- Posts: 6
- Thank you received: 0
Welcome to the LimeSurvey Community Forum
Ask the community, share ideas, and connect with other LimeSurvey users!
Technical questions about cookies and the "resume later" function for GDPR
- nolten
- Topic Author
- Offline
- New Member
we're conducting surveys with LimeSurvey as part of our current research project. To comply with the GDPR, I'm currently writing a privacy policy.
For this, I got a few technical questions about cookies and the "resume later" function our server admin could not answer me. I hope, this is the correct subforum for such questions?
Cookies:
1. How long are session cookies valid, so how much time do participants have to take breaks/finish a long page of questions without loading a new page (assuming the cookie refreshes when loading a new page)?
2. Does LS use other cookies than session cookies? If yes, which and how long are they stored/valid?
"Resume later":
3. As using the "resume later" function counts as "registration" of an "account", we need to include this option in the policy. It is also required to give the participants the chance to "change their account data". But, how does this work, where to find and how to change it?
4. How long are those "accounts" stored? Until first used? Until participant finishes the survey? What happens with the account if the participant does not resume the survey until it is closed - is it deleted or saved until the survey itself is deleted?
Only thing I found using the search function was for "resume later" , and the manual does not include technical information like this.
Thanks in advance!
- jelo
- Offline
- Platinum Member
- Posts: 5070
- Thank you received: 1263
Where is LimeSurvey hosted?
And what version of LimeSurvey is used?
The meaning of the word "stable" for users
www.limesurvey.org/forum/development/117...ord-stable-for-users
- nolten
- Topic Author
- Offline
- New Member
- Posts: 6
- Thank you received: 0
I'm sadly not quite sure about the currently used version on the productive server. I've asked our admin, but haven't got an answer yet (because of data privacy later I do not have access to the productive server myself).
On a test server that is not in active use yet we run Version 3.12.1+180616, but from what I remember the interface on the productive server looked a little different, so it could be a slightly older version.
I'll update as soon as I got a reply from our admin, but maybe that already helps a little?
- Joffm
- Away
- LimeSurvey Community Team
- Posts: 12788
- Thank you received: 3940
only some remarks to your points 3 & 4.
There is no 'account' or 'registration'.
The participant just enters a password. This is absolutely free, like '123456' or '4€&aFgse&€3@&7'.
Only if he is afraid of suffering from Alzheimer disease he may enter an email address to get his password sent by email.
And this is according to the GDPR, because it is only used for this communication.
Now 4.
I am on a business trip, but I'll try. IMO this information should be deleted when the survey is deactivated.
But I am not really sure.
Joffm
Volunteers are not paid.
Not because they are worthless, but because they are priceless
- DenisChenu
- Offline
- LimeSurvey Community Team
- Posts: 13935
- Thank you received: 2551
And more : it's internal cookies (just for technical usage) .
About resume later : else : all information are deleted when submit survey.
Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand , plugin development .
I don't answer to private message.
- nolten
- Topic Author
- Offline
- New Member
- Posts: 6
- Thank you received: 0
This is VERY interesting - we thought that by giving a (fictional) name and password, you automatically create an "account" (and therefore, are subject to the respective regulation), even if it does not include any data on the person itself.Joffm wrote: Hi,
only some remarks to your points 3 & 4.
There is no 'account' or 'registration'.
The participant just enters a password. This is absolutely free, like '123456' or '4€&aFgse&€3@&7'.
Only if he is afraid of suffering from Alzheimer disease he may enter an email address to get his password sent by email.
And this is according to the GDPR, because it is only used for this communication.
If that's not the case, we could delete this whole section in our privacy policy, saving me lots of headaches... Question 4 would then become irrelevant, as this information would not count as personal data anymore and therefore needs no information on how long it is saved etc.
Are you sure about that? I would then just add a sentence in the section telling what data we collect about this function and probably be done with it.
We do not have this function activated, so it's session cookies only. Great, that makes my life quite a bit easier!DenisChenu wrote: Except if you check "Set cookie to prevent repeated participation" : all cookies are session cookies. Then close your browser : nothing leave.
And more : it's internal cookies (just for technical usage) .
Thank you both very much for your help!
