[okular] [Bug 435120] Data protection: Removing or editing annotation metadata (author, date, time) should be possible

[Rainer Klute]

https://bugs.kde.org/show_bug.cgi?id=435120

--- Comment #12 from Rainer Klute <rainer.klute at gmx.de> ---
(In reply to 2wxsy58236r3 from comment #11)
> Author name is personal information, but is the timestamp also considered as
> personal information?

According to Article 4 (1) GDPR, “‘personal data’ means any information
relating to an identified or identifiable natural person (‘data subject’); an
identifiable natural person is one who can be identified, directly or
indirectly”.

Whether a timestamp is personal information, depends on the circumstances. If
the author’s name is given and it relates to a natural person (i. e. not
“Anonymous”, “Donald Duck”, or the like), the timestamp no doubt is personal
data, because it reveals a data trace showing when that individual has created
or edited which comments. Timestamps are even more revealing if the person
creates/modifies multiple annotations, because you can deduce information about
the working speed of the data subject, when he or she made pauses and for how
long, and maybe more. I would say the timestamp can be highly sensitive
personal data, even though it does not fall into the special categories defined
by Article 9 paragraph 1 GDPR.

But even the timestamp alone, without regard to the author name field, can be
personal data, namely if it’s obvious from the context or other information,
which doesn't have to be in the document itself, who the author is. For
example, if you send me a PDF, I create an annotation, and I send the document
back to you, you know it was me - and when - even if I left the author field
blank. This is what the GDPR means when it talks about “directly or indirectly”
identifying a person.

To make a long story short, the timestamp is not always personal date. But as a
first approximation, I would consider it as such, unless proven otherwise.


> Can you please share your use case / workflow? (So that developers can
> understand the importance of the requested feature)

The use case is that an individual making annotations does not want to reveal
when he or she created/modified them – for whatever reasons or without any
reason at all.

I would even say that according to Article 25 paragraph 2 GDPR omitting the
timestamp should even be the default. (“The controller shall implement
appropriate technical and organisational measures for ensuring that, by
default, only personal data which are necessary for each specific purpose of
the processing are processed. That obligation applies to the amount of personal
data collected, the extent of their processing, the period of their storage and
their accessibility. In particular, such measures shall ensure that by default
personal data are not made accessible without the individual’s intervention to
an indefinite number of natural persons.”)

-- 
You are receiving this mail because:
You are the assignee for the bug.