Privacy statement R. Harmsen

21–22 May 2018, translated from Dutch by the author. See also my previous 2013 Privacy Statement.

1 Definitions

1.1 ‘I’, ‘me’, ‘my’, ‘mine’

The Processor of personal data.

1.2 ‘Processor’

I, Ruud Harmsen, am the Processor, being the webmaster of the Website, and entrepreneur of the one-man company R. Harmsen. For the protection of my privacy I do not expressly state my contact details here. Instead I refer to my e-mail address description (also to be found here), to whois details of the domains of the Website, and to the trade register of the Dutch Chamber of Commerce. My entry in the trade register is under number 30126921.

1.3 ‘Website’

The Website is accessible via the internet domains rudhar.com, rhar.info and rhar.net.

1.4 ‘Charter’

The Charter of fundamental rights of the European Union (2000/C 364/01).

1.5 ‘GDPR’

The GDPR (General Data Protection Regulation) is the
REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
of 27 April 2016
on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

See also the corrigendum. English starts on page 90.

1.6 ‘Implementation Act’

The Implementing Act is the Dutch Uitvoeringswet Algemene verordening gegevensbescherming, which lays down “Rules for the implementation of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OjEU 2016, L 119)”.

1.7 ‘AP’

The AP is the Dutch Autoriteit Persoonsgegevens, i.e. the Supervisory authority in the sense of Chapter VI, starting at Article 51, of the GDPR.

1.8 ‘VPS’

The VPS is my Virtual Private Server, implemented by Tilaa.com. The VPS runs web server Apache, mail server Sendmail, Procmail, spam rejector milter-greylist (official site) and spam filter SpamAssassin.


2 Introduction

With this privacy statement I intend to comply with:

Articles 13/14 of the GDPR

Where the personal data consists mainly of an IP address, it is not possible to contact the data subject directly in order to provide the information described in these articles. Identifying the natural person who has operated the possibly identifiable unique computer linked to the IP address, would require investigative powers that I do not have and do not want to have.

Fortunately, Article 11 of the GDPR states that I “shall not be obliged to maintain, acquire or process additional information in order to identify the data subject for the sole purpose of complying with this Regulation.

It feels strange to have to inform someone who is trying to gain unauthorised access to my VPS, about the use of his/her IP address in order to prevent such access even better.

In view of the above, I offer data subjects the opportunity to find the information as referred to in Article 13/14 of the GDPR here on my Website.

Where the personal data such as IP address, name and e-mail address are received by the Processor via e-mail, it is impractical, and would probably also be perceived as disruptive by the data subject, to provide the information according to Article 13/14 in a reply e-mail every time again. Article 13(4) and point (a) of Article 14(5) of the GDPR make that unnecessary.

Article 30 of the GDPR

This Article is about the register. It is not mandatory to publish the register, it is sufficient to show it to the AP upon request. However, because there is quite some overlap between Article 30 and Article 13/14, I intend this privacy statement to also be the register.


3 Processing of personal data

3.0 Processing categories

The following processing categories are discussed below:

  1. Website logging
  2. Blocking unauthorised ssh access
  3. Spam rejection by milter-greylist
  4. Spam fighting by SpamAssassin
  5. Discussions, Usenet
  6. Discussions, email, Facebook and Twitter
  7. Agreeing on work to be done
  8. Personal data in texts to be translated

3.1 Website logging

3.1.1 What personal data about whom?

IP address of the website visitor, visited page of the website. Sometimes the previous page visited, occasionally the keywords used if the visit came via a search engine. For examples, see the older privacy statement.

3.1.2 Processing

The data is stored in a log file by web server Apache. Several times a day, visits from well-known robots (such as GoogleBot, and many others) are removed from the logging, and only the most recent 3000 entries are kept.

Apache’s visit logging data is used automatically to display some live statistics: recently visited pages and a count of popular pages. There is also a randomised list of unpopular pages, i.e. randomly selected pages from the site map, corrected for recent visits.

