|
Size: 18169
Comment:
|
Size: 21091
Comment: Replaced with a more appropriate word - I hope this is fine.
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 12: | Line 12: |
| || '''Service''' ||'''Processing'''||'''What data is processed?'''||'''Why is the data processed?'''||'''What legal authorization do we have according to [[https://gdpr-info.eu/art-6-gdpr/|Article 6]] of GDPR?'''||'''Who has access?'''||'''What is our Data retention policy?'''|| || FSFE website || Users visiting the website|| ?? || || || || || || PMPC website || Users visiting the website|| Source IP, Date, HTTP request, User-agent|| The web server needs the public IP addresses to serve requests || Legitimate Interest || Sysadmin || The campaign's duration (to be confirmed 1)|| || PMPC website || Signing the open letter || Email and name, ''country, ZIP code, comment'' <<BR>> ''Italic'' information is voluntary|| To display signature of the open letter; <<BR>> to give updates about the campaign (specific consent) <BR>> To add the signature to the public list (specific consent) || consent [[https://publiccode.eu/privacy/|Link to privacy policy]] || The public list is accessible to everyone <<BR>> PMPC coordinator <<BR>> Sysadmin for others information || The campaign's duration || || art13 savecodeshare.eu || Signing the open letter || Name, email, ''country'' <<BR>> ''Italic'' information is voluntary|| To display signature of the open letter; <<BR>> to give updates about the campaign (specific consent) || consent [[https://wiki.fsfe.org/Activities/Privacy/PolicyDraft/Art13|Link to privacy policy]] || Signatures will be handed over to the Members of the European Parliament and the EU Council <<BR>> system administrators || Data is stored for the container lifetime (i.e. the campaign's duration) <<BR>> Data may be kept by the Members of the European Parliament and the EU Council for an unknown time || || art13 savecodeshare.eu || Visiting the website || IP addresses, SQL statements for error messages contain personal information|| Error message are used for debugging, the webserver needs to know the source IP address || Legitimate interest || system administrators || Data is stored for the container lifetime (? 2) || || Blogs || User visiting the website || IP addresses || Error message are used for debugging, the web server needs to know the source IP address || Legitimate Interest || (missing information 3) || (missing information 3)|| || Wiki || Webserver || Source IP addresses || Debugging and security purposes || Legitimate Interest||Wikicare takers, system-hackers || We store data for 14 days|| |
|| '''Service''' ||'''Processing'''||'''What data is processed?'''||'''Why is the data processed?'''||'''What legal permission do we have according to [[https://gdpr-info.eu/art-6-gdpr/|Article 6]] of GDPR?'''||'''Who has access?'''||'''What is our Data retention policy?'''|| || FSFE website || Users visiting the website|| ?? || The web server needs the public IP addresses to serve the pages, we also use those data for debugging and security purposes || Legitimate Interest || || || || PMPC website || Users visiting the website|| Source IP, Date, HTTP request, User-agent.<<BR>>The source IP is the IP address of our reverse proxy, not a personnal information || The web server needs the public IP addresses to serve the pages, we also use those data for debugging and security purposes || Legitimate Interest || Sysadmin || The campaign's duration (to be confirmed 1)|| || PMPC website || Signing the open letter || Email and name, ''country, ZIP code, comment'' <<BR>> ''Italic'' information is voluntary|| To display signature of the open letter; <<BR>> to give updates about the campaign(specific consent) <<BR>> To add the signature to the public list(specific consent) || Consent <<BR>> [[https://publiccode.eu/privacy/|Link to privacy policy]] || The public list is accessible to everyone <<BR>> PMPC coordinator and Sysadmin for others information || The campaign's duration || || art13 savecodeshare.eu || Signing the open letter || Name, email, ''country'' <<BR>> ''Italic'' information is voluntary|| To display signature of the open letter; <<BR>> to give updates about the campaign (specific consent) || Consent <<BR>> [[https://wiki.fsfe.org/Activities/Privacy/PolicyDraft/Art13|Link to privacy policy]] || Signatures will be handed over to the Members of the European Parliament and the EU Council <<BR>> Sysadmin access everything || Data is stored for the container lifetime (i.e. the campaign's duration) <<BR>> Data may be kept by the Members of the European Parliament and the EU Council for an unknown time || || art13 savecodeshare.eu || Visiting the website || IP addresses, SQL statements for error messages contain personal information <<BR>>The IP is the IP address of our reverse proxy, not a personnal information || The web server needs the public IP addresses to serve the pages, we also use those data for debugging and security purposes || Legitimate interest || system administrators || Data is stored for the container lifetime (? 