Basis for Personal Data Processing

Data, Data Processing, DPO, EU, GDPR, Legal, RGDP
Feb 14, 2018

GDPR requires organizations to have a valid lawful basis in order to process personal data.
There are six lawful bases, all equal in importance; which one is the most appropriate depends on the organization's purpose and its relationship with the people concerned.

The lawful basis must be determined before the data processing begins, because it has to be documented along with the purposes of the processing and included in the privacy notice accepted by the individuals. This makes it clear to people what they are consenting to.

If the purposes change, unless the new purpose is compatible with the initial one, the lawful basis will have to change as well, and it may be necessary to redo the documentation, consent gathering, etc.

Lawful Bases for Data Processing

The six lawful bases for personal data processing are defined in Article 6:

  • the data subject has given consent to the processing of their personal data for one or more specific purposes;
  • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  • processing is necessary for compliance with a legal obligation to which the controller is subject;
  • processing is necessary in order to protect the vital interests of the data subject;
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • processing is necessary for the purposes of the legitimate interests pursued by a controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.

Processing activities that fall under performance of a contract, legal obligation, vital interests and public task may be fairly straightforward to identify. The key for many organizations will be assessing whether consent or legitimate interests is the most appropriate basis for a specific processing of personal information.

Processing Special Category Data

When processing special category data, organizations need to identify both a lawful basis for the general processing and an additional condition for processing this type of data.

Criminal Data Processing

When processing criminal conviction data, or data about offenses, it is necessary to identify both a lawful basis for general processing and an additional condition for processing this type of data.

GDPR Principles

Data, Data Processing, DPO, EU, GDPR, Legal, RGDP, Security
Feb 10, 2018

The GDPR defines the main responsibilities of organisations when it comes to data protection and personal data processing.

Article 5 of the GDPR introduces the two pillars of personal data protection and processing. Put simply, it introduces the data-related principles and who is responsible for complying with them.

Data Principles

Under GDPR, personal data shall be:

  • processed lawfully, fairly and in a transparent manner in relation to individuals;
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  • accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;
  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

As seen above, there are specific situations where the data protection and processing principles have been somewhat extended. For such cases, the safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes are introduced in Article 89.

Controller

Under GDPR, the controller shall

be responsible for, and be able to demonstrate, compliance with the principles.

In short, organisations now have a Data Protection Officer (commonly known as DPO) who is responsible for, and must be able to demonstrate, compliance with data protection in accordance with GDPR, becoming accountable for that compliance.

Depending on the size of the organisation, the DPO can be someone from the organisation itself, but not someone from its management, because of the obvious potential conflict of interests.

What is GDPR?

Data, Data Processing, EU, GDPR, Legal, RGDP, Security
Feb 05, 2018

GDPR stands for General Data Protection Regulation and, legally, it is EU Regulation 2016/679 on the protection of personal data.

GDPR defines the rights and obligations regarding the gathering, processing and movement of EU citizens' personal data. It provides a high and coherent level of protection, equivalent in all member states, and it extends to organizations outside the EU that work with EU citizens' personal data.

The obligations related to the handling of personal data now cover things like the right to be forgotten, and organizations are now obliged to inform the regulator when they suffer a personal data breach.

So, what is “personal data”?

In simple terms, it is all the data about a person that an organization collects, stores and transmits: web forms, cookies, user preferences, medical reports, receipts, etc. GDPR requires the lawful, fair and transparent processing of personal data in relation to the data subject.
In the GDPR legislation, personal data is defined as

any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity

Check Article 4 for detail.

How about highly sensitive data?

GDPR takes into consideration special types of data that are highly sensitive, such as health, criminal convictions, sexual life, political opinions, genetic data, etc. In such cases, special rules apply.

Check Article 9 for detail.

Who does this apply to?

This applies to all people and organizations that collect, gather, transmit or in any way process European Union citizens' personal data. Yes, this means that non-EU organizations must comply with this regulation when dealing with EU citizens.

Micro, small and medium-sized organizations have somewhat relaxed compliance levels, including a derogation with regard to record-keeping for organizations with fewer than 250 employees.

Public and criminal law organizations are covered by special rules, since they address specific national and European issues.

How hard is it for me to comply with GDPR?

Understandably, it will depend on how big your organization is, what it does and how it already handles personal data processing.

The best road map for compliance starts with an assessment performed by a multidisciplinary team composed of GDPR-certified people, GDPR-knowledgeable lawyers and a pragmatic IT team that truly understands GDPR.

Get in touch with us if you need help on the subject.

Debugging email on Django application development

Django, Linux, Python, Software Development, Web
May 21, 2014

One of the common functionalities in Django applications is to send emails, such as for user password resets.

Python SMTP

Since Python comes with its own SMTP server, it is easy to redirect the emails from the local Django application being developed to this dummy mail server and see them on the console.
Here's how to do it:

  • Run the Python SMTP debugging server with this command line:
    python -m smtpd -n -c DebuggingServer localhost:1025
  • Point the Django email settings at it:
    EMAIL_HOST = 'localhost'
    EMAIL_PORT = 1025

And that's it. All emails sent will be shown on the console where you're running the Python SMTP server.
This technique is quite useful, since you can use it for any application you are developing locally.

Redirect to Console

There’s another way to see the emails on the console with no dependencies.
To do so, just configure the email to use the console email backend.

EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend'

This will actually redirect all emails to the standard output, which usually is the console.

Redirect to File

Another approach is to redirect the emails into local files for later analysis.
To do so, just configure the email to use the file email backend.

EMAIL_BACKEND = 'django.core.mail.backends.filebased.EmailBackend'
EMAIL_FILE_PATH = '/tmp/app-messages' # change this to a proper location

This will write all emails as separate files located in /tmp/app-messages, and you can analyze them later.
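As an added example (not code from the original post), a shell helper that summarises what the file-based backend captured and flags recipients outside a development domain, which is how a password-reset mail that would have gone to a real user gets noticed. It assumes Django's on-disk format: one RFC 822 message per block, each followed by a line of 79 dashes, in *.log files under EMAIL_FILE_PATH; folded header lines are not handled.

```shell
#!/bin/sh
# Added example: inspect mail written by django.core.mail.backends.filebased.EmailBackend.
# Assumed format: headers, blank line, body, then a separator line of 79 dashes.

# list_captured_mail DIR: print one "To<TAB>Subject" line per captured message.
list_captured_mail() {
    for f in "$1"/*.log; do
        [ -f "$f" ] || continue
        awk '
            BEGIN { inhdr = 1 }
            # separator: end of one message, headers of the next one follow
            length($0) == 79 && $0 ~ /^-+$/ {
                if (to != "" || subj != "") printf "%s\t%s\n", to, subj
                to = ""; subj = ""; inhdr = 1; next
            }
            inhdr && /^To: /      { to = substr($0, 5) }
            inhdr && /^Subject: / { subj = substr($0, 10) }
            inhdr && /^$/         { inhdr = 0 }   # blank line ends the headers
        ' "$f"
    done
}

# captured_mail_outside DIR DOMAIN: print recipient addresses that are not @DOMAIN.
# Handles "Name <addr>" and comma-separated recipient lists.
captured_mail_outside() {
    list_captured_mail "$1" | cut -f1 | tr ',' '\n' |
        sed 's/.*<\([^>]*\)>.*/\1/; s/^ *//; s/ *$//' |
        grep -v -i -e "@$2\$" -e '^$' || true
}
```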

Install and Configure PostgreSQL

Database, Linux, PostgreSQL
May 05, 2014

Here’s how to correctly install and configure PostgreSQL.

Install

First, update the package index:

sudo apt-get update

Then install the packages:

sudo apt-get install postgresql postgresql-contrib

Create Database and User

Now let's create PostgreSQL roles and databases.

PostgreSQL uses the concept of roles to distinguish the variety of users that can connect to a database. After a fresh install, the default PostgreSQL user is actually named "postgres".

Log in as the "postgres" user using

sudo su postgres

and add a user

createuser -e -P USERNAME

and set the password for the specified USERNAME when prompted.

Now create a database and assign the user to it

createdb -O USERNAME DATABASENAME

Connect to the database using

psql -d DATABASENAME -U USERNAME

And that’s it.

Correctly Uninstall PostgreSQL

Database, Linux, PostgreSQL
May 02, 2014

Uninstalling PostgreSQL may leave some undesired files. Here’s how to purge it:

First, uninstall all PostgreSQL packages from the system using

sudo apt-get --purge remove postgresql\*

Then remove all the configuration files and data directories

sudo rm -r /etc/postgresql/
sudo rm -r /etc/postgresql-common/
sudo rm -r /var/lib/postgresql/

And finally, remove the user and group

sudo userdel -r postgres
sudo groupdel postgres

Upgrade PostgreSQL from 9.1 to 9.3 on Kubuntu

Data Migration, Database, Linux, PostgreSQL
Apr 19, 2014

These seven steps perform the upgrade of PostgreSQL from version 9.1 to version 9.3.
This also works on Ubuntu, and it can be used to upgrade between any two versions.

To upgrade between other versions, just change 9.1 to the legacy version number and 9.3 to the new version number.

First, install the necessary dependencies

sudo apt-get update
sudo apt-get -y install python-software-properties

Second, add the PostgreSQL repository

wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | sudo apt-key add -

Third, setup the repository

sudo sh -c 'echo "deb http://apt.postgresql.org/pub/repos/apt/ precise-pgdg main" >> /etc/apt/sources.list.d/postgresql.list'

Fourth, install PostgreSQL 9.3.

sudo apt-get install postgresql-9.3 postgresql-server-dev-9.3 postgresql-contrib-9.3

Fifth, perform the upgrade process.
The upgrade is performed with both servers installed at the same time. Note that the new 9.3 server runs on a different port, 5433, as used in the commands below; it will be switched to the default port later, once the legacy version is uninstalled and the default port becomes available.

sudo su -l postgres
psql -d template1 -p 5433   # connect to the new 9.3 server
CREATE EXTENSION IF NOT EXISTS hstore;
CREATE EXTENSION IF NOT EXISTS "uuid-ossp";
\q
service postgresql stop
/usr/lib/postgresql/9.3/bin/pg_upgrade -b /usr/lib/postgresql/9.1/bin -B /usr/lib/postgresql/9.3/bin -d /var/lib/postgresql/9.1/main/ -D /var/lib/postgresql/9.3/main/ -O " -c config_file=/etc/postgresql/9.3/main/postgresql.conf" -o "-c config_file=/etc/postgresql/9.1/main/postgresql.conf"
exit   # log out of the postgres user, back to the previous user

Sixth, remove the 9.1 version.

sudo apt-get remove postgresql-9.1

Seventh, set the new version server port back to the default value and restart the service.

sudo vim /etc/postgresql/9.3/main/postgresql.conf # find old port of 5433 and change it to 5432
sudo service postgresql restart
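As an added example (not from the original post), a shell helper that builds the pg_upgrade command line from the seven steps above for any OLD and NEW version pair, with a pre-flight check that both clusters exist and a "check" mode that appends pg_upgrade's --check option so nothing is modified on a first run. It assumes the Debian/Ubuntu package layout used in the post; PG_LIB, PG_ETC and PG_DATA are assumed variable names.

```shell
#!/bin/sh
# Added example: generalise the pg_upgrade step to any OLD -> NEW version pair.
# Assumed roots (Debian/Ubuntu layout); override from the environment if needed.
PG_LIB="${PG_LIB:-/usr/lib/postgresql}"
PG_ETC="${PG_ETC:-/etc/postgresql}"
PG_DATA="${PG_DATA:-/var/lib/postgresql}"

# pg_upgrade_cmd OLD NEW [check]: print the command line; "check" adds --check
# so pg_upgrade only verifies that the clusters are compatible.
pg_upgrade_cmd() {
    old="$1"; new="$2"; mode="${3:-run}"
    if [ -z "$old" ] || [ -z "$new" ] || [ "$old" = "$new" ]; then
        echo "usage: pg_upgrade_cmd OLD NEW [check] (versions must differ)" >&2
        return 1
    fi
    cmd="$PG_LIB/$new/bin/pg_upgrade"
    cmd="$cmd -b $PG_LIB/$old/bin -B $PG_LIB/$new/bin"
    cmd="$cmd -d $PG_DATA/$old/main -D $PG_DATA/$new/main"
    cmd="$cmd -o \"-c config_file=$PG_ETC/$old/main/postgresql.conf\""
    cmd="$cmd -O \"-c config_file=$PG_ETC/$new/main/postgresql.conf\""
    if [ "$mode" = "check" ]; then cmd="$cmd --check"; fi
    printf '%s\n' "$cmd"
}

# pg_upgrade_paths_ok OLD NEW: fail before touching anything if a cluster's
# binaries, data directory or postgresql.conf is missing.
pg_upgrade_paths_ok() {
    old="$1"; new="$2"
    for p in "$PG_LIB/$old/bin/postgres" "$PG_LIB/$new/bin/pg_upgrade" \
             "$PG_DATA/$old/main" "$PG_DATA/$new/main" \
             "$PG_ETC/$old/main/postgresql.conf" "$PG_ETC/$new/main/postgresql.conf"; do
        [ -e "$p" ] || { echo "missing: $p" >&2; return 1; }
    done
}
```

Run `pg_upgrade_paths_ok 9.1 9.3 && eval "$(pg_upgrade_cmd 9.1 9.3 check)"` as the postgres user first, and only then the command without "check".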

Change Keyboard Layout on Ubuntu Server Permanently

Linux, Operating System
Mar 06, 2014

When working on Ubuntu Servers, sometimes the configured keyboard layout does not match the physical keyboard being used.

In order to permanently change it, just execute the following two commands.

First, configure the keyboard:

sudo dpkg-reconfigure keyboard-configuration

Test the keyboard, in particular characters like slash, asterisk, etc. If things are not right, just run the configuration again with different options.

Next, configure the console:

sudo dpkg-reconfigure console-setup

And that’s it.

If you want to configure the size of your TTY, i.e. the text console resolution, check ChangeTTYResolution.

Testing for Internet Explorer

Internet Explorer, Linux, Mac OS X, Operating System, Web, Windows
Nov 08, 2013

While developing for the web, one has to take into account the various browsers that people use.
Depending on the kind of project and target users, this may range from the easy option of focusing on a single browser up to the daunting task of supporting the most used browsers worldwide.

To help with this task, Microsoft provides ready-to-use virtual machines with a set of combinations of Windows and Internet Explorer versions, available for all major operating systems.
You can get them from the Modern.IE web site, in the virtual tools section.

Setting Drupal File Permissions and Ownership

Drupal, Linux, Operating System
Nov 04, 2013

To correctly secure a Drupal installation on Linux, just follow these simple steps as root:

cd /path_to_drupal_installation
chown -R vsftpd:www-data .
find . -type d -exec chmod u=rwx,g=rx,o= '{}' \;
find . -type f -exec chmod u=rw,g=r,o= '{}' \;

Replace vsftpd with your own user name, the FTP daemon user, or whatever user you need.

cd /path_to_drupal_installation/sites
find . -type d -name files -exec chmod ug=rwx,o= '{}' \;
for d in ./*/files
do
   find "$d" -type d -exec chmod ug=rwx,o= '{}' \;
   find "$d" -type f -exec chmod ug=rw,o= '{}' \;
done
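As an added example (not from the original article), a shell audit function that checks a Drupal tree against the permission scheme applied above, so that drift (a world-readable settings file, a group-writable module directory) is caught on a later run rather than discovered by someone else. DRUPAL_ROOT and the expected owner are its assumed arguments; the owner corresponds to the vsftpd placeholder above.

```shell
#!/bin/sh
# Added example: audit a Drupal installation against the scheme set up above.
# Rules: nothing is accessible to "other"; outside sites/*/files nothing is
# group-writable; every entry is owned by the expected user.
# Usage: audit_drupal_perms DRUPAL_ROOT OWNER   (exit status 0 = compliant)
audit_drupal_perms() {
    root="$1"; owner="$2"; bad=0
    # 1. any permission bit set for "other" (world readable/writable/executable)
    n=$(find "$root" \( -perm -o=r -o -perm -o=w -o -perm -o=x \) | wc -l | tr -d ' ')
    [ "$n" -eq 0 ] || { echo "world-accessible entries: $n"; bad=1; }
    # 2. group-writable code or config outside the upload directories
    n=$(find "$root" -path '*/sites/*/files' -prune -o -perm -g=w -print | wc -l | tr -d ' ')
    [ "$n" -eq 0 ] || { echo "group-writable outside sites/*/files: $n"; bad=1; }
    # 3. entries not owned by the expected user
    n=$(find "$root" ! -user "$owner" | wc -l | tr -d ' ')
    [ "$n" -eq 0 ] || { echo "not owned by $owner: $n"; bad=1; }
    return "$bad"
}
```

Drop the `| wc -l | tr -d ' '` parts to list the offending paths instead of counting them.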

Full article and explanation in Securing file permissions and ownership.