Commit 6d32a025 authored by Jörg Schaarschmidt's avatar Jörg Schaarschmidt
Browse files

Update privacy.md

parents
# Privacy policy for the GitLab service of the MaterialDigital platform
In addition to the general information on data processing by the MaterialDigital platform (PMD), which must also be observed in this respect, this data protection declaration informs you about the nature, scope and purpose of the processing of personal data within the scope of the GitLab service. For reasons of better readability, the use of gender-specific forms of language is dispensed with in this data protection declaration. All personal terms nevertheless apply to all genders.
## I. Person responsible
The person responsible for data processing within the meaning of the GDPR (Art. 4 No. 7) and other provisions of data protection law is:
Karlsruhe Institute of Technology (KIT)
Kaiserstrasse 12
76131 Karlsruhe Germany
Phone: +49 721 608-0 Fax: +49 721 608-44290
E-mail: info@kit.edu
The Karlsruhe Institute of Technology is a public corporation. It is represented by the President Prof. Dr. Holger Hanselka. You can reach our data protection officer at dsb@kit.edu or the postal address with the addition "Die Datenschutzbeauftragte".
## II. Technical implementation of the service
The technical implementation of the GitLab service is performed internally at KIT by the PMD, which can be reached via the following e-mail address: info@material-digital.de.
## III. Provision of the GitLab Web Interface
### 1. Description and scope of data processing
In addition to data processing in the context of providing the website and creating log files, we process the following data for the GitLab web interface:
* GitLab Session Cookie,
* name, user ID (hereinafter UID) and e-mail address of logged-in users*.
The aforementioned data (except for those marked with *) are also stored temporarily - that is, only temporarily - in the log files of our systems.
### 2. Legal Basis for Data Processing
KIT is entitled to process personal data of a User with or without the aid of automated procedures, i.e., for example, to collect, record, arrange, store, query, or delete such data, if and to the extent that the processing is necessary for the provision of the GitLab service.
**Personal Data**.
In the context of the use of this GitLab instance, we process your personal data to the extent necessary for the provision of our content and services.
According to Art. 4 No. 1 of the EU General Data Protection Regulation (GDPR), personal data is any information relating to an identified or identifiable natural person (e.g. name, address, e-mail and user behavior).
The basis for the processing of personal data by KIT is Article 6 (1) p. 1 lit. e) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation - GDPR).
The legal basis for the collection and temporary storage of the data in the log files is Art. 6 para. 1 p. 1 lit. f) GDPR (protection of a legitimate interest). In addition, Art. 6 para. 1 p. 1 lit. c) GDPR in conjunction with § 100 TKG also permits data storage.
### 3. Purpose of data processing
When you log in to the GitLab service, your name, UID and email address are additionally transmitted by the Keycloack SSO after you have authenticated yourself. After you agree to the terms of use of the GitLab service, an account is created in the GitLab service.
The email address of logged-in users is mainly used to allow users to receive notifications about activities in the GitLab service. We also use this email address to communicate with users in the event of technical issues. If the email address matches the author's email in the Git commit, GitLab uses it to link to the associated account in the GitLab service.
### 4. Duration of storage
In addition to the duration of storage in the context of providing the website and creating log files, the following applies to the GitLab service:
Name, UID and email address of users are automatically deleted as soon as a GitLab account is deleted by the user.
## V. Provision of the GitLab API and Access via Git Protocol
### 1. Description and scope of data processing
In addition to data processing in the context of providing the website and creating log files, we process the following data for the GitLab API and access via Git protocol:
* if applicable, uploaded Git commits, which may contain personal data such as the author's name and email address,
* content transferred via GitLab API, if applicable,
* SSH authentication key
* API tokens used for authentication
You can use the GitLab API and access via Git protocol only after you have logged in via the web interface. To use access via API, you must create an API token in the web interface. To use the Git protocol, it is necessary to store one or more public SSH keys in GitLab.
### 2. Legal basis for data processing.
KIT is entitled to process personal data of a User with or without the aid of automated procedures, i.e., for example, to collect, record, arrange, store, query or delete such data, if and to the extent that such processing is necessary for the fulfillment of the user relationship under public law with the User - inter alia, for the provision of the GitLab service.
The basis for the processing of personal data by KIT is Article 6 (1) p. 1 lit. e) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation - GDPR).
The legal basis for the collection and temporary storage of the data in the log files is Art. 6 para. 1 p. 1 lit. f) GDPR (protection of a legitimate interest). In addition, Art. 6 para. 1 p. 1 lit. c) GDPR in conjunction with § 100 TKG also permits data storage.
### 3. Purpose of data processing
SSH keys provided by the user are used to authenticate Git push and pull commands. The public part of the SSH keys is stored. Log files store the fingerprint of the public key. We use this for error diagnosis.
API tokens for accessing the GitLab API are stored in the profile of the respective user and serve as proof of user authorization for the respective API function.
Storage of transmitted content submitted through the GitLab API or by uploading Git commits is a core functionality of the Service. Git commits may contain personal data such as email address and author name. It is possible to use pseudonyms in Git commits. If the same email address is used in Git commits that matches the email address stored in a user profile, GitLab will link the corresponding commits to the user profile.
### 4. Data processing security
Only version 2 of the SSH protocol, which is considered secure according to the state of the art, is used for data transmission via SSH.
### 5. Duration of storage
In addition to the duration of storage in the context of the creation of log files, the following applies to the GitLab service:
SSH key and API token details stored in the user profile will be deleted along with the user's user profile as soon as the user deletes their account.
Projects in groups will be deleted once they no longer have valid users as owners.
### 6. Possibility of objection and removal
In addition to the options for objection and removal in the context of providing the website and creating log files, we would like to point out that (personal) data that has been transferred to repositories by means of commits cannot be subsequently changed without destroying the integrity of the repositories (cf. Art. 17 Para. 1 lit. a) or lit. c) GDPR). This is because in the event of a change, the commit IDs of the affected commits and all subsequent commits would change. If you do not want your directly personal data to be stored in Git repositories, then you should take advantage of the pseudonymous use option.
Contact persons for questions regarding personal data in Git repositories are the respective owners or administrators of the repositories.
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment