On Tue, Jan 08, 2019 at 08:38:01PM +0100, Benjamin Berg wrote: > > We can certainly implement a setup that does not collect or store the > > UUID together with the IP address or timestamp. Send the UUID as a > > HTTP header, don't log it, send the UUID off to a counting service > > (*). If we make sure the UUID is protected in transit, sent only to > > our own servers (or servers configured by the user), and not collected > > or stored in a personally identifiable way, I suspect that we're > > meeting our obligations under the GDPR, though we'd need to > > double-check any selected solution carefully. > > You are right that it is possible to immediately discard or obfuscate > the information. > > But, as Nicolas pointed out, the argument here is that the UUID itself > likely needs to be considered "personal data" in the GDPR sense. And > even doing something as minimal as that seems to imply "processing"[1] > the data in the GDPR sense. Nb. “UUID” sounds terribly technical. Can we use some term which is already known and understood by users, e.g. Advertising ID? -- Tomasz Torcz 72->| 80->| xmpp: zdzichubg@xxxxxxxxx 72->| 80->| _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
