General GDPR Overview NextCloud
GDPR: General Data Protection Regulation Compliance Kit
Nextcloud GmbH
Hauptmannsreute 44A
70192 Stuttgart
Germany
T: +49.711.25 24 28 -0
F: +49.711.25 24 28 -20
Web: https://nextcloud.com
E-Mail: [email protected]
The GDPR Admin Manual details where you can find personal data
in Nextcloud and how to secure and handle it.
Under the current law, privacy notices need to notify users of:
- your identity
- the reasons you gather their data
- which use you make of their data
- who it will be disclosed to
- if the data will be transferred outside the EU.
The GDPR also requires you to make sure these notices are
concise and easy to understand for everyone – try to use easy
language and avoid using any technical or legal jargon.
See the GDPR Admin Manual for information on how to inform users
about their rights and how you use data.
Note that the right to data portability is new, and only applies in
three specific cases:
- personal data a person has provided to a controller
- in cases where the processing is based on the performance of a
contract or on the person’s consent
- if processing is carried out by automated means.
Making sure all these rights are respected includes figuring out in
advance how personal data is deleted, and being able to inform
users or staff of the way this is done. It also includes figuring out in
advance how you will provide personal data electronically in
cases where your users ask for it; you need to be able to provide
this data in a commonly used format.
Generally you are not allowed to charge for complying with such
a request. However you can refuse or charge for a request if you
can demonstrate that the cost for your organization will be
excessive, or if the request is manifestly unfounded. If you refuse a
request, you will have to clearly communicate your refusal, and
inform the person of the reasons for it. Additionally, you will have to
inform the person of their right to complain to the supervisory
authority in charge, and to a judicial remedy. Refusals must be
communicated within one month at the latest.
Review how you seek, manage and record consent and make the
necessary changes. According to the GDPR, consent must be
freely given, specific, informed and unambiguous.
If you find out after a DPIA (data protection impact assessment) that
your organization may not be able to comply with the GDPR with full
certainty, it is mandatory to notify and consult the authorities in
charge in the state you operate in about the specific process that is at risk.
Under the GDPR, your organization will deal with a single lead
supervisory authority (LSA) for most of your processing activities.
In order to find out what your main establishment is, start by
mapping out where the decisions about data processing are made in
your organization. This should indicate which state’s LSA you will
depend on.
Conclusion
There is much more to read about the GDPR. Two great documents
can be found here:
https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
http://gdprandyou.ie/gdpr-12-steps/
and you can find the text of the GDPR, easy to search through, here:
https://gdpr-info.eu/