On Tue, Jan 08, 2019 at 08:38:01PM +0100, Benjamin Berg wrote:
> We can certainly implement a setup that does not collect or
> UUID together with the IP address or timestamp. Send the UUID as a
> HTTP header, don't log it, send the UUID off to a counting service
> (*). If we make sure the UUID is protected in transit, sent only to
> our own servers (or servers configured by the user), and not collected
> or stored in a personally identifiable way, I suspect that we're
> meeting our obligations under the GDPR, though we'd need to
> double-check any selected solution carefully.
You are right that it is possible to immediately discard or obfuscate
But, as Nicolas pointed out, the argument here is that the UUID itself
likely needs to be considered "personal data" in the GDPR sense. And
even doing something as minimal as that seems to imply "processing"
the data in the GDPR sense.

Nb. “UUID” sounds terribly technical. Can we use some term which
is already known and understood by users, e.g. Advertising ID?

Tomasz Torcz 72->| 80->|
xmpp: zdzichubg(a)chrome.pl 72->| 80->|