The GDPR (General Data Protection Regulation) takes effect on 25 May 2018 and requires website owners to protect the privacy of their visitors in a restrictive way. This also affects the Joomla CMS and its extensions. Luckily, some of the Joomla core developers teamed up to create a privacy extension, which will be released with Joomla 3.9. More information can be found at the following links:
- https://github.com/joomla/joomla-cms/issues/20140
- https://github.com/joomla/joomla-cms/issues/20281
- https://github.com/joomla-projects/privacy-framework
Additionally, the Joomla extensions directory contains some helpful extensions to handle cookies and more. But GDPR also affects extension developers, especially when they have user-related workflows, as DPCalendar does with its event and booking system.
What does DPCalendar collect?
First of all, it does not collect IP addresses or use any other functionality which opens hidden connections to servers other than your Joomla site. DPCalendar has the following features which do open a connection to external systems. All of these are obvious to the site visitor and can be turned off in the DPCalendar options by a site admin:
- Google Maps
- Facebook share button
- Twitter share button
- Google Plus share button
- LinkedIn share button
- Xing share button
- Facebook comments
- Google Plus comments
- Captcha usage from the core
If you have Google Maps or any of the social media buttons activated in DPCalendar, then you need to mention that in your privacy article. You can find many text snippets on the internet which can be copied into your privacy statement. We do not reinvent the wheel here.
Every entity (event, booking, ticket, location) in DPCalendar has a relation to the user who created it and the user who last modified it. The important parts are the bookings and tickets. For these, the site admin can create menu items where the logged-in user can see their records and download and delete them if required.
How is external events integration affected by GDPR?
External events, such as those from Google Calendar, iCloud or MS Exchange, are fetched through their API from the Joomla web server. No user data is transmitted to the external systems, as the connection is made from the server and not from the client browser. For some time we cache this data on your web server, and while it is cached no connection at all is opened to the external server. The cached events are deleted automatically when they expire.
What can you expect in the future?
We are constantly expanding the features of DPCalendar, especially in the next version 7, which will be an overhaul of all views. We are also investigating ways to encrypt invoices. As soon as the Joomla privacy extension is merged into core, we will integrate DPCalendar with it for an even better user experience.
DPCalendar related text for your privacy statement
You can copy and paste the following text about the DPCalendar-related data into your privacy article. Keep in mind that it does not cover Google Maps or the social buttons. Please read the snippets carefully and extend them when you think we missed something. The following text snippets should get you started, and there is no guarantee that they are complete.
This applies only if you have activated the booking system or if you let your visitors create events on your calendar. When you provide your events in read-only mode, no extra privacy text is needed, as DPCalendar behaves the same way as when your visitor is reading an article.
If you have custom fields activated, then you need to mention them as well in the list of user data. If you have also activated a payment gateway like PayPal or Stripe, then you need to mention that in your privacy statement too.
Event author text
"Our event system collects no user data when you are browsing the events. When you as a visitor have permission to create events, a relation is established between the event and your user account. On the calendar profile page you can view your future events, which can be visited, downloaded and deleted. If you need to gather past event data, then you need to contact us through the contact form. No additional personal information is collected when you create an event."
Attendees text
"If you attend an event, then we collect the following information for the booking:
- Name
- Country
- County/Province/State
- City and zip
- Street and number
- Telephone
- Latitude/Longitude
If it is a paid event, then additionally the following information is collected:
- Transaction id of the payment gateway
- E-Mail address of the payment account
Different tickets are created for every booking. You can view and manage all of them on the account profile page here."
Disclaimer: This is not legal advice; we are not lawyers. If you are unsure or have questions about GDPR compliance, please consult a qualified lawyer.