
I want to give a logged-in user the ability to search for other users by their exact email. The search input is passed asynchronously by JavaScript, so the email would remain in server logs and so on. The connections are HTTPS only (cookie secure=true). I am based in Austria, so I have to handle this according to our DSGVO and want to know:

Is this handling in the green, gray or red area?

Additional info: It is a self-coded PHP application using a SQL database.

yeah_well
phpnoob
  • Please define your question more precisely: Do you mean "Based on signed agreements, users have the right to see the email of other users. Is it DSGVO conform to use SSL (TLS) to access such data?" Or do you mean "If one user sees an email of another user, is it DSGVO conform?" – mentallurg Aug 04 '19 at 16:04
  • I mean the second one: "If one user sees an email of another user, is it DSGVO conform?" – phpnoob Aug 04 '19 at 16:07
  • For those wondering what is DSGVO - it's GDPR in English – Munchkin Sep 07 '21 at 13:46

1 Answer


Only a lawyer can give the best answer.

To my knowledge, it mainly depends on whether there is a legal basis for providing the email address of one user to another user. See Article 6, "Lawfulness of processing", in the DSGVO.

A few examples.

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

One legal reason can be that all users gave you consent for their email addresses to be available to all other users. This may look simple, but it is not. For instance, if you maintain a website for Anonymous Alcoholics, maybe your users will not give consent to show their emails to other users.

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

Using your application, some users place work requests, and others provide services. For instance, one user needs to get his house painted. He gives consent to disclose his email to other users, so that they are able to send him contract proposals.

Compliance with the DSGVO may not be easy in some cases. Better talk to a lawyer.

mentallurg
  • First of all, thank you very much! I am thinking of someone who will collect all the email addresses without my knowledge with the use of automated tasks, e.g. I provide API access for some business tasks. I could monitor the access to see if specific clients extract more data than reasonable or so, but as far as I know, DSGVO states I "have to ensure the security and integrity.." of ".. data which I process". – phpnoob Aug 05 '19 at 13:31
  • @phpnoob: "I could monitor the access to see ..." - It doesn't matter if somebody really uses it. Either you allow obtaining email addresses via API or not. If a user has not given you consent and you provide access to it, then you violate DSGVO. – mentallurg Aug 09 '19 at 23:56
  • Of course, I allow it, but when they are passed via HTTP requests they still reside in my server logs and - of course it is "metadata" for Google if they have a tracking cookie on the user's machine, am I wrong? Or does Google only see the query strings if there is a cookie especially for my domain? I don't embed any 3rd-party stuff, neither maps nor tracking stuff – phpnoob Aug 12 '19 at 12:33