracker, I have a feeling that running this service might be a problem in terms of the GDPR. I'm not sure if also running normal game servers and taking log files is already problematic.

Anyways, this is just a warning two weeks before the law is enforced. I think we should make a decision before the lawyers show up. At least here in Germany, there is a real threat for being penalized by random people ...

See also:
https://www.racedepartment.com/threads/stracker.93956/page-29#post-2745593
http://www.assettocorsa.net/forum/index.php?threads/new-eu-privacy-policy-a-show-stopper-for-tracking-apps.49496/

Greetings
Neys

TeaLeaf

It's being and has been discussed at Council level. The exemptions cover a lot of what we do, but we're also looking at other software options. In addition to the exemptions, we already have permission to hold data due to our joining instructions offering us a perpetual licence on the content. Whether that stands up in court is another matter. We'll announce more when ready.
TL.
Wisdom doesn't necessarily come with age. Sometimes age just shows up all by itself. (Tom Wilson)
Talent wins games, but teamwork and intelligence wins championships. (Michael Jordan)

TeaLeaf

As this hits in a couple of days, I thought I would post up some generic stuff for GL's in case any questions get asked. Keep in mind that vBulletin is absolutely bloody hopeless in respect of GDPR and we therefore have no facility to handle some of the more complex requirements of GDPR, so we are also looking at new forum software and will hang a privacy policy somewhere on the website shortly. Remember that people elect to sign up, understand we need to process their data in order to run the forum and that most of what we hold is non-personal data and that we only hold some personal data because we have to do so to make the forum work. Members have also granted us a perpetual non-revocable licence as to all forum content as per our user agreement.

The Legitimate Interest bit of GDPR is what should allow us to carry on without too much hassle.  Legitimate interest is one of the six lawful bases for processing personal data and as we are non-commercial we should be relatively secure in using this section of the GDPR. The key elements of the legitimate interests provision can be broken down into a three-part test.

Purpose test: is there a legitimate interest behind the processing? Yes, they elected to join our forum and provide their data to us.
Necessity test: is the processing necessary for that purpose? Yes, we can't operate the forum that they joined without being able to communicate with their computer when they post and know who they are.
Balancing test: is the legitimate interest overridden by the individual's interests, rights or freedoms? In our opinion, no.

We believe that we meet these criteria.

If you get any more difficult questions, simply throw them at Council and we'll think about it and then come back to you with a completely incomprehensible answer, written in some sort of legalese, possibly not in English though.

Be careful out there....................
TL.

TwoBad

The Battle of Damnation Alley, 25th January 2015
'You are hereby awarded the Military Cross, posthumously, for an act of exemplary gallantry during active operations against the enemy on land.'

Neys

Thank you TL for these insights. I'm going to throw in some questions as suggested:

Here at Dead Men Racing we are using stracker on a public Assetto Corsa server. stracker stores session statistics in a relational sqlite3 database on BA5, such as the Steam GUID, (nick-)name, race results, chat messages, lap statistics, collisions, and so on. The statistics are available on the internet here http://77.108.135.2:42223/lapstat and also directly in-game in Assetto Corsa. The current version of stracker doesn't store Steam IDs anymore, but cryptographic one-way hashes using sha256. Users are able to anonymize their statistics and delete their chat messages in-game (via chat messages).

Users are welcomed with the following chat message:
Dead Men Racing / Dominant Monkeys [%(version)s]
Mature Clean Fair (http://www.deadmen.co.uk)
Your activities on this server are tracked. By driving on this server you give consent to store and process
information like your driver name, steam GUID, chat messages and session statistics. You can anonymize this
data by typing the chat message "/st anonymize on". You might not be able to join the server again afterwards.

What do you think about this? Is this acceptable for us to use, or do you want us to change this? Is running stracker ok at all?

Thank you :)
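An added example, not stracker's own code and not part of Neys' post, of the storage design described above: a one-way pseudonym for the Steam GUID, lap statistics and chat kept under that pseudonym in sqlite3, and an in-game "/st anonymize on" command. Two design points a practitioner would check are built in. First, the pseudonym is a keyed HMAC-SHA256 rather than a bare SHA-256: a hash is one-way but not secret, so an identifier drawn from a small, structured space can be matched by hashing candidate values and comparing, whereas without the server key nobody can recompute the pseudonym from a guessed GUID. Second, the anonymize request updates the name and deletes chat lines in one transaction, and later joins do not recreate the name. The table layout, the chat reply text, the key value and the GUID are all constructed for the example.

```python
"""Constructed example: keyed pseudonymisation of a Steam GUID plus an
in-game-style anonymize request, loosely modelled on the kind of data the
post describes. Hypothetical code, not stracker's own."""
import hashlib
import hmac
import sqlite3
from typing import Optional

# Constructed server-side secret. A real deployment would load it from a
# file kept outside the database, so that a copy of the database alone is
# not enough to re-link pseudonyms to Steam accounts.
SERVER_KEY = b"constructed-example-key-do-not-use"


def pseudonymize(steam_guid: str, key: bytes = SERVER_KEY) -> str:
    """HMAC-SHA256 of the GUID under a secret key (64 hex chars).

    Unlike a bare SHA-256, the output cannot be matched against a guessed
    GUID by anyone who does not hold the key."""
    return hmac.new(key, steam_guid.encode(), hashlib.sha256).hexdigest()


# Constructed schema: players are keyed only by pseudonym (pid).
SCHEMA = """
CREATE TABLE players (pid TEXT PRIMARY KEY, name TEXT NOT NULL,
                      anonymized INTEGER NOT NULL DEFAULT 0);
CREATE TABLE laps (pid TEXT NOT NULL, track TEXT NOT NULL, lap_ms INTEGER NOT NULL);
CREATE TABLE chat (pid TEXT NOT NULL, message TEXT NOT NULL);
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def record_lap(conn, steam_guid, name, track, lap_ms) -> str:
    pid = pseudonymize(steam_guid)
    # INSERT OR IGNORE keeps an existing row, so a player who anonymized
    # earlier does not get their display name re-created on the next join.
    conn.execute("INSERT OR IGNORE INTO players (pid, name) VALUES (?, ?)", (pid, name))
    conn.execute("INSERT INTO laps VALUES (?, ?, ?)", (pid, track, lap_ms))
    conn.commit()
    return pid


def handle_chat(conn, steam_guid, message) -> Optional[str]:
    """Store an ordinary chat line, or act on the anonymize command.

    Anonymizing strips the display name and deletes the player's chat
    lines in one transaction; lap times stay under the pseudonym so the
    leaderboard remains consistent. Returns a reply for the command."""
    pid = pseudonymize(steam_guid)
    if message.strip() != "/st anonymize on":
        conn.execute("INSERT INTO chat VALUES (?, ?)", (pid, message))
        conn.commit()
        return None
    conn.execute("UPDATE players SET name = 'anonymous', anonymized = 1 WHERE pid = ?", (pid,))
    conn.execute("DELETE FROM chat WHERE pid = ?", (pid,))
    conn.commit()
    return "Your statistics are now anonymized."  # constructed reply text


def player_view(conn, steam_guid) -> dict:
    """What the statistics page would show for this player."""
    pid = pseudonymize(steam_guid)
    name, anon = conn.execute(
        "SELECT name, anonymized FROM players WHERE pid = ?", (pid,)).fetchone()
    laps = conn.execute("SELECT COUNT(*) FROM laps WHERE pid = ?", (pid,)).fetchone()[0]
    chats = conn.execute("SELECT COUNT(*) FROM chat WHERE pid = ?", (pid,)).fetchone()[0]
    return {"name": name, "anonymized": bool(anon), "laps": laps, "chat_lines": chats}


def demo():
    """Drive a session: two laps, one chat line, then the anonymize command."""
    conn = open_db()
    guid = "76561190000000000"  # constructed value, not a real account
    record_lap(conn, guid, "Neys", "spa", 141_250)
    record_lap(conn, guid, "Neys", "spa", 140_980)
    handle_chat(conn, guid, "gg")
    before = player_view(conn, guid)
    reply = handle_chat(conn, guid, "/st anonymize on")
    record_lap(conn, guid, "Neys", "spa", 140_500)  # rejoin: name must not come back
    after = player_view(conn, guid)
    return before, reply, after


if __name__ == "__main__":
    for state in demo():
        print(state)
```

The view before the command shows the name and one chat line; after it, the same pseudonym still carries all lap times, the name reads "anonymous", the chat is gone, and a further lap recorded on rejoin does not restore the name.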

TeaLeaf

Firstly, I'm not a lawyer.
Secondly, mostly lawyers are having trouble interpreting GDPR.

However, from what you said I would guess you are fine as users have all the control they need and we're only processing what we need.
TL.

Neys

Quote from TeaLeaf: "Firstly, I'm not a lawyer."

I can feel your pain - but thanks for the opinion... :)

smilodon

Likewise.

It would be nice to assume with some confidence that anyone with responsibility for enforcing GDPR would see communities like ours as amateur groups of friends trying to have fun, engage in a community and play silly games, while making absolutely no money from any of it. Sensibly they would leave us be while they go rip chunks out of Facebook, Uber, Google, Cambridge Analytica (ohh they're already doing them) etc.

That's what it would be nice to assume :blink:

I think we (Tealeaf) have done as much as reasonably could be expected to do to deal with GDPR in as much as it probably/maybe affects us.
smilodon
Whatever's gone wrong it's not my fault.

albert

In our case from a PII standpoint all members are asked what level of communications they wish to receive when they join and can change this at any time. We never ask the hated question "We might share your details with 3rd parties for marketing purposes" and in most cases we don't even know the members' real name, address, credit card info; rarely do we even know their mobile number, and if we do then it's in a forum post where members shared that info freely. I would if anything remove that post so we are totally covered.

All these emails about continuing to receive comms from certain companies are BS. If you did it right in the first place you will be GDPR compliant, and if you didn't then you cannot rectify this with an opt-in email.

My 2c worth from having read a digest of the directive.
Cheers, Bert