2) || || Blogs || User visiting the website || IP addresses ||The web server needs the public IP addresses to serve the pages, we also use those data for debugging and security purposes || Legitimate Interest || (missing information 3) || (missing information 3)|| || Wiki || User visiting the website || Source IP addresses || The web server needs the public IP addresses to serve the pages, we also use those data for debugging and security purposes || Legitimate Interest||Wikicare takers, system-hackers || We store data for 14 days|| |
| Line 26: | Line 26: |
| == Contributing to FSFE == | == Collaboration == |
| Line 28: | Line 29: |
| || Webserver + build system|| Webserver || || || || || || || Wiki || FSFE Wiki || Account data (Name or Username, Pseudonym, email address from the FSFE account, optionally jabber ID), a dedicated personal page (optional), attribution for all contributions <<BR>> || Wiki management and attribution of work || Contract of services or Consent (to be confirmed)|| Public pages are accessible to everyone, other pages may have limited access depending on ACL (cf. https://wiki.fsfe.org/TechDocs/Wiki) || As long as the account exist (to be confirmed 1)|| || Gitea || FSFE Gitea contributions || Emails and usernames of registered users and the files they work with; webserver logs (source IPs)||For authentication and operation of the platform; attribution of contribution; webserver logs for debugging || Contract of services or Consent (to be confirmed) || contribution are public, logs are accessible only to Service maintainers, system administrators || Contribution is kept as long as the account exists (to be confirmed 2); 1 week for logs || || FSFE website ||Translators of the website|| name or pseudonym of translators of each page || To attribute translation to its translators whenever they accept to be cited || consent || public information || Attribution is kept as long as the translation exist || |
||<rowspan="2"> Community Database and LDAP server || FSFE account management || Name, email address, username, password hash || Managing access to FSFE's online services || Legitimate interest || Community database administrator || Data is stored as long as the account exists || || Community data maintenance || Birthday, sex, preferred language, postal address, secondary email address || Managing FSFE's community of contributors || Consent || Community database administrator || Data can be changed or deleted at any time by the subject || || Wiki || FSFE Wiki || Account data (Name or Username, Pseudonym, email address from the FSFE account, optionally jabber ID), a dedicated personal page (optional), attribution for all contributions <<BR>> || Wiki management and attribution of work || Contract || Public pages are accessible to everyone, other pages may have limited access depending on [[https://wiki.fsfe.org/TechDocs/Wiki)|ACL]] || As long as the account exist (to be confirmed 1) <<BR>> As the account is the base to attribution of contribution, we do not delete account without the data subject request.|| || Gitea || FSFE Gitea contributions || Emails and usernames of registered users and the files they work with; webserver logs (source IPs)||For authentication and operation of the platform; attribution of contribution; webserver logs for debugging || Contract || contribution are public, logs are accessible only to Service maintainers, system administrators || As long as the account exist (to be confirmed 1) <<BR>> As the account is the base to attribution of contribution, we do not delete account without the data subject request. <<BR>> <<BR>> 1 week for logs || || FSFE website ||Translators of the website|| name or pseudonym of translators of each page || To attribute translation to its translators whenever they accept to be cited || Consent || public information || Attribution is kept as long as the translation exist || || Reimbursements || Financial reimbursements for expenses || All communication around the reimbursement including payment data || Reimbursing (paid and volunteer) contributors for their expenses || Contract || Financial team, parties involved in the payment processing, tax consultant, public authorities || Data is stored according to statutory storage periods || |
