by plibither8 2641 days ago
> All the pics and their vectors stay on this small server.

This should be mentioned on the website.

> if you want to be deleted please drop me a letter wastemaster@gmail.com

There should be an easier mechanism to request a deletion of our photo. Better still, request permission from the user to store the photo in your servers before actually storing them.

I think this is the bare minimum of transparency that should be required before letting people upload personal data, especially in this day and age.

3 comments

Not to mention that the website is accessible from the EU, and you're required -by law- to obtain consent to store this personal data, and to tell people what exactly you're going to do with it, and with whom you're sharing it (if anyone).

I know everyone's used to the wild west but I'm glad that's changing, because of comments like yours - this transparency should NOT be something done out of the website owner's good heart (because as we've seen, most will just give us the finger), but enforced by law.

Edit: For the record, wastemaster's actually quite nice, and this is not directed at them, just websites in general.

How exactly would anyone in the EU prosecute someone outside of it for running their own website, if that individual does so outside of the EU and does not have any organization or company they are affiliated with? Just because something is accessible from the EU does not make it under their jurisdiction to police.

The EU claims jurisdiction based on the fact that part of the interaction occurred in the EU, so they can fine you (it should be noted that the GDPR applies to data related to people in the EU, not related to EU citizens living elsewhere). Whether they can collect on those fines is a different matter.

How do they intend to fine non-EU residents hosting a website outside of the EU? I could see if it was a company, but if someone is running a server with a not-for-profit site on it with no way to identify the site owner and an EU resident visits it, good luck trying to fine anyone. The EU does not own or even control the internet outside of their borders.

After doing some research, it appears that only businesses and organizations are responsible for compliance with GDPR.

> and you're required -by law-

Does the GDPR apply to non-commercial, non-business, non-organizations?

Yes. If the organisation/company/service is processing the data of the users, GDPR applies.

https://gdprexplained.eu/who-has-to-comply/

Why do you care what happens with a photo of your face? Many thousands of them exist; you probably have a profile photo on gravatar, or linkedin, or twitter somewhere anyway, to say nothing of the many thousands upon thousands of pictures of your face captured in frames on surveillance camera footage.

You provide this information (a picture of your face) to every convenience store, casino, bank, airport, and office building you walk into, many hundreds of times per day, for permanent storage. What is the threat model here from someone with a webserver having a single picture of your face with no other associated identifying information about it?

Agree, thank you. Somehow I missed that; yep, going to add it with the next update.

The fact that you don't want to immediately delete the data after processing is a cause for concern.

I can't think of any reason not to immediately delete the data, other than that you intend to use it for something else in the future.

That said, I appreciate your honesty. If you had actually nefarious intentions, you would presumably just claim that you deleted the data when you don't.

I would honestly suggest just deleting the photo after use; there is such a big minefield with something like this and the EU.

Can't you just remove all the stored data?

Already doing this! Cleaning up all the uploaded info in 3 minutes.