BlueOnyx Updates: GDPR/DSGVO

Posted by: mstauber Category: General

We just published another update for BlueOnyx 5207R, 5208R and 5209R which should aid BlueOnyx server owners in the task of complying with the new GDPR/DSGVO EU regulation.

At the end of April we had already published our GDPR/DSGVO update for BlueOnyx. However: In the meantime it came to our attention that our approach might not go far enough to satisfy German legislation.

Here is the deal: German lawmakers are basically retarded and create arbitrary laws. They introduce new laws with outrageous fines, but fail to specify exact parameters within which the new laws apply. Take the DSGVO (which is what the GDPR is called in German) and think about server logfiles. Nowhere in the letter of the law does it expressly state that server logfiles fall under the GDPR, nor how long these logfiles may be retained. They fall under the broad scope of "personal data" due to the included IP addresses. But the law doesn't state how many days we may keep them. The French seem to be fine with three months of logfiles from what I've heard, other countries say two weeks, and *we* assumed two weeks would be reasonable. Personally I am of the opinion that one week of logfile retention is not enough, but that's just my opinion.

Here is the dealbreaker as far as German BlueOnyx operators are concerned:

A German client sued a German ISP through all levels of court, starting at the Landgericht Darmstadt until the case landed squarely at the BGH. The relevant court ruling (BGH · Urteil vom 3. Juli 2014 · Az. III ZR 391/13) states that, under the circumstances of that case, it is fine to keep server logfiles for up to 7 days. That's where the "7 day rule" comes from.

However: § 100 Abs. 1 TKG does state that up to six months of traffic data ("Verkehrsdaten") may be retained in justified cases. The crux here is "legitimate interest", and that really has to be decided on a case-by-case basis.

A legal expert was of the opinion that the storage of access and error logs beyond a duration of 7 days must be backed up by a reasonable legal justification (Art. 6 para. 1 lit. f DSGVO), and the data protection declaration must expressly state the legitimate interest that led to storing logfiles longer than 7 days. Nobody in his right mind is willing to take his special case to court, so everyone seems to settle on the "7 day rule" instead.

So that is why every German operator is now scrambling to make sure they keep logfiles for no longer than 7 days.

To aid with that we just modified the GUI page "System Settings" / "Data Retention" to add the switch "Server Logfile Retention". It allows you to switch your BlueOnyx from the default logfile retention of 14 days to a different retention period (1-90 days). So German BlueOnyx operators can now configure their servers to keep no more than 7 days of logfiles in /var/log/*.
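Setting the retention switch is one half of the job; verifying that nothing older than the chosen period actually survives under /var/log is the other. The audit below is an added example and not part of BlueOnyx or this post: it assumes only that rotated copies stay inside the same directory tree and that a file's modification time is a fair proxy for its age, and it reports any file older than the configured number of days.

```shell
#!/bin/sh
# Added example (not BlueOnyx code): audit a log directory for files
# retained longer than the configured retention period.
# Usage: check_log_retention /var/log 7
# Prints each offending file; returns 0 if compliant, 1 if stale files
# exist, 2 on bad arguments.
check_log_retention() {
    dir=$1
    days=$2
    # Guard against a missing directory or a non-numeric retention value
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    case $days in
        ''|*[!0-9]*) echo "retention must be a whole number of days" >&2; return 2 ;;
    esac
    # -mtime +N matches files modified more than N*24h ago. Rotated copies
    # (access_log.3, messages-20180517, *.gz) live in the same tree and
    # count as retained data, so no name filtering is applied.
    stale=$(find "$dir" -type f -mtime +"$days" 2>/dev/null)
    if [ -n "$stale" ]; then
        printf '%s\n' "$stale"
        return 1
    fi
    return 0
}

# Number of stale files; convenient for a monitoring check or cron mail
count_stale_logs() {
    find "$1" -type f -mtime +"$2" 2>/dev/null | wc -l | tr -d ' '
}
```

Run it from cron after the nightly rotation so a misconfigured rotation job shows up the morning after, not at the next audit.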

It's the first switch shown in this GUI screenshot:

May 24, 2018 Category: General Posted by: mstauber