Does May First have a standard data processing agreement (DPA) for members who want formal compliance with the GDPR?

Members that even have an email signup from a European Union citizen are technically subject to GDPR. If you are straightforward about what information you are collecting and why, and respond to requests to remove that information, you are likely in compliance even if you have not taken special effort to write a privacy policy or other things with GDPR in mind. But the law does expect you to have an explicit agreement with data processors, which seems to include any organization that physically hosts the data. Other laws, such as the Rwanda Data Protection and Privacy Law, have been developed to be compatible with GDPR and the same agreement would likely cover them too.

Here is a good article on it from Piwik Pro: Data processing agreement (DPA) & GDPR: 7 key elements - Piwik PRO

Here is Digital Ocean’s: Legal - Data Processing Agreement

Here is Linode’s: https://github.com/linode/agreements/blob/master/Data%20Processing%20Addendum%20(DPA).md

Here is Cloudflare’s: CLOUDFLARE DATA PROCESSING ADDENDUM

Perhaps the essential points are or could be covered in the member agreement, but a separate addendum makes checking off GDPR a bit easier.


Hi @ben-agaric Sorry for the slow response. This kind of thing takes some very careful and thoughtful reading of the documents which I haven’t had time to do until now.

My first question is: are you sure this is relevant to May First?

I think it only applies to our members in Europe. For example, the GDPR does not have jurisdiction outside of Europe so even if a European fills out our Sign up for Our Newsletter form, it doesn’t mean we have to comply with a GDPR request. Having said that, we do have some members based in Europe so it’s worth thinking through (and as you point out it seems that other jurisdictions have similar laws).

The first link you sent (Piwik) says:

This means that you need a DPA, for example, when you use customer relationship management platforms (CRMs), customer data platforms (CDPs), analytics and many other types of tools designed to analyze user behavior.

None of that sounds like May First. And the Cloudflare, Linode and other documents seem to cover an “in the case we have a contract with you to analyze your data” type of thing. Does this apply if we are not processing anyone’s data? Is “process” such a generic word that it covers writing data to disk?

Also, the article says that an agreement should cover:

The subjects of data processing – whose data you want to process, for example, children, banking clients, patients or simply website visitors. Data subjects can fall into more than one category.

How could we write a general contract for that? We don’t want to process any of our members’ data!!

I’m not sure we have the budget to hire a lawyer to draft something, but that doesn’t mean we can’t write something (along the lines of our privacy policy: May First Movement Technology) that is written briefly and in intentionally easy to understand language that covers what is necessary. But I’m not sure how to do that by following the Piwik instructions (and the other examples you give are in inscrutable legalese).

Open to suggestions!!

Hi @jamie - GDPR does apply to any site that interacts with EU residents - here’s a useful link Who does the data protection law apply to?

Hey @sanjay - That’s interesting - I didn’t know that. It led me down a bit of a rabbit hole (I found an interesting stack exchange thread exploring this topic).

And also I found another post on the topic that says companies with less than 250 employees may be exempt, which is more to the point. I’m still not convinced this is a legal issue for May First, but I’m politically sympathetic to the GDPR and also want to provide whatever documents our members need to satisfy their legal requirements.

I’m wondering if there is something specific that has prompted you to raise the issue? Do you have a client that is a May First member that is trying to evaluate if they are compliant? I think we are down for helping a member get what they need - but trying to “generally” comply with the GDPR is going to be a lot harder.

@jamie Yes this is specifically for a client who is also a May First member looking to be compliant with GDPR and the Rwanda Data Protection & Privacy Law.

But really all that is needed is the general, explicit agreement with data processors of the kind I linked to; there should not be any need to customize it for a particular member— any that wanted it could make use of it.

And note that these agreements generally make provision to cover the California Consumer Protection Act also.

Hi @ben-agaric - Unfortunately, I can’t just copy and paste the Digital Ocean or Linode agreements. Those are really specific to those corporations - there is very little generic stuff. And, honestly, I don’t fully understand most of those provisions.

I’m fairly confident that you can assure your client that we are compliant with all laws. In the case of the GDPR - we are clearly exempted due to our staff size. I’m not sure if the Rwanda law has a similar provision or not.

I’m tagging @kenmontenegro to get his thoughts. Also - I found this site with a more generic processing agreement that might be easier to adapt.

Good to see this exchange, thanks. meet.coop has a related issue which we haven’t yet figured out how to handle. I’ll try to remember to post here when we do.

We have members in Europe, the USA, Canada, etc. We have servers in Germany and also Canada (under Quebec Law #25 jurisdiction, which is pretty strong, equivalent to GDPR). However, web users in Europe, especially public sector/municipal orgs, are getting increasingly fidgety about strict GDPR coverage, and servers being literally inside Europe. So we need a set of protocols that cover the Canadian server (and the Canadian hosting coop, which does sysadmin on BOTH servers) to satisfy European members’ anxieties.

Of course we’re compliant, through our routine security and privacy practices (just like MayFirst is - the privacy regime here is tight). But it needs protocols to say so!

meet.coop forum thread on this topic.
https://forum.meet.coop/t/evolution-2-a-commons-hour-on-data-privacy-and-regulatory-regimes/1354/21
