GDPR Compliance Statement

Introduction

The General Data Protection Regulation is a complex EU regulation that stipulates many points for protecting private data of users on the Internet. Even though this is an EU regulation, it has a worldwide impact due to the nature of the Internet. The MetaBrainz Foundation with its collection of projects is also affected by this regulation. We’ve been learning and adapting our sites to be compliant with the GDPR – sadly this regulation isn’t entirely black and white and there is an incredible amount of room left for interpretation of these rules.

The good news is that this regulation is roughly in line with our established practices: We’ve always held private information in a high regard and applied the sort of rules to ourselves as we wish to have our own private data treated. Luckily, this makes our compliance effort considerably easier. We’ve made two significant changes to how we treat your data and also adopted terminology as used in the GDPR in order to use the same languages that many other sites are now adopting. Please keep reading to find out the exact details of what we are doing to comply.

However, we do ask for your compassion and help in our process of complying with the GDPR. As we already mentioned, the GDPR is a complex set of rules that are not fully clarified yet. We’ve taken action on the steps that are clear to us and we’re following ongoing conversations on points that are in gray zones or unclear to us. We’ve made our best initial effort on compliance and promise to keep working on it as the picture becomes more clear. If you believe that we could improve our compliance, please contact us and let us know what we can do to improve. It would also help us if you could provide concrete discussion or examples to help us understand and take action on your suggestion.

Finally, below are the key sections of the GDPR as we understand them and how they affect your data in our ecosystem. Where possible, we provide links for deeper understanding, links for you to examine our relevant code and links to tickets to follow the process of improving our compliance.

Right to be forgotten

Summary: Provide the user with the ability to remove their private data from our services.

The most important aspect of the right to be forgotten is the ability to delete your account. Once you request for us to delete your account, we will remove any personally identifying information you may have provided us from your account (name, email address, gender, biography, URL, etc.). The visible name on your account will be changed to “Deleted User #####” and effectively the account will no longer be identifiable as your account.

However, given the nature of our projects where we work on collaborative databases, your contributions that are not personally identifying are valuable assets to our database and these contributions will not be removed from our databases. But we will ensure that these contributions no longer contain personally identifying data.

Our process of automatically deleting your accounts across the MetaBrainz ecosystem is not complete yet (see below for a set of tickets where you can track our progress). If you would like to delete your accounts in the MetaBrainz ecosystem or mark a donation that is currently public as a private donation, please contact us and we will address your request as soon as possible.

Links:

Restriction of processing

Summary: To allow the user to control how their personally identifying data is being used..

With the exception of the ListenBrainz and AcousticBrainz projects we do not process personally identifying data. Any personally identifying data that our projects store is for the purpose of being able to contact you about your contributions to our database (email address) or for voluntarily showing information about you to other users (biography, homepage, location, etc).

The ListenBrainz project differs in that the Listens (metadata about what music you have listened to) are stored on our servers and made available to the public. We believe Listens to be personally identifying data and furthermore we have goals of creating open source recommendation engines with this data, which is becomes processing the user’s data. These two points are fundamental goals of the ListenBrainz project and we do not see a reasonable way to reach another compromise position.

Because of this we are going to require users to either acknowledge that we may process their Listen data or alternatively to delete their account, including all of their Listens. Please note that if you decide to delete your ListenBrainz account, it may take up to two weeks for all of your listens to no longer be included in our efforts to build a recommendation engine. Also, we haven’t implemented the feature that automatically deletes Listen data from the public BigQuery data set. If you wish to have your Listens removed there after deleting your ListenBrainz accounts, please request this by contacting us.

We have always made it clear that the data in ListenBrainz was to be public and that we plan to build new tools with your data, so this should not come as a surprise to our users.

The AcousticBrainz project does not track who submits data to the database. If you create an account and use our data creation tools (e.g. create a dataset or participate in a challenge) then we link your participation and the things that you create to your account. If you choose to delete your account then we keep the non personally identifying data that you create, but anonymize it so that it cannot be linked back to you.

The final point to restriction of processing is that we used to gather aggregate statistics about our web traffic (mostly to identify which browsers our sites need to support) in Google Analytics. Google Analytics has always been a contentious service in the eyes of our community, so we decided to stop using the service and implement the minor feature of browsers analysis on our own servers at a later point in time.

Links:

Right to data portability / exporting your data

Summary: You have the right to access/download the data we store about you.

With the exception of the ListenBrainz and AcousticBrainz projects we do not store personally identifying data beyond the information that is available in your public profile on each of our projects. Since this data is plainly available in your profile we do not provide a means for you to export this data.

There are the following exceptions to this:

All of the non personally identifying data, such as your metadata contributions, are publicly visible, available for download and available via the project APIs. For details about this data, downloads and APIs please check the documentation for the respective projects you are interested in.

Anyone wishing to get a list of financial donations they have made to the MetaBrainz Foundation, please contact us and provide your MusicBrainz editor name so that we can look up your donations.

Right to rectification

Summary: You have the right to correct your data.

All of our projects allow their users to update their personally identifying information in their profiles. Furthermore, most of our projects allow the editing of their own metadata contributions. If you find that some of your data is incorrect, please feel free to edit the data since we provide the tools to do so.

If anyone who has made a financial donation to the MetaBrainz Foundation would like to make their donation private, please contact us.

Right to be informed

Summary: You have the right to be informed about how we use your data in plain English.

Our privacy policy, as well as other policies, have always been written by humans for human consumption. We abhor legalese and not speaking in direct terms.

Links:

Right to access

Summary: You have the right to access the data that we collect about you.

All of our projects make all of the data we collect on your behalf, privately identifying or not, available to you. The only exception to this are the IP addresses we store for 7 days – see above for details.