Open Closed

GDPR Compliance, Right to be Forgotten, Consent, Cookies #1810


User avatar
0
michal.cadecky@m2ms.sk created

Hello! This is going to be a longer topic with some questions and some feature requests. The company I am working for is using ABP Platform (with Commercial/Pro modules) for creating and deploying customized applications for customers which are obliged to be GDPR compliant when working with user data. Therefore we as a supplier are required to provide necessary means to fullfil all legal requirements. I understand this is more about the relationship between our customers and their users but this is something I consider to be general feature that shall be part of platforms like ABP is. In general the GDPR topic is quite complex so I will try to address some of the relevant parts.

1. GDPR Compliance

I don't want to really go into details of the GDPR rules and compliancy but my questions here is if the ABP teams did some research and already addressed some of the GDPR requirements? I have seen there are lot of information been processed and stored about users (either identity level or logs - system log files or auditing/entity changes). This data definitely requires consent from users and I haven't seen any features or documentation regarding this. Is there at least any list with all the user data being processed and stored (database, files, logs, cookies)?

2. Right to be Forgotten

Special part of the GDPR rules is the "Right to be Forgotten" or the "Right to erasure". Any user can ask the service provider to remove his/her user data (or anonymized in a way that the leftover data cannot be connected to the user in any way utilizing 3rd party databases). The ruling is much more complex and there are exceptions when the user does not have this right - but that is up to the service provider to determine. This is more of a feature request - it would be very nice if ABP could provide functionality that will either remove or at least anonymize personal data of a specific user from all existing data sources (excluding backups - there are special rules for that one). Data allowing anyone to uniqually identify the person - name, address, email address, phone number, IP address (it is considered as personal data in some countries), etc. This is something we had already addressed in our previous platform before moving to ABP.

3. Consent and Cookies

I know there is a possibility to utilize Consent functionality of IdentityServer4 but it would be really nice if e.g. Identity module could provide this kind of consent functionality out of the box (consent page redirection and configuration). Same logic applies to consent regarding the cookies. I have seen that other product of Volosoft - ASP.NET Zero already supports it. With upcoming version of ABP it would be a really nice addition, if this kind of features will be supported.

I understand these features will require time to be introduced to ABP, if the ABP team decides to support it. We are open for participation or contributions but we will definitely require support, expertise and cooperation of ABP team, if the ABP team has the possibility to provide it.

I'm quite surprised that there are only few questions regarding the GDPR in the support forum. This has become a really large thing in the EU and many companies are still dealing with proper implementation of the whole GDPR process and its requirements. Anyway thanks for reading and I am looking forward to any replies.


3 Answer(s)
  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    See https://support.abp.io/QA/Questions/896/SuggestionFeature-request--GDPR---data-retention-schedules

    We have an internal issue about GDPR, but there is no development plan.

  • User Avatar
    0
    michal.cadecky@m2ms.sk created

    Thank you. I had seen the provided link before I have started this thread. Yes, I understand that this is something already in your backlog with a (probably) low priority. That is why we would like to rise attention to this feature and kindly ask for your support and cooperation.

    There are several more questions in the original post so I would also like to ask you, if you could take a look on them as well. Thanks!

  • User Avatar
    0
    alper created
    Support Team Director

    Hi and thanks for your feedback. This feature request is still at the backlog but we can move it to v5.1. Why nobody asks this! because it's a high level request and it's up to the project owner whether to support GDPR. There's no limitation to do all these on your side. When we implement this feature, the hard side is customization! Every single option will be asked to customize in the future. Eg: "I want to change the cookie consent sentence and add extra links, optional consent options etc..." . By the way I can share you this issue's analyze information:


    The user data is stored in the following environments

    File system:

    User-specific texts are inside the flat log text file. Logs/*.txt (search for specific logs when updating/creating a user)


    DB Tables:

    AbpUsers:

    Username, Name, Surname, Email, Phone number, Profile picture

    AbpAuditLogs:

    ClientIpAddress, Username

    AbpAuditLogActions:

    | ServiceName | MethodName | |--------------|------------| | Volo.Abp.Account.AccountAppService | RegisterAsyncAbpEntityPropertyChanges | | Volo.Abp.AspNetCore.Mvc.Localization.AbpLanguagesController | Switch | | Volo.Abp.Identity.IdentitySecurityLogAppService | GetMyListAsync | | Volo.Abp.Identity.IdentitySecurityLogController | GetListAsync | | Volo.Abp.Identity.IdentitySecurityLogController | GetMyListAsyncLog | | Volo.Abp.Identity.IdentityUserAppService | CreateAsync | | Volo.Abp.Identity.IdentityUserAppService | UpdateAsync | | Volo.Abp.Identity.ProfileAppService | UpdateAsync | | Volo.Abp.Identity.ProfileController | UpdateAsyncCulture |

    AbpEntityChanges:

    *.AppUser

    AbpEntityPropertyChanges :

    PropertyName field equals Username, Name, Surname, Email, PhoneNumber


    Claims:

    phone_number
    address
    email_verified
    email
    locale
    zoneinfo
    birthdate
    phone_number_verified
    gender
    picture
    profile
    preferred_username
    nickname
    middle_name
    given_name
    family_name
    name


    Functions:

    • Allow users to delete the personal data or allow only admins to delete the data
    • Allow users to download the personal data or allow only admins to delete the data
    • Show a cookie consent like This website uses cookies to ensure you get the best experience on the website. If you continue to browse, then you agree to our <cookie policy: link> - <Got It: button>.
Made with ❤️ on ABP v9.1.0-preview. Updated on November 11, 2024, 11:11