A new version of Picturepark (8.11) was released on our Picturepark Cloud on Saturday, January 27, 2018.


Picturepark 8.11 adds compatibility and styling improvements, which will benefit all customers. It also introduces features that will help your organisation comply with the General Data Protection Regulation (GDPR) of the European Union (EU). More details are available in the Picturepark 8.11 release notes.


The EU General Data Protection Regulation (GDPR) has been officially published and will be enforced across the EU from 25 May 2018. Note that the GDPR is effective globally. As per our legal announcement on December 20, 2017, new Picturepark agreements have become effective.


Please note that although some of the configurations below would technically allow you to use HTML/CSS and JavaScript in the WorldPort, this should not be misused. Any misuse will not be supported by VIT. These measures should also not be turned off via CSS changes.


Cookie Notice:


  • We have set a cookie notice for all public pages before login.
  • The Office Connector is excluded from the cookie notice. As you have to download it from Picturepark, we assume you have already accepted the terms to do so. For technical reasons the notice was not added to the OfficeConnector.aspx site: the Office Connector launches a wrapped IE ActiveX control, which by default runs in IE7 mode, and this throws exceptions when executing the JavaScript due to ECMAScript incompatibility. It could be possible to force the control to use the latest installed IE, but this can only be achieved by changing the Windows Registry. This approach can cause other problems, however, when the user doesn't have the necessary rights to their registry, and it can also cause JavaScript exceptions if the installed IE on the user's machine is an older version.
  • The system does not log consent; this is informational only.
  • Language Resources:
    • Standard UI: accesses language resources from the Global Manager
      • Locale.Page BtnCookieConsentDismiss (OK)
      • Locale.Page LblCookieConsentLink (Cookie Policy)
      • Locale.Page HrefCookieConsentLink (https://picturepark.com/terms/cookies)
      • Locale.Page MsgCookieConsent (This website uses cookies to ensure you get the best experience on our website.)
    • WorldPort: uses GetText. This means the texts cannot be adjusted per customer, except on a server installation, where it is possible but not officially supported. They cannot be adjusted on our Cloud Platforms without a release.

            

Once you click on "OK" in the cookie notice, the following cookie is set by Picturepark for the browser you are currently in. You will of course have to accept the cookie for other browsers, on other machines, and again after you clear your cookies:



Points to note:


  • Relevant only to Administrators making changes to start pages and UI Elements: the GDPR cookie acceptance message will also appear on the Preview Pages of the UI Elements, the Edit Pages of the Ports and the Edit Pages of the templates if you have not yet accepted it. Although accepting it here will set the cookie, you will have to refresh the page afterwards to remove the cookie acceptance message at the top of your browser. This is known and will not be changed.
  • Start pages that are not UI Elements will not have this notice displayed. Services has a task to update these pages from files on our server to UI Elements of type Start by May 2018. The affected customers have already been contacted.
  • Picturepark Desk will also display the cookie notice.


GDPR PPMC:


Two additional free-text fields and one URL field have been created in the PPMC in the menu User Interface/Templates. Because the terms disclaimer and "Terms of Use on Login" fields are free-text fields for HTML markup, we do not restrict their length; however, if you add too much text, the window on login, for example, becomes ridiculously long. We have not implemented a scrollbar for these cases.


GDPR Acceptance on Registration:


From 8.11, terms will need to be accepted on registration of a new user, as that is when we first store their personal data. This takes the form of a required checkbox with a language resource that has a default text and a placeholder that will display what is written in the PPMC in the "Terms of Use on Login" free-text field. The Terms and Conditions will be added to all User Field Panels "Registration" at the last position in a new panel "Terms and Conditions" (also a language resource). New users must accept the "Terms of Use on Login" on registration, and this data will be stored in dbo.UserActionHistory. The panel will be added via an update script in 8.11 with the default Picturepark terms.


Every time a new user registers, an additional UserActionHistory entry with ID 50 "Terms Accepted" is made in dbo.UserActionHistory with the description "Terms accepted on registration."

Every time an existing user (or one created by the admin) accepts the terms after login or after a reset of the terms, an additional UserActionHistory entry with ID 50 "Terms Accepted" is made with the description "Terms accepted."


Notes: No information regarding terms acceptance will be added to mailings sent out after registration. If a user is registered, the terms are seen as accepted, so this is unnecessary.


GDPR Compliance Login Pages


Use Case: We need to log users' acceptance of the Terms and Conditions on login if they did not already accept these on registration.


As we cannot query the database before the user has logged in to find out whether they have already accepted the terms, and we do not want to force them to re-accept at that point, we have implemented the following:

  • Created a check on the /Website /WorldPort/Ports(added to ViewPort)/Overview pages etc. 
  • There is a checkbox in front of what is written in the PPMC in the "Terms of Use on Login" field, then a language resource for the TermsAcceptanceMessage button "Continue" (Locale.Page.BtnTermsAcceptance), which is enabled once the checkbox is activated. Customers cannot access Picturepark until the terms are noted as accepted in the UI. Until the user does so, the login shows only this message on a blurred background. This will also display in Picturepark Desk. Clicking on links in the terms message will open new Picturepark Desk windows if they use target_blank.
  • Once the user's acceptance of the terms is recorded in the database and the terms-changed field in dbo.Users is not activated, the user will not see the terms message again until the terms are changed.
  • Terms links are always displayed on the /Website (at the bottom right of the login window next to the Picturepark version). These are taken from the Terms on Login field in the PPMC.
  • Start pages that use Picturepark Core:
    • WorldPort Login
    • WorldPort Login ADFS
  • The Terms on Login field in the PPMC can theoretically be empty; however, the mechanism still takes hold with a {{termsOfUse}} placeholder, and if you put a space in the PPMC field it will still have the "I accept" button and the mechanism. This cannot be turned off.
  • If a company has a public user, the terms do not need to be accepted for this user as long as he does not specifically log into the instance. As any user can be used as a public user, it is important that the terms can be accepted, so if the user logs into Picturepark he will need to accept them.

