[wp-meta] [Making WordPress.org] #7403: Plugin Directory: Field on plugin info page for GDPR data collection Privacy
Making WordPress.org
noreply at wordpress.org
Mon Jan 15 09:42:21 UTC 2024
#7403: Plugin Directory: Field on plugin info page for GDPR data collection Privacy
------------------------------+-----------------------
Reporter: brothman01 | Owner: (none)
Type: enhancement | Status: reopened
Priority: normal | Milestone:
Component: Plugin Directory | Resolution:
Keywords: |
------------------------------+-----------------------
Comment (by alanfuller):
Replying to [comment:9 brothman01]:
> The issue I am trying to resolve here is that I am concerned that
> WordPress does not have enough in place to handle GDPR compliance. Maybe
> they do, and what I am suggesting is overkill. Do you think the current
> measures in WP are enough for GDPR compliance?
OK, for clarity: compliance with GDPR is not the responsibility of software or software
providers but of the Data Controller.
When a Data Controller selects a software solution and implements it, they
are meant to implement it in such a way that the Data Controller is
compliant.
In the case where a Data Controller selects software that they identify
as transmitting personal data to a third party, that third party is known
as a Data Processor, and the Data Controller is responsible for ensuring that
the third-party Data Processor protects the personal data in an
appropriate manner (normally through a signed Data Processing Agreement
with Standard Contractual Clauses).
The Data Controller also needs to identify when software stores personal
data on their own systems, not just with third parties, and to document their
own controls for such.
I'm not a lawyer; this is not legal advice, just a description to make my
point.
A software organisation itself is not the one that needs to be compliant.
What your original request was about was not WP or plugins being
compliant, as they never can be since they are not the entity that needs to
comply, but whether there are tools that can make it easier for Data Processors to
work out what they need to do to be compliant.
My opinion is that there would be no reliable shortcut to doing proper
analysis by the Data Controller.
I don't know, but I expect that relying in court on some words written in
a readme that said no personal data was transmitted, where the Data Processor
didn't double-check, and knowing that they agreed to a licence that
explicitly says 'THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE
PROGRAM IS WITH YOU.', would not be a good defence.
--
Ticket URL: <https://meta.trac.wordpress.org/ticket/7403#comment:10>
Making WordPress.org <https://meta.trac.wordpress.org/>