GDPR Compliance

erxes is GDPR compliant

erxes has implemented various updates and changes to its codebase in preparation for GDPR enforcement, which began on May 25th, 2018.

A summary of the overall GDPR readiness strategy for the erxes project can be found below:

Right to Access

Part of the expanded rights of data subjects outlined by the GDPR is the right for data subjects to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format. This change is a dramatic shift towards data transparency and the empowerment of data subjects.

Right to be Forgotten

Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure, as outlined in article 17, include the data no longer being relevant to original purposes for processing, or a data subject withdrawing consent. It should also be noted that this right requires controllers to compare the subjects' rights to "the public interest in the availability of the data" when considering such requests.

Data Portability

GDPR introduces data portability - the right for a data subject to receive the personal data concerning them, which they have previously provided in a 'commonly used and machine readable format' and have the right to transmit that data to another controller.

The following are some of the more recent GDPR updates that are now part of the core codebase:

Right of Access

Description

Part of the expanded rights of data subjects outlined by the GDPR is the right for data subjects to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format. This change is a dramatic shift towards data transparency and the empowerment of data subjects.

Comment

Maybe a web page for registered users to download their content stored in the database. Check the Facebook feature for ideas; they have solved it in a nice way, I think.

Right to be forgotten/erased

Description

Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure, as outlined in article 17, include the data no longer being relevant to the original purposes for processing, or a data subject withdrawing consent. It should also be noted that this right requires controllers to compare the subjects' rights to "the public interest in the availability of the data" when considering such requests.

Comment

This can be a web page / option to delete the account + all user-generated content. Exactly how this should be done can be hard, but it is the user's right under the GDPR to do this.

Data Portability

Description

GDPR introduces data portability - the right for a data subject to receive the personal data concerning them, which they have previously provided in a 'commonly used and machine readable format' and have the right to transmit that data to another controller.

Comment

This is a way to export all available data in order to more easily move to other platforms, if possible. I would suggest that Rocket Chat implements this as a JSON export of all user data and makes it an option in the Right to Access feature; keep it as simple as possible!

Other rights

Other rights for the data subjects are either covered by features already built into our codebase, or outside the scope of the open source software project, including:

Right to Rectification

The codebase can be configured to support user modification/correction/rectification of any data supplied (entered) by the user.

Right to restriction of processing

This is outside the scope of the open source software project, and is up to the controller (administrator / deployer / operator of the server system) to enforce.

Right to Object

This is outside the scope of the open source software project, and is up to the controller (administrator / deployer / operator of the server system) to enforce.

Community compliance

The above will allow our community members to build and deploy GDPR compliant systems and services. We know and understand that all of you have custom installation, configuration and deployment environments, and that you are working to ensure your own deployment of erxes is compliant with GDPR where necessary.

Meanwhile, we welcome any advice, input, or questions you may have regarding erxes GDPR readiness. Please help us by emailing your thoughts to [email protected]

Thank you!

Erxes Inc Team

erxes is an AI meets open source messaging platform for sales, marketing and support