| Line 35: | Line 38: |
| || OTRS || Promo orders|| We store promo orders information from [[https://fsfe.org/contribute/spreadtheword|this]] form ||Answering of incoming requests and sending packages|| Consent ||FSFE office staff and finance team.|| The time to send the requested promotional documents and, if needed, checking that it arrived. (to be confirmed 1) || || OTRS || Merchandise orders|| We store merchandise orders information from [[https://fsfe.org/order/order.html|this]] form ||Answering of incoming requests and sending packages|| Consent ||FSFE office staff and finance team.|| The time to send the requested merchandise plus, if needed, checking that it arrived. (to be confirmed 2)|| |
||'''Processing'''||'''What data is processed?'''||'''Why is the data processed?'''||'''What legal authorization do we have according to [[https://gdpr-info.eu/art-6-gdpr/|Article 6]] of GDPR?'''||'''Who has access?'''||'''What is our Data retention policy?'''|| ||<rowspan="3"> Promotion material orders ||<rowspan="2"> Order information from [[https://fsfe.org/contribute/spreadtheword|this]] form || Answering of incoming requests, sending packages, and requesting feedback || Contract ||<rowspan="2"> FSFE office staff and financial team ||<rowspan="2"> Data is stored for 13 months after the order || || Generating statistics about promotion material orders || Legitimate interest || || Payment information in case a donation is made along with the order || Accounting || Legal requirements || Financial team, parties involved in the payment processing, tax consultant, public authorities || Data is stored according to statutory storage periods || ||<rowspan="2"> Merchandise orders || Order information from [[https://fsfe.org/order/order|this]] form || Answering of incoming requests, and sending packages || Contract || FSFE office staff and financial team. || Data is stored for 13 months after the order || || Payment information || Accounting || Legal requirements || Financial team, parties involved in the payment processing, tax consultant, public authorities || Data is stored according to statutory storage periods || ||<rowspan="2"> Registration for participation in FSFE events || Information entered into each event registration form || To organize each FSFE event || Consent || FSFE office staff and financial team || Data is stored for 1 month after the end date of each FSFE event || || Payment information || Accounting || Legal requirements || Financial team, parties involved in the payment processing, tax consultant, public authorities || Data is stored according to statutory storage periods || || Registration for Legal Network membership || Information entered into [[https://fsfe.org/activities/ftf/ln-application.en.html|this]] form || To determine eligibility for Legal Network membership || Consent || FSFE office staff, Legal Team || Data is stored as long as the subject is a member of the Legal Network|| |
| Line 38: | Line 48: |
| == Donations == | |
| Line 39: | Line 50: |
| == Supporter/Donor handling == || '''Service''' ||'''Processing'''||'''What data is processed?'''||'''Why is the data processed?'''||'''What legal authorization do we have according to [[https://gdpr-info.eu/art-6-gdpr/|Article 6]] of GDPR?'''||'''Who has access?'''||'''What is our Data retention policy?'''|| ||Community Database|| Donations || Data regarding our donors: information about donations transferred, automatic donation renewal status, donation receipts issued, emails if opted in|| Donor liaison, including the creation of donation receipts.||Legal requirements ||Community database administrator, system administrators.|| (To be confirmed 1) 10 years the data necessary for accounting; as long as you are a donor plus 1 year for data allowing us to contact you; as long as you don’t opted out, the data to automatically renew your donation if you asked for it. || ||Community Database || Emails of donors || emails if opted in|| Donor liaison, including the creation of donation receipts.|| Consent ||Community database administrator, system administrators.