member access to other member's addresses is a breach of GDPR

If you don't speak German, you can ask for support or post your request here.
plawrie
Posts: 24
Joined: 2 Dec 2021, 15:50

member access to other member's addresses is a breach of GDPR

Post by plawrie »

I note that when a member logs into Admidio they have the right to view announcements, documents, messages, events and photos, which is fine.
However, "groups and roles", when viewed by a logged-in member, allows them to view the names and addresses of all members on the database. That is a breach of the GDPR rules for the protection of personal data.
It is legitimate for a small group of administrators to have access to the member list for the strict purpose of administering the organisation - such as sending out renewal reminders by email, phoning or posting Newsletters and other correspondence.
I note that members do not have access to the email addresses and phone numbers of other members, which is fine, but postal addresses should not be published to any logged-in member either.
I think it would be best not to display any details of other members at all, except to administrators.

As far as I am aware, the GDPR rules in the UK are based on EU rules, so I would expect them to be the same in Germany.
fasse
Administrator
Posts: 6053
Joined: 12 Nov 2005, 16:06

Re: member access to other member's addresses is a breach of GDPR

Post by fasse »

Hi Plawrie,

You can define the access to the profiles within every role. Please have a look at the preferences. You can configure whether role members can view the profiles of other role members or not. You can also define an administrator right there to view all profiles. So please feel free to configure Admidio with the rights you like.

Fasse
plawrie
Posts: 24
Joined: 2 Dec 2021, 15:50

Re: member access to other member's addresses is a breach of GDPR

Post by plawrie »

Thanks for the reply.
I thought that might be the case, but couldn't see how to do it. I will look again.
As I mentioned in my post, I think your default of showing all member addresses to ordinary logged-in members might be a breach of GDPR. However, I'm not an expert and perhaps I am wrong.
fasse
Administrator
Posts: 6053
Joined: 12 Nov 2005, 16:06

Re: member access to other member's addresses is a breach of GDPR

Post by fasse »

Hi, you are right, we should change the default so that only Administrators and Board members can view the profiles of others. I will change that for version 4.1.