I am no lawyer, but have been studying the impact of GDPR on a couple of other 
organisations I work with on a voluntary basis. I am treasurer of one, and use 
GnuCash for its accounts.

GDPR states that you must have a legal basis for holding data. It does not say 
that you need consent forms; that is simply one way of establishing a ‘legal 
basis’. If you need the data in order to fulfil your ‘contract’ with your 
customer, then you have a legal basis.

If you need their address in order to supply an invoice or guarantee, then I 
would say you have a legal basis.

If you are collecting it just for the hell of it and with a view to spamming, 
sorry, marketing to them later, then you do not have a legal basis unless they 
give permission. You will also have to provide a way for them to withdraw that 
permission and view the data. 

In other words, depending on your type of business, if you have no need to 
contact the customer once the transaction is complete, it is not wise to be 
collecting (spurious) data from them.

Of course, once the law comes into effect and it has been tested in the courts, 
we will find out what it really means. In the meantime, tread with care.

— 
Colin

> ------------------------------
> 
> Message: 11
> Date: Tue, 10 Apr 2018 12:51:08 +0100
> From: Mike Evans <mi...@saxicola.co.uk>
> To: gnucash-user@gnucash.org
> Subject: [GNC] GDPR and data held in GnuCash
> Message-ID: <20180410125108.1dc4d63a@saxicola>
> Content-Type: text/plain; charset=US-ASCII
> 
> Is everyone aware of the impact of GDPR on their customers'/vendors' data 
> stored within GnuCash?  I admit I've only just become aware of it and am 
> still puzzled as to what I should do to be compliant.
> 
> It seems I may have to either delete all my customer data or "repermission" 
> my existing customers and vendors in order to hold any data about them. I'm 
> not sure how GnuCash will behave if I delete customer data, given that I 
> can't do that via GnuCash and will have to "manually" edit my database (or 
> XML file in my case). I should probably file an enhancement request to add a 
> delete customer facility to GnuCash.
> 
> It may be only applicable if you hold data for the purposes of mailing list 
> marketing.
> 
> There may be issues if you back up or store your GnuCash data "in the cloud" 
> as this probably means moving data to servers based outside of the EU. In 
> which case it will have to be encrypted before transmission. I guess that 
> applies for server storage inside the EU too. Business users storing 
> unencrypted data in the "cloud" would fall foul of the regulations.
> 
> There's a Wikipedia article at 
> https://en.wikipedia.org/wiki/General_Data_Protection_Regulation 
> 
> and there's https://www.eugdpr.org/
> 
> 
> Just a few discussion points.
> Mike Evans
> 
> 
> ------------------------------
> 
> ------------------------------
> 
> Subject: Digest Footer
> 
> _______________________________________________
> 
> gnucash-user mailing list
> gnucash-user@gnucash.org
> To update your subscription preferences or to unsubscribe:
> https://lists.gnucash.org/mailman/listinfo/gnucash-user
> If you are using Nabble or Gmane, please see 
> https://wiki.gnucash.org/wiki/Mailing_Lists for more information.
> -----
> Please remember to CC this list on all your replies.
> You can do this by using Reply-To-List or Reply-All.
> 
> ------------------------------
> 
> End of gnucash-user Digest, Vol 181, Issue 50
> *********************************************
