On May 25th, 2018 the European Union's General Data Protection Regulation (GDPR) comes into effect. In this article we explain the changes it brings with regards to our services and our software.
IMPORTANT INFORMATION REGARDING AUTOMATIC ACCOUNT DELETION
The EU GDPR requires us to automatically and irreversibly delete inactive user accounts. If you have not logged in to our site in the past 18 (eighteen) calendar months we will be legally obliged to delete your account. The deletion is automatic and IRREVERSIBLE: we are legally forbidden from being able to restore your user information.
If you want to prevent your account from being deleted you simply need to log into our site. You DO NOT have to make any purchase WHATSOEVER. All accounts which have EITHER logged in the last 6 months OR have one or more active subscriptions are exempt from the automatic account deletion.
Unfortunately we cannot exempt you from the account deletion policy even if you ask us to. The law does not give us that option.
GDPR and your account at Securitycheck Extensions
The GDPR is legislation designed to promote a privacy-first approach to handling your personal data, with more transparency and a way to reasonably exercise your data rights. While it only covers citizens of member states of the European Union, we consider it better to provide the same level of treatment to everyone. Not only is it saner for us (since we cannot know your nationality to begin with), but we also care deeply about your privacy and security.
First and foremost, you will see that our privacy statement and our cookies policy are now separate documents from our Terms of Service. However, accepting the whole lot is still required to use our services. The Terms of Service does state that the privacy statement and our cookies policy are integral parts of our Terms of Service.
Per the GDPR you now have to give your explicit consent to us processing your personal information. That's a fancy way of saying that you let us give your invoicing information to the tax authorities and our accountants and auditors. You will need to indicate your consent if you subscribed before April 2018 or do not have an active subscription with us. You can withdraw your consent at any time, but we won't be able to provide any of our services to you until you give your consent again. Managing your consent will be possible from the My Profile page when Joomla 3.9 arrives.
Cookies can likewise be rejected, including the login / session cookie of our site. If you reject cookies you will not be able to log into our site and we will not be able to provide you our services, through no fault of ours. We might revise this policy in the future since login cookies are exempt under the GDPR; it's just that the third party extension we currently use does not have that option. We don't use any other cookies on our site as of the time of this writing; check the Cookies Policy for the most up to date information. Cookie consent can be given and revoked at any time. Look at the bottom of every page of our site for the controls.
After the Joomla 3.9 release is published you will be able to exercise your data rights with us more easily as well. Your My Profile page will have a link to your data rights control panel where you can give or revoke your consent to processing your personal information, export your profile with us (data portability / access to your data rights) or delete your user profile with us (right to be forgotten). Please note that exporting your user profile gives you a machine readable XML data dump of everything we have on you. Emails and any off-site communications are deleted immediately after we conclude our communication (typically: after we send you a reply). We do not keep any copies. Please keep in mind that from the Joomla 3.9 release onwards we will NOT consider email or other off-site communications as binding in any way. This includes the Contact Us page, which simply sends us an email. Also note that deleting your user profile is irreversible and terminates your relationship with us without refund. If you exercise your right to be forgotten we truly and immediately forget you have ever been a client of ours.
Finally, the GDPR mandates data minimization. That's a complicated way of saying that we must delete your information when we have no reasonable business use for it. This means that we will delete your data profile 6 months after your last subscription expires or you last logged into our site, whichever comes later. This is a legal requirement. As a courtesy and to prevent any issues, we will send an email to the address we have on file for you a month before we delete your user account. You DO NOT have to buy a subscription or otherwise pay us to keep your data with us. You can very simply log into your user account with us at least once every six months.
Since profile deletion is permanent and irreversible we are going to be ramping up the deletion period over time. If your account is deleted it's because we are legally required to do so and no, we cannot reinstate your account because we no longer have your data and we are not allowed by the law to do it anyway. If you do send us an email we will point you back to this page since there are only so many ways this can be put into words. Yes, we do understand that for the average client this is horrible and will lead to frustration but no, we cannot ignore the law. The highest fine for ignoring the GDPR is 20 million Euros.
GDPR and our software, on our site and on your sites
Disclaimer: this is not legal advice; we are not lawyers.
In the following paragraphs we discuss how the information collected by our various software, installed on both our site and, most importantly, your sites, affects the GDPR compliance of the site where it is installed.
Our Web Application Firewall (Securitycheck Pro)
While storing IP information may be considered personally identifiable information, the GDPR makes an exception for IP information stored in the context of security. As such, the extension's log and the related IP whitelist, IP blacklist and dynamic blacklist are outside the scope of personal data protection. It's also worth noting that IP addresses per se are not personally identifiable information. If your organization has the legal means to compel ISPs to divulge the real world identity belonging to an IP address (that is to say, without having to go through court) OR if you store the IP address in conjunction with personally identifiable information (e.g. email address) or a personal marker (e.g. user ID), then that IP address becomes personally identifiable information. But, again, if it's just used for security logs it is exempt from the requirement of providing consent.
Text log files may, however, contain privileged information as they capture the entirety of the request sent by the user to your site. Furthermore, the GDPR calls for data minimization. To comply with this requirement we urge you to set the "Days to delete logs after" option to a non-zero value in Configuration -> WAF Configuration -> Logs tab. Typically, a value of 60 provides a good balance between data minimization and security.
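The retention rule described above, as an added example that is not part of Securitycheck Pro's own code: a purge over a handful of constructed WAF log records. It assumes, based on the "non-zero value" instruction, that a retention value of 0 means "never delete", which is the weak setting the text warns against; `purge_old_logs`, `retention_warning`, the `LogEntry` record and the sample data are all hypothetical names and values for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class LogEntry:
    """One WAF log record (hypothetical shape, not the extension's schema)."""
    logged_at: datetime   # when the request was logged, timezone-aware UTC
    client_ip: str        # visitor IP; exempt from consent only while used for security
    request: str          # the full request as captured; may carry privileged data


def retention_warning(days_to_keep: int) -> Optional[str]:
    """Flag the weak setting: 0 keeps full request logs forever, which defeats
    data minimization. Returns None when the setting is acceptable."""
    if days_to_keep < 0:
        raise ValueError("retention must be zero or positive")
    if days_to_keep == 0:
        return "Days to delete logs after is 0: logs are never purged"
    return None


def purge_old_logs(
    entries: List[LogEntry],
    days_to_keep: int,
    now: Optional[datetime] = None,
) -> Tuple[List[LogEntry], List[LogEntry]]:
    """Split entries into (kept, purged) by age.

    Entries logged before now - days_to_keep are purged; days_to_keep == 0
    disables purging entirely (assumed semantics of the option)."""
    if days_to_keep < 0:
        raise ValueError("retention must be zero or positive")
    if days_to_keep == 0:
        return list(entries), []          # weak setting: nothing is ever removed
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=days_to_keep)
    kept = [e for e in entries if e.logged_at >= cutoff]
    purged = [e for e in entries if e.logged_at < cutoff]
    return kept, purged


# Constructed sample data: four records aged 1, 30, 61 and 200 days relative
# to a fixed "now", using documentation IP ranges. Not real log output.
NOW = datetime(2018, 5, 25, tzinfo=timezone.utc)
SAMPLE_LOG = [
    LogEntry(NOW - timedelta(days=1),   "192.0.2.10",    "GET /index.php?option=com_content"),
    LogEntry(NOW - timedelta(days=30),  "198.51.100.7",  "POST /index.php?option=com_users&task=user.login"),
    LogEntry(NOW - timedelta(days=61),  "203.0.113.42",  "GET /administrator/index.php"),
    LogEntry(NOW - timedelta(days=200), "192.0.2.99",    "GET /index.php?id=1%27%20OR%201=1"),
]


if __name__ == "__main__":
    for setting in (0, 60):
        warning = retention_warning(setting)
        kept, purged = purge_old_logs(SAMPLE_LOG, setting, now=NOW)
        print(f"retention={setting}: kept={len(kept)} purged={len(purged)}"
              + (f"  WARNING: {warning}" if warning else ""))
```

With the value of 60 recommended in the text, the two records older than 60 days are removed and the recent ones stay; with 0 every record, including the full request bodies, is retained indefinitely, which is exactly why the option should not be left at zero.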
Using the Geoblocking feature is also GDPR compliant. The IP address does not leave your server. The copy of the MaxMind GeoLite Country IP Database used to determine the country and continent of an IP address is stored on your own server. And no, before you ask, if you are outside the EU you can NOT use GeoIP blocking to dodge GDPR completely. The GDPR applies to all EU citizens regardless of where they live. A French person sitting in a cafe in New York city is protected by the GDPR the same way as if they were sitting in a cafe in Paris. GDPR concerns the nationality of the user, not their physical location. Not to mention that there are VPN and proxy services to fake the GeoIP location of a user, as well as the imperfect (around 90%) accuracy of GeoIP in general. Don't try to use GeoBlocking to dodge the GDPR, you will only make matters worse for you.
Finally, it is possible that in the past you may have enabled the feature to log failed login passwords. This might be a security concern or a violation of the GDPR. We have now removed that feature but you may still have information stored in your database. We recommend that you go to the Logs page, filter by type "User session protection" and delete all records presented to you.
Our extension to manage websites (Securitycheck Pro Control Center)
This extension is out of the scope of the GDPR as no personal information is stored in it. In any case, all the sensitive information used by Securitycheck Pro Control Center (secret keys, admin protection key...) is stored encrypted in the database.
Our extension to fight spammers (Spam protection)
This extension checks the visitor's IP and/or email against the StopForumSpam database only when they try to register on your site. StopForumSpam assures that they comply with the GDPR.
The software we are using to enforce GDPR compliance
GDPR compliance (data rights) uses a Joomla! 3.9 native solution called com_privacy.