Who I am
I am the data controller, and you can visit my homepage to learn more about me. Any complaints can be sent to me by email.
This website is hosted by the SRCF, who is my data processor.
Data I process
The SRCF collects web server logs on my behalf. Amongst many other things, the web server log contains the following information:
- Your IP address (which is explicitly classified as personal data according to GDPR Recital 30).
- The page you are browsing (duh).
- The date and time you accessed a page
- The "referrer", which is usually the page that linked you to my webpage (for example, it would be "http://www.google.com/" if a Google search referred you here, or "http://m.facebook.com" if you clicked on a Facebook link on a mobile app). You can ask your browser to not send this information to me.
- Your user agent string, which is a confusing list of characters that supposedly identifies the browser and operating system you are using.
See the Apache documentation for a better description of what information is collected.
Both the SRCF sysadmins and I are able to access the web server logs, which may be used to investigate security incidents if necessary. The period for which the personal data is stored is determined by the SRCF. At the time of writing, this is 24 months. The legal basis for doing so is legitimate interest, because we want to be able to figure out what happened if a website is hacked.
Data other people process
The website uses Google Fonts. Whenever you visit the page, your browser may request the font from Google, and they will know about it. I have no idea what they do with the knowledge. Note that your browser might be telling Google the page that is requesting the font, and they will know that you are visiting my page (see the discussion of "referrer" above). Again, you can tell your browser to not do that.
You have the right to request that your personal data is erased (but not necessarily the right to have your personal data erased). You also have the right to complain to the Information Commissioner's Office if you are unhappy with the way your personal data is handled.
Do I actually need to write this privacy notice?
According to GDPR Article 2,
- This Regulation does not apply to the processing of personal data:
- by a natural person in the course of a purely personal or household activity;
I am certainly a natural person, but it is not clear if the purpose of this website is "purely personal or household activities". GDPR Recital 18 fails to clarify this.