None of these statistics display any personal information: no IP numbers and no search terms.

Sometimes out of curiosity, I request data from an IP address, using tools like as ‘whois’ and ‘nslookup’. This does not tell me who the visitors were – and I do not really want to know – but it may sometimes reveal something about the country the visitor visits my page from and the language of preference. Such information, in combination with search terms, if any, may help me set priorities for future writing activities: it is more fun to write things that are more unlikely to find a audience.

3.1.3 Legal basis

My legitimate interests as the Controller (point (f) of Article 6(1) of the GDPR): being able to manage the Website, and to optimise the reach of web pages; my freedom of expression and of information.

3.1.4 Storage period

The result of removing robot visits from the logging, and of keeping only recent entries, is that website visitor records are stored for only about 3 to 4 days.

3.1.5 Transfers

No personal data will be transferred, neither within the Netherlands nor to third countries or international organisations.

3.1.6 Security

I am the only one having access to the VPS that stores the website visits logging. No encryption is used.


3.2 Blocking unauthorised ssh access

3.2.1 What personal data about whom?

Using logging data stored by the operating system FreeBSD, I detect attempts to access my VPS without authorisation, using invented or generated combinations of user name and password. The IP addresses of such attempts are recorded.

3.2.2 Processing

Automated decision-making takes place, on the basis of which certain IP addresses are denied further access by means of a firewall. Point (f) of Article 13(2) of the GDPR states that I should provide “meaningful information about the logic involved” to the data subjects, i.e. the persons who are possibly behind the IP addresses in question. However, in the interest of the security of processing in the sense of Article 32 of the GDPR, and also because of my legitimate interest (point (f) of Article 6(1) of the GDPR) in having a secure VPS, I do not give further details about that logic.

3.2.3 Legal basis

The security of the processing, as mentioned in Article 32 of the GDPR. My legitimate interest (point (f) Article 6(1) of the GDPR) in securing my VPS, recitals (47) and (49) of the GDPR.

3.2.4 Storage period

The data is retained for as long as is necessary for security purposes. This can mean that the storage period is unlimited.

3.2.5 Transfers

No personal data will be transferred, neither within the Netherlands nor to third countries or international organisations.

3.2.6 Security

I am the only one having access to the VPS that stores the data for the ssh protection. No encryption is used.


3.3 Spam rejection by milter-greylist

3.3.1 What personal data about whom?

Milter-greylist is a system for rejecting unsolicited e-mails (‘spam’). By default any server delivering an e-mail is initially shown the door. If the server tries again after a while (most regular mail servers do, many spambots don’t), the message is accepted and delivered. That sender is then entered in a list of legitimate senders.

To this end, milter-greylist collects personal data such as IP address, e-mail address of the recipient and e-mail address of the sender. The “meaningful information about the logic involved” under point (f) of Article 13(2) of the GDPR can be found in the documentation to milter-greylist.

3.3.2 Processing

See the previous paragraph, 3.3.1.

3.3.3 Legal basis

My legitimate interest (point (f) of Article 6(1) of the GDPR) of not receiving spam.

3.3.4 Storage period

The autowhite setting is 45 days. Once that period has expired, the sender’s data will be erased automatically, unless a similar new message has been let through in the meantime.

3.3.5 Transfers

No personal data will be transferred, neither within the Netherlands nor to third countries or international organisations.

3.3.6 Security

I am the only one having access to the VPS that stores the data for the spam rejection milter-greylist. No encryption is used.


3.4 Spam fighting by SpamAssassin

3.4.1 What personal data about whom?

SpamAssassin performs various heuristic and statistical analysis tests on email headers and body text including text analysis, Bayesian filtering, DNS blocklists, and collaborative filtering databases.

3.4.2 Processing

Based on the above techniques, SpamAssassin assigns a score to each e-mail message received, which indicates the probability that it is a spam message. Based on that score, some messages are already set aside on my VPS, others only after they have been downloaded to my laptop, using the POP3 protocol.

