[wp-meta] [Making WordPress.org] #7403: Plugin Directory: Field on plugin info page for GDPR data collection Privacy

Making WordPress.org noreply at wordpress.org
Mon Jan 15 09:42:21 UTC 2024 

#7403: Plugin Directory: Field on plugin info page for GDPR data collection
Privacy
------------------------------+-----------------------
 Reporter:  brothman01        |       Owner:  (none)
     Type:  enhancement       |      Status:  reopened
 Priority:  normal            |   Milestone:
Component:  Plugin Directory  |  Resolution:
 Keywords:                    |
------------------------------+-----------------------

Comment (by alanfuller):

 Replying to [comment:9 brothman01]:
 > The issue I am trying to resolve here is that I am concerned that
 WordPress does not have enough in place to handle GDPR compliance.  Maybe
 they do, and what I am suggesting is overkill.  Do you think the current
 measures in WP are enough for GDPR compliance?

 OK for clarity, compliance of GDPR is not with software or software
 provders but the Data Controller.

 When a Data controller selects a software solution and implements it they
 are meant to implement it in such as way that the Data  Controller is
 compliant.

 In the case where a Data Controller selects  software that they identify
 that transmits personal data to a third party, that third party is known
 as a Data Processor and the Data Controller is reposonsible to ensure that
 the third party Data Proceessor protects the personal data in an
 appropriate manner ( noramlly through a signed Data Processing Agreement
 with Standard Contractual Clauses ).

 The Data Controller also need to identify when software stores personal
 data on their own systems, not just third parties and to document their
 own controls for such.

 I'm not a lawyer, this is not legal advice just a description to make my
 point.

 A software organisation itself is not the one that needs to be compliant.

 What your original request was, was not about WP or plugins being
 compliant, as they never can be as they are not the entity that needs to
 comply, but are there tools that can make it easier for Data Processors to
 work out what they need to do to be compliant.

 My opinion is there would be no reliable shortcut to doing proper
 analaysis by the Data Controller.

 I don't know, but I expect that relying in court on some words written in
 a readme that said no personal data was transmitted and the Data Processor
 didnt double check and knowing that they agreed to a licence that
 explicily says 'THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE
 PROGRAM IS WITH YOU. ' would not be a good defence.

-- 
Ticket URL: <https://meta.trac.wordpress.org/ticket/7403#comment:10>
Making WordPress.org <https://meta.trac.wordpress.org/>
Making WordPress.org

More information about the wp-meta mailing list