PhilP

phil@fed.bajsicki.com

@phil@fed.bajsicki.com
Posts


  • @JesseF8693@mindly.social I just got a follow request from your server, and upon checking, I see that mindly.social has a registered LLC in the USA, and that it's hosted on US infrastructure
    PhilP Phil

    @KuJoe@mindly.social PII includes names, usernames, e-mail addresses, physical addresses, IP addresses, phone numbers, and essentially any personal information that can be used to identify an individual, including in combination with other available data.

    This does extend to user-contributed content, as people do tend to write about themselves, which does add to the pool of information that can be used to identify them.

    So... yeah. The very fact that we're talking means that your server is pulling and processing my Fedi profile, which is rife with PII.

    And the same applies to any other user whose instance federates with mindly.social.

    ‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
    -- Article 4 of the GDPR

    I'll let you draw your own conclusions.

    Fediverse gdpr compliance privacy personadata personalinformation pii fediverse dataprotection

  • @JesseF8693@mindly.social I just got a follow request from your server, and upon checking, I see that mindly.social has a registered LLC in the USA, and that it's hosted on US infrastructure
    PhilP Phil

    @KuJoe@mindly.social
    That's a start. What's the plan for current data you're processing?

    Reason I'm asking is because mindly is (yet another) business that's processing my data without my awareness or any privacy controls in place.

    It's getting to the point where Fedi is becoming more of a liability than a benefit, and the work I have to do to track my digital footprint is exploding lately.

    Now to be clear - I'm not accusing you, but it's been the case in the past that LLCs would collect my data, and a few years later either be breached, or decide to sell that data to third parties (advertising, other purposes).

    I'd like to avoid that if possible.


  • @JesseF8693@mindly.social I just got a follow request from your server, and upon checking, I see that mindly.social has a registered LLC in the USA, and that it's hosted on US infrastructure
    PhilP Phil

    @KuJoe@mindly.social
    Thanks, I appreciate the response. Let me cut to the chase.

    The rules governing the processing of PII are very different between running a personal instance, and one that's owned by a business.

    As an LLC, mindly.social carries higher legal and regulatory obligations. It is a data controller under GDPR Article 3.

    What's the legal basis (i.e. what right do you claim) for processing the PII of individuals who are not mindly.social's customers or partners?

    And your privacy policy isn't particularly encouraging:

    We do not sell, trade, or otherwise transfer to outside parties your personally identifiable information. This does not include trusted third parties who assist us in operating our site, conducting our business, or servicing you, so long as those parties agree to keep this information confidential.

    To paraphrase: "we don't disclose your PII unless we take the third party's word that they'll keep it to themselves."

    I trust I don't have to explain why that's concerning.


  • @JesseF8693@mindly.social I just got a follow request from your server, and upon checking, I see that mindly.social has a registered LLC in the USA, and that it's hosted on US infrastructure
    PhilP Phil

    @JesseF8693@mindly.social
    I just got a follow request from your server, and upon checking, I see that mindly.social has a registered LLC in the USA, and that it's hosted on US infrastructure.

    Now, I don't mind community instances, but yours being owned by a business does raise some flags in terms of what's happening with all the personal data you're processing.

    Is there any chance you could provide an overview of how the data is being protected, and if it's shared with any third parties?

    Do you have any protections in place for EU-based individuals whose data fall under GDPR?

    Do you have a BCR, DTIA, or SCCs in place for organizations your network connects to?

    Thanks

    #gdpr #compliance #privacy #personadata #personalinformation #pii #fediverse #dataprotection