3.4.3 Legal basis

My legitimate interest (point (f) of Article 6(1) of the GDPR) of not receiving spam.

3.4.4 Storage period

For as long as is necessary for the proper operation of the SpamAssassin software.

3.4.5 Transfers

To the best of my knowledge, no personal data will be transmitted by SpamAssassin.

3.4.6 Security

I am the only one having access to the VPS that stores the data for SpamAssassin. No encryption is used.


3.5 Discussions, Usenet

3.5.1 What personal data about whom?

I have been participating in discussion groups for many years, also on Usenet. Some examples, dating from almost 29 years ago: 10 July 1989, 15 August 1989, 16 August 1989, 22 August 1989, 18 December 1989, 15 January 1990 and 22 January 1990. And some recent ones: 12 May 2018, 18 May 2018.

Personal data that may appear in such messages are: IP addresses (not in the past, now they often do, depending on technical realisation), names (real or not, they may be nicknames) and e-mail addresses (real of not, often fake to avoid spam) of participants.

3.5.2 Processing

I keep copies of a selection of messages, if they interest me and if they seem useful for later reference. I often respond to messages, and then may use any names and/or e-mail addresses as author references for text quotations.

The discussions are largely personal and of an opinion-forming nature. They may also contain professional content, for example in the fields of information and communication technology, language and translation.

3.5.3 Legal basis

My legitimate interest (point (f) of Article 6(1) of the GDPR): my fundamental right: “Freedom of expression and of information”, based on Article 11 of the Charter.

3.5.4 Storage period

Unlimited.

3.5.5 Transfers

When participating in discussions, while quoting text fragments from original messages as a reference, any personal data such as names and e-mail addresses will be sent back to the news server where they came from, as a reference to the authors of those messages.

3.5.6 Security

I store the selected messages on my laptop and in backups. No encryption is used, as the discussions in question are also stored on the Internet in many places, and are publicly accessible from there.


3.6 Discussions, email, Facebook and Twitter

3.6.1 What personal data about whom?

I have been participating in discussion groups for many years, based on mailing lists, and more recently in groups on Facebook and on Twitter. Discussions take place using LISTSERV software, for example Lantra-L (now here), an international forum for translators, and more recently INTERLNG about the lingua Interlingua.

Other platforms include Yahoo! Groups, Google Groups, and as said Facebook and Twitter.

Personal data that may appear in such messages are: IP addresses, names and email addresses of participants.

3.6.2 Processing

I keep copies of a selection of messages, if they interest me and if they seem useful for later reference. I often respond to messages, and then may use names and/or e-mail addresses as author references for text quotations.

The discussions are partly personal and opinion-forming in nature. Often they also contain professional content, for example in the fields of information and communication technology, language and translation. Especially with the messages I select to save, that is usually the case.

In the event that the discussions take place on Facebook or Twitter, keeping copies of messages refers to notifications to be received as e-mails, if enabled.

3.6.3 Legal bases

  1. My legitimate interest (point (f) of Article 6(1) of the GDPR): my fundamental right: “Freedom of expression and of information”, based on Article 11 of the Charter.

  2. In the case of professional context, such as discussions about terminology, translation methods and best practices for running a business: my legitimate interest (point (f) of Article 6(1) of the GDPR) in being able to review these discussions at a later date and use them for work decisions.

    In order to assess the relative value of the material presented in a discussion, and to draw conclusions from it, it is necessary to consider the whole context of the discussion, including the identity of the contributors. It is therefore my opinion that the stored discussion messages should include the personal data.

    In my situation, pseudonymisation isn’t feasible: modifying the storage of e-mails would disrupt their accessibility with the e-mail program Eudora.

    Article 4(5) of the GDPR defines ‘pseudonymisation’ as “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person”. Such separate storage, and the technical and organisational measures, are not sensibly possible in a one-man company where all storage is done on a single laptop.

  3. My archive of discussion messages, some of which are over 20 years old, supports my personal memories about my life, comparable to personal diary entries. My memory is still sharp, but it can fade. Pointers do help. Memories can be an inspiration for journalistic and/or literary expression.

