How to comply with GDPR Right of Access Article 15
In accordance with the GDPR, every data subject has the right to obtain confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, access to the personal data together with additional information regarding use and storage. This is covered by the "Right of access" described in Article 15. In short, this means that any user can request a copy of their processed personal data, as well as other supplementary information.
This information should be provided in a standardized electronic form and the following information should be included:
- A copy of the personal data undergoing processing
- Purpose of processing
- In particular, if automated decision-making or profiling takes place, and if so, the logic involved, significance and likely consequences of such processing
- Categories of data processed (e.g., name, address, online browsing behavior)
- Any third party recipients of this personal data, both backward and forward looking, especially recipients in third countries (i.e. countries outside of the EU)
- What safeguards are in place to protect the data being transferred
- Any third party sources of data subject’s personal data (i.e. not collected from the data subject directly, for instance by purchasing said data from another source that previously collected the data directly)
- How long such personal data would be stored, or if that’s not determinable, how the length of this period would be determined
Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
Inside a FotoWare system there are multiple places where personal data might be stored, depending on the system setup and the software being used. To help you comply with Article 15 of the GDPR, here is an overview of the possible data collections containing personal data and how to extract them.
Metadata in an asset might contain Personal information.
- Metadata (XMP/IPTC)
- "Uploaded by" for FotoWeb users
FotoWeb will automatically add personally identifiable data on upload, as files are automatically tagged with user data. The data recorded for each upload and automatically added to the metadata of a file is "Uploaded by" (Field ID 360), "Uploaded by full name" (Field ID 361) and "Upload time" (Field ID 362).
- History events for FotoStation users: History events are written to the file if History event logging is enabled (Field ID 231). For more information regarding the History event option please see: https://learn.fotoware.com/03_FotoStation_8.0/05_Adding_metadata_to_assets/File_history
The easiest way of finding this metadata is to search for, for example, the username/userID and export the metadata directly. FotoStation makes this task easy with its export text function, which works on a collection of files.
FotoWeb User database (MongoDB):
The MongoDB is the main FotoWeb database and it can, depending on use, contain personally identifiable data in the following collections:
- Registered user data
- Reset password
- Created by (Smart folders and Taxonomies)
- Export presets
- Crop presets
- Background tasks
- Auth Device tokens
- Auth Upload tokens
How to export all MongoDB data for single user:
The user information and user ID are defined as personal information. They are stored in a number of collections inside FotoWeb. All data registered for a single data subject in MongoDB can be exported by following the steps below, using the GDPR.pyc script (attached at the bottom of the page).
This will export all available data to a txt file in JSON format. Because the format is JSON, it is easy to create scripts/templates for displaying this to a user in your chosen form and format.
- Check your SITENAME inside Operation Center and "Settings" (it is always in capital letters, and the command is case sensitive).
- Check the username of the data subject in question.
- Copy the GDPR.pyc script to your FotoWeb server.
- Run the following command from a command prompt:
- "c:\program Files (x86)\FotoWare\FotoWeb 8.0\Python\python.exe" C:\pytest\gdpr.pyc <SITENAME> <username> <output path>
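One way to turn the exported JSON into a table that can be handed to the data subject, shown as an added example that is not part of the original page or of FotoWare's GDPR.pyc script. The layout of the real export is not shown on this page, so the sample document is constructed, and the `REVIEW_HINTS` list and the "needs_review" column are assumptions added here so that token or password fields can be checked before the file leaves the server.

```python
import csv
import io
import json

# Key-name fragments that suggest credential material (assumption, adjust to your export).
REVIEW_HINTS = ("token", "password", "secret")


def flatten(value, path=""):
    """Yield (path, scalar) pairs for every leaf of a nested JSON value."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield from flatten(child, f"{path}.{key}" if path else key)
    elif isinstance(value, list):
        for index, child in enumerate(value):
            yield from flatten(child, f"{path}[{index}]")
    else:
        yield path, value


def export_to_rows(json_text):
    """Turn the exported JSON text into (field, value, needs_review) rows."""
    rows = []
    for path, value in flatten(json.loads(json_text)):
        needs_review = any(hint in path.lower() for hint in REVIEW_HINTS)
        rows.append((path, "" if value is None else str(value), needs_review))
    return rows


def rows_to_csv(rows):
    """Render the rows as CSV text with a header line."""
    buffer = io.StringIO()
    writer = csv.writer(buffer, lineterminator="\n")
    writer.writerow(["field", "value", "needs_review"])
    for path, value, needs_review in rows:
        writer.writerow([path, value, "yes" if needs_review else "no"])
    return buffer.getvalue()


# Constructed sample; the real GDPR.pyc output layout is not shown on this page.
SAMPLE_EXPORT = """
{"users": [{"userName": "jdoe", "fullName": "Jane Doe", "email": null}],
 "authDeviceTokens": [{"device": "phone", "token": "CONSTRUCTED-VALUE"}],
 "exportPresets": [{"name": "Web JPEG", "createdBy": "jdoe"}]}
"""

if __name__ == "__main__":
    print(rows_to_csv(export_to_rows(SAMPLE_EXPORT)))
```

The flattening does not depend on any particular collection or field name, so it works on whatever structure the export actually contains.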
FotoWeb SQL database
The information registered in the SQL database for reporting purposes depends on the logging options set inside Site configuration, settings, logging. Note that searches are always logged. The following additional information can be logged, and may be turned off completely if not needed.
- Metadata edit
- Asset details
The following fields are enabled by default: login, download, workflow.
SQL logs can be flushed automatically. Please see SQL configuration documentation:
How to create a custom report to export all SQL data for a single user:
The FotoWeb Reports module can be found in the Operations Center and is configured per site. This makes it easy to create a custom report consisting of all data concerning a data subject.
How to set up the custom reports and what parameters to use:
- Go to Reports in Site Settings of your site.
- Click "Design report"
- The following settings should be used:
- Date.: Date to time
- Events: All
- Groups: All
- Columns: Enable all except preview, byline, source and title.
- On the column for “Username”, choose the “filter option”. Either choose the correct username or, in the option “Show rows with the value that”, choose “Is equal to” and type “User ID”, where “User ID” is the id number displayed in Operation Center. Click “filter”.
- Save the report and give it a name.
- Run the report for the user. You can extract the information as csv, html or xml, depending on what format is needed.
Webserver logging, FWEvents.log and Debug logs:
Log files might store user data such as login name and IP address, as well as more in-depth information if debug logging is enabled (debug logging should be enabled for debugging purposes only, and the logs deleted afterwards).
Even though logs may contain personal data, you may store personal data in your server logs for the limited and legitimate purpose of "preventing unauthorized access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems." To clarify, you can actually keep logs, but they should have restricted access, and can be deleted as soon as the information is no longer needed.
Since these are a number of text files, they can easily be searched with any text editor, such as Notepad++.
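For more than a handful of files, the same search can be scripted. The following is an added example, not part of the original page or of any FotoWare tooling: it collects every log line that names the data subject by username or IP address and matches whole tokens only, so that lines belonging to other users (for instance "joanna" when searching for "anna") are not pulled into the response. The log line formats, the `*.log` file pattern and the identifiers are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path


def build_matcher(identifiers):
    """Match any identifier as a whole token, case-insensitively."""
    # Look-arounds keep 'anna' out of 'joanna' and '10.0.0.5' out of '10.0.0.51'.
    alternatives = "|".join(re.escape(item) for item in identifiers)
    return re.compile(rf"(?<![\w.-])(?:{alternatives})(?![\w-]|\.\w)", re.I)


def read_lines(path):
    """Decode a log file, honouring a UTF-16 BOM and tolerating stray bytes."""
    raw = path.read_bytes()
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16").splitlines()
    return raw.decode("utf-8-sig", errors="replace").splitlines()


def find_subject_lines(log_dir, identifiers, pattern="*.log"):
    """Return (file name, line number, line) for each line naming the subject."""
    matcher = build_matcher(identifiers)
    hits = []
    for path in sorted(Path(log_dir).rglob(pattern), key=lambda p: str(p).lower()):
        for number, line in enumerate(read_lines(path), start=1):
            if matcher.search(line):
                hits.append((path.name, number, line.strip()))
    return hits


# Constructed sample lines; real FWEvents.log and web server formats will differ.
SAMPLE_LOGS = {
    "FWEvents.log": "2018-05-25 09:01:12 login user=anna ip=10.0.0.5\n"
                    "2018-05-25 09:02:40 login user=joanna ip=10.0.0.51\n"
                    "2018-05-25 09:05:03 download user=ANNA file=a.jpg\n",
    "access.log": '10.0.0.5 - - [25/May/2018:09:01:12] "GET / HTTP/1.1" 200\n'
                  '10.0.0.51 - - [25/May/2018:09:02:40] "GET / HTTP/1.1" 200\n',
}


def demo():
    with tempfile.TemporaryDirectory() as folder:
        for name, text in SAMPLE_LOGS.items():
            Path(folder, name).write_text(text, encoding="utf-8")
        return find_subject_lines(folder, ["anna", "10.0.0.5"])
```

Calling `find_subject_lines` with the real log folder and the subject's username and known IP addresses returns the lines to review; an IP address may be shared between users, so hits found by IP alone still need a manual check.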