We are currently on OJS 22.214.171.124 and I’ve been trying to find information on how to provide our users with information on the data we process in case someone makes use of their Right of Access (see GDPR article 15 Art. 15 GDPR – Right of access by the data subject | General Data Protection Regulation (GDPR)). I tried searching the forum for information on DB-queries others might have come up with to comply with GDPR article 15, but did not find anything with keywords such as “right of access” or “gdpr user data”.
Ideally I would like to get all user related data from the database and the logfiles or any other place user data might be stored. The GDPR Guidebook at GDPR Guidebook for PKP Users lists things such as User Registration Data, but not how to access those in the most thorough way. Also logfiles don’t seem to be mentioned?
I found this recommendation: “Understand what personal data you process: what it is, how it’s stored, and how it can be accessed, modified and erased;” (What’s the Deal?) But I am wondering if really every project should do this from scratch for themselves? Couldn’t this be done in a more collaborative way?
Which part of Article 15 are you concerned about complying with? There’s quite a lot there. I suspect you are chiefly concerned about 15.3 “The controller shall provide a copy of the personal data undergoing processing”, but I want to be sure.
yes, you guessed right, sorry for not being more concise! In the past for other systems where DBs were concerned I would come up with a SQL-query and export the data as CSV files. That accompanied with a description of how the single columns and tables came to be would be what we sent our users.
I think that in the logfiles only IP-addresses are stored so unless a user has a static IP and tells me so these might not necessarily looked through, but I am not familiar enough with the DB structure yet to do what I described above. Also there is a possibility that users’ IPs are stored somewhere, then I’d be back on square one with the logfiles.
I feel like someone would have come across a user asking for a copy of their data in the past. Hopefully some German colleagues are reading this thread, as Germans tend to be very aware of data protection and so might have asked for a copy sooner or more often than others.