    Considering this, as a legal basis for the processing, in particular the storing of said e-mails, I also invoke my legitimate interest (point (f) of Article 6(1) of the GDPR), my fundamental right: “Freedom of expression and of information” based on Article 11 of the Charter, and the “Exemptions for journalistic purposes or academic, artistic or literary expression” in Article 43 of the Implementation Act.

3.6.4 Storage period

Unlimited, on the basis of the arguments set out in point 3.6.3.

3.6.5 Transfers

When participating in discussions, while quoting text fragments from original messages as a reference, personal data such as names and e-mail addresses will be sent back to where they came from, as a reference to the authors of those messages.

3.6.6 Security

My email archive is on my laptop, in a so-called data container encrypted with BestCrypt Container Encryption by the Finnish company Jetico.

I regularly back up the containers on external storage media. Encryption is then retained.


3.7 Agreeing on work to be done

3.7.1 What personal data about whom?

I work as an independent translator. In the past, I also did IT work. Agreements on work to be performed are made by exchanging e-mails. Personal data appearing in such messages are: IP address, name and e-mail address of the client’s contact.

3.7.2 Processing

I read these e-mails, reply to them and save them.

3.7.3 Legal bases

  1. Processing is necessary in order to take steps prior to entering into a contract, and for the performance of the contract. Point (b) of Article 6(1) of the GDPR.

  2. Processing (including storage) is necessary in order to comply with the fiscal retention obligation. Point (c) of Article 6(1) of the GDPR. According to the Dutch page How long do you need to keep your records?, this period is 7 years.

  3. My archive of client contacts supports my personal memories about my career, and therefore about my life, comparable to personal diary entries. My memory is still sharp, but it can fade. Pointers do help. Memories can be an inspiration for journalistic and/or literary expression.

    Considering this, as a legal basis for the processing, in particular the storing of e-mails, I also invoke my legitimate interest (point f of Article 6(1) of the GDPR),y my fundamental right: “Freedom of expression and of information” based on Article 11 of the Charter, and the “Exemptions for journalistic purposes or academic, artistic or literary expression” in Article 43 of the Implementation Act.

3.7.4 Storage period

Seven years, based on 3.7.3 point (b) above.

After that: unlimited, based on 3.7.3 point (c) above.

3.7.5 Transfers

When replying to messages, the author’s name and e-mail address are used to indicate the parts of the text which are cited for confirmation. These personal details are returned to the e-mail address that they came from.

3.7.6 Security

My email archive is on my laptop, in a so-called data container encrypted with BestCrypt Container Encryption by the Finnish company Jetico.

I regularly back up the containers on external storage media. Encryption is then retained.


3.8 Personal data in texts to be translated

3.8.1 What personal data about whom?

The texts I translate on behalf of others are mostly of a technical nature. The texts themselves hardly ever contain any personal data. Yet, whenever that is the case, I will pay special attention to them.

3.8.2 Processing

The personal data will appear in appropriate places in the translated text, on the basis of where they were in the original. Originals and translations are stored. When saving translation segment pairs in translation memories, I will anonymise them as soon as possible.

3.8.3 Legal bases

  1. Processing is necessary for the performance of the contract. Point (b) of Article 6(1) of the GDPR.

  2. Processing (including storage) is necessary in order to comply with the fiscal retention obligation. Point (c) of Article 6(1) of the GDPR. According to the Dutch page How long do you need to keep your records?, this period is 7 years.

3.8.4 Storage period

For as long as necessary, in view of points 3.8.3(a) and (b) above.

3.8.5 Transfers

The translation of the source text, including the personal data, is passed on to the client who provided me with the source text.

3.8.6 Security

Translation files are on my laptop, in a so-called data container encrypted with BestCrypt Container Encryption by the Finnish company Jetico.

I regularly back up the containers on external storage media. Encryption is then retained.

Colours: Neutral Weird No preference Reload screen