GDPR compliance?

I am on self hosted 4.4.1, and I have only seen one brief reference to GDPR in a single thread saying it was being prepared. Will it be in a version before the law takes effect later this month? And will it contain the following provisions (as I understand them, but please correct me if I have misunderstood)?:

  1. A way for clients to take all their data (portability) through some kind of download
  2. A way for clients to delete all of their data from the system
  3. Privacy policy template (if not, I could probably just link to a doc I create from the client portal dashboard)
  4. Some kind of opt in from client before using client portal? (not exactly sure how to square collecting necessary data from clients we obviously need to bill with getting opt-in and for what)

Again, I am just learning about GDPR from personal reading, I am not an expert and welcome anyone’s interpretations/clarifications.

  1. Supported
  2. Supported
  3. Supported
  4. Not sure this is required, we’ve added a ‘cookie consent’ feature in the v4.4 release.

Thanks for the response, one clarification please: Are you saying these items are already supported in the latest version, or will be supported soon?

Hmm… I think I may have misunderstood your post. We’ve spent a lot of time making sure to support GDPR for users of our hosted platform. I’m not sure if it applies to invoiced clients, should an invoiced client be able to delete all of their invoices?

Well, I assume if we enable the client portal, that those rules apply to the individual companies/freelancers, no? And as clients will have the ability to login and we have data stored online about them, they will each probably need to be able to do the 4 things above, no?

That said, I REALLY don’t like the idea of my clients being able to delete any record of our interactions, and I am not sure how the new law applies here. Does it mean we simply archive their data in some zip file offline and inaccessible via any web interface (as opposed to deleting it entirely)?

Not sure I agree, I don’t think a client should be able to delete their invoices.

I think the law is designed to help users of our hosted platform, I don’t think it applies in the same way to invoiced clients.

I hope you're right. I don't claim to be any kind of expert in law, I have just been seeing a lot of articles about this recently and wanted to ask the question.

I’m not a lawyer…

I will try to do some useful research and come back here to post anything I can find that could clarify. Thanks for the responses though, I appreciate it.

Let me pick up this thread as I have related questions and am able to contribute to this discussion. I am a data protection officer in Germany, so I am quite involved with this subject, except I'm not well versed with the English terms.

Let me clarify something first: existent laws trump the GDPR, i.e. in Germany you have to keep business correspondence for a specific period, let's say it is 10 years. Within this period no client can ask for deletion of his data, so #2 from the first post does not apply.

As for #1 can someone clarify how a client can do this?

I see that on the self hosted invoiceninja version you have a cookie warning with a general link and a way to confirm. It would be nice to have a way to be able to customize this.

In addition you need to inform a website visitor about what data you are gathering, the purpose, etc. So we basically need to be able to add a privacy statement to the self hosted version, i.e. somewhere in the footer. See here for details: https://gdpr-info.eu/art-13-gdpr/

###edit###
Basically I need to add something similar to this: https://www.invoiceninja.com/privacy-policy/ or maybe even this: https://www.invoiceninja.com/gdpr/ to my self-hosted instance.

We provide tools for users of our app to export their data; these features aren't available to our users' clients.

In v4.6 we’ve added options to the .env file to configure the cookie consent warning.

https://www.invoiceninja.com/gdpr/

OK, I get that, but for an app to be GDPR compatible it needs to fulfill a couple of things. It needs to allow the app "owner", in this case me, to fulfill my clients' rights.
So one of my clients, i.e. "the data subject", has rights: https://gdpr-info.eu/chapter-3/ Let's take an example and talk about the right to data portability. I have found the option to export all clients, which should fulfill this. It's not necessary that my client has this option.

All good in this case.

What I am still missing is:

> In addition you need to inform a website visitor about what data you are gathering, the purpose, etc. So we basically need to be able to add a privacy statement to the self hosted version, i.e. somewhere in the footer. See here for details: https://gdpr-info.eu/art-13-gdpr/
>
> ###edit###
> basically I need to add a page similar to this: https://www.invoiceninja.com/privacy-policy/ or maybe even this: https://www.invoiceninja.com/gdpr/ to my self-hosted instance.

If someone visits a website, he needs to be informed what personal data is being collected, i.e. my webserver collects his IP and browser version. I need to inform him about this, hence I need an option to add a page to the footer with custom filled content.

I hope I have explained a bit better what I was asking for?

###edit###
the editor is kinda removing my blockquotes :frowning:

In the next version you can set a custom message and/or link in the cookie consent panel, maybe that will solve it?

Another option is to add a custom message in the client portal.

> In the next version you can set a custom message and/or link in the cookie consent panel, maybe that will solve it?

That will partially help, as I can then set a link to another website where I inform the user about what data is collected and so forth, but it would be much easier if this page could be part of the self-hosted invoiceninja so one would not need an external page for this info. I basically need to show the info you are providing to your clients here: https://www.invoiceninja.com/gdpr/ to my own clients too, not with a link to your page obviously but on my own site.

> Another option is to add a custom message in the client portal.

Displaying this info in the portal after logging in is too late. I am pretty sure I need to present my users a consent form just like the one I am shown when creating a new company: http://take.ms/ixQMt

Btw, I just noticed that the moment I create a company on my self hosted invoiceninja, I agree to: https://www.invoiceninja.com/self-hosting-privacy-data-control/ which states that invoiceninja gets access to: Consent: PII Data We Collect - which seems to be all my data and not my clients', which is great, otherwise you'd be a data processor.

Still, to operate a website in the EU you need to comply with the cookie law and the GDPR which involves having a privacy policy. If you visit a website you also need to find information about who operates that website. A self hosted invoiceninja instance counts as a website afaik hence it needs to comply. Until I have figured this out completely, I guess I’ll disable the client access.

I would appreciate any feedback/updates down the line.

Btw, are you not required to display the company information on invoiceninja.com? Something like what can be found here: https://www.privacyshield.gov/participant?id=a2zt00000008SbWAAU&contact=true#dispute-resolution-1

and sorry for the long discussion, I hope I haven’t digressed too much from the initial inquiry.

Understood, it sounds like v4.6 should fix this for you.

We’ll look into the other points mentioned.

Good day,

GDPR relates specifically to PII. An email address is defined as PII (according to most opinions). For those self-hosting the Invoice Ninja platform, we don't have access to anything further than the name & email address, as stated here: https://www.invoiceninja.com/self-hosting-privacy-data-control/

As Invoice Ninja is a US based company, we are not required to present our company registration information on site for GDPR compliance.

For any questions regarding GDPR Compliance, account data use, or questions on any data use matter, please feel free to contact: compliance@invoiceninja.com

Thanks!

Hi Team Ninja, thanks for the feedback.

> GDPR relates specifically to PII. An email address is defined as PII (according to most opinions). For those self-hosting the Invoice Ninja platform, we don't have access to anything further than the name & email address, as stated here: https://www.invoiceninja.com/self-hosting-privacy-data-control/

I completely agree, but I am unsure which question this addresses.

> As Invoice Ninja is a US based company, we are not required to present our company registration information on site for GDPR compliance.

Thanks for that info, I was just curious as I am not familiar with US requirements :slight_smile: