We need to understand if the XEP should define the necessary mechanisms
for XMPP clients and servers (also bridges) to exchange all relevant
information regarding data processing policies — including legal basis,
categories of personal data, metadata handling, and processing purposes
— and also to allow the client application to actively obtain the
explicit consent of the user (data subject) where required by applicable
regulations (e.g. the GDPR), for in-band registration but not limited to
it (e.g. web apps like Movim or Conversejs and other client scenarios
where data processing may occur outside traditional registration contexts).
Mario
On 02/07/25 14:49, Goffi wrote:
I was envisioning this specification as purely informational, I'm not sure if
it's the right place to ask for consent, and I'm not sure how it should be
requested (also regarding UX).
For servers or gateways if in-band registration is used, this can be a field
used at this moment, and the client can show a nicely formatted data policy.
For gateways which work without registration, maybe use should be rejected as
long as consent is not given.
I see how this can quickly become cumbersome and really bad UX, but if it's a
legal requirement, we have to handle it somehow.
You've raised an important point, independently of this data policy
specification: how do we handle consent requests with any XMPP service?