
GDPR, discussion about the data privacy statement (General)

by Auge ⌂, Wednesday, April 25, 2018, 20:13 (2191 days ago) @ Martin66

Hello

Because the "General Data Protection Regulation" (GDPR) of the European Union (EU) is not only relevant for the German audience, I'll write here in English. I will split the different tasks into different postings, so that the discussions about forgotten points, steps to take and so on are also split.

A forum operator has to follow the rules of the GDPR if and when her/his forum is mainly directed towards an audience of citizens of the member countries of the EU, even if the operator is not an inhabitant of one of the member countries of the EU and/or the forum server is not located in the EU. The GDPR dictates several rights of the audience (in our case) and, in connection with that, several responsibilities for a service provider, in our case a forum operator.

The data privacy statement a forum site should provide:

List of collected data (current status):

- The server hoster could collect data on its own. A forum operator normally has no influence on the data collection of the server hoster, but she/he has to inform the visitor about the collection and the details of its coverage.

- During a forum visit without posting, the script sets three cookies: a session cookie that gets deleted after the browser session ends (closing the browser program), a cookie with the timestamp of the last visit to the forum and a cookie with user settings. The last two cookies get stored for 30 days (default behaviour; the period can be changed by a forum administrator). Additionally the forum software stores the IP address and the timestamp of a browser request for a few minutes (default: 10 min.) to count the users that are visiting the forum (online users). These data get removed from the forum's database ten minutes after the last request from the same IP. The forum stores no further data about the visitor on the forum server.

- When a visitor registers a user account, she/he is required to provide a user name/a pseudonym for identification, an e-mail address for verification and notification e-mails and a password for login. Additionally the IP of the registering user gets stored and will be deleted after the number of hours defined with the setting delete_ips (if delete_ips > 0, i.e. enabled).
- The password is stored only in its encrypted form and is not readable for any visitor of the forum and is also not readable for the forum admin.
- The user decides if she/he wants to be contactable via the given e-mail address. The e-mail address itself will not be provided to forum users and visitors. A forum administrator is able to see the e-mail address.
- The user is furthermore able to give optional data like a website URL, her/his birthday, her/his location, the real name and her/his gender. Further data can, but need not, be provided in the signature and the profile. A user is able to inspect all provided data and is able to delete all of the optionally given data.

- When a registered and logged-in user creates an entry, no further personal data is requested. Personal data that get displayed with the entry are extracted from the user data.

- When a visitor creates an entry without login, she/he is required to provide a user name/a pseudonym. The user is furthermore able to provide an e-mail address and a URL for a website; giving these data is not mandatory. The given data will be stored until the entry gets deleted. The IP address gets stored to make abuses traceable. The IP addresses get deleted after a time of X days, if the setting delete_ips is enabled (delete_ips > 0).

- When submitting a posting as a visitor or a registered user, but not as a moderator or an administrator, it might be the case that data get sent to third parties. The administrator of a forum can enable plugins to check posting data for spam prevention. The third-party services available by default, which send data to the service provider, are:
  - Akismet: sends the user name and entry text as well as the e-mail address and homepage URL if provided
  - Stop Forum Spam: only the e-mail address gets sent, if provided

- If a user deletes her/his user account, all data with the exception of the user name/the pseudonym gets deleted from the forum. The user name will remain because the entries of the former forum member need the declaration of a user name. If one wants to hide the previous user name, she/he must change the user name before the deletion of the account. A user therefore has to put a request for the user name change to an administrator. The content of the entries themselves will not be altered.

- With the use of the contact form, regardless of whether the forum operator or a different user is contacted, all input gets transmitted to the recipient of the e-mail. No further data gets stored on the forum server.

This is what the software collects. Please add things I forgot. The collection above is no legal phrasing, but the contained information must be given to the visitors of a site.

If a forum operator collects additional data (Piwik, Google Analytics, ads, whatever), the information about the data-collecting services would be further additions to the data privacy statement.

To formulate a model for a data privacy statement is not the task of the maintainer team. The GDPR is a regulation in EU law and doesn't need to be transferred into national legislation. Therefore it is a valid law act in itself. But the EU countries can provide differing regulatory statutes, so we cannot know all possible corner cases. Furthermore the software itself can be configured in different manners; we can't take into account a universal formulation with all its corner cases. And last but not least, (not speaking for the other team members) I am not able to phrase legal notes in my mother tongue and not at all in a foreign language.

So it's up to you as the forum operators to phrase, or have phrased, your own data privacy statement matching your own case.

Tschö, Auge

--
Trenne niemals Müll, denn er hat nur eine Silbe!
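As an added illustration of the retention rules the post lists (not code from my little forum, and not written by the post's author), the following Python model applies them to constructed sample data: an online-user table whose IPs expire ten minutes after their last request, entry IPs that are deleted once they are older than delete_ips hours, and no deletion at all when delete_ips is 0. The class and method names, the sample IPs (documentation range) and the timestamps are assumptions; only the retention periods and the delete_ips semantics come from the post. The inventory method shows the kind of "what do we currently hold" listing a privacy statement or an access request has to be answered from.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Added illustration of the retention rules described in the post above.
# Not code from my little forum: the class and method names are assumptions;
# only the 10-minute online window and the meaning of delete_ips (hours,
# 0 = disabled) are taken from the post.
ONLINE_WINDOW = timedelta(minutes=10)


@dataclass
class Entry:
    author: str                 # user name / pseudonym displayed with the entry
    text: str
    created: datetime
    ip: Optional[str] = None    # None once the retention job has deleted it


@dataclass
class Forum:
    delete_ips: int = 0                                        # hours; 0 disables
    entries: List[Entry] = field(default_factory=list)
    online: Dict[str, datetime] = field(default_factory=dict)  # ip -> last request

    def record_request(self, ip: str, now: datetime) -> None:
        """Remember the requesting IP and its timestamp for the online counter."""
        self.online[ip] = now

    def purge_online(self, now: datetime) -> int:
        """Remove IPs whose last request is older than the online window."""
        stale = [ip for ip, last in self.online.items() if now - last > ONLINE_WINDOW]
        for ip in stale:
            del self.online[ip]
        return len(stale)

    def count_online(self, now: datetime) -> int:
        """Number of online users after expiring stale IPs."""
        self.purge_online(now)
        return len(self.online)

    def scrub_entry_ips(self, now: datetime) -> int:
        """Delete entry IPs older than delete_ips hours; no-op when disabled."""
        if self.delete_ips <= 0:
            return 0
        cutoff = now - timedelta(hours=self.delete_ips)
        scrubbed = 0
        for entry in self.entries:
            if entry.ip is not None and entry.created <= cutoff:
                entry.ip = None
                scrubbed += 1
        return scrubbed

    def personal_data_inventory(self) -> Dict[str, List[str]]:
        """IP addresses currently held, split by where they are stored."""
        return {
            "online_ips": sorted(self.online),
            "entry_ips": sorted({e.ip for e in self.entries if e.ip is not None}),
        }


def demo() -> dict:
    """Run the rules over constructed sample data (IPs from the documentation range)."""
    now = datetime(2018, 4, 25, 20, 13)
    forum = Forum(delete_ips=24)
    forum.record_request("192.0.2.1", now - timedelta(minutes=3))
    forum.record_request("192.0.2.2", now - timedelta(minutes=15))   # older than 10 min
    forum.entries.append(Entry("alice", "old post", now - timedelta(hours=30), "192.0.2.10"))
    forum.entries.append(Entry("bob", "fresh post", now - timedelta(hours=2), "192.0.2.11"))

    online = forum.count_online(now)        # 192.0.2.2 expired -> 1 online user
    scrubbed = forum.scrub_entry_ips(now)   # only the 30-hour-old entry -> 1
    inventory = forum.personal_data_inventory()

    # With delete_ips = 0 the IP is retained regardless of age, as the post says.
    disabled = Forum(delete_ips=0, entries=[
        Entry("carol", "very old post", now - timedelta(days=400), "192.0.2.12")])
    kept = disabled.scrub_entry_ips(now)    # 0 scrubbed

    return {"online": online, "scrubbed": scrubbed, "inventory": inventory, "kept": kept}


if __name__ == "__main__":
    print(demo())
```

The point of the disabled case is that a delete_ips of 0 leaves every entry IP in the database indefinitely, so an operator who keeps the default has to say so in the statement; the inventory output is what makes that visible.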

Tags:
2016/679, GDPR, DSGVO, data privacy statement, Datenschutzerklärung
