Our core policy, in layman's terms, is:
We don't want or need your data.
Content vs. Personally Identifiable Data: We identify content as willingly provided and becoming a central part of the platform. It is at the user’s discretion if they provide their real name or not (except in the case of code contributions). By submitting content, you agree that it will remain part of the target platform (i.e. Phabricator) as long as it is consistent with community guidelines (in which case we may remove offensive content).
Contributions: We require code contributions to be made under an identifiable name, for the purposes of security audits and git history. Additionally, submitting code is understood to be within compliance with the software license of the project in question, and is outside the purview of the GDPR. When submitted, code contributions form a static part of the git history of a given project and cannot be removed. They can only be removed from the used code and git tree, and will not be removed unless there is a valid, software-engineering reason to do so (i.e. compliance, usefulness).
1. Data protection principles
Serpent OS is committed to processing data in accordance with its responsibilities under the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR).
Article 5 of the GDPR requires that personal data shall be:
a. processed lawfully, fairly and in a transparent manner in relation to individuals;
b. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
c. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
d. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
e. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
f. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
3. Lawful, fair and transparent processing
a. To ensure its processing of data is lawful, fair and transparent, Serpent OS shall maintain a Register of Services.
b. The Register of Services shall be reviewed at least annually.
c. Serpent OS services are defined as its primary website, its Tracker and its downloads (packages + OS Image Files).
d. Individuals have the right to access their personal data and any such requests made to Serpent OS shall be dealt with in a timely manner, in line with Article 15 of the GDPR.
4. Lawful purposes
a. All data processed by Serpent OS must be done on one of the following lawful bases: consent, contract, legal obligation, vital interests, public task or legitimate interests.
b. Where consent is relied upon as a lawful basis for processing data, evidence of opt-in consent shall be kept with the personal data.
c. Where communications are sent to individuals based on their consent, the option for the individual to revoke their consent should be clearly available and systems should be in place to ensure such revocation is reflected accurately.
5. Data minimisation
a. Serpent OS shall ensure that personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
a. Serpent OS shall take reasonable steps to ensure personal data is accurate.
b. Where necessary for the lawful basis on which data is processed, steps shall be put in place to ensure that personal data is kept up to date.
7. Archiving / removal
a. Serpent OS will ensure that personal data is kept for no longer than necessary.
b. Serpent OS cannot delete content in many cases, and will not attempt to do so, unless it is not in compliance with community guidelines (i.e. offensive content). Instead Serpent OS can delete associated data, by ghosting an account, and therefore removing all personally identifiable information. This is applicable only to our content platforms, as our other services have no access to any kind of personally identifiable information. For user account deletion, it is not feasible to achieve this with Phabricator, as it becomes a core part of the state and working tree. Instead, Serpent OS will ‘ghost’ an account, by removing any personally identifying information such as the account username or ‘real name’ field, and deactivating the account against further login attempts. Serpent OS cannot, and will not, modify any content containing personally identifying information that the user has submitted, as it would invalidate the history of discussions and software development.
c. Serpent OS services and server network do not deliberately collect any identifying information. Serpent OS only provides online services over HTTPS (SSL) and at most the servers create automatic access logs with the IP address and timestamp. These logs are only used in short-term analysis to detect any malicious activity from bad actors and potential security breaches. No personally identifying information is attached to the log files and they are automatically purged within a 4-week window.
8. External Content
At times, we may link to or include third-party content on our website. These include, but are not limited to:
a. Serpent OS shall ensure that personal data is stored securely using modern software that is kept up to date.
b. Access to personal data shall be limited to personnel who need access and appropriate security should be in place to avoid unauthorised sharing of information.
c. When personal data is deleted this should be done safely such that the data is irrecoverable.
d. Appropriate back-up and disaster recovery solutions shall be in place.
In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, Serpent OS shall promptly assess the risk to people’s rights and freedoms and if appropriate report this breach to the relevant Data Protection Authority, usually the Irish Data Protection Commission.
END OF POLICY
Please note this page has been written without legal consultation, and sets out the policies we intend to operate by. If you find issues with this policy, or have any questions in general with the policy, please contact the Data Protection Officer.