General Data Protection Regulation #777
I think email shouldn't be saved as invitee hasn't consented, so probably email may be used to send invitation but it should be cleared from db once email is sent. Then, accept invitation should ask for email again, or email could be added to accept invitation link, so user can accept without entering email again. Probably, it would be better done saving data into new invitations table, as requested in #228
I like the idea of having the email be a parameter in the invitation link. It would allow you to delete it from the database. I think with GDPR having a separate table is going to help people feel more comfortable with it. Personally I would just create a cron job for deleting emails. I haven't read anything that says how long you can store it for. I plan to store the invitation email for a while so I can send out follow-ups automatically in the event that they haven't responded in a week. I still plan to delete the email after a month which sounds like it would still be complying with the "rule".
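The link-parameter idea from the two comments above, as an added example that is not part of the thread or the gem's own code: the email travels in the accept-invitation link inside an HMAC-signed, expiring token, so the server can verify it without keeping an email column. The module name, secret, token layout and one-month lifetime are assumptions made for illustration.

```ruby
require "openssl"
require "json"

# Hypothetical helper, not part of the gem discussed in this issue.
module StatelessInvite
  SECRET = "constructed-demo-secret" # assumption: real apps load this from credentials
  TTL = 30 * 24 * 3600               # assumption: one month, the figure used in the thread

  module_function

  def sign(data)
    OpenSSL::HMAC.hexdigest("SHA256", SECRET, data)
  end

  # Constant-time comparison so the check does not leak how many MAC chars matched.
  def secure_eq?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Returns the token to embed in the accept-invitation URL.
  # The payload is hex-encoded JSON, which is URL-safe without escaping.
  def issue(email, now: Time.now)
    claims = JSON.generate("email" => email, "exp" => now.to_i + TTL)
    payload = claims.unpack1("H*")
    "#{payload}.#{sign(payload)}"
  end

  # Returns the email if the token is authentic and unexpired, otherwise nil.
  # The MAC is checked before the payload is decoded or parsed.
  def verify(token, now: Time.now)
    payload, mac = token.to_s.split(".", 2)
    return nil if payload.nil? || mac.nil?
    return nil unless secure_eq?(mac, sign(payload))
    claims = JSON.parse([payload].pack("H*"))
    claims["exp"] > now.to_i ? claims["email"] : nil
  rescue JSON::ParserError
    nil
  end
end
```

The token is signed, not encrypted, so the address is still readable by anything that logs or stores the URL.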
@Willardgmoore I'm far from an expert but I think if the user hasn't consented to their email being stored (which given someone else is inviting them is almost certainly the case) then it would be breaking GDPR.
Devise invitable asks one user to invite another (invitee). Given the invitee hasn't consented to giving their email (or name) I wondered if you or anyone else has an opinion on if storing the user's email is in breach of General Data Protection Regulation (GDPR) use of Personal Data. If yes (or even maybe) then it might make sense to add something to the Readme warning others about this.