• Resolved wordpress7255

    (@wordpress7255)


    Can you please tell me

    – Which data you collect from visitors of the site
    – How long is the visitors’ data stored (‘in a manner consistent with the functionality of the Services’ is not very clear)
    – Will it be transformed into anonymous form?
    – What is the purpose (to secure the site …)

    in order to update the information page of my website

Viewing 8 replies - 1 through 8 (of 8 total)
  • Thread Starter wordpress7255

    (@wordpress7255)

    Not really, or at least I cannot find it:

    Part 6: Data deletion says nothing about when the data of a visitor will be deleted. Deletion on request is not enough. You have to specify how long you need the data of a visitor to secure my site and when it is deleted afterwards (automatically).
    E.g. how long will the IP address of a visitor be used and when is it deleted afterwards or transformed into anonymous form?

    If a visitor asks: ‘How long do you store my IP address’, the answer: ‘As long as I need it’, is not valid. The answer should be: ‘Your IP address is stored for 30 days in order to … and automatically deleted afterwards’.

    That’s a good point, someone from WF will have to answer that for you/us.

    Hello,

    Per our data processing agreement and standard contractual clauses, we keep the data until we no longer have a business need for it, which is appropriate under GDPR as it was collected under a legitimate interest to provide security. It is necessary to keep some data as malicious IPs don’t stop being malicious on a schedule. Generally we delete data after 90 days as it’s no longer needed. Per GDPR, when we no longer have a business need for it, it’s deleted. But some IPs we keep longer, such as those on the IP Blacklist, until they stop being malicious. That is why we had to write our agreements that way.

    -Kerry

    Thread Starter wordpress7255

    (@wordpress7255)

    Hi,

    so to summarize: you collect

    – search queries
    – date and time of request
    – referral URL
    – IP address
    – MAC address
    – Device make, model and operating system version
    – mobile network information
    – internet service provider
    – browser type and language
    – country and time zone in which the Device is located
    – metadata stored on the Device
    – data about a User’s geographic location

    from the end user and store this data under normal conditions for 90 days.

    Is this correct?

    Good question, @wordpress7255!

    I would like to know too, @kboyte. Can you please give us an update on this issue?

    Thank you so much!

    One of many possible ways to do it is to:

    – Sign the DPA with Defiant Inc.
    – In your Privacy Policy, justify the usage of WordFence on legitimate interest.
    – Make a “Legitimate Interest Assessment” (templates are out there).
    – Keep the assessment or even allow people to download it from your privacy page.

    This is a version of the clause from my own privacy policy, you may use it but be advised that I’m not a lawyer and this GDPR thing is meant to enable us to “self-certify” simply by being honest and direct:

    In order to establish and maintain security for all users, we deploy a web application firewall on this website. It sits locally on our server and scans all traffic against an ever-changing set of security rules. In the event of a visit breaking one of these rules, the firewall shares the IP address and other non-personal data with its developer, Defiant, Inc. (Privacy Policy) so they can protect other people from malicious IP addresses. This data will usually be deleted after 90 days but it may need to be extended in some cases (until the IP stops being malicious or goes offline).

    We believe it’s plausible to justify this data processing on legitimate interest under EU-Privacy Regulations (GDPR) and we’ve prepared a legitimate interest assessment for this use case. We’ve also signed a data processing agreement with Defiant Inc. to form a legal basis for processing this data.

    Defiant’s Privacy Shield application is currently pending, until then their compliance is accomplished by standard contractual clauses. (Update this when the time comes)

    That summary is correct except this is a more accurate conclusion:

    “from the site visitor and store this data for 90 days unless there is still malicious activity for that data in which case it is kept until no longer malicious”


The topic ‘Which data collected, how long stored’ is closed to new replies.