Make SonarQube ready for European GDPR (Regulation (EU) 2016/679)?


Günter Wirth

Nov 13, 2017, 9:00:40 AM
to SonarQube
Hi,

In 2018 the European GDPR (General Data Protection Regulation) will be coming into force (deadline: 25 May 2018). SQ is saving personal data, e.g. the author of code, of an issue, ... .
Are there any plans to align SQ with the GDPR?

In my understanding there should be
  • a global permission to turn display of / usage of author: on/off
    • code author (blame data)
    • filtering for author in e.g. Issues / Author
  • to delete an author from the database
Regards,
Günter

G. Ann Campbell

Nov 14, 2017, 3:46:23 PM
to SonarQube
Hi Guenter,

Not entirely tangentially, do you know what plans - if any - GitHub, BitBucket, et al. have for this? For that matter, vanilla Git, SVN, CVS, ...

That's where we get blame data. If the providers mask it, then we've got nothing to work with.


Ann

Günter Wirth

Jan 17, 2018, 9:11:16 AM
to SonarQube
Hi Ann,


> Not entirely tangentially, do you know what plans - if any - GitHub, BitBucket, et al. have for this? For that matter, vanilla Git, SVN, CVS, ...

We are using SVN and Git. The problem is that your tool, at the latest starting with 6.7 LTS, is no longer usable with SCM disabled. Much information is missing or causes problems (leak period, coverage on new code, tracking of changes/issues in code/changed code, ...).

But independently of this, your tool is able to store personal data, which means you have to be compliant with the GDPR regulation.

In my understanding there should be at least

  • a global permission to turn display of / usage of author: on/off
    • code author (blame data)
    • filtering for author in e.g. Issues / Author
  • to delete an author from the database

What are your plans here?


Regards,

Günter

G. Ann Campbell

Jan 17, 2018, 9:27:45 AM
to Günter Wirth, SonarQube
Hi Guenter,

We don't have any plans there. 

But on the other hand, we are actively working to improve the experience without SCM data: https://jira.sonarsource.com/browse/MMF-808


Ann



---
G. Ann Campbell | SonarSource
Product Manager
@GAnnCampbell


Günter Wirth

Jan 17, 2018, 10:37:40 AM
to SonarQube
Hi Ann,

The problem really seems to be that all tools which are at least theoretically able to store personal data have to comply with GDPR?

In my understanding you have to support at least this somehow:
Regards,
Günter

Olivier Gaudin

Mar 1, 2018, 9:48:37 AM
to Günter Wirth, SonarQube
Günter,

I am currently looking at GDPR from a product point of view for SonarQube. 

I understand where you are coming from on this, however I am not sure I agree with your perspective here. Let me explain: when you install SonarQube, SonarSource is not involved and has zero access to any "personal" data. 

So what we are talking about here is: a company X installs SonarQube and will store some information inside. Should the name of a committer and the date of a commit be considered personal information? I have some difficulty thinking it is personal data; to me this is company data.

I would therefore tend to say that from a GDPR point of view, there is nothing to be done here.

What do you think?

Thanks

Olivier

--
Olivier Gaudin | SonarSource
CEO & Co-Founder

Günter Wirth

Mar 13, 2018, 1:39:56 PM
to SonarQube
Olivier,

> I have some difficulties to think it is personal data, to me this is company data.


That’s not so easy to answer. Typically in bigger companies you have two players in the game. One is the Data Security Officer (DSO), who also takes care of GDPR compliance, and the other is the Works Council.


First of all it depends on the employee's contract what the employer is allowed to do with the data (aligned with legal aspects).


When introducing a new tool, the tool owner has to put a contract in place with the DSO and the Works Council to clarify which kind of data is collected, for what reason, how long it is stored, access rights and so on.


It depends on your company processes whether blame data is really needed and should be visible to others.


An absolute must-have is the possibility to delete users, e.g. after they have left the company.


From the Works Council's point of view it’s an absolute no-go to derive metrics from the personal data: how many LoC does developer A write, how many developer B, how many issues are in their code, … and use this to compare performance. If the data (author) is visible, this is possible.


Does this answer your question?


Best regards,
Günter

Olivier Gaudin

Mar 14, 2018, 1:17:15 AM
to Günter Wirth, SonarQube
It does and definitely clarifies.

I will come back on this thread with news.

Many thanks

Olivier


sandyo...@gmail.com

Apr 27, 2018, 8:49:16 AM
to SonarQube
Hi,

Can you please provide me with an EULA agreement from SonarQube for GDPR compliance?

Thanks,
Sandhya

sandyo...@gmail.com

Apr 27, 2018, 8:50:15 AM
to SonarQube
Hi Again,

Our project uses SonarQube. Can you please share the plans for the SonarQube tool on moving towards GDPR?

What are the plans and actions from the tool side for compliance with GDPR?

If you already think the tool is compliant, please provide us with a written confirmation of the same so we can document it.

Thanks,
Sandhya

Olivier Gaudin

Apr 28, 2018, 6:32:28 AM
to sandyo...@gmail.com, SonarQube
I believe the product is compliant.

Regards

Olivier



Sandhya Bharani

May 3, 2018, 11:30:39 AM
to Olivier Gaudin, SonarQube
Hi Olivier,

Thanks for the confirmation. Can you please share a link to the SonarQube agreement document or any compliance document on this for documentation purposes?

Thanks,
Sandhya

--
Regards,
Sandy

Sandhya Bharani

May 21, 2018, 7:49:19 AM
to Olivier Gaudin, SonarQube
Hi Olivier,

Can you please send me the agreement PDF or document on SonarQube regarding GDPR, or any link where you have this document?

Also a few more questions:

  • Which privacy enhancing techniques (PETs) are in place?
  • How is the data destroyed or archived?
  • Where is the hosting location? Is it on the build server where we have hosted SonarQube, or do you have any associated data which is fetched from us, and where is it being saved?

Please help ASAP since we are closing in on GDPR.

Thanks,
Sandhya


--
Regards,
Sandy