Sailor Logbook Homepage -> Legal Stuff -> GDPR compliance for the Sailor Logbook Website

GDPR compliance for the Sailor Logbook Website

The EU GDPR (General Data Protection Regulation) is implemented May 25, 2018. On this background, the current document outlines:

Consider it a supplement to the Privacy policy for the Sailor Logbook Website document.

User data at the website

These are collected, maintained and deleted by voluntary, user initiated actions. For details, consult the Sailor Logbook Website manual. User data have different character:

User data in cookies

A precondition for the website to function is, that the user have to accept that cookies must be enabled. This is emphasized in the Sailor Logbook Website manual.

Also, in the Login form a black bottom part appears with a This website uses cookies needed for site functionality message that appears at every login until a Got it! button is pressed. This button tries to set a longliving cookie named cookieconsent_status expiring after one year.

Other Sailor Logbook Website cookies are used to temporarily store the users credentials (username and password) - only - in an encoded form on the users computer (PC/Mac, smartphone, tablet). The cookies are session cookies that expire at the end of the session (when the browser closes).

All other types of user data are stored at the Sailor Logbook Website, in a more permanent form.

User data of personal character

The following data elements are all entered by the person requesting an account, and are all - except for username - fully maintainable by the user:

Element Purpose Remark Note
username identification of user hidden from other users A)
password login control stored as a hash (cannot be read) B)
nickName cross-user identication (friend name) cannot be same as username -
countryId sorting 'friends' by country - -
timezoneId correct time display - -
email communication from website - C)
shipname future use optional -
shiptype future use optional -
homeport future use optional -
comment future use optional -
shareMaps allowing users to see each others Cruisemap checkbox - default is 'No' D)
newsLetter accepting to receive newsletters checkbox - default is 'No' -

Note A): should be neutral, i.e. not identifying the person - this is up to the person requesting an account to ensure. In case an unfortunate username was chosen, the Admin can change it.

Note B): when an account has been created, a one-time password is sent by mail to the new user. At first login, it must be changed to one of own choise. Hereafter it can be changed by the user at any time, but it's not required that such change is done. A forgot password function is found at the Login form - when activated, a new one-time password is sent by mail and must be changed in a similar way.

Note C): the email address is the only user datum, that we consider confidential. It's needed to inform new users on password and login procedure, as well as to send new one-time passwords after a 'forgot password' action. And sending newsletters.

Note D): default is 'No sharing'. In an exiting account, the element is presented as a checkbox in the Edit MyProfile form - if checkmarked, other users who also checkmarked their checkbox can see the users Cruisemap - and vice versa.

The user has access to all of the above listed data, provided his account exists, it hasn't be subject to Blocking, and he knows his credentials.

In case a user forgot his password - or even username - only requirement for resolving the problem is, that he enters his email address in the 'forgot password' function.

User data of technical character

A number of elements of a users profile are used to monitor and control:

For security, details on this cannot be revealed. Access to the elements is restricted to the system administrator (the Admin).

These data are the only user data, that a user doesn't have access to.

User data of application character

The purpose of the system is primarily receiving, storing and processing data collected during sailing. The collection of location data is done with a iOS tracking app, where also textual information can be entered. These data are uploaded to the website.

Textual information on harbors and persons participating on sailing cruises can be entered on the website as supplemantary data.

All these data are maintanable by the user, i.e. they can be inspected, modified and deleted by the user after login.

Unless a user has checkmarked his shareMaps checkbox, no other user has any access to his data. If he does checkmark shareMaps, other users who also checkmarked the checkbox, will be able to see the users Cruisemap.

When another user sees a Cruisemap, it's content is limited compared to a users own view of it, but will or can contain:

The Cruisemap content hidden to other users is:

The user has full access to his data of application character, just like his access to his data of personal character.

Measures to protect user data

Physical access control

The website program code and database is hosted at the webhotel company one.com - so we refer questions on physical access control, firewall etc. to them.

Logical access control

All communication to / from the website:

As described earlier, a user has full control of his data of personal and application character, i.e. he alone is the source of creating, updating and deleting these data.

On rare occasions, the Admin may have to update these data. Also, the Admin may have to delete a users account and all related data - e.g. as response to a users request, or discovery of hacking or misuse. See Deleting an account. Also in these situations, logging is done.

Logging

Creation and modification of user data of personal character - only - is logged. I.e. on demand, information on this can be achieved - but has to be manually processed by the Admin to be intelligible.

Creation, modification and deletion of other data - i.e. user data of application character is not logged, due to the number and volume of these transactions.

Sanity checks

On a regular basis, the Admin makes statistics on number of records, categorized by user and record type. These numbers express growth tendencies and are checked for probability.

In case of an unreasonable pattern, action will be taken - i.e. temporarily blocking single or all users.

Blocking

Blocking a single user

In case of suspicion that a single user is misusing the website, his account can be blocked by the Admin. When trying to login he will get the message SORRY - this account has been blocked.

When trying to communicate from the iOS tracking app (upload to / download from website), he will be informed on BAD username or credentials not valid (any more).

The user will be informed by mail on the blocking.

Blocking all users

If a major incident is recognized, the login script will be temporarily removed, and a Not Found (a HTTP 404 error) will be shown when trying to access to Login form.

Likewise, the app communication script will be temporarily removed, and when trying to communicate from the iOS tracking app the user will see a communication error message.

Users will be informed on the situation on the Sailor Logbook Homepage.

Also, the authorities (www.datatilsynet.dk) will be informed.

Backup and restore

The webhotel has dayly routines, taking backup of the Sailor Logbook Website. It's possible to go 14 days back in case of emergency.

In case of a restore, this will be announced on the Sailor Logbook Homepage. Operational problems will also be announced there.

Deleting an account

In case a user wants to revoke his or her account, he or she can do so from the Sailor Logbook App, from where the account was created in the first place.

Alternatively, he or she can contact us via the link at the Homepage and tell us to delete the account. The Admin will then do this asap.

After deletion, there will be no trace of the user or his or her activities.

Contacting us

The current document outlines issues that - in our opinion - relate to data protection. We leave it to the reader - you - to determine to what degree the Sailor Logbook Website is compliant. Please contact us if you think important matters are omitted, or if you have any questions.


© Copyright 2018 CoaSoft ApS Denmark - This document was last updated on January 12, 2019