GDPR compliance

[Xinayder]

SpaceDock is currently hosted in Germany, a member of the European Union, which means we must now comply with the GDPR.

I don't know exactly how it works but I'm pretty sure there are a few points that we are currently missing from it (and surprisingly no one complained about it :P).

---

Personal data

According to gdpr.eu, this is the definition of "personal data":

‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

And a few paragraphs below on the same site:

Any information that can lead to either the direct or indirect identification of an individual will likely be considered personal data under the GDPR.

Related IRC conversation:

00:32:49 <RockyTV> I was thinking, since sd is hosted on germany, that means we have to comply with the GDPR
00:33:23 <RockyTV> which means we should implement a function for the user to request its data. would it return the zipfile for mods as well or just the info about mods published, ratings/reviews posted and modpacks created?
00:44:45 <DasSkelett[m]> Regarding the modfiles, no idea if that's needed by the GDPR or not.
00:44:46 <DasSkelett[m]> I would add basically the row of the user db (minus password) too.
00:46:46 <RockyTV> yeah
00:46:54 <RockyTV> user info + mods info + modpacks info

Personal note: I guess modpacks/mods created and the userprofile are considered personal data.

A few points gathered from https://gdpr.eu/checklist/ :

• Organizations with fewer than 250 employees should also conduct an assessment because it will make complying with the GDPR's other requirements easier. In your list, you should include: the purposes of the processing, what kind of data you process, who has access to it in your organization, any third parties (and where they are located) that have access, what you're doing to protect the data (e.g. encryption), and when you plan to erase it (if possible).

• People have the right to see what personal data you have about them and how you're using it. They also have a right to know how long you plan to store their information and the reason for keeping it that length of time.

  • A data export could produce a zipped folder containing JSON or human-readable text files (or both). It would be like using /api/user/[user], listing information that is publicly available, along with some other stuff we can include from the database, such as email addresses. Any user creation (mods/modpacks) and interactions (ratings/reviews) would also be on this file.

Another issue the GDPR brings us is data deletion, brought up in #215.

People generally have the right to ask you to delete all the personal data you have about them, and you have to honor their request within about a month.

---

Useful resources

https://gdpr.eu/checklist/
https://gdpr.eu/article-15-right-of-access/
https://gdpr.eu/faq/
https://gdpr.eu/eu-gdpr-personal-data/

---

I am not a lawyer, but I think these are solid points to comply with the GDPR. Any feedback is highly recommended.