
#1 2024-08-14 04:43:28

SeaBee61
Member
From: Frederick MD, USA
Registered: 2024-08-14
Posts: 2

How to comply with EU Data Protection Laws [SOLVED]

Hello, I have nearly completed writing a GPL3 open source program using C++ and Qt6 and I intend to include it in the Arch Linux AUR. This program will probably be called "Chemical Calculator" or something closely related. This program is intended for scientists and laboratory personnel as it calculates the amount of chemicals needed for mixing solutions.

I recently added a feature that allows the user to type in the name of the chemical and obtain the molecular weight from an online database PubChem, run by the US government.  I do not collect any data at all, but the program sends the user's IP address and the chemical name to the PubChem database for a search which returns data back to the program which then extracts the molecular weight of the chemical.

Now I am concerned that this feature may need notifications and a way to opt-out of sending this data in order to comply with EU Data Protection Laws, and/or best practices.

The Chemical Calculator program uses a PubChem interface called "Entrez" which allows scripted queries for fast, well-formatted responses (about 1 second), but the user never sees the PubChem website this way and any privacy policy on their website is not seen.

Question 1) Is an IP address alone considered "personal data" in the EU or elsewhere?  What about an IP address plus chemical name?

Question 2) What are your opinions about the best practices on how and where to do notifications and opt-outs? Should I just do it once on the first startup or do I need to notify every time before data is transferred? Or can I just put the notification in the help section with directions to opt-out?

Question 3) Can I set the default to allow this data transfer to happen unless the user opts-out, or should the default be no data transferred unless the user opts-in?

Last edited by SeaBee61 (2024-08-15 01:45:31)


#2 2024-08-14 04:48:13

Head_on_a_Stick
Member
From: The Wirral
Registered: 2014-02-20
Posts: 8,269

Re: How to comply with EU Data Protection Laws [SOLVED]

I have no legal expertise whatsoever but a quick search confirms that a user's public IP address does fall under the remit of the GDPR: https://www.dbswebsite.com/blog/ip-addresses-gdpr/


Everything for everyone, nothing for ourselves


#3 2024-08-14 08:16:38

seth
Member
Registered: 2012-09-03
Posts: 58,657

Re: How to comply with EU Data Protection Laws [SOLVED]

You're sending your WAN IP to any host when you ping it…
The user needs to be aware that you're querying an external source, not because of any EU legislation but as a courtesy.
Since it's likely not an expected behavior ("wait, what? ping makes an online query??!!") in your software, I'd inform them when they try to invoke the feature, along with a checkbox that says "Ok, got it. Please don't spam me again with that".


#4 2024-08-15 01:56:57

SeaBee61
Member
From: Frederick MD, USA
Registered: 2024-08-14
Posts: 2

Re: How to comply with EU Data Protection Laws [SOLVED]

Thanks for your replies.  I'm going to mark this thread as SOLVED. 

I think I will have the user opt-in or opt-out (to the data transfer) on the first use of the program, and allow them to change it at any time. After all, it is their computer and they should have full control over any data transfers.

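One way to implement the consent gate this thread settles on (ask on first use, no transfer before the user answers, choice persisted and changeable at any time, and a remembered "don't ask again" so the prompt is not repeated), as an added example that is not the poster's Chemical Calculator code. It is plain C++17 rather than Qt so that it builds anywhere; in the Qt6 program the `ConsentStore` would naturally sit on top of QSettings and the `FetchFn` would wrap the existing PubChem request. The file name, the `pubchem_lookup` key, the disclosure wording and the 58.44 stub value are all constructed for this example.

```cpp
#include <cstdio>
#include <fstream>
#include <functional>
#include <iostream>
#include <optional>
#include <string>
#include <utility>

// Three states: the user has not been asked yet, has opted in, or has opted out.
enum class Consent { Unset, OptedIn, OptedOut };

// Persists the choice as one line "pubchem_lookup=in" or "pubchem_lookup=out"
// (a file format constructed for this example). A missing file or unknown value
// means the user has not been asked yet, which is what the first start looks like.
class ConsentStore {
public:
    explicit ConsentStore(std::string path) : path_(std::move(path)) { load(); }
    Consent get() const { return consent_; }
    void set(Consent c) { consent_ = c; save(); }  // changeable at any time
private:
    void load() {
        std::ifstream in(path_);
        std::string line;
        if (in && std::getline(in, line)) {
            if (line == "pubchem_lookup=in") consent_ = Consent::OptedIn;
            else if (line == "pubchem_lookup=out") consent_ = Consent::OptedOut;
        }
    }
    void save() const {
        if (consent_ == Consent::Unset) return;  // never persist "not asked yet"
        std::ofstream out(path_, std::ios::trunc);
        out << (consent_ == Consent::OptedIn ? "pubchem_lookup=in"
                                             : "pubchem_lookup=out") << '\n';
    }
    std::string path_;
    Consent consent_ = Consent::Unset;
};

// What the prompt tells the user before the first transfer: exactly what leaves
// the machine and to whom. The same text can live in the help section.
const char* const kDisclosure =
    "Looking up a molecular weight sends the chemical name (and, as with any "
    "internet request, your IP address) to PubChem (pubchem.ncbi.nlm.nih.gov). "
    "This program stores none of it. You can change this choice at any time.";

struct LookupResult {
    enum class Status { Sent, NeedsConsent, Declined } status;
    std::optional<double> molecular_weight;  // set only when Status::Sent
};

// The network call is injected so the gate can be exercised offline; the real
// program would pass a function that performs the PubChem request.
using FetchFn = std::function<std::optional<double>(const std::string&)>;

// The single choke point: nothing reaches the network unless consent is OptedIn.
LookupResult lookupMolecularWeight(const ConsentStore& store,
                                   const std::string& chemical,
                                   const FetchFn& fetch) {
    switch (store.get()) {
    case Consent::OptedIn:  return {LookupResult::Status::Sent, fetch(chemical)};
    case Consent::OptedOut: return {LookupResult::Status::Declined, std::nullopt};
    case Consent::Unset:    break;
    }
    // Not asked yet: the caller shows kDisclosure, records the answer with
    // store.set(), then retries. No request is sent on this path.
    return {LookupResult::Status::NeedsConsent, std::nullopt};
}

int main() {
    const std::string path = "chemcalc_consent_demo.cfg";
    std::remove(path.c_str());  // simulate a first start
    ConsentStore store(path);

    // Stand-in for the PubChem request; 58.44 is a constructed value for NaCl.
    FetchFn stub = [](const std::string&) -> std::optional<double> { return 58.44; };

    LookupResult first = lookupMolecularWeight(store, "sodium chloride", stub);
    if (first.status == LookupResult::Status::NeedsConsent) {
        std::cout << kDisclosure << "\n[y/N]? ";  // the one-time prompt
        store.set(Consent::OptedIn);              // pretend the user answered yes
    }
    LookupResult second = lookupMolecularWeight(store, "sodium chloride", stub);
    if (second.molecular_weight)
        std::cout << "\nmolecular weight: " << *second.molecular_weight << '\n';
    return 0;
}
```

The design choice worth keeping whatever the storage backend is that the default state is "not asked" rather than "allowed", so the very first invocation returns `NeedsConsent` without touching the network, and that every lookup goes through the one function that checks the stored choice, so a later feature cannot quietly bypass the gate.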
