- How was Ghost installed and configured? Digital Ocean’s droplet
- What Node version, database, OS & browser are you using? Node 14, MySQL 8, Windows, Firefox
(32) Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.
This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data.
Silence, pre-ticked boxes or inactivity should not therefore constitute consent.
Consent should cover all processing activities carried out for the same purpose or purposes.
When the processing has multiple purposes, consent should be given for all of them.
If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
[Issue 1] Does anyone know how to disable newsletter signup on account creation? I don’t think this behaviour is GDPR compliant. According to GDPR the user needs to agree to the newsletter by checking the checkbox before account creation.
[Issue 2] The Portal login page sends a registration link when the user with that e-mail is not in the database (which complicates things with the checkbox) and can spam e-mails of other people when we, for example, make a typo during the login process. How to force the Portal login page to send only login links?
Both good questions and while this does not answer any of your concerns, I look forward to the response from the Ghost team.
My main concern is divided into two areas whereof the email is one and when using name in the portal, that’s my second concern. There’s no “I accept” checkbox.
The email alone can be considered personal data / information and can be tied to a specific living person. What I miss from this whole portal experience is GDPR consistency.
There should be a checkbox on the portal and on the login for “I accept the GDPR guidelines for this website” or similar.
Looking at the Members section in Ghost admin, we get access to their name and email, which, combined, are details that require consent no matter how the details are stored.
Furthermore, Facebook and Twitter and other social media platforms are known for gathering data on and off their platforms.
GDPR states the following regarding newsletters:
It is permitted for a company to send, for example, newsletters and other direct marketing on the basis of the legal basis of balancing interests (which means that you do not have to consent to the mailings), according to the Data Protection Regulation, GDPR. In that case, the protection of your personal integrity is weighed against an actor’s financial interest in, for example, being able to market himself / herself and / or his / her goods / services. However, as a registrant, you can always object to your information being used for direct marketing. You can do so at any time and the personal data may not be processed for such purposes after that. For example, you can send an e-mail to the sender and point out that you do not want your personal data processed for that purpose and then the advertising will cease. The company must respect that you do not want your data processed for direct marketing purposes. You can also contact the company’s data protection officer (if any) who will be able to assist you in this matter.