
Compatibility with GDPR #16

Open
avillegasn opened this issue Dec 13, 2018 · 4 comments
Labels
question Further information is requested

Comments

@avillegasn
Collaborator

We need to check if we need to do something about it in the camptix-invoices plugin.

avillegasn added the "question: Further information is requested" label Dec 13, 2018
@iceablemedia
Member

From what I understand about GDPR, I don't think *we* need to do anything *in the plugin*, but site owners (and WordCamp Central in the case of wordcamp.org) will definitely need to have a GDPR-compliant privacy policy which takes into account:

  • The personal data involved in the invoicing process for each attendee (name, email address, invoicing street address, vat number if applicable)
  • The fact that these are stored in the website's database
  • That they are not shared with anyone, and only the site owner (event organizer(s)) and related ticket owners have access to them
  • For the purpose of providing an invoice to attendees who request one during purchase
  • For probably X weeks/month after the event (to be determined by the site owner / event organizer)

Maybe we can add a notice as a reminder about these in the plugin or its documentation?

About the last point, I wonder if camptix allows deleting tickets/attendees information at some point after the event. If so, we could allow invoices and associated data to be deleted at the same time. Otherwise, we could leave it to the site owners to manage data on their site and delete it when appropriate.

@iandunn

iandunn commented Feb 19, 2019

I can't think of any implications GDPR has in this context, since we're not collecting any additional data, or providing it to any new parties. @coreymckrill, @vedanshujain, can you think of anything?

@coreymckrill

It looks like there is potentially some additional data that this plugin collects that we'd need to include in data export/erasure requests.

  • Email address that the invoice will be sent to. Assuming this is generally the email address of the ticket purchaser, who is usually an individual rather than a business.
  • Street address that gets included in the invoice document that is created. Assuming this is generally the street address of the ticket purchaser, who is usually an individual rather than a business.
  • VAT number?

We'll need to make sure those fields get hooked into the relevant wp_privacy_ hooks.
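As an added illustration (not code from camptix-invoices or any of the commenters), this is how the three fields listed above could be registered with WordPress's `wp_privacy_personal_data_exporters` filter so they appear in a personal data export request. It assumes a hypothetical lookup helper `camptix_invoices_find_by_email()` that returns the plugin's invoices for an email address; the real storage layout is not described in this thread.

```php
<?php
// Added example: hook invoice fields into the WordPress personal data export flow.
// Assumption: camptix_invoices_find_by_email( $email, $page, $per_page ) is a
// hypothetical helper returning an array of invoices, each with the keys
// 'id', 'email', 'street_address' and 'vat_number' (the last may be empty).

add_filter( 'wp_privacy_personal_data_exporters', 'camptix_invoices_register_exporter' );

function camptix_invoices_register_exporter( $exporters ) {
    $exporters['camptix-invoices'] = array(
        'exporter_friendly_name' => __( 'CampTix Invoices', 'camptix-invoices' ),
        'callback'               => 'camptix_invoices_personal_data_exporter',
    );
    return $exporters;
}

// WordPress calls this repeatedly, incrementing $page, until 'done' is true.
function camptix_invoices_personal_data_exporter( $email_address, $page = 1 ) {
    $per_page     = 100;
    $invoices     = camptix_invoices_find_by_email( $email_address, $page, $per_page );
    $export_items = array();

    foreach ( $invoices as $invoice ) {
        $data = array(
            array( 'name' => __( 'Invoice email', 'camptix-invoices' ),  'value' => $invoice['email'] ),
            array( 'name' => __( 'Street address', 'camptix-invoices' ), 'value' => $invoice['street_address'] ),
        );
        // VAT number only applies to some attendees; omit the row when it is absent.
        if ( ! empty( $invoice['vat_number'] ) ) {
            $data[] = array( 'name' => __( 'VAT number', 'camptix-invoices' ), 'value' => $invoice['vat_number'] );
        }
        $export_items[] = array(
            'group_id'    => 'camptix-invoices',
            'group_label' => __( 'Invoices', 'camptix-invoices' ),
            'item_id'     => 'invoice-' . $invoice['id'],
            'data'        => $data,
        );
    }

    return array(
        'data' => $export_items,
        'done' => count( $invoices ) < $per_page,
    );
}
```

The exporter is read-only: it surfaces the stored fields without altering issued invoices, which keeps it separate from the erasure question raised later in the thread.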

@avillegasn
Collaborator Author

I've added the code that adds invoice data in the data export request. But for the erasure request, I'm not sure if it is legally correct to allow erasing/anonymizing invoices. As far as I know, invoices shouldn't change/be removed once they are issued (even if a person asks us to do it). Let me know what you think about this @coreymckrill
