GDPR assistance for 3rd party developers


(Unkind Omen) #1

I am slowly building a new web app for industry in EVE and I am now worried about its compliance with GDPR. In general the only data I collect is the data manually entered by users - various settings and presets for blueprints. No personal accounts are created and no e-mails collected. All users are authorized via ESI and a uuid token is generated to identify the session. So, no cookies either.

In this situation - should I convert my app from a web server to standalone off-line tool as the only way to avoid this GDPR headache?

It would be nice to have the legal team from CCP provide some guidelines/advice on what to do and not do with 3rd party apps, for those who are not so good with EU legal issues.


(Steve Ronuken) #2

If you’re not storing any Personally Identifiable Information, you’re probably good.

If you’re not doing anything with the data other than making the site work, you’re probably good.

If you let people get rid of their accounts, you’re probably good.


(Unkind Omen) #3

Thank you. However, I really don’t think your answer is even close to satisfying my curiosity.

With respect to the suggestion to delete data and not process it in undesired ways: the question is not how to comply with this monstrous directive, but how not to have to comply - following all the principles listed there (even without logging of processing activities) is just too expensive for me to develop.

Hence, I am more interested to learn whether I am SUPPOSED to do this at all with respect to data about virtual properties of “data subjects”, and how I can use this data in such a way, i.e. using encryption and/or anonymization, that I don’t have to mess with any other GDPR-related issues.

Is the possibility to identify a person’s in-game character and/or link multiple characters belonging to the same person enough to treat that as Personal Information?


(Destamon) #4

GDPR is far too big and far too ambiguous for you to rely on legal advice from forums and I very much doubt that CCP would expose themselves to liability by giving legal advice to app developers. That’s a can of worms best left unopened.

First of all, the scope includes all “data subjects” based in the EU, which is probably half the EVE players, and since you cannot discern (AFAIK) from their SSO login whether they’re based in the EU or not, the GDPR applies to your users.

Next, as you noticed, it comes down to whether the data is “personal data” or not. And personal data is taken in a very broad meaning in the EU. But my gut feeling (I am not a lawyer) is that it does not apply because what is normally meant by personal information (even in EU) is still data like the address, name, email, or credit card info. Presumably, you are not planning on collecting any of that. And the chance of someone calling you out over GDPR is rather small to be honest.

As always in business, whether for profit or not, if you need legal advice then you should speak to a legal counsel, and if you can’t afford to speak to a legal counsel (remember - first consultation is often free! Take advantage of it!) then you can’t afford to be in business.


(EveDataRules) #5

All IP addresses should be treated as personal data in order to be GDPR compliant.

Writing a web app, you have PII.

It seems rather silly, but you can tie an IP address to a person via their ISP.


(Kontalaa) #6

If you don’t want hassle, the rules are pretty simple:

  • only collect necessary data
  • if a user consents to give you more data, you have to say what you do with it and give an interface to withdraw consent/delete the data (i.e. a “profile page” where they can edit/delete everything you save)
  • have an easily accessible option to delete all data

If you want something different (i.e. storing who HAD an account unconditionally, selling any data, sharing any data with 3rd parties, doing more than is necessary without consent, etc.), then you get the whole shithole of law-speak and pages of privacy agreements, consent forms, etc. pp.

The law has not changed in the last 2 years, just the penalty for not following it (at most 20 million or 4% of revenue, whichever is higher, as opposed to the max 300k penalty before). Now all big players are panicking because 4% of revenue is way more than the max 300k they had to pay before… :wink:

Another small thing: everything must be set to privacy by default, and the user has to actively enable it (i.e. if he wants to use feature X of your app) and must be able to disable it again afterwards.

tl;dr: if you don’t sell anything, mess with the data, run personalized ads, etc., and give people a chance to delete everything, you are fine.


(Kontalaa) #7

regarding:

This has nothing to do with GDPR. Before that you could be held accountable for this as well.
You can still collect this if it is necessary (i.e. to track attacks), but then you have to state your deletion policy (i.e. logrotate them out after 48h or so).
If you want to do statistics you can enable the option to zero the last octet (x.x.x.0) of every IP in every webserver of your choice - which you should do anyway! Then they are not “personal” anymore.
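
An added example, not code from the thread or from any poster: the log handling Kontalaa describes (keep raw client addresses only for a short retention window, mask the last octet for the copy used for statistics) as a small Python script run over an nginx/Apache combined-format access log. It goes a step beyond the post in also handling IPv6, where zeroing a single octet leaves the host fully identifiable, so IPv6 addresses are masked to a /48; that prefix length is an assumption of this example, not something the post states. The sample log lines, the documentation addresses in them, and the clock value `DEMO_NOW` are constructed.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Tuple

# Constructed sample lines in the nginx/Apache "combined" log format
# (documentation addresses from RFC 5737 / RFC 3849, not real traffic).
SAMPLE_LOG = [
    '203.0.113.57 - - [10/May/2018:13:55:36 +0000] "GET /blueprints/123 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '2001:db8:85a3:8d3:1319:8a2e:370:7348 - - [12/May/2018:08:01:02 +0000] "POST /api/presets HTTP/1.1" 201 98 "-" "curl/7.58.0"',
    'www.example.net - - [12/May/2018:08:05:00 +0000] "GET /robots.txt HTTP/1.1" 404 0 "-" "bot/1.0"',
]
# Constructed "current time" used by the demo at the bottom.
DEMO_NOW = datetime(2018, 5, 13, 8, 0, 0, tzinfo=timezone.utc)

IPV4_KEEP_BITS = 24  # x.x.x.0, the last-octet rule from the post
IPV6_KEEP_BITS = 48  # assumption: keep the routed prefix, drop subnet and interface id

TIMESTAMP_RE = re.compile(r"\[([^\]]+)\]")
TIMESTAMP_FMT = "%d/%b/%Y:%H:%M:%S %z"


def anonymize_ip(addr: str) -> str:
    """Zero the host-identifying bits of an IPv4 or IPv6 address.

    Anything that is not an IP literal (for example a resolved hostname when
    the server has HostnameLookups on) is replaced by '-', so an unexpected
    client field fails closed instead of leaking through unchanged.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "-"
    keep = IPV4_KEEP_BITS if ip.version == 4 else IPV6_KEEP_BITS
    return str(ipaddress.ip_network(f"{ip}/{keep}", strict=False).network_address)


def anonymize_line(line: str) -> str:
    """Rewrite the client field, which is the first token of a combined-format line."""
    client, sep, rest = line.partition(" ")
    return anonymize_ip(client) + sep + rest


def entry_time(line: str) -> datetime:
    """Parse the bracketed request timestamp of a combined-format line."""
    match = TIMESTAMP_RE.search(line)
    if match is None:
        raise ValueError("no timestamp found in log line")
    return datetime.strptime(match.group(1), TIMESTAMP_FMT)


def process_log(lines: Iterable[str], now: datetime,
                retention: timedelta = timedelta(hours=48)) -> Tuple[List[str], List[str]]:
    """Apply the retention policy described in the post.

    Returns (raw, anonymized): `raw` holds the unmodified lines still inside
    the retention window (kept, e.g., for tracking attacks); `anonymized`
    holds every line with the client address masked, which is the copy you
    keep long term for statistics.
    """
    raw, anonymized = [], []
    for line in lines:
        if now - entry_time(line) <= retention:
            raw.append(line)
        anonymized.append(anonymize_line(line))
    return raw, anonymized


if __name__ == "__main__":
    kept, masked = process_log(SAMPLE_LOG, DEMO_NOW)
    print(f"{len(kept)} of {len(SAMPLE_LOG)} raw entries are inside the 48h window")
    for entry in masked:
        print(entry)
```

To run it against a real access log, feed the file's lines to `process_log` with `datetime.now(timezone.utc)` and write the two lists to the raw and the statistics log respectively. If the app sits behind a reverse proxy, the first field is the proxy's address and the real client address arrives in a header such as X-Forwarded-For; whatever you log from that header has to be masked the same way, otherwise the masking is cosmetic. The script only implements the masking and the retention split; whether a masked address still counts as personal data is the legal question the rest of the thread turns on.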


(EveDataRules) #8

so tl;dr, yes?


(Rtg Quack) #9

Thank you Kontalaa,
good summary on the topic.


(system) #10

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.