Forum Replies Created

Viewing 7 replies - 31 through 37 (of 37 total)
  • Thread Starter lovinglyhappy

    (@luckilyhappy)

    Hi @wpwhitesecurity,

    Thank you for your extensive response. I had not worded my question correctly there. You are, of course, right about what you are saying about the compliance of software or plugins. In general, you are also right to remind that a lot is really about giving information.

    However: As for the 1 month period: I think this is a point where it may or may not be enough to just tell users what one does. In the end, that – unfortunate for at least one of the participants, then – may be settled in court (hopefully, of course, by the formation of a general legal opinion before that). For the question is: what is the necessary period one needs to store a certain information. And to store it beyond that can be problematic. I have compared how sample privacy declarations, privacy declaration generators etc. generally select the period of time. While in certain, mostly special and security related cases, there may be a need for a longer period of storage, perhaps even to be decided after a careful weighing of all factors for each case according to the principle of proportionality, generally speaking, what I have found has varied from 7 days to roughly a month. Yet, one of the most famous academics in IT-privacy law in Germany, for example, has selected 7 days in his sample privacy declaration. In not wishing to take any risk, I have decided, for most use cases, to generally limit the storage to 7 days. As court rulings have been quite strict recently in the field of privacy, I believe it is better to wander on the less risky side of it.

    Along these lines, I think it would be worth including such an option.

    But as the data are stored in a database, maybe I can delete them simply there?

    Thread Starter lovinglyhappy

    (@luckilyhappy)

    Thank you!

    And thank you for the helpful explanation in the link.

    Thread Starter lovinglyhappy

    (@luckilyhappy)

    Well, to my knowledge, Art. 4 I defines the term, however, not in that form that it would name everything that is to be considered personal data by name… On the contrary, the term appears to be meant to be rather encompassing, cf. https://gdpr-info.eu/issues/personal-data/.

    What you then need to do is to take the norm, have a look at all the factors used for interpreting legal norms (which may include history, motives, of course the wording etc., just the standard tools you use) and then, thus, subsume.

    My conclusion would be that I would not see a way around having to see hostnames as personal data, but I am not an expert in IT law, and I have not dived into motives, history of the norm etc. But in reading it, and having a look at the explanation in the link above, well… Of course, I would not be unhappy if my assumption would be proven invalid, one problem less to take care of…

    In any case, thank you for all your replies. If you disagree, I can only recommend to have a look at whether this topic would be decided by court one day, or whether somewhen someone will write an article about it in a legal journal. – Thank you for your patience, and all the best.

    • This reply was modified 4 years, 6 months ago by lovinglyhappy.
    Thread Starter lovinglyhappy

    (@luckilyhappy)

    Yes, thank you. But when I switch off security logging, under “Login Security” the hostnames are still shown.

    Therefore, according to the line of argument I brought above, and as, as mentioned, it can happen that the hostname may allow to make conclusions about the IP address, I do not really see how that would help webmasters to to run into a trap.

    By enabling the setting “GDPR Compliance on” for IP addresses, but not for hostnames, the website owner does not get set free from having to mention that he is storing hostnames in my eyes. So if your aim is not to put the website owner into trouble, my suggestion would be to enable replacing the hostname, too. [I understand that other security plugins do not do this at all, but as you have taken the first step, I think it would be just logical – and helpful – to do the second.]

    This would be only something to consider, though, if my argument about having to treat hostnames in the same way as IP addresses would be correct.

    • This reply was modified 4 years, 6 months ago by lovinglyhappy.
    Thread Starter lovinglyhappy

    (@luckilyhappy)

    Thank you for your response. I am not sure whether I perhaps have misunderstood something of what you wrote (or hostnames), but as for IP addresses it is simply a fact that those are viewed as data through which it is possible to identify a person and therefore to be treated at least like personal data (I am not so sure about the correct legal terminology in English, but in German they are considered to fall into the category of “personenbezogene Daten”). One might like it or not, but if one does not want to be in the danger to pay… Which leads me to: I have not found hostnames discussed either. However, if you look at my chain of arguments (i.e. they can serve to identify a single user as much as an IP address can, can they not? For you can even find the IP address from a hostname, right?), I do not see how they could be treated differently. If there is a difference, I would be glad to learn about it.

    This is not about the question whether BPS is in compliance with the GDPR (and I am not questioning it at all): The point is, that if IP addresses and (according to my line of argument) hostnames are not anonymised / if they are stored, then one has to take that into account when formulating one’s privacy declaration. I have set my webspace to deleting all server logs after 7 days, that should be safe, but if I cannot also do that with IP addresses and hostnames in security plugins, then… well…. I would need to think about what to do, and perhaps not find a legally satisfying solution. Therefore I prefer it if no personal data (or “personenbezogene Daten”) are stored at all, and if it is unavoidable, that at least there is a way to easily have them be deleted after 7 days.

    • This reply was modified 4 years, 6 months ago by lovinglyhappy. Reason: better worded
    • This reply was modified 4 years, 6 months ago by lovinglyhappy. Reason: spelling
    • This reply was modified 4 years, 6 months ago by lovinglyhappy.
    Thread Starter lovinglyhappy

    (@luckilyhappy)

    Thank you very much!

    Hi,

    I have got the same problem. Obviously I should use “[manager_link]” in order to show the URL to the subscription manager, but unfortunately there is no information provided what the URL is or how to use this in order to show this unknown URL… I would appreciate your help…

    Thank you!