|| none || ||FSFE website || [[https://fsfe.org/donate/thankgnus.en.html|Donors page]] || All data showed in [[https://git.fsfe.org/FSFE/fsfe-website/src/branch/master/donate|thankgnus*.xhtml]] || To display a list of our donors, to respect our transparency commitment and thanks our donors || Consent || This data is public || As long as the FSFE exist or until the person revoke his or her consent|| ||Community Database|| FSFE Account || Data for our supporters, staff, contractors, and volunteers: registration status, blacklisting status, name, ''birthday'', ''sex'', ''preferred language'', ''postal address'', primary ''and secondary'' email address, opt-in information for communication, username and password (never in clear-text) for FSFE services, information about fellowship cards received, data modification history. ''Italic'' information is voluntary.|| Supporter management <<BR>> Access management to FSFE's online services. <<BR>> Statistical queries. || Consent for supporters and volunteers <<BR>> Contract for staff and contractors|| Community database administrator, system administrators.||Data is automatically deleted if the registration is not confirmed (through approval by a team coordinator) within 6 weeks after signup. Upon explicit request, data is anonymised.|| |
||'''Processing'''||'''What data is processed?'''||'''Why is the data processed?'''||'''What legal authorization do we have according to [[https://gdpr-info.eu/art-6-gdpr/|Article 6]] of GDPR?'''||'''Who has access?'''||'''What is our Data retention policy?'''|| || All Donations || Name, email address, date of payment, payment method, amount || Processing the donation, accounting || Legal requirements || Community database administrator, financial team, parties involved in the payment processing, tax consultant, public authorities || Data is stored according to statutory storage periods || || Supporter contributions || Name, email address, date/method/amount of last payment, automatic renewal status || Reminding supporters of the next contribution || Contract || Community database administrator || Data is processed as long as the subject participates in FSFE's supporter program || || Donations for which a donation receipt is requested || Name, postal address, date of payment, amount, date of donation receipt || Issuing donation receipts || Legal requirements || Community database administrator, financial team, tax consultant, public authorities || Data is stored according to statutory storage periods || || Donations >= 480 € per year or 40 € per month || Name, donation category || Maintaining the public [[https://fsfe.org/donate/thankgnus.en.html|donors list]] for reasons of transparency and recognition || Consent || This data is public || As long as the FSFE exists or until the person revoke his or her consent || |
| Line 51: | Line 59: |
| || Community emails || Emails from the FSFE to its communiy || Name, email address, preferred language (optional), sex (optional, to allow for correct grammar), postal address (optional, to allow for region-specific information) || Keeping the FSFE community informed || Consent || Community database administrator || Consent can at any time be revoked by the subject || | |
| Line 73: | Line 82: |
| || Weekly timelogs || Communication weekly activities in encrypted mail || Data about time spent on different activities || To keep track of overtime and remaining vacation days || Contract (employment/Intern contract) || Mails encrypted to FSFE Council members || Data should be deleted after accounting for the year is done.|| | |
| Line 101: | Line 111: |
| || Mailtrain + ZoneMTA || Emails processing || Email address, full name, subscription details || || || || Data is stored for the container lifetime || }}} | || Mailtrain + ZoneMTA || Emails processing || Email address, full name, subscription details || || || || Data is stored for the container lifetime || || Webserver + build system|| Webserver || || || || || ||}}} |
| Line 104: | Line 115: |
| == Security principle == | == Security principles == |
| Line 108: | Line 119: |
| * we use only Free Software; | * we use only Free Software and open standards; |
| Line 110: | Line 121: |
| * no password is in cleartext, we rely on [[https://en.wikipedia.org/wiki/Cryptographic_hash_function|hash functions]] and [[https://en.wikipedia.org/wiki/Public-key_cryptography|public-key cryptography]] to store them; | * no password is in cleartext; |
FSFE Records of processing activities
The goal of this page is to provide information regarding data processing at FSFE. It is still a work in progress and we are constantly improving the information. In case you have any questions about it, please get in contact with privacy@fsfe.org.
The FSFE e.V., Schönhauser Allee 6/7 Stairway 2, 5. floor 10119 Berlin Germany, is controller for all those processings, the most effective ways to contact the association are on our contact page.
