The Symfony project needs to be able to track Code of Conduct (CoC) violations and share them on a need-to-know basis to prevent violators from attending / speaking at events.
However, the General Data Protection Regulation (GDPR), due to be implemented from 25 May 2018, requires companies to seek explicit consent for all data collection, storage and use. It also grants users the right to request the deletion of their data.
Symfony asked us to investigate how they could achieve their goal while complying with GDPR.
We created a roadmap for the Symfony project team to follow that allows them to protect their online and offline communities, while also complying with GDPR requirements.
GDPR requires organisations to collect as little personal data as necessary (data minimisation) and only use it for the purposes intended. Data collected for one purpose cannot be used for another purpose without explicit consent.
However, there are exceptions that give organizations some leeway. Article 6.1 of the GDPR, "legitimate interest," states that processing is lawful if it is necessary for compliance, to protect someone, or is in the public interest.
This suggests that it is lawful for Symfony to track and share CoC violations under the GDPR if:
We analyzed the following documents and processes that make up Symfony's CoC process:
We then determined:
We provided the Symfony project with a report that: a) explained the relevant aspects of GDPR, b) laid out guidelines for seeking user consent, and c) advised on internal and third-party data handling.