
Question New EU rule GDPR

Jonas N

Basic Pleskian
Plesk Certified Professional
Hi all.

In Sweden we are talking a lot about the new data protection law, "Complementary provisions to the EU Data Protection Regulation" (SOU 2017 39).

Is this something that Plesk has in mind now?
What is your feedback regarding this? And how are all other web hosting companies handling this?
Please share your thoughts!
 
Hi Jonas N,

If you could reference an English translation (I could only find a Swedish "SOU 2017 39"), or reference the actual EU law with a link from Brussels, you might reach far more people for a potential discussion. ;)
 
Hi UFHH01 !

Sorry, my bad:
Home Page of EU GDPR

This new EU law will affect all EU countries, and also countries outside the EU. A company that handles personal information regarding customers must have a plan for how it handles this information, even if you do not "own" the system or if the system is placed in China. You, as the service supplier, have to know what to do.
 
We are aware of this law, and at the moment it is under our consideration. That's all that I can say.
 
Thanks for the reply.
I hope that Plesk will give out some more feedback regarding this topic.
This will be something that all companies that have EU customers need to look into.
 
Dear Pleskians,

I should note that, first of all, in this conversation we need to separate the concepts of company and software. The GDPR applies to the company, not to the software. Therefore, speaking from the point of view of the company, Plesk is working on its compliance with GDPR and expects to finish this work by the deadline.
Speaking from the point of view of your business in the legal field of Europe where Plesk is used, you should carefully study the GDPR itself and prepare the relevant documentation in your company for compliance with the GDPR.
In any case, we are working on an explanatory document, which we are going to publish after a while.
 
It would be very much appreciated if such a document from Plesk were released very soon, so that there is enough time to get the required steps done.

One issue which is important for companies, at least in Germany, is the requirement to provide a link to pages that contain the imprint (see for instance Impressum im Internet: Was gilt es zu beachten?) and details about data privacy (which is then related to the GDPR). So far, I do not see an option for Plesk to display these links on every page of the panel (even when logged out!). Are there plans to get this implemented? That would mean that the panel has some options where I can define, let's say, custom links that are displayed (e.g., in the footer) on every (!) page, and where I can for instance define both the name of the link and the target URL.
 

Hello,
I may be wrong, but the document seems to refer to how Plesk handles the data of its customers.
It would be important to know also which tools or which native functions Plesk (Onyx in my case) makes available so that we can correctly manage the data of our customers.

I would also like to know how to protect data from unauthorized access to the server if this is, for example, hosted by a provider.

Thanks in advance
 
Hello,

To be compliant with the upcoming EU privacy laws, we need to exclude all personal information from each and every Plesk log. This especially holds for IP addresses (apache, nginx, smtp, imap, ...) and usernames.

Is there a guide for doing so?

Thanks, Jan
 
Hello,

Under GDPR it is in almost no case necessary to remove IP addresses from log files. Most logging won't even make sense to do at all when the IP address is removed. I recommend to read this article. It pretty much sums it up and explains why providers can and will continue to store logs: EU GDPR and personal data in web server logs – Ctrl blog

I disagree:
The article clearly points out which personal information is included in the server logs.

Technically, I'm allowed to store personal information for "detecting and preventing fraud and unauthorized access and maintaining the security of your systems."

However, having a vServer for really small sites, I'm able to provide neither the technical infrastructure for securing access (four-eyes principle, etc.) nor the legal aspects (privacy policy).
Thus, I don't want to collect any kind of personal data.

Greetz, Jan
 
I have to contradict that too.
There are several log files here. The server's own may be stored for a maximum of 14 days retroactively without anonymization. Then the IP address must be anonymized or the files deleted.

The situation is different with the log files for the customers. These must be immediately anonymized. Otherwise, the hosting provider is committing a criminal offense and can be held liable under the new law.


Sent from iPhone with Tapatalk
 
The server's own may be stored for a maximum of 14 days retroactively without anonymization.
Please quote the passage from GDPR where this is required.

The situation is different with the log files for the customers. These must be immediately anonymized.
Please quote the passage from GDPR where this is required.

Otherwise, the hosting provider is committing a criminal offense and can be held liable under the new law.
Rubbish.
 
Not rubbish! Please read Art. 82 para. 1 DSGVO/GDPR!

1. Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.

You are the processor!

Please quote the passage from GDPR where this is required.
IP addresses may only be stored if they are required for security. The log files of the customers under /var/www/vhosts/system are clearly not included.
Art. 6 para. 1 DSGVO/GDPR!

If so, the customer must give the processor a legitimate interest. Since you are the processor, the customer tells you what to do with the data; you must not decide for the customer! Otherwise you can be held liable.

The protection of legitimate interests may, for example, justify the temporary storage of the IP addresses of website visitors, if necessary to ensure the security of the website against attacks. Usually, however, storing IP addresses for these purposes should take no longer than 7-14 days. Adequate storage period!

Since you cannot assess whether there is a legitimate interest here, the customer must give the order. For this reason, the IP addresses of visitors are not allowed to be stored just like that.

These are roughly the requirements for shared hosting.

Plesk was supposed to develop new instruments that meet this requirement.
 
First of all, it is not a criminal offense but, if it comes to a court ruling, a civil case. Second, "who has suffered" means that only if storing log files causes damage to a person CAN a processor be held liable. It is not a prerequisite, nor does it mean that hosting providers must discontinue storing log files.

Regarding your second argument, "if they are required for security": that is exactly the case. They are, because otherwise it becomes impossible to block brute-force attacks. There is no section in GDPR saying that log files under /var/www/vhost/system are not permitted.

Further, what an "adequate" storage period is, is not defined either. If it is necessary for other purposes such as tax laws, criminal prosecution, security and others, "adequate" can be longer than 14 days, for example 30 days or even longer if required. "Adequate" only means that the log files ought not be stored longer than adequate.

You are welcome to share your opinion and live by your opinion. However, most others won't, including the Big A data centers that are hosting millions of accounts, including all well-known brands across Europe. And as for log file deletion: current log file rotation options enable you to delete log files as early as you like. You are also free to not store log files at all.
 
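Jan asked above how to get IP addresses and usernames out of the Plesk access logs, and the later posts argue about anonymizing after a 7-14 day retention period instead of keeping nothing at all. The script below is an added example for this thread, not Plesk's own tooling and not taken from the linked article. It masks every valid IP address in Apache/nginx combined-format log lines (IPv4 truncated to /24 and IPv6 to /48, an assumed choice of mask), blanks the authenticated-user field, and can apply this only to entries older than a retention window so that recent lines stay usable for brute-force blocking. The sample log lines are constructed for the example.

```python
"""Anonymize client IPs and the auth-user field in combined-format access logs.

Added example for this thread (not Plesk code).  Assumptions not from the
thread: IPv4 masked to /24, IPv6 masked to /48, combined/common log format
as Plesk writes it for vhosts.
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

IPV4_KEEP_BITS = 24   # assumption: keep network, zero the last octet
IPV6_KEEP_BITS = 48   # assumption: keep the /48, zero the rest

# Candidate IPv4/IPv6 tokens.  Every match is validated with ipaddress before
# it is replaced, so a timestamp fragment such as "2018:10:15:03" (not a valid
# address) is left untouched.
_CANDIDATE = re.compile(
    r"(?<![\w.:])"
    r"(?:(?:\d{1,3}\.){3}\d{1,3}|(?:[0-9A-Fa-f]{0,4}:){2,7}[0-9A-Fa-f]{0,4})"
    r"(?![\w.:])"
)
# "client ident authuser [timestamp]" prefix of the combined log format.
_PREFIX = re.compile(r"^(\S+) (\S+) (\S+) \[([^\]]+)\]")
_TIMEFMT = "%d/%b/%Y:%H:%M:%S %z"


def anonymize_ip(text):
    """Return the address with its host bits zeroed, or the text unchanged
    if it is not a valid IP address."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return text
    bits = IPV4_KEEP_BITS if addr.version == 4 else IPV6_KEEP_BITS
    return str(ipaddress.ip_network(f"{addr}/{bits}", strict=False).network_address)


def anonymize_line(line, drop_user=True):
    """Mask every IP address in the line; optionally replace the authuser
    field with '-'.  Usernames inside query strings are not handled."""
    line = _CANDIDATE.sub(lambda m: anonymize_ip(m.group(0)), line)
    if drop_user:
        line = _PREFIX.sub(lambda m: f"{m.group(1)} {m.group(2)} - [{m.group(4)}]", line)
    return line


def entry_time(line):
    """Timestamp of a combined-format entry as an aware datetime, or None."""
    m = _PREFIX.match(line)
    if not m:
        return None
    try:
        return datetime.strptime(m.group(4), _TIMEFMT)
    except ValueError:
        return None


def anonymize_older_than(lines, now, retention_days=14):
    """Anonymize entries older than the retention window; keep younger ones
    verbatim (still usable for abuse handling); lines that cannot be dated
    are anonymized to be on the safe side."""
    cutoff = now - timedelta(days=retention_days)
    out = []
    for line in lines:
        ts = entry_time(line)
        out.append(anonymize_line(line) if ts is None or ts < cutoff else line)
    return out


# Constructed sample lines (documentation address ranges, fictitious user).
SAMPLE_LOG = [
    '203.0.113.42 - - [01/Jun/2018:10:15:03 +0200] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '2001:db8:85a3::8a2e:370:7334 - alice [10/Jun/2018:08:01:44 +0200] '
    '"POST /login HTTP/1.1" 302 0 "-" "curl/7.58"',
    '198.51.100.7 - - [14/Jun/2018:23:59:59 +0200] "GET /wp-login.php HTTP/1.1" '
    '403 199 "-" "python-requests/2.18"',
]

if __name__ == "__main__":
    now = datetime(2018, 6, 15, 12, 0, tzinfo=timezone(timedelta(hours=2)))
    for line in anonymize_older_than(SAMPLE_LOG, now, retention_days=14):
        print(line)
```

Run it from a cron job or a logrotate prerotate/postrotate hook over the rotated files under /var/www/vhosts/system (the per-domain logs subdirectory is assumed here). Note the trade-off the later posts argue about: once a line is masked to /24, fail2ban-style blocking can no longer act on it, which is why the retention-based variant keeps recent entries intact rather than anonymizing everything at write time.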