Best practices for GDPR compliant deployment of XMPP

Abstract: This informational XEP provides information on deploying XMPP in a way that is compliant with the General Data Protection Regulation (GDPR) of the European Union.

Number: xxxx (ProtoXEP)
Type: Informational
Approving body: Standards Council
Dependencies: XMPP Core, XEP-0001
Short name: NOT_YET_ASSIGNED
Author: Winfried Tilanus, winfried@tilanus.com

Revision history:
0.0.1 (2018-05-22, wt): First draft.

The General Data Protection Regulation (GDPR) is a European Union-wide regulation on the handling of personal data. This XEP is a central place for information for server operators who need (or want) to make their server GDPR compliant. This information is general and still subject to debate amongst lawyers; it does not constitute legal advice. When in doubt, consult your own lawyer.

These best practices are aimed at operators of public Jabber servers that federate with other public Jabber servers. Though this XEP is written with a typical server setup in mind, it also contains some considerations for other setups. This XEP does not fully cover the requirements for private XMPP deployments, such as an in-company server, and it does not cover situations where the XMPP traffic is used to observe and analyse the behaviour of users.

The XMPP core specifications and many of the XMPP Extension Protocols describe the handling of data that is regulated by the GDPR. But XMPP is deployed in many different jurisdictions, and the aim of the protocols is to ensure interoperability, not to encode (local) laws into the protocols. So the protocols only contain general information on the data that is processed and only offer general functionality that is not specific to one jurisdiction. This XEP is the central point for gathering all information regarding setting up a server that is compliant with the GDPR. It is accompanied by several other documents, including a template for Terms of Service and a template for a Privacy Statement.

The aim of this XEP is to make it easy for operators of public XMPP servers to set up a GDPR compliant server. This XEP does not cover private setups or setups where the processed data is used for any purpose other than the communication between the end users.

TBD

XEP    Relevance

TBD

TBD

TBD

TBD

TBD

TBD

REQUIRED.

REQUIRED.

REQUIRED.