GDPR #9769
Comments
Maybe also looking into data retention for messages, for example? This would help implement the GDPR, see, for example, here. We should store data as little as possible. Messages are of course a complicated matter, I think, but keeping them forever isn't worth the risk. So for example the ability to set a global "message retention policy" would be useful, so we are able to automatically delete messages after a year.
@Wouter0100 I disagree. One of the purposes of Rocket.Chat is to provide a searchable archive of past conversations. It can't fulfill that task when all messages are deleted indiscriminately after a fixed amount of time. I could however see the usefulness of a per-channel setting so that channel owners can decide based on the purpose of the channel which retention time span might be useful.
@mootari I do agree and personally I would prefer to store it too - but as with e-mail, e-mails with customers should also be deleted after a period of time in some circumstances. Per-channel with a server-wide default would in that case be an option, I suppose.
We have discussed the retention policy with users in EU and they would prefer a deletion period setting on three levels:
So a user could decide not to keep his/her messages as the provider or the channel admin set as default.
Another GDPR issue is showing minimum personal data in the room and directory search. It is configurable site-wide which fields are used for the search in admin/Accounts, but not which fields are shown. Global search and directory search should be a permission configurable per role.
We need to separate the outstanding tasks into other issues:
@Wouter0100, @mootari and @rasos The expiration policy for messages will be implemented in the future since it's not required by GDPR (it's not unnecessary information). You already have the option to delete your profile and remove your messages or delete each message manually.
@rasos we will evaluate this idea and find some solutions that match the GDPR requirements and the minimum viable system usability. Any further questions about GDPR should be sent to our email privacy@rocket.chat Thanks
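The retention policy discussed in the comments above (a server-wide default, a per-channel setting, and a per-user choice to keep messages for a shorter time) can be expressed as a small policy resolver plus a purge selection. The following is an added example and not Rocket.Chat code; the message field names (`rid`, `u`, `ts`), the shape of the policy objects, and the "shortest configured period wins" rule are assumptions made for the illustration.

```javascript
// Added example, not Rocket.Chat code: a three-level message retention
// policy (server default, per-channel, per-user) resolved to the shortest
// period that applies, then used to pick the messages due for deletion.
// Field names (rid, u, ts) and the policy shapes are assumptions.

const DAY_MS = 24 * 60 * 60 * 1000;

// A retention value is a whole number of days, or null for "keep forever".
// The shortest configured period wins: a user or channel admin can shorten
// retention below the server default but cannot extend it.
function effectiveRetentionDays(serverDays, channelDays, userDays) {
  const configured = [serverDays, channelDays, userDays].filter((d) => d != null);
  for (const d of configured) {
    if (!Number.isInteger(d) || d < 0) {
      throw new RangeError(`invalid retention period: ${d}`);
    }
  }
  return configured.length === 0 ? null : Math.min(...configured);
}

// Return the ids of messages older than their effective retention cutoff.
// policy.channelDays and policy.userDays are plain objects keyed by room id
// and user id; a missing key means "no setting at that level".
function selectExpiredMessages(messages, policy, nowMs) {
  const expired = [];
  for (const m of messages) {
    const days = effectiveRetentionDays(
      policy.serverDays,
      policy.channelDays[m.rid] ?? null,
      policy.userDays[m.u] ?? null,
    );
    if (days === null) continue; // nothing configured at any level: keep
    if (m.ts < nowMs - days * DAY_MS) expired.push(m._id);
  }
  return expired;
}

// Constructed sample data; NOW is fixed so the run is reproducible.
const NOW = Date.UTC(2018, 4, 25);
const SAMPLE_POLICY = {
  serverDays: 365,              // "delete messages after a year"
  channelDays: { support: 90 }, // channel owner chose 90 days for #support
  userDays: { bob: 30 },        // bob chose to keep his own messages 30 days
};
const SAMPLE_MESSAGES = [
  { _id: 'm1', rid: 'general', u: 'alice', ts: NOW - 400 * DAY_MS }, // older than a year
  { _id: 'm2', rid: 'general', u: 'alice', ts: NOW - 100 * DAY_MS },
  { _id: 'm3', rid: 'general', u: 'bob',   ts: NOW - 40 * DAY_MS },  // past bob's 30 days
  { _id: 'm4', rid: 'general', u: 'bob',   ts: NOW - 10 * DAY_MS },
  { _id: 'm5', rid: 'support', u: 'alice', ts: NOW - 100 * DAY_MS }, // past the channel's 90 days
];

console.log(selectExpiredMessages(SAMPLE_MESSAGES, SAMPLE_POLICY, NOW));
// → [ 'm1', 'm3', 'm5' ]
```

The resolver treats an unset level as "no opinion" rather than as zero, so a server with no default and no channel or user settings deletes nothing. A purge job built on this selection should also remove uploaded files and search-index entries tied to the deleted messages; otherwise the personal data outlives the policy that was meant to bound it.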
Data Subject Rights
Right to Access
Part of the expanded rights of data subjects outlined by the GDPR is the right for data subjects to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format. This change is a dramatic shift to data transparency and empowerment of data subjects.
Right to be Forgotten
Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure, as outlined in article 17, include the data no longer being relevant to original purposes for processing, or a data subject withdrawing consent. It should also be noted that this right requires controllers to compare the subjects' rights to "the public interest in the availability of the data" when considering such requests.
Data Portability
GDPR introduces data portability - the right for a data subject to receive the personal data concerning them, which they have previously provided in a 'commonly used and machine readable format' and have the right to transmit that data to another controller.