• Resolved fs5ve

    (@fs5ve)


    Dear Concern,

    We, a group of researchers from the University of Virginia and Johns Hopkins University, are analyzing GDPR compliance in different plugins. From our analysis, we found that you are storing ‘IP Address’ and ‘username’ (PII) information in the database without providing data access and data deletion functionality. According to GDPR, whenever you store PII, you need to provide the user with data access and data deletion functionality. Not doing so will violate GDPR law.

    Can you please take a look at this issue and confirm it with us? If needed, we can provide more information on this.

Viewing 1 replies (of 1 total)
  • Michael Beckwith

    (@tw2113)

    The BenchPresser

    Hi @fs5ve

    We do store some PII, but temporarily. In versions 4.3.4 and 4.3.5 we made some edits that remove our stored IP address information from user meta, after approval, and added some UI to help clear out previously stored IP addresses that are no longer needed.

    In case it helps at all, it was only ever displayed while the user was in moderation status, but despite that we did put in the changes to remove it completely afterwards. PII like names all used standard WordPress and BuddyPress fields, and that information would have the access available via the methods provided by those plugins. The IP addresses were the only separate part.

    That said, if you’re still seeing some issues that harm compliance, let us know so we can review what else may need to be done and so we can get that out to everyone with the plugin installed.

  • The topic ‘Not GDPR Compilant’ is closed to new replies.