Web sites : visitors
Service |
Processing |
What data is processed? |
Why is the data processed? |
What legal permission do we have according to Article 6 of GDPR? |
Who has access? |
What is our Data retention policy? |
FSFE website |
Users visiting the website |
?? |
The web server needs the public IP addresses to serve the pages, we also use those data for debugging and security purposes |
Legitimate Interest |
|
|
PMPC website |
Users visiting the website |
Source IP, Date, HTTP request, User-agent. |
The web server needs the public IP addresses to serve the pages, we also use those data for debugging and security purposes |
Legitimate Interest |
Sysadmin |
The campaign's duration (to be confirmed 1) |
PMPC website |
Signing the open letter |
Email and name, country, ZIP code, comment |
To display signature of the open letter; |
Consent |
The public list is accessible to everyone |
The campaign's duration |
art13 savecodeshare.eu |
Signing the open letter |
Name, email, country |
To display signature of the open letter; |
Consent |
Signatures will be handed over to the Members of the European Parliament and the EU Council |
Data is stored for the container lifetime (i.e. the campaign's duration) |
art13 savecodeshare.eu |
Visiting the website |
IP addresses, SQL statements for error messages contain personal information |
The web server needs the public IP addresses to serve the pages, we also use those data for debugging and security purposes |
Legitimate interest |
system administrators |
Data is stored for the container lifetime (? 2) |
Blogs |
User visiting the website |
IP addresses |
The web server needs the public IP addresses to serve the pages, we also use those data for debugging and security purposes |
Legitimate Interest |
(missing information 3) |
(missing information 3) |
Wiki |
User visiting the website |
Source IP addresses |
The web server needs the public IP addresses to serve the pages, we also use those data for debugging and security purposes |
Legitimate Interest |
Wikicare takers, system-hackers |
We store data for 14 days |
Social Media
If you do not click on any external buttons to external sides, data will not be transferred. [TODO : Add references to privacy policies of the services we use.]
Collaboration
Service |
Processing |
What data is processed? |
Why is the data processed? |
What legal authorization do we have according to Article 6 of GDPR? |
Who has access? |
What is our Data retention policy? |
Community Database and LDAP server |
FSFE account management |
Name, email address, username, password hash |
Managing access to FSFE's online services |
Legitimate interest |
Community database administrator |
Data is stored as long as the account exists |
Community data maintenance |
Birthday, sex, preferred language, postal address, secondary email address |
Managing FSFE's community of contributors |
Consent |
Community database administrator |
Data can be changed or deleted at any time by the subject |
|
Wiki |
FSFE Wiki |
Account data (Name or Username, Pseudonym, email address from the FSFE account, optionally jabber ID), a dedicated personal page (optional), attribution for all contributions |
Wiki management and attribution of work |
Contract |
Public pages are accessible to everyone, other pages may have limited access depending on ACL |
As long as the account exist (to be confirmed 1) |
Gitea |
FSFE Gitea contributions |
Emails and usernames of registered users and the files they work with; webserver logs (source IPs) |
For authentication and operation of the platform; attribution of contribution; webserver logs for debugging |
Contract |
contribution are public, logs are accessible only to Service maintainers, system administrators |
As long as the account exist (to be confirmed 1) |
FSFE website |
Translators of the website |
name or pseudonym of translators of each page |
To attribute translation to its translators whenever they accept to be cited |
Consent |
public information |
Attribution is kept as long as the translation exist |
Reimbursements |
Financial reimbursements for expenses |
All communication around the reimbursement including payment data |
Reimbursing (paid and volunteer) contributors for their expenses |
Contract |
Financial team, parties involved in the payment processing, tax consultant, public authorities |
Data is stored according to statutory storage periods |
Orders
Processing |
What data is processed? |
Why is the data processed? |
What legal authorization do we have according to Article 6 of GDPR? |
Who has access? |
What is our Data retention policy? |
Promotion material orders |
Order information from this form |
Answering of incoming requests, sending packages, and requesting feedback |
Contract |
FSFE office staff and financial team |
Data is stored for 13 months after the order |
