Sustainability Rules for LinuxFr.org Accounts and Personal Information – LinuxFr.org

The LinuxFr.org site can be consulted without an account and without authentication. It also allows you to create an account (see the help pages on visiting without authentication and on why to create an account). An account is associated with technical personal data necessary for the service provided, and with optional personal data that the person using the account may or may not enter.

This notice describes the personal data processed, whether associated with an account or not, the lifecycle of that data, and the change in policy related to that lifecycle. For the sake of brevity, the abbreviation DCP is used for personal data.

The most important change concerns the retention periods for personal data. From June 28, 2023:

  • accounts that have been inactive for three years will be closed, and stored data not required for the service will be deleted;
  • accounts that have been closed for more than a year will have the associated data that is not required for the service deleted.

Context

The LinuxFr.org website is managed by the LinuxFr Association. The team consists entirely of volunteers. The website has no commercial purpose, does not host advertising or paid content, and does not sell the personal information of people using the service. The website collects the data that is strictly necessary for the service, as well as some other data optionally added by the people who own the accounts. There is no profiling or tracking of people and accounts for advertising or commercial purposes (no unnecessary cookies, no trackers).

Personal data (DCP) processed

List

The personal data required for the provision of the service:

  • Identifier or nickname: unique throughout the site, it also defines an element of the address that will be associated with the account (the part following “/users/” in the “https://linuxfr.org/” address associated with the account). It cannot be changed by the person using the account. It is needed so that the account is uniquely identifiable externally.
  • Display name: chosen by the person using the account and changeable at any time while the account is open. It is necessary to identify the user to other users of the site (knowing that the identifier or nickname is used by default).
  • Email address: defined by the person using the account, validated by the email originally sent when the account was created; it can be changed later as long as the account is open. It is necessary to verify that a human is behind the account and for notifications.
  • Password: initially generated randomly, it can be changed by the person using the account at any time while the account is open. It is used to authenticate on the website.
  • Account creation IP address: cannot be changed afterwards;
  • IP address of the last connection.

The personal data that is not mandatory for the service and is provided by users:

  • an avatar image: the person using the account can associate an image with it (which may or may not identify them) and change it at any time while the account is open;
  • a personal website address: the person using the account may assign such an address and change it at any time while the account is open;
  • an XMPP instant messaging address: the person using the account may associate such an address with it and change it at any time while the account is open;
  • a Mastodon account address: the person using the account may associate such an address with it and change it at any time while the account is open;
  • a signature added to each comment: the person using the account can associate such a signature with it and change it at any time while the account is open;
  • a personal style sheet: the person using the account can associate such a style sheet with it and change it at any time while the account is open.

Account closure

The account can be closed by the person using the account (see the help on closing an account). It is up to that person to remove beforehand the personal data they wish to remove, for example: choosing the name that will continue to be displayed, removing the chosen avatar, removing any personal website, instant messaging and/or Mastodon account addresses, and removing any signature or personal style sheet.

To date, no personal data has been modified or deleted afterwards, except for exceptional operations as reported in the notice “One year after the major website update, major cleanup of user accounts” or in the help on closing your account.

The account can also be closed by the website team (e.g. to fight spam or for non-compliance with the rules applicable on the website). In this case, any personal website, instant messaging or Mastodon account addresses are automatically deleted (mainly in the case of spam, to limit referencing). Apart from exceptional operations, no personal data was, until now, changed or deleted afterwards.

Other Account Information

An account may be associated with content (messages, personal diary, forum posts, polls, wiki pages, links, tracking system entries), comments, ratings or tags, and content that the account has contributed to. The account can also be linked to third-party applications or websites after they have been authorized to access specific information via an OAuth2 API. The account may be associated with administrative operations (password change, temporary ban on commenting, etc.).

The closure of the account had no effect on this data. A request for anonymization (remapping everything to the fictitious anonymous user) is possible through the site team.

Obligations and legal bases for processing

The law (the General Data Protection Regulation, or GDPR, and the Data Protection Act, or LIL, in France) requires a legal basis for any processing of personal data. This obligation applies regardless of the activity status of the account. Therefore, if an account is inactive, there must be a legal basis to justify retaining the associated personal data.

In the case of active accounts, the mandatory information stored in the database is required for the provision of the service:

  • validate an email address to verify the account and send the initial password through this channel;
  • have a contact address for service-related notifications, such as shipping approvals/denials or monthly awards;
  • clearly display public data associated with the account (the account itself, account content, account comments, etc.) and have, internally, a unique technical identifier per account;
  • have identification, attribution and contact data for content/comments posted by third parties (the accounts), to manage possible disputes (e.g. manifestly illegal, allegedly illegal) or the legal framework (e.g. changing own account details, copyright);
  • recognize possible misuse (multiple accounts etc.).

The GDPR restricts the storage of personal data. In the present context, this obligation applies to accounts that are still open but have not been used for a certain period of time, as well as to accounts that have been closed. In any case, LinuxFr.org has no legitimate interest or need to keep this data indefinitely once a reasonable period of time has elapsed. For example, the statute of limitations for press law in France is 3 months; likewise, the risk of seeing the same spammer again with the same contact details drops enormously within a few months or even weeks, etc.

Change in Account Management Policy

So, let’s move on to the changes in account and personal information management effective June 28, 2023:

Accounts that have been inactive for three years will be closed:

  • all non-public content and comments from these accounts will be deleted;
  • in the absence of public content or comments or posts on public content, the account will be deleted;
  • otherwise:
    • the identifier or nickname, email address, display name and signature (for copyright attribution) are retained;
    • the password, the account creation and last connection IP addresses, any avatar picture, any personal website, XMPP instant messaging and/or Mastodon account addresses, and any personal style sheet will be deleted from the database.

Clarification: The three-year period begins on the day following the last activity on the account.

Accounts that have been closed (by the account holders or by the team) for more than a year will have their associated data reduced to what the service needs:

  • all non-public content and comments from these accounts will be deleted;
  • in the absence of public content or comments or posts on public content, the account will be deleted;
  • otherwise:
    • the identifier or nickname, display name and signature (for copyright attribution) are retained;
    • the email address, the password, the account creation and last connection IP addresses, any avatar picture, any personal website, XMPP instant messaging and/or Mastodon account addresses, and any personal style sheet are deleted from the active database.

The main difference between the two cases is that the email address is kept for inactive accounts, so that the account can be reopened and a new password sent on request.

Once the period has elapsed, the operations will be carried out as quickly as possible (manually at first, by a team of volunteers, and eventually automatically).