this post was submitted on 01 Jul 2023
134 points (97.9% liked)

Selfhosted

40741 readers
536 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
 

I'd be really keen to host a lemmy instance but just wondering with GDPR and everything, if there is anything else to consider outside of the technical setup and provisioning of hardware?

Lemmy is storing users data so is there any requirement to do anything GDPR wise?

Hope this is the right place for this - But seen a lot of posts interested in hosting their own lemmy instance, and this is an extension of that

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 5 points 2 years ago* (last edited 2 years ago) (5 children)

Obviously IP addresses are personal data, but those are not shared to other instances.

You could probably argue that the federated ID is personal data, but I am not sure as it might also count as an internal identifier required for operation only. IANAL but I don't think votes can be considered personal data under the GDPR.

[–] [email protected] 1 points 2 years ago (4 children)

Question boils down to where is the boundary. Does an alias of your choosing, which uniquely identifies you across the fediverse personally identifiable? I think we all would say yes. Does then actions linked to that alias constitutes as personally identifiable? Well, in absence of the correlation of the ID, it is still technically possible to map out who this user is and what their interests and preferences are, so maybe yes? That’s a hard grey area to determine IMO.

[–] [email protected] 1 points 2 years ago (2 children)

I think as @[email protected] commented slightly higher up, this might be considered pseudonymised data? The link he provided suggested it was considered personally indentifying information - I'm (as per my question) definitely no expert in this though

[–] danieljackson 4 points 2 years ago (1 children)

The link I provided says that pseudonymous data can be used to hide personalized data.

If you are a DPO, you can see the appeal and benefits of pseudonymization. It makes data identifiable if needed, but inaccessible to unauthorized users and allows data processors and data controllers to lower the risk of a potential data breach and safeguard personal data.

GDPR requires you to take all appropriate technical and organizational measures to protect personal data, and pseudonymization can be an appropriate method of choice if you want to keep the data utility.

The owner of lemmy.one can use [email protected] to map it to an IP and/or email address. This becomes now personally identifiable data. But other instance owners can't map it to any personalized data, so it is basically "anonymized data" for them.

You just have to provide a way to either

  • To delete personally identifiable data
  • Unlink the personally identifiable data from the pseudonymized data on your local instance.

Disclaimer, IANAL, YMMV, yaddy, yadda,...

[–] [email protected] 1 points 2 years ago

Understood, missed that subtelty. The fact emails aren't actually shared makes it very GDPR "friendly"

load more comments (1 replies)
load more comments (1 replies)