GDPR compliance
GDPR (General Data Protection Regulation), also known as Regulation
(EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural
persons with regard to the processing of personal data and on the free movement of such data, is an EU law
valid from May 25, 2018. It repeals EU Directive 95/46/EC and replaces the national regulations on the
same matters of EU member states. GDPR states mandatory conditions that must be met by web sites, IT
companies, organizations, national and regional authorities, and any individuals or legal persons that
store and/or process the personal data of EU residents.
Note - GDPR is an EU law, but this does not mean that it is automatically valid in all EU
countries. Each EU country needs to incorporate the GDPR directives in its own law before they become
valid at the national level, which often takes years to implement. This means, in practice, that GDPR
starts taking effect at different times in different EU countries. GDPR is therefore not automatically
enforced from the time the EU GDPR law took effect.
This law applies to any of the above entities, regardless of their geographic location.
It is enough that these entities store and/or process personal data of EU citizens to make them subject
to GDPR rules.
A relevant point is whether EU law really can be enforced outside the EU. The EU states that GDPR does
apply to all companies that offer products or services in the EU and/or process information of EU
citizens. If the defendant has no economic interests within the EU and no other ties to the EU, the
possibilities for the EU to enforce GDPR abroad would seem to be extremely limited, as long as the GDPR
transgression is not a crime in the respective country. This web site (www.savazzi.net) offers neither
products nor services, and is not hosted in the EU. Furthermore, being a personal web site, it is outside
the scope of GDPR.
A non-EU company or organization that does process information on EU citizens (for example by logging IP
addresses of web visitors from the EU) is exempted from GDPR record-keeping obligations (in this case,
primarily the safe archiving of web visitor information) if the organization has fewer than 250 employees
or members (GDPR Article 30.5). For this reason, savazzi.net and its web site (which are purely personal
and managed by one person) are exempted from GDPR record-keeping regulations and from the obligation of
collecting the consent of EU citizens before storing their personal information.
GDPR does not apply to "purely personal or household activity". EU citizens that I may mention
or show in pictures in this context on this web site can therefore have no expectation of being protected
by GDPR.
Another important exception to GDPR is that EU citizens can only request that their personal data is
removed from public view. They cannot ask for deletion of the actual data. As long as the data is not
publicly accessible, e.g. by Googling for it, or can be proved to have been collected and used for illicit
purposes, it is not subject to GDPR. As an example, BBC was requested to remove hundreds of its web
pages from its own search results and from Google databases, at the request of persons mentioned in these
pages. The large majority of these persons are convicted criminals who object to their court sentences
being made publicly accessible (this fact makes the interesting point that GDPR is being routinely used to
protect the privacy of criminals at the expense of the public). GDPR, however, cannot force BBC to remove
the actual web pages, since the details of criminal convictions are a matter of public record. As a
result, BBC is keeping a publicly accessible and updated list, with links, of all pages that it has been
forced to make inaccessible to web searches by persons invoking their GDPR rights. The list is available
here.
Cookie policy
This web site uses no cookies. I will never know, nor care, whether you allow your browser to store
cookies. This is the whole story about cookies on this site.
More generally, what data does a cookie contain, and can cookies be a threat to your privacy?
A cookie is a text file that a web server sends to your browser. Your browser stores this file on your
computer (if configured to do so). Modern browsers typically store all cookies in a single database, which
is faster than storing and retrieving individual files. This data file contains:
- The server's URL. This is used by the browser to locate the cookie and send it back to the same server
when you visit this server at a later time. Cookies typically expire (i.e., are deleted by the browser)
after a number of days (which may be specified in the cookie but may be overridden by the browser
settings). Some browsers also allow the user to delete all cookies in bulk.
- Some data provided by the server. This data is usually obfuscated and not directly readable by the user.
This data may contain information about you that is known by the server. Potentially, this data may
therefore contain personal information like your name, physical location, originating IP address and any
other data that you may have entered, for example, while registering for membership on the server. This
data may also contain a pointer to a database record stored on the server, which allows the server to
identify you and use your personal data for a targeted user experience even if the cookie contains no
personal data about you. This means, in practice, that the server (and any companies/organizations that
have purchased the data stored on the server) may know a lot more about you than what is contained in the
cookie itself.
Therefore, while cookies are generally used for innocent purposes, like recognizing you as a previous
visitor, instructing the server to present its pages in the way you selected during previous visits, and
calling your attention to posts and news that you have not yet read on previous visits, some users may
desire not to be identified by the server. In these cases, for maximum safety, configure the browser not
to accept cookies from specific (or all) servers.
Even if you store no cookies on your computer, a server may still identify you, for example, through your
username and password. The server may also try to identify you by comparing your IP address with addresses
it has stored during previous visits. The latter method is only a best guess, since the user IP address
may change without notice. Some Internet providers may try to always assign you the same IP address, while
others may give you a different address every time your Internet router or mobile phone is restarted or
reconnected. The latter is especially frequent when using a mobile Internet connection.
About cross-site cookies
You should probably be made aware that, by default, cookies placed on your computer by one website are
available for reading by all the other web sites you visit, as long as they look for this specific cookie
on your computer. This is broadly used by many companies to trace your surfing and shopping activities
across the Internet, and to analyze your spending and shopping patterns in order to target you with
commercial offers tailored to your habits, either via online ads, messages, or e-mail. Buying and selling
cookie information to make cookies easier to track across web sites is a large market that involves
hundreds of companies.
Whenever you click a button in your browser to get past the cookie notice and get on with your surfing,
you provide valuable personal information to this market, willingly and for free. It is not surprising
that the default response for dismissing the cookie notice is to "allow all cookies", while
other choices require multiple button presses and time for reading plenty of small print and deciding
which boxes to tick in an online form with long lists of multiple choices.
The current version of Firefox (as of May 2022) offers an option to make cookies stored on your computer
only available for reading by the same web site that gave you the cookie. This effectively makes it
impossible to track your surfing habits by using cross-site cookies. Other web browsers may offer
comparable functionality. This, in practice, helps to make your surfing less likely to be commercially
exploited, and gives a better protection of your privacy.
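The following model is an added example, not part of the original page. It shows a tracker embedded as third-party content in several sites, storing in its cookie only an opaque identifier (the pointer to a server-side record mentioned in the cookie description earlier), first with a shared cookie store and then with a store isolated per visited site. The class names and the example.* hosts are hypothetical.

```python
from collections import defaultdict


class CookieJar:
    """Toy browser cookie store.

    partitioned=False: a cookie is keyed only by the host that set it.
    partitioned=True:  a cookie is keyed by (site in the address bar, host that set it).
    """

    def __init__(self, partitioned):
        self.partitioned = partitioned
        self.store = {}

    def _key(self, top_site, cookie_host):
        return (top_site, cookie_host) if self.partitioned else cookie_host

    def get(self, top_site, cookie_host):
        return self.store.get(self._key(top_site, cookie_host))

    def set(self, top_site, cookie_host, value):
        self.store[self._key(top_site, cookie_host)] = value


class Tracker:
    """Third-party server whose content is embedded in other sites' pages."""

    def __init__(self, host):
        self.host = host
        self.profiles = defaultdict(list)  # server-side record: visitor id -> sites seen
        self._next_id = 0

    def handle_embed(self, jar, top_site):
        visitor = jar.get(top_site, self.host)
        if visitor is None:  # no cookie came back: treat as a new visitor
            self._next_id += 1
            visitor = f"v{self._next_id}"
            jar.set(top_site, self.host, visitor)
        self.profiles[visitor].append(top_site)


def browse(partitioned, sites):
    """Visit each site in turn; return what the tracker has recorded per visitor id."""
    jar = CookieJar(partitioned)
    tracker = Tracker("tracker.example")  # hypothetical third-party host
    for site in sites:
        tracker.handle_embed(jar, site)
    return dict(tracker.profiles)
```

With the shared store, one identifier accumulates every visited site. With the per-site store, the tracker sees a separate, unlinkable identifier for each site.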
How this web site complies with GDPR
- This web site contains no personal data of EU citizens, except data already in the public domain, or my
own personal data. As web master of this site, I am therefore neither a data controller nor a data
processor as defined by GDPR.
- No database is connected to this site, and all content of this site is contained in static pages and
available online at all times. There are no "secret" or "member-only" areas on this
site that might hide personal data, and no lists of members or visitors.
- GDPR gives each EU resident the right to request what personal data a controller or processor is holding
about said EU resident.
- If you are an EU resident and wish to know whether this site contains your personal data, use the
Google Search facility on the home page of this site to search for your
personal data. If this search facility does not return anything relevant, it means that this site
does not contain any of your personal data. Be aware, however, that Google (or whatever you use for
web searches) can, and usually will, log your searches to identify commercially exploitable
patterns.
- GDPR gives each EU resident the right to ask for removal of personal data of said EU resident from
databases, web sites, etc.
I also reserve the right to publish a list of all pages of this site where I removed personal data for
compliance with GDPR.
HTTPS, privacy and logging
The contents of this web site are sent to your web browser encrypted with HTTPS, which in principle
makes it impossible for a third party to casually eavesdrop on the contents sent to your web browser,
and to alter or replace these contents with something else.
HTTPS encrypts the whole connection between server and client at the TCP level, by piggybacking TLS
between TCP and HTTP, so a casual observer eavesdropping on the HTTPS traffic between server and
client, in principle, will not see any plaintext data after the initial protocol handshaking, will not
know which URLs are requested by the client, and will not know how the server responds to the
requests.
HTTPS does not protect against MITM (man-in-the-middle) attacks, so it is entirely possible for a
government, corporation or determined individual to eavesdrop on the encrypted HTTPS traffic passing
through an Internet router or firewall. This requires the router/firewall to replace the client's
credentials with its own credentials when the TLS connection is first established, and subsequently to
decrypt, log and re-encrypt the data before forwarding it to the destination. In practice, on the
client's side the MITM pretends to be the server, and on the server side pretends to be the client.
Only a government or a large corporation should be expected to devote the necessary resources for
mass-eavesdropping on HTTPS traffic, especially considering that the bulk of this traffic will contain
no information of any use to most attackers. Logging the traffic in its entirety for analysis at a
subsequent time is largely impractical. Selecting and logging connections of potential interest is
therefore very expensive, and requires large amounts of manpower and/or AI. A variety of systems,
including shared-secret-key, can allow a client to detect MITM attacks.
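One possible shape for the shared-secret check mentioned above, as an added example that is not part of the original page: the server proves, with a key the client also holds, which certificate it presented, and the client compares that proof with the certificate it actually received. The function names, the key and the certificate bytes are constructed for illustration; in a real client the observed certificate would come from `ssl.SSLSocket.getpeercert(binary_form=True)`.

```python
import hashlib
import hmac
import os


def cert_fingerprint(cert_der: bytes) -> bytes:
    """SHA-256 over the DER-encoded certificate."""
    return hashlib.sha256(cert_der).digest()


def server_proof(shared_key: bytes, nonce: bytes, own_cert_der: bytes) -> bytes:
    """Server side: bind the client's fresh nonce to the certificate the server presents."""
    msg = nonce + cert_fingerprint(own_cert_der)  # fixed lengths, so no ambiguity
    return hmac.new(shared_key, msg, hashlib.sha256).digest()


def client_verify(shared_key: bytes, nonce: bytes, observed_cert_der: bytes, proof: bytes) -> bool:
    """Client side: recompute the proof over the certificate seen in the TLS handshake."""
    msg = nonce + cert_fingerprint(observed_cert_der)
    expected = hmac.new(shared_key, msg, hashlib.sha256).digest()
    return hmac.compare_digest(expected, proof)  # constant-time comparison


def demo():
    # All values below are constructed placeholders, not real keys or certificates.
    key = b"constructed-shared-secret-32byte"
    server_cert = b"constructed DER bytes: server certificate"
    proxy_cert = b"constructed DER bytes: interception proxy certificate"
    nonce = os.urandom(16)

    genuine = server_proof(key, nonce, server_cert)
    forged = server_proof(b"proxy does not know the key", nonce, proxy_cert)
    stale = server_proof(key, os.urandom(16), server_cert)  # proof for another nonce

    return {
        "direct": client_verify(key, nonce, server_cert, genuine),
        "intercepted_relayed_proof": client_verify(key, nonce, proxy_cert, genuine),
        "intercepted_forged_proof": client_verify(key, nonce, proxy_cert, forged),
        "replayed_old_proof": client_verify(key, nonce, server_cert, stale),
    }
```

Only the direct connection verifies. An intercepting device that presents its own certificate can neither reuse the server's proof nor compute a valid one without the shared key.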
The IP addresses of visitors of this site and the URLs requested by their browsers are only logged
when necessary for diagnostic purposes. Logs are stored by the web hosting company (Freehostia) of this site. I keep no separate copy of the logs.
The total number of site-wide page hits is recorded for traffic statistics purposes. The site-wide
number of visitors aggregated by geographic location is recorded via
clustrmaps.com (based on the originating IP address as seen by
clustrmaps.com) and displayed on a map (generated by clustrmaps.com) at the bottom of each page. Web
browsers configured to prevent cross-domain requests typically interfere with this mechanism, and in
this case you will not see the map in your browser (but everything else on this site will continue to
work).
This web site does not change or tailor the served contents on the basis of your location. All
visitors see the exact same contents, unless firewalls set up by your provider or your government
change or restrict the contents being sent to you.
Access denied and page not found incidents are logged for security
purposes and for detecting broken internal links. The logged information includes the originating IP
addresses, the requested URL, and any information supplied by the visitor's browser. Based on these
logs, attempts to access resources on this site for clear hacking purposes may lead to a temporary or
permanent blocking of the originating IP addresses, domains and in some cases countries.
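A sketch of how such logs can be reviewed, as an added example that is not this site's own code: it separates 404s reached from the site's own pages (broken internal links) from repeated denied or missing requests by one address. The log lines are constructed in Combined Log Format; the origin www.example.org, the threshold and the time window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3}) \S+ "([^"]*)"')
SITE = "https://www.example.org/"  # assumption: placeholder for the site's own origin

LOG = [  # constructed sample lines, documentation-range IP addresses
    '192.0.2.10 - - [12/May/2022:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [12/May/2022:10:00:05 +0000] "GET /old-page.html HTTP/1.1" 404 312 "https://www.example.org/index.html" "Mozilla/5.0"',
    '203.0.113.7 - - [12/May/2022:10:01:00 +0000] "GET /admin/ HTTP/1.1" 404 312 "-" "curl/7.81.0"',
    '203.0.113.7 - - [12/May/2022:10:01:02 +0000] "GET /private/ HTTP/1.1" 403 199 "-" "curl/7.81.0"',
    '203.0.113.7 - - [12/May/2022:10:01:03 +0000] "GET /config.bak HTTP/1.1" 404 312 "-" "curl/7.81.0"',
    '198.51.100.4 - - [12/May/2022:10:02:00 +0000] "GET /favicon.ico HTTP/1.1" 404 312 "-" "Mozilla/5.0"',
]


def parse(lines):
    """Yield (ip, timestamp, url, status, referer) for every line that matches the format."""
    for line in lines:
        m = LINE.match(line)
        if m:
            ip, ts, url, status, referer = m.groups()
            yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), url, int(status), referer


def review(lines, threshold=3, window=timedelta(minutes=5)):
    """Return (broken internal links, addresses with >= threshold 403/404 hits inside window)."""
    broken_links, hits, block = set(), defaultdict(list), set()
    for ip, when, url, status, referer in parse(lines):
        if status not in (403, 404):
            continue
        if status == 404 and referer.startswith(SITE):
            broken_links.add((referer, url))  # one of the site's pages links to a missing URL
            continue
        hits[ip] = [t for t in hits[ip] if when - t <= window] + [when]
        if len(hits[ip]) >= threshold:
            block.add(ip)
    return broken_links, block
```

The Referer header is supplied by the browser, so the broken-link report is a hint for the web master rather than evidence.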