Data Processing Agreeent needed

Hi Klaus,
Wordfence has a slightly different setup. They collect personal information such as email addresses from the people using their plugin, eg, cases such as activating their premium features etc.
My understanding is that they would need to have a data processing agreement between WordFence (or the company owning it) and the users of their plugin from whom they collect the personal data.

AIOWPS does not collect any information (personal or otherwise) from the website owners who use this plugin.
Any data which is recorded as a result of this plugin is done by you for your own site and for your security purposes. Thus you can include your own disclaimer in your terms page to make this clear to people visiting the site.

(As far as I understand there are provisions in the GDPR for data collected for security purposes)

AIOWPS does not collect any information (personal or otherwise) from the website owners who use this plugin.

There would be a need for a data processing agreement if the developers were controllers or processors (as defined by GDPR). If they only developed the plugin (the coding) and the plugin functions as a stand alone piece of software (eg. does not send any data information to the development team and/or their data servers, no screening by servers of the developers etc.), in that case I don’t see the need of an agreement.

To assess the need of an agreement I would appreciate if the team can answer the following questions; Does the plugin sends data of my website visitors (eg. IP addresses, user-agent) to the servers of the developers?

Greetings,

Hi @ognid,

Does the plugin sends data of my website visitors (eg. IP addresses, user-agent) to the servers of the developers?

No.

Hi @wpsolutions,

Thank you for your quick response! You are an angel (and not a controller or processor).

You have provided me the most compelling argument to ditch Wordfence, and to activate AIOWPS ??

I have checked the plugin for cookies, and the plugin does not set cookies for visitors either.
So, as far as I know, your plugin is “GDPR compliant” and GDPR does not apply to the developers (no controllers/processors). You simply made available the code to ‘do it yourself’. Conclusion, no Data Processing Agreement needed.

GDPR does apply to website owners if they use the plugin (whitelisting, lock out function), but as you mentioned before, GDPR allows controllers (eg. website owners) to process personal data for security reasons.

(49) The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.

Disclaimer: I am human and not error-proof. Therefore the text above can not be seen as legal advice. But you get the picture ??

Have a nice weekend!

Greetings,
Ognid

• This reply was modified 6 years, 8 months ago by ognid. Reason: Addition of extra background information regarding GDPR

Forget to edit this part:

So, as far as I know, your plugin is “GDPR compliant” and GDPR does not apply to the developers (no controllers/processors).