19237
Comment: Update section about promotion material orders
|
19301
Update section about merchandise orders
|
Deletions are marked like this. | Additions are marked like this. |
Line 38: | Line 38: |
|| Merchandise orders || We store merchandise orders information from [[https://fsfe.org/order/order|this]] form || Answering of incoming requests and sending packages || Contract || FSFE office staff and finance team. || The time to send the requested merchandise plus, if needed, checking that it arrived. (to be confirmed 2) || | ||<rowspan="2"> Merchandise orders || Order information from [[https://fsfe.org/order/order|this]] form || Answering of incoming requests, and sending packages || Contract ||<rowspan="2"> FSFE office staff and finance team. || Data is stored for 13 months after the order || || Payment information || Accounting || Legal requirements || Data is stored according to statutory storage periods || |
FSFE Records of processing activities
The goal of this page is to provide information regarding data processing at FSFE. It is still a work in progress and we are constantly improving the information. In case you have any questions about it, please get in contact with privacy@fsfe.org.
The FSFE e.V., Schönhauser Allee 6/7 Stairway 2, 5. floor 10119 Berlin Germany, is controller for all those processings, the most effective ways to contact the association are on our contact page.
Web sites : visitors
Service |
Processing |
What data is processed? |
Why is the data processed? |
What legal authorization do we have according to Article 6 of GDPR? |
Who has access? |
What is our Data retention policy? |
FSFE website |
Users visiting the website |
?? |
The web server needs the public IP addresses to serve the pages, we also use those data for debugging and security purposes |
Legitimate Interest |
|
|
PMPC website |
Users visiting the website |
Source IP, Date, HTTP request, User-agent. |
The web server needs the public IP addresses to serve the pages, we also use those data for debugging and security purposes |
Legitimate Interest |
Sysadmin |
The campaign's duration (to be confirmed 1) |
PMPC website |
Signing the open letter |
Email and name, country, ZIP code, comment |
To display signature of the open letter; |
Consent |
The public list is accessible to everyone |
The campaign's duration |
art13 savecodeshare.eu |
Signing the open letter |
Name, email, country |
To display signature of the open letter; |
Consent |
Signatures will be handed over to the Members of the European Parliament and the EU Council |
Data is stored for the container lifetime (i.e. the campaign's duration) |
art13 savecodeshare.eu |
Visiting the website |
IP addresses, SQL statements for error messages contain personal information |
The web server needs the public IP addresses to serve the pages, we also use those data for debugging and security purposes |
Legitimate interest |
system administrators |
Data is stored for the container lifetime (? 2) |
Blogs |
User visiting the website |
IP addresses |
The web server needs the public IP addresses to serve the pages, we also use those data for debugging and security purposes |
Legitimate Interest |
(missing information 3) |
(missing information 3) |
Wiki |
User visiting the website |
Source IP addresses |
The web server needs the public IP addresses to serve the pages, we also use those data for debugging and security purposes |
Legitimate Interest |
Wikicare takers, system-hackers |
We store data for 14 days |
Social Media
If you do not click on any external buttons to external sides, data will not be transferred. [TODO : Add references to privacy policies of the services we use.]
