Have questions about GDPR

When the domain is hosted in the US but the company is from the EU, will the managed backup still be stored in the US? And if I want to use Google Analytics or Mailchimp, for example, according to GDPR legislation you need to sign a contract with the third party that states certain things, like that third party's compliance with GDPR rules. Do you (WPMU DEV) have any such contracts prepared, by any chance?

  • Adam Czajczyk
    • Support Gorilla

    Hello Peter

    I hope you’re well today and thank you for your question!

    I think you might want to take a look at these docs to get a better insight into how we/our plugins/services relate to GDPR-related requirements:

    https://premium.wpmudev.org/docs/privacy/

    As for such a contract – yes, we do have a Data Protection Agreement ready for you and you’ll find the copy here:

    https://premium.wpmudev.org/docs/privacy/privacy-policies-procedures/#chapter-3

    In case you’d need a signed copy of it, that’s also available (see the link above, please).

    Please note: this agreement is related to our company and our services. I’m not a GDPR specialist and not a lawyer, but I believe such a contract wouldn’t be of any use when it comes to 3rd-party companies/services that are not related to or associated with us (such as e.g. MailChimp). To my knowledge, you would need to reach out to them separately asking them for such a contract/agreement.

    Kind regards,

    Adam

  • Peter
    • Site Builder, Child of Zeus

    Hi there Adam,

    thanks for the feedback :slight_smile:

    I hope the contract will solve the problem. Every time I look at GDPR it feels like potentially entering a world of lots of pain. Thank you lawyers.

    To my understanding you need to set up a separate contract with every contractor you are working with individually. Which does make sense for a change. If wpmudev offers an interface to mailchimp in Hustle there is little point in making wpmudev liable for mailchimp’s possible shortcomings :slight_smile:

    Thanks again for your help.

    Peter

  • Predrag Dubajic
    • Support

    Hi Peter,

    I think that GDPR introduced a world of pain for many people :slight_smile:

    From what I understand, in short, you pretty much need to make it clear which data you are collecting and why.

    If you share any of the data you then need to state with whom and why, and point to their privacy page as well.

    But as Adam said, this is something that needs to be looked at more in depth and should be discussed in detail with a privacy expert or a lawyer.

    Best regards,

    Predrag

  • Peter
    • Site Builder, Child of Zeus

    Hi Predrag,

    speaking of a world of pain and GDPR. Unfortunately I’m no lawyer either. Or actually, I consider myself rather fortunate, come to think about it.

    Managed Snapshots – something probably needs to be done there. Either you have to inform your users that you are using a foreign company to store your backups outside of the EU but you have an agreement in place with them that they will keep it safe (which will not go down very well and will lose a high percentage of the users that bother to read it) – or there needs to be control over the server location for the managed backups, to make sure they are stored in the EU.

    And then there’s the issue that local snapshots only store subsites and not an entire multisite install. So either way, using Snapshot is not all that great for multisite. Currently you get to choose the location for the backups or to back up a multisite in one go. You can’t have both at the same time at the moment.

    And another thing that always makes me cringe: SaaS. Make everything run in a browser. Store everything in the cloud.

    Those have been the leading paradigms for the last 10-15 years.

    Who do I have to bribe, so WPMU DEV considers encrypting snapshots – both for managed snapshots and local/(s)ftp snapshots? It’s such an easy thing to implement with such a huge effect for data privacy and GDPR peace of mind. :slight_smile:

    Cheers,

    Peter

  • Adam Czajczyk
    • Support Gorilla

    Hi Peter

    Disclaimer: I’m still not a lawyer, I’m afraid :wink:

    Managed Snapshots – something probably needs to be done there. Either you have to inform your users that you are using a foreign company to store your backups outside of the EU but you have an agreement in place with them that they will keep it safe (which will not go down very well and will lose a high percentage of the users that bother to read it) – or there needs to be control over the server location for the managed backups, to make sure they are stored in the EU.

    To my best knowledge, it’s actually a common myth: there’s no requirement that data must be stored in the EU. The point is not about where it is stored but whether the user is fully informed, did agree to this, and how that data is processed. The backup is a specific thing: it’s the site owner’s responsibility, not ours. What I just said sounds just terrible, but let me explain: we provide a tool and a place to store data. And an agreement for you – you as in “you, the site owner”. Plus: we provide full GDPR compliance in terms of security and encryption of our infrastructure and full information for the site owner.

    Then, whether the site owner will pass legally required information to the end users or not? Well, we do not own or directly process data of the site’s end-users. So basically, we are obliged to provide full GDPR compliance (and we do this in the areas where it’s required) but the entire relationship is not between us and your site’s end-users but between us and you as the site owner/manager.

    And another thing that always makes me cringe: SaaS. Make everything run in a browser. Store everything in the cloud.

    Those have been the leading paradigms for the last 10-15 years.

    Who do I have to bribe, so WPMU DEV considers encrypting snapshots – both for managed snapshots and local/(s)ftp snapshots? It’s such an easy thing to implement with such a huge effect for data privacy and GDPR peace of mind.

    There’s a big difference between snapshots and managed backups. Snapshots’ managed backups are actually encrypted and stored in a (GDPR-wise) secured and encrypted environment.

    Snapshots – as in “Snapshot -> Snapshots” – is a backup created by our tool, but we do not store or process it and we have no impact on this. It’s up to you where you put it – locally or to any of your “external” locations such as FTP, Google Drive etc. I’d say that it’s the responsibility of those “storage locations’ providers” to make sure that these locations are “GDPR compliant” (like we do with our cloud for managed backups).

    However, I do believe that providing an option to actually enable additional encryption for snapshots (Snapshot -> Snapshots) could make a great addition to the plugin. To be perfectly honest, I’m a bit afraid of the possible performance issues, as encryption (in a form that would meet modern standards/practices) could be quite “resource-intensive”, and since the backup itself is very “resource-hungry” that might cause additional issues, especially on shared hosts. But yes, I totally agree that it would be a very good thing to have it there. I’ve already suggested that to our developers so they could look into possible options here :slight_smile:

    Best regards,

    Adam

    PS. Let me stress again that I’m really not an expert when it comes to legal aspects. I do my best to make sure that what I’m sharing with you is accurate, but I still strongly recommend consultation with a professional lawyer, as my words cannot be taken as a “legal interpretation”. I hope that makes sense :wink:
