website tos gdpr compliance

Hey, in the context of implementing in-game gdpr compliance the xonotic website tos came up again.
It is probably beneficial to mostly split these two things into different issues and threads.
So this is the thread about the website TOS, if you have a remark on the in-game changes required, head over to this thread

I really like how easy to read the TOS are, however imho it does lack important information as to who is actually responsible.
"We - the past and present contributors to Xonotic" simply does not cut it, because someone is certainly hosting this website and in theory if anything happens this is the person accountable. This is information that should be mentioned in the TOS. A person accountable. This person could also serve as the "controller" according to GDPR.
And providing proof that the processing is actually done according to what is stated is easy: the stuff is open source, right? But that has to be linked and mentioned properly.
This cuts out any real responsibility of a controller.

EDIT: I said "person" but mean legal entity ofc

Also I think it would be even easier to understand if stats and forum aren't handled in one tos but instead use one each. This would mean we create some redundancy, but lots of information used in the forums are not used in stats. This way we could have a more "pure" stats TOS.

I'm not a lawyer, but I think Halogene's question in the original thread must be considered before any action is taken: is a loosely-affiliated group of people on the internet sufficient to define a legal entity? I don't know!

I do know this: I will not *personally* take ANY legal burdens on behalf of this project. It's simply not worth it to me.

well, whoever is hosting the website already has in some way taken a legal burden. And thats precisely my point, The devs of the game aka the loosely-affiliated group of people is not even required to act like it. However the website hosts are.
That being said, I don't actually have a clue how this website is hosted. Maybe someone could clarify this?

According to german law, all commercial websites need an imprint (e.g. as soon as you make money with ads). This is not the case with the website, so at least for that part we're good to go.
The IP addresses in the access logs are not enough to create a personalized profile, so again, no need to worry.
The IRC webchat page might be a minor problem as the widget is embedded from another website. I think we only need to mention that this is an external service with quakenet being fully responsible.

Now for the ridiculous part: The cacs page allows searches. These searches will show up in the access logs and can be connected to IP addresses. Strictly speaking (or at least as I understand the GDPR), this is already a personal profile. Just to be sure, I would mention that we don't use that data to create personal profiles.

I think the searches on CACS are all client side, so they wouldn't be in the log at all.

The IP addresses in the access logs are not enough to create a personalized profile, so again, no need to worry.

Still needs to be mentioned that it is being logged according to GDPR, At least thats how I understand it.
And the only logical controller is the crowd of people that could in theory modify or delete logs and database.
That will have to be written out, who has internal access?

‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

So, "core team". That label/moniker is as far as I will go in any TOS or Privacy Policy. 

who has internal access?

See my prior comment about legal liability. Unless otherwise notified, I will extend that same paranoia to the rest of my collaborators.