On Tue, 2019-01-08 at 09:59 -0500, Owen Taylor wrote: > On Tue, Jan 8, 2019 at 7:17 AM Benjamin Berg <bberg@xxxxxxxxxx> wrote: > > On Tue, 2019-01-08 at 12:33 +0100, Miroslav Suchý wrote: > > > Dne 08. 01. 19 v 11:35 Nicolas Mailhot napsal(a): > > > > *which* *do* *not* *permit* *or* *no* *longer* *permit* *the* > > > > *identification* *of* *data* *subjects* > > > > > > How do you identify data subject solely on UUID? > > > > You also inherently collect information such as the IP and the > > timestamp of the request which in principle permits identification. You > > could for example collect the IP from Fedora account logins and one of > > these pings. This way you can de-anonymise the data collected for the > > UUID. > > We can certainly implement a setup that does not collect or store the > UUID together with the IP address or timestamp. Send the UUID as a > HTTP header, don't log it, send the UUID off to a counting service > (*). If we make sure the UUID is protected in transit, sent only to > our own servers (or servers configured by the user), and not collected > or stored in a personally identifiable way, I suspect that we're > meeting our obligations under the GDPR, though we'd need to > double-check any selected solution carefully. You are right that it is possible to immediately discard or obfuscate the information. But, as Nicolas pointed out, the argument here is that the UUID itself likely needs to be considered "personal data" in the GDPR sense. And even doing something as minimal as that seems to imply "processing"[1] the data in the GDPR sense. Benjamin [1] The definition of "processing" reads: """ ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; """ _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
