https://bugs.kde.org/show_bug.cgi?id=435120
--- Comment #12 from Rainer Klute <rainer.kl...@gmx.de> --- (In reply to 2wxsy58236r3 from comment #11) > Author name is personal information, but is the timestamp also considered as > personal information? According to Article 4 (1) GDPR, “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly”. Whether a timestamp is personal information, depends on the circumstances. If the author’s name is given and it relates to a natural person (i. e. not “Anonymous”, “Donald Duck”, or the like), the timestamp no doubt is personal data, because it reveals a data trace showing when that individual has created or edited which comments. Timestamps are even more revealing if the person creates/modifies multiple annotations, because you can deduce information about the working speed of the data subject, when he or she made pauses and for how long, and maybe more. I would say the timestamp can be highly sensitive personal data, even though it does not fall into the special categories defined by Article 9 paragraph 1 GDPR. But even the timestamp alone, without regard to the author name field, can be personal data, namely if it’s obvious from the context or other information, which doesn't have to be in the document itself, who the author is. For example, if you send me a PDF, I create an annotation, and I send the document back to you, you know it was me - and when - even if I left the author field blank. This is what the GDPR means when it talks about “directly or indirectly” identifying a person. To make a long story short, the timestamp is not always personal date. But as a first approximation, I would consider it as such, unless proven otherwise. > Can you please share your use case / workflow? (So that developers can > understand the importance of the requested feature) The use case is that an individual making annotations does not want to reveal when he or she created/modified them – for whatever reasons or without any reason at all. I would even say that according to Article 25 paragraph 2 GDPR omitting the timestamp should even be the default. (“The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.”) -- You are receiving this mail because: You are watching all bug changes.
