undefined | Better HN

0 pointsIMTDb1y ago0 comments

The definition of "personal data" is so wide that it is impossible to provide any web service without collecting some form of "personal data".

If all you have is an apache web server with the default configuration serving fully static HTML / CSS page without any script tag, you already might need a DPO and complete some documents.

0 comments

diggan1y ago

> The definition of "personal data" is so wide that it is impossible to provide any web service without collecting some form of "personal data".

Just because Apache by default collect and stores IPs doesn't mean it is impossible to provide a web service without collecting personal data? Disable the IP collecting, and even the default configuration wouldn't need to follow GDPR as it again doesn't even apply.

Is there something else in Apache that collects personal data by default? If you're unsure what "persona data" really means, https://gdpr-info.eu/art-4-gdpr/ has the definition.

Not sure how HTML/CSS is relevant, it shouldn't depend on what content you're serving.

IMTDbOP1y ago

All that requires additional active effort to fight having access to any data. The more complex your infra the harder it becomes to not having to do paperwork. Include a reverse proxy, and a CDN to the above and the chance of you not having access to any "personal data" is really really close to 0 unless you spend significant engineering resources triple checking everything. Even then, if you wanna be safe you better have the paperwork ready in case you forgot something. In the example above, I hope that you would not have stopped at checking the apache configuration as I am sure you are fully aware that there are multiple log levels at the OS level that need to be tweaked as well.

This is of course despite the fact that you clearly have 0 ill intent and that none of these "personal data" can really be used for anything bad.

The mention HTML/CSS is just to make it clear that no additional data collection can happen through javascript tags (Google analytics, or any other alternative), or useful third parties. It makes total sense that if you dare use a bug tracking software, you should definitely pay hundreds of euros per month to hire a proper DPO who will handle all the paperwork or risk being exposed as the mental lunatic that the EU commission believes you are.

diggan1y ago

> All that requires additional active effort to fight having access to any data

I agree that it requires additional active effort, I'm not arguing against that. I don't agree with your original point that it's "impossible to provide any web service without collecting personal data", and it would seem you no longer agree with that either.

> It makes total sense that if you dare use a bug tracking software, you should definitely pay hundreds of euros per month to hire a proper DPO who will handle all the paperwork or risk being exposed as the mental lunatic that the EU commission believes you are.

If you willy-willy use bug tracking software that is needlessly collect and/or process EU individuals personal data, then yeah, you need to follow the regulations in the region you operate in.

If the collecting/processing actually serves a higher purpose (for your business and otherwise) then again, makes sense you need to follow the regulations.

1 more reply

j / k navigate · click thread line to collapse

0 comments

diggan1y ago

> The definition of "personal data" is so wide that it is impossible to provide any web service without collecting some form of "personal data".

Is there something else in Apache that collects personal data by default? If you're unsure what "persona data" really means, https://gdpr-info.eu/art-4-gdpr/ has the definition.

Not sure how HTML/CSS is relevant, it shouldn't depend on what content you're serving.

IMTDbOP1y ago

This is of course despite the fact that you clearly have 0 ill intent and that none of these "personal data" can really be used for anything bad.

diggan1y ago

> All that requires additional active effort to fight having access to any data

If you willy-willy use bug tracking software that is needlessly collect and/or process EU individuals personal data, then yeah, you need to follow the regulations in the region you operate in.

If the collecting/processing actually serves a higher purpose (for your business and otherwise) then again, makes sense you need to follow the regulations.

1 more reply

j / k navigate · click thread line to collapse