- DenisChenu
- Offline
- LimeSurvey Community Team
- Posts: 13935
- Thank you received: 2551
1: token … this is personnal information (email at minima)
2: set 'Save IP adress' : this one is awfull (i really dislike it), but more save complete IP adress : no way to save partial IP adress (like matomo ( matomo.org/gdpr/ ) ). And this don't show a warning to admin user …
3: Save "enter url" : this can be out of GDPR issue
4: and of course : personnal information inside surveys
Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand , plugin development .
I don't answer to private message.
- holch
- Away
- LimeSurvey Community Team
- Posts: 11757
- Thank you received: 2753
2: set 'Save IP adress' : this one is awfull (i really dislike it), but more save complete IP adress : no way to save partial IP adress (like matomo ( matomo.org/gdpr/ ) ). And this don't show a warning to admin user …
This can make sense, so I don't think it is a good idea to exclude it. I agree that it would be great to have the additional option to just save the IP particially. But if you inform your respondents at the beginning of the survey that you will store the IP and for how long, this should be OK as well.
I answer at the LimeSurvey forum in my spare time, I'm not a LimeSurvey GmbH employee.
No support via private message.
- DenisChenu
- Offline
- LimeSurvey Community Team
- Posts: 13935
- Thank you received: 2551
Yes, but if a survey is set «not anonymous» : there are specific action done by LimeSurvey code (show the privacy.twig from template) , we don't have such systme for IP.holch wrote:
2: set 'Save IP adress' : this one is awfull (i really dislike it), but more save complete IP adress : no way to save partial IP adress (like matomo ( matomo.org/gdpr/ ) ). And this don't show a warning to admin user …
This can make sense, so I don't think it is a good idea to exclude it. I agree that it would be great to have the additional option to just save the IP particially. But if you inform your respondents at the beginning of the survey that you will store the IP and for how long, this should be OK as well.
Then the information must be updated survey by survey
Maybe just add an empty twig saveipadress.twig file only addes if ip adress is saved in 1st page
Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand , plugin development .
I don't answer to private message.
- nolten
- Topic Author
- Offline
- New Member
- Posts: 6
- Thank you received: 0
As far as I know, the IP is only stored via logfiles (for 4 weeks), which we state in the policy - all other options should be deactivated. So this should probably be ok?holch wrote:
This can make sense, so I don't think it is a good idea to exclude it. I agree that it would be great to have the additional option to just save the IP particially. But if you inform your respondents at the beginning of the survey that you will store the IP and for how long, this should be OK as well.2: set 'Save IP adress' : this one is awfull (i really dislike it), but more save complete IP adress : no way to save partial IP adress (like matomo ( matomo.org/gdpr/ ) ). And this don't show a warning to admin user …
And does anyone else know something about the "resume later" function being some kind of registration or not, just to be sure?
- holch
- Away
- LimeSurvey Community Team
- Posts: 11757
- Thank you received: 2753
And does anyone else know something about the "resume later" function being some kind of registration or not, just to be sure?
I guess, this pretty much depends on the eye of the beholder. When is putting an email* and a password a registration, when not? *I know that the email is not necessary, but still. It is there and people can put it.
To be on the save side I would consider it a temporary registration, deleted after a certain time. But as I said, this depends very much on how the GDPR defines "registration".
If the survey is not extremely long, I would just not offer this option. I think this only really makes sense when the survey is pretty long.
I answer at the LimeSurvey forum in my spare time, I'm not a LimeSurvey GmbH employee.
No support via private message.
- DenisChenu
- Offline
- LimeSurvey Community Team
- Posts: 13935
- Thank you received: 2551
I spoke for LimeSurvey settings : manual.limesurvey.org/Notifications_%26_datanolten wrote: As far as I know, the IP is only stored via logfiles (for 4 weeks), which we state in the policy - all other options should be deactivated. So this should probably be ok?
4 weeks, in France : we have this law : www.legifrance.gouv.fr/affichCode.do?cid...LEGITEXT000006070987 . We must keep log one year … but not more else we are out of this law : www.legifrance.gouv.fr/affichTexteArticl...LEGIARTI000006528131
:silly:
Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand , plugin development .
I don't answer to private message.