Over five years ago, we defined our privacy posture on this blog.
Today, as many organizations are (finally) getting ready for the European Union (EU)’s General Data Protection Regulation (GDPR), privacy is a hot topic. I want to dive a bit deeper into what GDPR means to us at the DirTeam.com and ActiveDir.org Weblogs (dirteam.com).
I am not a lawyer.
The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union.
The proposed new EU data protection regime extends the scope of the EU data protection law to all foreign companies processing data of EU residents. It provides for a harmonization of the data protection regulations throughout the EU. GDPR is implemented per EU country and has different names in some of them. In France it’s designated as règlement général sur la protection des données (RGPD), in Germany as Datenschutz-Grundverordnung (DSGVO) and in the Netherlands as AVG.
Our posture remains unchanged
I’m sharing our thoughts on privacy in more depth in this blogpost, so you are able to understand what we’re doing and why we’re doing it, based on the main topics within GDPR:
While GDPR, strictly, only applies to EU residents and/or access from a device located within the EU, we apply our privacy standards to all visitors to the DirTeam.com and ActiveDir.org Weblogs (dirteam.com).
Lawful basis for processing
Although we don’t use any cookies on this website, we do collect information on everyone’s visits in our webserver(s) and web application firewall logs. For people who comment on our website, our technical implementation within WordPress additionally has them leave their name and an email address. This means we have access to the following information:
- Your IP-address (everyone)
- Your name (commenters only)
- Your email address (commenters only)
The information from our logs is used for analytics and security. The main purpose of collecting and storing personal data as part of our webserver(s) logs is detecting and preventing fraud and unauthorized access and maintaining the security of our systems. This is a legitimate basis in terms of article 6 paragraph 1, point F.
We deem analytics a lawful basis in terms of article 6 paragraph 1, point E. For analytics we use Matomo. We don’t use a 3rd party analytics service. Our logs do not leave our webserver(s). The information on your IP-address(es) does not leave our webserver(s). We do not share or intend to share the information in our logs with any third parties, except when law enforcement, judicial, or national security authorities ask us to disclose it. Reports are created fully automatically without human interaction or human intervention. Reports towards team members do not contain IP-addresses or specific locations or your visit(s).
Data protection officer
The DirTeam.com and ActiveDir.org Weblogs (dirteam.com) is not a public authority and our core activity is not to regularly and systematically monitor you. As per article 37 paragraph 1, we therefore do not strictly need to appoint a Data Protection Officer (DPO).
We feel we have a legal obligation to notify the supervisory authority and to notify individuals, without undue delay, when we suffer a data breach, as per Article 33.
We looked closely at ISO/IEC 30111:2013 to create a process for performing root cause analysis, weighing remediation options and notifying. As the DirTeam.com and ActiveDir.org Weblogs (dirteam.com) are operated from the Azure West Europe region and, thus, primarily hosted in the Netherlands, our breach notification is with the Dutch national data protection authority (Autoriteit Persoonsgegevens). Notifications of data breaches will also be sent to the email addresses of commenters using an encrypted email message.
We respect your rights
Through the General Data Protection Regulation (GDPR), you gain additional rights.
Right to access
Article 15 stipulates your right to get access to your personal data and information about how this personal data is being processed.
The lawful basis for processing part of this blogpost provides information on how we acquire your data, how we process your data and how your data is processed.
For requests, you can send an email to email@example.com. To execute this right upon your request, we have created a script that crawls the available webserver logs for the IP addresses you provide, if you provide proof you own or use that particular IP address or range of IP addresses. Furthermore, we use the default filtering options in WordPress to filter on the email address(es) and/or IP address(es), based on the information provided in the way you perform the request, again provided you supply proof you own or use that particular IP address or range of IP addresses. All information is shared as a comma separated value (*.csv) file.
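One way such a log-crawling script could work, as an added example (not the script this website uses): it assumes access logs in Combined Log Format, and the function names and sample lines are constructed. It matches on address-range membership instead of text search, so the export contains only the requester's own entries and never another visitor's.

```python
import csv
import io
import ipaddress
import re

# Assumption: Combined Log Format (client IP first, timestamp in brackets).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+'
)

def extract_records(log_lines, claims):
    """Return the log entries whose client IP lies inside a proven address or range."""
    # A single address becomes a /32 (or /128) network; ranges are given as CIDR.
    networks = [ipaddress.ip_network(c, strict=False) for c in claims]
    records = []
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # first field is not an IP address
        # Membership test, not substring match: a request for 192.0.2.1
        # must not disclose the entries of 192.0.2.10.
        if any(ip.version == n.version and ip in n for n in networks):
            records.append(m.groupdict())
    return records

def to_csv(records):
    """Serialise the matching entries as a CSV document."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=["ip", "time", "request", "status"])
    writer.writeheader()
    writer.writerows(records)
    return out.getvalue()

# Constructed sample log lines using documentation address ranges.
SAMPLE_LOG = [
    '192.0.2.1 - - [10/May/2018:10:00:01 +0200] "GET / HTTP/1.1" 200 5120',
    '192.0.2.10 - - [10/May/2018:10:00:02 +0200] "GET /feed HTTP/1.1" 200 900',
    '2001:db8::5 - - [10/May/2018:10:00:03 +0200] "GET /about HTTP/1.1" 200 777',
    '198.51.100.7 - - [10/May/2018:10:00:04 +0200] "POST /wp-comments-post.php HTTP/1.1" 302 0',
    'corrupt line without the expected fields',
]

if __name__ == "__main__":
    print(to_csv(extract_records(SAMPLE_LOG, ["192.0.2.1", "2001:db8::/64"])))
```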
We do not charge for your first request. We charge EUR 25 excluding VAT for any subsequent request you make.
For team members (“bloggers”) who want to leave the DirTeam.com / ActiveDir.org weblogs, we provide an automated export of their blogposts, but not the comments. Exports are XML-based (*.xml) files that can be imported into other WordPress installations or can be converted by the team member, so they can be imported into other popular blogging platforms.
Right to erasure
Article 17 provides you the right to request erasure of personal data related to you. We will act, and in the past always have acted, on requests to permanently delete comments. If you send an email to firstname.lastname@example.org, thus proving your access to the non-published email address of the comments, we will delete one, some or all of the comment(s) you made, depending on your request.
Team members (“bloggers”) have privileged access to the database, through the WordPress front-end, only. This provides them with the ability to delete their own blogposts. Two persons can delete complete blogs, upon request from team member(s).
We protect your data by design and by default
Article 25 in the General Data Protection Regulation (GDPR) states we need to implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility.
While we won’t pursue outside certification to demonstrate compliance with the requirements, we feel we protect your data by design and by default:
- We don’t use 3rd party cookies and have no intention to do so.
- All data is stored using industry-accepted encryption (AES256).
- All communications from and to our systems use industry-accepted encryption.
- We have strict scenarios for updating and upgrading our software.
- We maintain our granular role-based access control model, where we define access privileges on a need-to-know and just-in-time basis, using strict whitelisting.
- After 1 year, we automatically and permanently delete webserver and web application firewall logs. This is an automated process that does not require human interaction or human intervention. This offers a 365-day retention period for the personal data of most of our visitors.
- Our analytics solution offers a maximum 500-day retention period on visits, excluding your personal information, to our team members (“bloggers”) only.
- We review our privacy and security posture, technology, processes and organization regularly.
The above information is our promise to you to protect and store the minimum amount of personal data you provide us with.