General Data Protection Regulation

From GnuCash
Jump to: navigation, search

In May 2018 EUs General Data Protection Regulation (GDPR) finally replaced Directive 95/46/EC.

You can read or download the official document in all EU languages and several formats as EUR-Lex Document 32016R0679.


While there is some fear about it because of penalties up to max (20 Mio. EUR; 4% of annual global revenue), others see chances for FOSS:

Marc Jones: FOSS and the GDPR - Overview of key changes to EU privacy law that FOSS can use to promote individual's privacy and autonomy (slides, video) at FOSDEM 2017.

A nice abstract is How will the GDPR impact open source communities?.

ePrivacy aka Cookie Law

It is the sibbling of GDPR. Its final main target are tools like Google Analytics. And it needs a review on as that stores at least a language cookie.

Organisation-wide Data Audit


  • what data you have,
  • where it is and
  • how it is being used.
  • Distinguish between personal and non-personal data,
  • identify its use,
  • the processes applied to it and
  • the legal considerations.

Final takeaways to become GDPR-compliant:

  • Request for consent and purpose of data collected must be intelligible – for sensitive personal data, users will have to “opt in” rather than “opt out”
  • Individuals must have the right to access their data:
  • Individuals must have the right to withdraw consent and prevent further dissemination of data:
  • Those concerned must be notified if there is a security breach.


Notes from 2018-05-24 on IRC

Open Questions

  • How does GDPR interact with the GnuCash mailing lists, bugzilla, git repositories, IRC Logs, and/or wiki?
  • What changes (if any) should/must we make to the GnuCash mailing lists and archives?
  • What do we do if a user asks for their old posts to be removed?