On Mon, Jul 22, 2019 at 1:27 PM Bernd Oberknapp bo@ub.uni-freiburg.de wrote:
On 2019-07-20 13:24, Peter Schober wrote:
Nit: If the SP recieves a persistent identifier (i.e., one that doesn't change from session to session) the subject is not "anonymous" but merely "pseudonymous", at least under GDPR terminology. (This matters to those of us that have to compy with GDPR because "anonymous data" isn't personal data and doesn't fall under GDPR, but "pseudonymous" is personal data just as if it were not pseudonymised.)
According to the assessment of GEANT https://www.geant.org/Projects/GEANT_Project_GN4/deliverables/M9-2_Assessmen... both persistent and non-persistent identifiers are personal data according to GDPR because they can both be used to indirectly identify the person. So the only way to avoid personal data would be to not sent any identifier which probably wouldn't be acceptable for many content providers.
Thank you, Bernd, Peter, for clarifying this.
Could be Albert-Ludwigs-Universität Freiburg a representative of a group of universitites, libraries who don't want to release any identifier and want their users to sign-in twice for personalisation? We should tune up 5a in our recommentations according to wishes of this group.
Moravian Library, Czech National Library of Technology, Charles University are among a group of libraries, universitites, who wish to release persistent identifier to allow SPs to provide users with one seamless sign in for personalisation. So Moravian Library, Czech National Library of Technology, Charles University are fine with 5b and 5c options in our recommentations, wish SPs to request persistent identifier in SP metadata and comply with CoCo.
Best regards
Jiri