Contributing to FSFE
Service |
Processing |
What data is processed? |
Why is the data processed? |
What legal authorization do we have according to Article 6 of GDPR? |
Who has access? |
What is our Data retention policy? |
Wiki |
FSFE Wiki |
Account data (Name or Username, Pseudonym, email address from the FSFE account, optionally jabber ID), a dedicated personal page (optional), attribution for all contributions |
Wiki management and attribution of work |
Contract |
Public pages are accessible to everyone, other pages may have limited access depending on ACL |
As long as the account exist (to be confirmed 1) |
Gitea |
FSFE Gitea contributions |
Emails and usernames of registered users and the files they work with; webserver logs (source IPs) |
For authentication and operation of the platform; attribution of contribution; webserver logs for debugging |
Contract |
contribution are public, logs are accessible only to Service maintainers, system administrators |
As long as the account exist (to be confirmed 1) |
FSFE website |
Translators of the website |
name or pseudonym of translators of each page |
To attribute translation to its translators whenever they accept to be cited |
Consent |
public information |
Attribution is kept as long as the translation exist |
Orders
Processing |
What data is processed? |
Why is the data processed? |
What legal authorization do we have according to Article 6 of GDPR? |
Who has access? |
What is our Data retention policy? |
Promotion material orders |
Order information from this form |
Answering of incoming requests, sending packages, and requesting feedback |
Contract |
FSFE office staff and finance team |
Data is stored for 13 months after the order |
Generating statistics about promotion material orders |
Legitimate interest |
||||
Payment information in case a donation is made along with the order |
Accounting |
Legal requirements |
Data is stored according to statutory storage periods |
||
Merchandise orders |
Order information from this form |
Answering of incoming requests, and sending packages |
Contract |
FSFE office staff and finance team. |
Data is stored for 13 months after the order |
Payment information |
Accounting |
Legal requirements |
Data is stored according to statutory storage periods |
Supporter/Donor handling
Service |
Processing |
What data is processed? |
Why is the data processed? |
What legal authorization do we have according to Article 6 of GDPR? |
Who has access? |
What is our Data retention policy? |
Community Database |
Donations |
Data regarding our donors: information about donations transferred, automatic donation renewal status, donation receipts issued, emails if opted in |
Donor liaison, including the creation of donation receipts. |
Legal requirements |
Community database administrator, system administrators. |
(To be confirmed 1) 10 years the data necessary for accounting; as long as you are a donor plus 1 year for data allowing us to contact you; as long as you don’t opted out, the data to automatically renew your donation if you asked for it. |
Community Database |
Emails of donors |
emails if opted in |
Donor liaison, including the creation of donation receipts. |
Consent |
Community database administrator, system administrators. |
none |
FSFE website |
All data showed in thankgnus*.xhtml |
To display a list of our donors, to respect our transparency commitment and thanks our donors |
Consent |
This data is public |
As long as the FSFE exist or until the person revoke his or her consent |
|
Community Database |
FSFE Account |
Data for our supporters, staff, contractors, and volunteers: registration status, blacklisting status, name, birthday, sex, preferred language, postal address, primary and secondary email address, opt-in information for communication, username and password (never in clear-text) for FSFE services, information about fellowship cards received, data modification history. Italic information is voluntary. |
Supporter management |
Consent for supporters and volunteers |
Community database administrator, system administrators. |
Data is automatically deleted if the registration is not confirmed (through approval by a team coordinator) within 6 weeks after signup. Upon explicit request, data is anonymised. |
Communications means
Service |
Processing |
What data is processed? |
Why is the data processed? |
What legal authorization do we have according to Article 6 of GDPR? |
Who has access? |
What is our Data retention policy? |
Mailman |
Mailing lists (https://lists.fsfe.org/mailman/listinfo) |
Email address, full name or pseudonym (if the person choose to insert one), subscription details, logging see the official Mailman page |
To manage the mails going from and to the list the individual subscribed to. |
Consent (for each mailing list) |
Mails on the mailing list may have different level of publicity from public (archive included) to restricted to a given group (see description of the list for more information) <BR> ADMIN-TECH,List-Admins,team@ may have access to all mails |
Posts and subscriptions are stored for 1 year, bounces and errors are stored for 1 month, messages sent by Mailman itself are stored for 1 week, digests are stored for 4 months |
