Hi, we currently use the FEU module. There is no front end registration as the site owners add the FE users manually via the FEU module in the backend.
Is this going to be breaching the new EU General Data Protection Regulations that are coming into force in May 2018, since the site owner is entering the user's details into the system, meaning there is no chance for the user to confirm they agree to have their data stored?
To give a bit more context: the site owners with backend access are the company owners and the FEU users will be employees and customers.
Because of this I'm considering adding the SelfRegistration module and guiding the site owners into a new way of working where instead of adding people themselves, they instead send them a link to the self registration page. This feels like a roundabout way of doing things and adds a bunch of extra steps, making the whole thing more hassle for everyone.
Any guidance here would be appreciated.
FrontEndUsers & EU GDPR
- paulbaker
- Dev Team Member
- Posts: 1465
- Joined: Sat Apr 18, 2009 10:09 pm
- Location: Maidenhead, UK
Re: FrontEndUsers & EU GDPR
My (limited) understanding of GDPR consent is that it can be given any way - e.g. verbally ("I'm going to put you on our database as a customer, is that OK?") or in an email etc. So no need to implement self registration if you don't want to as long as you get the consent some way or other.
To copy System Information to the forum:
https://docs.cmsmadesimple.org/troubles ... nformation
CMS Made Simple Geekmoots attended:
Nottingham, UK 2012 | Ghent, Belgium 2015 | Leicester, UK 2016
Re: FrontEndUsers & EU GDPR
Hmmm, interesting. Your mention of verbal consent gave me an idea which I followed and led to me stumbling upon a much clearer site than the ones I previously read:
https://www.whitecase.com/publications/ ... regulation
It does mention that verbal consent is OK:
"depending on the circumstances, valid consent could be provided verbally, in writing, by ticking a box on a web page"
However that will make this other ruling more difficult to follow:
"The controller must be able to demonstrate consent: the controller must be able to demonstrate that it has obtained valid consent from the affected data subjects"
So that would mean verbal consent is acceptable as long as you record it! Ugh.
Another level to look at is the fact that as the one creating and hosting the system I would be "the controller", not the company owner. They would be "the processor". Apart from running the system I will have no direct contact with their employees which means I'll need something in the system that records their consent.
Grumble, all these new regulations are a right pain in the ass. The more I read into it the more it seems I will have to implement the self registration module. I'm also reading about MySQL transparent data encryption as I want to avoid having to encrypt each FEU property individually (using the FEU module's encryption option) so that the site owner can amend user details.
- paulbaker
- Dev Team Member
- Posts: 1465
- Joined: Sat Apr 18, 2009 10:09 pm
- Location: Maidenhead, UK
Re: FrontEndUsers & EU GDPR
TannSan wrote: Grumble, all these new regulations are a right pain in the ass.
Now there's something we can all agree on!