Generating statistics about promotion material orders |
Legitimate interest |
||||
Payment information in case a donation is made along with the order |
Accounting |
Legal requirements |
Financial team, parties involved in the payment processing, tax consultant, public authorities |
Data is stored according to statutory storage periods |
|
Merchandise orders |
Order information from this form |
Answering of incoming requests, and sending packages |
Contract |
FSFE office staff and financial team. |
Data is stored for 13 months after the order |
Payment information |
Accounting |
Legal requirements |
Financial team, parties involved in the payment processing, tax consultant, public authorities |
Data is stored according to statutory storage periods |
|
Registration for participation in FSFE events |
Information entered into each event registration form |
To organize each FSFE event |
Consent |
FSFE office staff and financial team |
Data is stored for 1 month after the end date of each FSFE event |
Payment information |
Accounting |
Legal requirements |
Financial team, parties involved in the payment processing, tax consultant, public authorities |
Data is stored according to statutory storage periods |
|
Registration for Legal Network membership |
Information entered into this form |
To determine eligibility for Legal Network membership |
Consent |
FSFE office staff, Legal Team |
Data is stored as long as the subject is a member of the Legal Network |
Donations
Processing |
What data is processed? |
Why is the data processed? |
What legal authorization do we have according to Article 6 of GDPR? |
Who has access? |
What is our Data retention policy? |
All Donations |
Name, email address, date of payment, payment method, amount |
Processing the donation, accounting |
Legal requirements |
Community database administrator, financial team, parties involved in the payment processing, tax consultant, public authorities |
Data is stored according to statutory storage periods |
Supporter contributions |
Name, email address, date/method/amount of last payment, automatic renewal status |
Reminding supporters of the next contribution |
Contract |
Community database administrator |
Data is processed as long as the subject participates in FSFE's supporter program |
Donations for which a donation receipt is requested |
Name, postal address, date of payment, amount, date of donation receipt |
Issuing donation receipts |
Legal requirements |
Community database administrator, financial team, tax consultant, public authorities |
Data is stored according to statutory storage periods |
Donations >= 480 € per year or 40 € per month |
Name, donation category |
Maintaining the public donors list for reasons of transparency and recognition |
Consent |
This data is public |
As long as the FSFE exists or until the person revoke his or her consent |
Communications means
Service |
Processing |
What data is processed? |
Why is the data processed? |
What legal authorization do we have according to Article 6 of GDPR? |
Who has access? |
What is our Data retention policy? |
Community emails |
Emails from the FSFE to its communiy |
Name, email address, preferred language (optional), sex (optional, to allow for correct grammar), postal address (optional, to allow for region-specific information) |
Keeping the FSFE community informed |
Consent |
Community database administrator |
Consent can at any time be revoked by the subject |
Mailman |
Mailing lists (https://lists.fsfe.org/mailman/listinfo) |
Email address, full name or pseudonym (if the person choose to insert one), subscription details, logging see the official Mailman page |
To manage the mails going from and to the list the individual subscribed to. |
Consent (for each mailing list) |
Mails on the mailing list may have different level of publicity from public (archive included) to restricted to a given group (see description of the list for more information) <BR> ADMIN-TECH,List-Admins,team@ may have access to all mails |
Posts and subscriptions are stored for 1 year, bounces and errors are stored for 1 month, messages sent by Mailman itself are stored for 1 week, digests are stored for 4 months |
QuickML |
Mailing list |
Email addresses |
To manage the mails going from and to the list the individual subscribed to. |
Consent (for each mailing list) |
?? |
?? |
Newsletter |
Newsletter |
Email addresses, preferred language |
To send the newsletter in the good language |
Consent |
Sysadmin, PR team |
As long as subscribed. |
OTRS |
Tickets processing |
All communication around the tickets, in the format of emails exchanged |
Answering of incoming requests. |
Consent |
FSFE core team. |
The time to close the issue raised + X months (To Be determined 1) |
Discourse |
Webserver |
IP Addresses, post timings, usernames, posts |
