letsbe
/
MOPC-App
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
MOPC-App/docs/gdpr/platform-gdpr-compliance.md

325 lines
9.5 KiB
Markdown
Raw Blame History

# MOPC Platform - GDPR Compliance Documentation
## 1. Data Controller Information
| Field | Value |
|-------|-------|
| **Data Controller** | Monaco Ocean Protection Challenge |
| **Contact** | [Data Protection Officer email] |
| **Platform** | monaco-opc.com |
| **Jurisdiction** | Monaco |
---
## 2. Personal Data Collected
### 2.1 User Account Data
| Data Type | Purpose | Legal Basis | Retention |
|-----------|---------|-------------|-----------|
| Email address | Account identification, notifications | Contract performance | Account lifetime + 2 years |
| Name | Display in platform, certificates | Contract performance | Account lifetime + 2 years |
| Phone number (optional) | WhatsApp notifications | Consent | Until consent withdrawn |
| Profile photo (optional) | Platform personalization | Consent | Until deleted by user |
| Role | Access control | Contract performance | Account lifetime |
| IP address | Security, audit logging | Legitimate interest | 12 months |
| User agent | Security, debugging | Legitimate interest | 12 months |
### 2.2 Project/Application Data
| Data Type | Purpose | Legal Basis | Retention |
|-----------|---------|-------------|-----------|
| Project title | Competition entry | Contract performance | Program lifetime + 5 years |
| Project description | Evaluation | Contract performance | Program lifetime + 5 years |
| Team information | Contact, evaluation | Contract performance | Program lifetime + 5 years |
| Uploaded files | Evaluation | Contract performance | Program lifetime + 5 years |
| Country/Region | Geographic eligibility | Contract performance | Program lifetime + 5 years |
### 2.3 Evaluation Data
| Data Type | Purpose | Legal Basis | Retention |
|-----------|---------|-------------|-----------|
| Jury evaluations | Competition judging | Contract performance | Program lifetime + 5 years |
| Scores and comments | Competition judging | Contract performance | Program lifetime + 5 years |
| Evaluation timestamps | Audit trail | Legitimate interest | Program lifetime + 5 years |
### 2.4 Technical Data
| Data Type | Purpose | Legal Basis | Retention |
|-----------|---------|-------------|-----------|
| Session tokens | Authentication | Contract performance | Session duration |
| Magic link tokens | Passwordless login | Contract performance | 15 minutes |
| Audit logs | Security, compliance | Legitimate interest | 12 months |
| AI usage logs | Cost tracking, debugging | Legitimate interest | 12 months |
---
## 3. Data Processing Purposes
### 3.1 Primary Purposes
1. **Competition Management** - Managing project submissions, evaluations, and results
2. **User Authentication** - Secure access to the platform
3. **Communication** - Sending notifications about evaluations, deadlines, results
### 3.2 Secondary Purposes
1. **Analytics** - Understanding platform usage (aggregated, anonymized)
2. **Security** - Detecting and preventing unauthorized access
3. **AI Processing** - Automated filtering and matching (anonymized data only)
---
## 4. Third-Party Data Sharing
### 4.1 Subprocessors
| Subprocessor | Purpose | Data Shared | Location | DPA |
|--------------|---------|-------------|----------|-----|
| OpenAI | AI processing | Anonymized project data only | USA | Yes |
| MinIO/S3 | File storage | Uploaded files | [Location] | Yes |
| Poste.io | Email delivery | Email addresses, notification content | [Location] | Yes |
### 4.2 Data Shared with OpenAI
**Sent to OpenAI:**
- Anonymized project titles (PII sanitized)
- Truncated descriptions (500 chars max)
- Project category, tags, country
- Team size (count only)
- Founded year (year only)
**NEVER sent to OpenAI:**
- Names of any individuals
- Email addresses
- Phone numbers
- Physical addresses
- External URLs
- Internal database IDs
- File contents
For full details, see [AI Data Processing](./ai-data-processing.md).