QuickML |
Mailing list |
Email addresses |
To manage the mails going from and to the list the individual subscribed to. |
Consent (for each mailing list) |
?? |
?? |
Newsletter |
Newsletter |
Email addresses, preferred language |
To send the newsletter in the good language |
Consent |
Sysadmin, PR team |
As long as subscribed. |
OTRS |
Tickets processing |
All communication around the tickets, in the format of emails exchanged |
Answering of incoming requests. |
Consent |
FSFE core team. |
The time to close the issue raised + X months (To Be determined 1) |
Discourse |
Webserver |
IP Addresses, post timings, usernames, posts |
IP addresses are collected by discourse to prevent and block spam |
Consent |
system administrators + service maintainers |
Data is stored for the container lifetime |
CARE Team |
CoC and sanction management (To be confirmed 2) |
Depending on the situation, identification data (name/pseudo/description), contact (emails, phone number) etc. |
Data are processed to solve CoC infringement |
Legitimate interest |
CARE Team |
The time needed to solve the situation. Information regarding blacklisted individuals are kept for the time of the sanction. |
Communications tools for the FSFE community
Service |
Processing |
What data is processed? |
Why is the data processed? |
What legal authorization do we have according to Article 6 of GDPR? |
Who has access? |
What is our Data retention policy? |
Email server |
Emails processing and forwarding |
Email addresses + logs (send, receive emails, hostnames, IP addresses of messages sent through SMTP, etc) |
To manage the forward email service and assure a basic level of spam control |
Consent for providing emails and legitimate interest for spam control |
Albert Jonas Matthias Max Paul fellowship@klaproth |
1 month |
IRC Cloaks |
|
|
|
|
|
|
Jabber / XMPP |
Massage processing |
Account rosters, logs (connect, disconnect, messages process and possibly stored temporally on the server (offline storage + muc preview), status messages, with debug logging up to who talks to whom) |
Debugging purposes |
Consent for accessing the service |
system administrators |
2 weeks |
Blogs |
Writing your blog |
Your account (Username, nickname, email addresses, more is optional), your articles, log data |
To provide a platform for blogs |
Contract |
article publicity depends on the owner choosing |
Until you delete your blog or we discontinue the service |
Employee information and tools
Service |
Processing |
What data is processed? |
Why is the data processed? |
What legal authorization do we have according to Article 6 of GDPR? |
Who has access? |
What is our Data retention policy? |
Finance Archive |
Storage of financial and employee records |
Transaction data from all bank accounts, includes names of all people who send or receive money to/from FSFE. |
To do our accounting |
Legal requirements (we have to keep them for 10 years by law) |
Financial team, tax consultant, legal authorities. |
Information older than X>10 (11?) years are deleted after the annual closure of our accounts (to be confirmed 2) |
Finance Archive |
(not an independent processing) |
SSH connections are logged (IP Addresses + username) |
for debugging and security purposes |
not applicable (not an independent processing) |
coordinator and deputy coordinator system administration team , finance team |
1 month |
FSFE website |
Per diem calculator (used for travels reimbursement) |
The data entered in the form |
To help staffers to calculate allowance |
Contract (employment/Intern contract) |
Website administrators can access log (to be confirmed 1) |
The data is not stored |
Nextcloud |
Nextcloud Account management |
Emails and usernames of registered users and the files they work with; calendar and contact entries; webserver logs (user agent) |
Main working tool for everyday tasks (from sharing documents to calendar and conatact management) |
Contract (employment/Intern contract) |
Service maintainers, system administrators |
account: (missing information 3) Data: unlimited / until user deletes data; logs of data: until service update |
Nextcloud |
(not an independent processing) |
webserver logs (user agent) |
Security and debugging |
not applicable (not an independent processing) |
Service maintainers, system administrators |
logs: until service update |
OTRS |
Job and internship applications |
Job and internship applications are stored as OTRS tickets, after a decision the ticket with attachments will be deleted |
Answering and reviewing applications |
Consent |
FSFE council members and staff. We may share the application with advisors and members |
(missing information 4). |
Security principles
- [DRAFT]
By default, we apply the following principles to assure the security of your data:
- we use only Free Software and open standards;
- we apply a need to know principle for all our processing;
- no password is in cleartext;
- we log the minimum amount of information to allow us to debug or assure the security of our system;
- we in general encourage staff and volunteers to use encryption for communication and file storage;
- very few people have access to servers where the data is stored