IP addresses are collected by discourse to prevent and block spam |
Consent |
system administrators + service maintainers |
Data is stored for the container lifetime |
CARE Team |
CoC and sanction management (To be confirmed 2) |
Depending on the situation, identification data (name/pseudo/description), contact (emails, phone number) etc. |
Data are processed to solve CoC infringement |
Legitimate interest |
CARE Team |
The time needed to solve the situation. Information regarding blacklisted individuals are kept for the time of the sanction. |
Communications tools for the FSFE community
Service |
Processing |
What data is processed? |
Why is the data processed? |
What legal authorization do we have according to Article 6 of GDPR? |
Who has access? |
What is our Data retention policy? |
Email server |
Emails processing and forwarding |
Email addresses + logs (send, receive emails, hostnames, IP addresses of messages sent through SMTP, etc) |
To manage the forward email service and assure a basic level of spam control |
Consent for providing emails and legitimate interest for spam control |
Albert Jonas Matthias Max Paul fellowship@klaproth |
1 month |
IRC Cloaks |
|
|
|
|
|
|
Jabber / XMPP |
Massage processing |
Account rosters, logs (connect, disconnect, messages process and possibly stored temporally on the server (offline storage + muc preview), status messages, with debug logging up to who talks to whom) |
Debugging purposes |
Consent for accessing the service |
system administrators |
2 weeks |
Blogs |
Writing your blog |
Your account (Username, nickname, email addresses, more is optional), your articles, log data |
To provide a platform for blogs |
Contract |
article publicity depends on the owner choosing |
Until you delete your blog or we discontinue the service |
Employee information and tools
Service |
Processing |
What data is processed? |
Why is the data processed? |
What legal authorization do we have according to Article 6 of GDPR? |
Who has access? |
What is our Data retention policy? |
Finance Archive |
Storage of financial and employee records |
Transaction data from all bank accounts, includes names of all people who send or receive money to/from FSFE. |
To do our accounting |
Legal requirements (we have to keep them for 10 years by law) |
Financial team, tax consultant, legal authorities. |
Information older than X>10 (11?) years are deleted after the annual closure of our accounts (to be confirmed 2) |
Finance Archive |
(not an independent processing) |
SSH connections are logged (IP Addresses + username) |
for debugging and security purposes |
not applicable (not an independent processing) |
coordinator and deputy coordinator system administration team , finance team |
1 month |
FSFE website |
Per diem calculator (used for travels reimbursement) |
The data entered in the form |
To help staffers to calculate allowance |
Contract (employment/Intern contract) |
Website administrators can access log (to be confirmed 1) |
The data is not stored |
Weekly timelogs |
Communication weekly activities in encrypted mail |
Data about time spent on different activities |
To keep track of overtime and remaining vacation days |
Contract (employment/Intern contract) |
Mails encrypted to FSFE Council members |
Data should be deleted after accounting for the year is done. |
Nextcloud |
Nextcloud Account management |
Emails and usernames of registered users and the files they work with; calendar and contact entries; webserver logs (user agent) |
Main working tool for everyday tasks (from sharing documents to calendar and conatact management) |
Contract (employment/Intern contract) |
Service maintainers, system administrators |
account: (missing information 3) Data: unlimited / until user deletes data; logs of data: until service update |
Nextcloud |
(not an independent processing) |
webserver logs (user agent) |
Security and debugging |
not applicable (not an independent processing) |
Service maintainers, system administrators |
logs: until service update |
OTRS |
Job and internship applications |
Job and internship applications are stored as OTRS tickets, after a decision the ticket with attachments will be deleted |
Answering and reviewing applications |
Consent |
FSFE council members and staff. We may share the application with advisors and members |
(missing information 4). |
Security principles
- [DRAFT]
By default, we apply the following principles to assure the security of your data:
- we use only Free Software and open standards;
- we apply a need to know principle for all our processing;
- no password is in cleartext;
- we log the minimum amount of information to allow us to debug or assure the security of our system;
- we in general encourage staff and volunteers to use encryption for communication and file storage;
- very few people have access to servers where the data is stored