Notes: 

  • You can still directly open assets in the Picturepark Backend via URL, e.g. ?AssetId=xxx; however, these will open behind the Acceptance on Login window and will be blurred.
  • You can still directly open assets via URL for the WorldPort. These will open over the modal window; however, it was discussed with PM that we accept this and will not change it for 8.11.



GDPR Compliance Public Pages


The terms disclaimer (if enabled in the PPMC) is present on all Public Mailing pages (Backend and WorldPort) but does not need to be accepted by the user.


This affects:

  • Sharing UI Elements
  • Template_ListSharing (Management Console/User Interface/Templates)
  • Template_PressCenterSharing (Management Console/User Interface/Templates)
  • Default mailing.aspx code: these skins are called "Mailing". They are used when no UI Element of type Share is present in a Picturepark and for the review manager (we have not adjusted these for the review manager).
    • Placement per default under other sharing information (Sent by, expiration date etc.) at last position
    • Only displayed as a link.
    • No acceptance necessary.


Review Manager Mailings: The review manager will not have a terms link displayed. This feature is not used by many customers. We are planning to discontinue it in a future release. Terms can always be added manually to the mailing skin for customers that use the review manager, should they request this.


Mailing skin only: Will show what is written in Terms Disclaimer in the PPMC under the expiration date of the sharing.


UI Element type Share: Will display along with other sharing variables such as expiration date. Placement can be adjusted if required via CSS.



GDPR Compliance User Management - Terms changed


Use Case: If terms are changed, we can reset the acceptance so that users need to re-accept the terms on login. If this is the case, please contact support@picturepark.com.


  • A "Reset terms acceptance" button has been added to the user management window, as we have for reset personal settings. Its position is in front of personal settings. Terms can only be reset for all users.
  • The button has been added to the language resources and translated for de, en, fr.
  • Rights are currently limited to the VIT SuperUser group only.
  • The reset enters a 0 in the dbo.Users field "HasTermsAccepted".
  • On re-acceptance of the terms, the mechanism once again adds an entry in dbo.UserActionHistory for terms accepted.
  • If the terms have changed, the user cannot access Picturepark (he sees the window and blurring) until he re-accepts them.
  • If you are logged in when terms acceptance is reset, the next refresh of the page will ask you to re-accept; clicking on an asset or searching, for example, will not cause this to happen.


Resources:

  • Locale.user.ManagerWindow.BtnResetTermsAcceptance - Button itself.
  • Locale.user.ManagerWindow.LblResetTermsAcceptance - Heading of the box that opens to ask you if you really want to reset terms.
  • Locale.user.ManagerWindow.LblResetTermsAcceptanceMessage - Text of the box that opens to ask you if you really want to reset terms.



GDPR Compliance User Management - User revokes acceptance


The unregister form link in the PPMC is linked to an "Unregister" button in the user profile of each user. If a user wants to revoke his acceptance of the terms, he can do so by clicking on a link in the user profile in Picturepark or a link in the menu in the WorldPort. This goes to our website https://picturepark.com/terms/gdpr-consent-withdrawal/?fields[pictureparkuid]={0}&fields[pictureparkuserid]={1}. From there an email is sent to support@picturepark.com once the form is filled out. Support will inform the customer that the user needs to be deleted manually. We will pass the Customer and UserId parameters when this button is clicked. Nothing happens automatically to the user who clicks on this link.


We have a default link to our unregister form. You can save an empty link in the PPMC, in which case the unregister button will still appear; however, if clicked, it will just reload the page. Customers can add a link to their own forms if they would like.


Resources:

  • Locale.user.ProfileEditWindow.BtnUnregister
  • Locale.user.ProfileEditWindow.TipUnregister
  • Locale.user.ProfileEditWindow.TTLUnregister
  • Locale.user.ProfileEditWindow.MsgUnregister


Anonymizing data once a user is deleted will not be automated. If a user requests deletion of their data via the Picturepark form, we will notify the admin of that Picturepark and, after deletion, run scripts in our database to anonymize the data.


Notes

  • We will not log this revocation in dbo.UserActionHistory.
  • The window opens in target_self (same window).
  • AssetConnector will not have this ability as there is no user menu.
  • There is no profile in Picturepark Desk, so there will not be an unregister link available there.
  • Office Connector will also not have an unregister link.
  • If a company has a public user, he will also get a terminate account link. There is no configuration to hide this per default. Clicking on this link only forwards to a form on our website.


GDPR Statistics:


Statistics have been added in the User Management in the User Journal and in the Global Statistics under Users.

Each acceptance on login and registration is added as a line in dbo.UserActionHistory with the UserActionId 50 "TermsAccepted", with the description "Terms Accepted" if you accept the terms in the UI after login and the description "Terms accepted on registration." if you accept the terms on registration. You can see the corresponding user ID "CreatedByUserId" as well as the UserHostAddress.