---
## 5. Data Subject Rights
### 5.1 Right of Access (Article 15)
Users can request a copy of their personal data via:
- Profile → Settings → Download My Data
- Email to [DPO email]
**Response Time:** Within 30 days
### 5.2 Right to Rectification (Article 16)
Users can update their data via:
- Profile → Settings → Edit Profile
- Contact support for assistance
**Response Time:** Immediately for self-service, 72 hours for support
### 5.3 Right to Erasure (Article 17)
Users can request deletion via:
- Profile → Settings → Delete Account
- Email to [DPO email]
**Exceptions:** Data required for legal obligations or ongoing competitions
**Response Time:** Within 30 days
### 5.4 Right to Restrict Processing (Article 18)
Users can request processing restrictions by contacting [DPO email]
**Response Time:** Within 72 hours
### 5.5 Right to Data Portability (Article 20)
Users can export their data in machine-readable format (JSON) via:
- Profile → Settings → Export Data
**Format:** JSON file containing all user data
### 5.6 Right to Object (Article 21)
Users can object to processing based on legitimate interests by contacting [DPO email]
**Response Time:** Within 72 hours
---
## 6. Security Measures (Article 32)
### 6.1 Technical Measures
| Measure | Implementation |
|---------|----------------|
| Encryption in transit | TLS 1.3 for all connections |
| Encryption at rest | AES-256 for sensitive data |
| Authentication | Magic link (passwordless) or OAuth |
| Rate limiting | 100 requests/minute per IP |
| Session management | Secure cookies, automatic expiry |
| Input validation | Zod schema validation on all inputs |
### 6.2 Access Controls
| Control | Implementation |
|---------|----------------|
| RBAC | Role-based permissions (SUPER_ADMIN, PROGRAM_ADMIN, JURY_MEMBER, etc.) |
| Least privilege | Users only see assigned projects/programs |
| Session expiry | Configurable timeout (default 24 hours) |
| Audit logging | All sensitive actions logged |
### 6.3 Infrastructure Security
| Measure | Implementation |
|---------|----------------|
| Firewall | iptables rules on VPS |
| DDoS protection | Cloudflare (if configured) |
| Updates | Regular security patches |
| Backups | Daily encrypted backups, 90-day retention |
| Monitoring | Error logging, performance monitoring |
---
## 7. Data Retention Policy
| Data Category | Retention Period | Deletion Method |
|---------------|------------------|-----------------|
| Active user accounts | Account lifetime | Soft delete → hard delete after 30 days |
| Inactive accounts | 2 years after last login | Automatic anonymization |
| Project data | Program lifetime + 5 years | Archived, then anonymized |
| Audit logs | 12 months | Automatic deletion |
| AI usage logs | 12 months | Automatic deletion |
| Session data | Session duration | Automatic expiration |
| Backup data | 90 days | Automatic rotation |
---
## 8. International Data Transfers
### 8.1 OpenAI (USA)
| Aspect | Details |
|--------|---------|
| Transfer Mechanism | Standard Contractual Clauses (SCCs) |
| DPA | OpenAI Data Processing Agreement |
| Data Minimization | Only anonymized data transferred |
| Risk Assessment | Low (no PII transferred) |
### 8.2 Data Localization
| Service | Location |
|---------|----------|
| Primary database | [EU location] |
| File storage | [Location] |
| Email service | [Location] |
---
## 9. Cookies and Tracking
### 9.1 Essential Cookies
| Cookie | Purpose | Duration |
|--------|---------|----------|
| `session_token` | User authentication | Session |
| `csrf_token` | CSRF protection | Session |
### 9.2 Optional Cookies
The platform does **not** use:
- Marketing cookies
- Analytics cookies that track individuals
- Third-party tracking
---
## 10. Data Protection Impact Assessment (DPIA)
### 10.1 AI Processing DPIA
| Factor | Assessment |
|--------|------------|
| **Risk** | Personal data sent to third-party AI |
| **Mitigation** | Strict anonymization before processing |
| **Residual Risk** | Low (no PII transferred) |
### 10.2 File Upload DPIA
| Factor | Assessment |
|--------|------------|
| **Risk** | Sensitive documents uploaded |
| **Mitigation** | Pre-signed URLs, access controls, virus scanning |
| **Residual Risk** | Medium (users control uploads) |
### 10.3 Evaluation Data DPIA
| Factor | Assessment |
|--------|------------|
| **Risk** | Subjective opinions about projects/teams |
| **Mitigation** | Access controls, audit logging |
| **Residual Risk** | Low |
---
## 11. Breach Notification Procedure
### 11.1 Detection (Within 24 hours)
1. Automated monitoring alerts
2. User reports
3. Security audit findings
### 11.2 Assessment (Within 48 hours)
1. Identify affected data and individuals
2. Assess severity and risk
3. Document incident details
### 11.3 Notification (Within 72 hours)
**Supervisory Authority:**
- Notify if risk to individuals
- Include: nature of breach, categories of data, number affected, consequences, measures taken
**Affected Individuals:**
- Notify without undue delay if high risk
- Include: nature of breach, likely consequences, measures taken, contact for information
### 11.4 Documentation
All breaches documented regardless of notification requirement.
---
## 12. Contact Information
| Role | Contact |
|------|---------|
| **Data Protection Officer** | [DPO name] |
| **Email** | [DPO email] |
| **Address** | [Physical address] |
**Supervisory Authority:**
Commission de Contrôle des Informations Nominatives (CCIN)
[Address in Monaco]
---
## 13. Document History
| Version | Date | Changes |
|---------|------|---------|
| 1.0 | 2025-01 | Initial version |
---
## See Also
- [AI Data Processing](./ai-data-processing.md)
- [AI System Architecture](../architecture/ai-system.md)
Reference in New Issue View Git Blame Copy Permalink