Privacy Policy and GDPR compliance info

Hi All,

I have been a happy user of GIMP , and I wanted to promote the use of GIMP in my company as well.

Unfortunately, due to privacy policies GIMP team’s Privacy Policy we need to consider for legal reasons, that is not compliant.

I understand that we could just not use GIMP, but if the privacy policy could be updated to match regulations such as GDPR it would be of great help.

Some examples could be Mozilla or Notepad++ privacy policies.

Someone has some additional information regarding the privacy policy status and if will be update in future?

According to the general provisions:

The regulation applies if the data controller (an organisation that collects information about living people, whether they are in the EU or not), or processor (an organisation that processes data on behalf of a data controller like cloud service providers), or the data subject (person) is based in the EU

But for Gimp there is no data collected… so why should the GDPR apply?

Furthermore the GDPR applies to enterprises engaged in “economic activity”, and I wonder what that would be here.

Hi Ofnuts,
first of all thank you for clarifications,

I would like to report to you on what is established for similar cases by the European Union regulation about the processing of personal data.

Should software, services and widgets that do not collect personal data still be included in the privacy policy? What about the cookie policy? Below you will find the answers to these questions and learn what the GDPR and ePrivacy Directive approach is to services that do not process personal data.
Some rather popular services (such as statistical analysis tools or heat mapping) claim that their software does not collect personal data. This means that when users browse a site or use an app that integrates them, the latter does not collect and process their personal data.
This generally occurs in two cases:
When these services actually do not collect any personal data, or
when personal data is anonymized before it is collected, so that the user cannot be identified.

It is therefore not necessary to mention these services in your privacy policy. Articles 13 and 14 of the GDPR (which stipulate what information data controllers must provide to data subjects) apply only when personal data are collected.

Therefore, services that do not collect personal data do not need to be mentioned, not least because-considering the principle of transparency (Articles 5 and 12 of the GDPR)-doing so could lead users to think that these services collect and process personal data.

The above also does not apply to the cookie policy. In this case, European legislation requires site and app providers to disclose cookies or similar tracking technologies, regardless of whether they collect or process personal data. This approach was recently confirmed by the Court of Justice of the European Union in the Planet judgment49.

Therefore, it is not only cookies that need to be mentioned in the cookie policy, but also similar technologies* that allow access to or storage of information on the user’s device, including - but not limited to - tracking pixels, installed fonts, etc., should be indicated

We can therefore avoid dwelling on whether or not the Privacy Policy is in place; however, the GDPR requires us to at least check the cookie policy of any provider, be it a software or widget or similar service.

Unfortunately, in fact, although your site explicitly states that neither trackers nor cookies are used, our system has detected two currently in operation ,check performed from cookieserve.com (altoughts is it possible that are not correct identification?)

Could you please confirm that what is stated in your statement is correct?

Thank you very much in advance,
Sincerely.

@Maraunzer Hi! Does your scanning software say which page is using “cookieserve.com”? I checked the web repository and did not find any reference to the site in the source code. I think it’s a false positive, but if you can link a specific page I can check.