On 23.07.19 14:19, Jiri Pavlik wrote:
On Mon, Jul 22, 2019 at 1:27 PM Bernd Oberknapp bo@ub.uni-freiburg.de wrote:
On 2019-07-20 13:24, Peter Schober wrote:
Nit: If the SP recieves a persistent identifier (i.e., one that doesn't change from session to session) the subject is not "anonymous" but merely "pseudonymous", at least under GDPR terminology. (This matters to those of us that have to compy with GDPR because "anonymous data" isn't personal data and doesn't fall under GDPR, but "pseudonymous" is personal data just as if it were not pseudonymised.)
According to the assessment of GEANT https://www.geant.org/Projects/GEANT_Project_GN4/deliverables/M9-2_Assessmen... both persistent and non-persistent identifiers are personal data according to GDPR because they can both be used to indirectly identify the person. So the only way to avoid personal data would be to not sent any identifier which probably wouldn't be acceptable for many content providers.
Thank you, Bernd, Peter, for clarifying this.
Could be Albert-Ludwigs-Universität Freiburg a representative of a group of universitites, libraries who don't want to release any identifier and want their users to sign-in twice for personalisation? We should tune up 5a in our recommentations according to wishes of this group.
No. In my opinion the solution should be to only release a persistent identifier (as an attribute) when the user wants to use the personalization, so we will look at optionally releasing attributes in the medium/long term.
Best regards, Bernd