It does indeed
Not the GDPR part.
Just looked at my logs - nothing there they don't already mention in the policies
Nothing to worry about
Again, it's about the pulling.
If it works the same way I received a beta firmware from a Zidoo developer, it's just a CS request to your Roon server's unique_id to phone the zipped logs home. Simple.
Let's hope it's all safe and fine but I'd like to hear it from the horse's mouth.
It would also be crucial to know if the pulling implies access through the user's firewall.
So three questions:
- is personal data as defined by the GDPR continually pullable by Roon, and without the customer knowing?
- is this in conflict with GDPR requirements?
- does the pulling mechanism imply a reduction of the user's network safety, for instance by bypassing a firewall?
If the answer to either one of these is «yes» I would like to also ask: why do you think this particular solution is worth it?
That, it definitely does not do.
Don't forget that Roon core has a 2-way communication with Roon … home (you are logged in in order for it to work).
An explicit requirement of running Roon 2.0 is a permanent Internet connection. The corollary of this is that your core is connected to Roon infrastructure 24x7.
Moreover, your request was about personal identifiable information. I don't see that the logs include anything in this category that isn't already necessarily known by Roon.
As I already said, please state what PII you believe they are extracting - over and above what's listed in the privacy policy - from the logs. I imagine these include IP address, but they already know this in the same way a web browser does.
You don't have to imagine - just look at them
I could but again, that isn't my point. They have some sort of access to every user's data which they control 100% and I would like to know if this access is safe and according to regulations. The tone from customer service in that other thread implies that they were surprised to learn that people didn't take pleasure in them looking through people's love letters even though they had a key to the study.
Guys, don't get hung up on the word "pulling". Your Roon server is constantly in contact with Roon's servers. It doesn't work without internet, remember? All that's needed is a flag in your account that your Roon server sees and checks, and that says "upload logs".
Wouldn't it be nice if someone who knew could enlighten us?
@mjw I deal with privacy issues as part of my technology officer roles, and am very familiar with GDPR. While what you say is true (GDPR does prohibit the collection of PII, only how it is used) but that is just part of the story: GDPR also includes a "right to forget" clause, meaning that - if asked by a citizen of a European member nation - if Roon is asked to remove that user's data it must be able to comply. It does not matter if Roon is operated in the US, if it's end-user available in the EU it needs to be able to comply with the right to forget.
Secondly, in the US we have the CCPA (California Consumer Privacy Act) which is modeled after the GDPR, including what was discussed above. The CCPA only applies to California residents, but Roon must be ready to comply with "right to forget" requests coming from California residents.
I just wanted to make those points clear - there's a lot of confusion and subtlety around this in the minds of consumers.
So, to recap, both the GDPR and the CCPA:
- allow for the collection of Personally Identifiable Information (PII)
- Restrict the usage of PII to everything within the Terms of Service (ToS)
- The user has to agree to the ToS and can be legally denied access to the service if they do not agree
- The service has to be able to remove a user's PII upon request if the user resides in the EU (for the GDPR) or California (CCPA)
But doesn't such a role include the reading of policies before having an opinion and writing about them?
This is explicitly laid out in the privacy policy.
EU DATA SUBJECT'S RIGHTS UNDER GDPR.
Data Subjects (as such term is defined in the GDPR) are hereby notified that they have the following additional rights pursuant to the GDPR:
(…)
- Pursuant to GDPR Article 17 (Right to Erasure; "Right to be Forgotten"), to request the deletion of the Data Subject's Personal Data stored by Us, except for the allowed continued uses permitted by the GDPR, including without limitation as far as the Processing is needed to exercise the right to freedom of expression and information, for the fulfillment of a legal obligations, for reasons of the public interest, or for the assertion, exercise, or defense of legal claims, if required;
LEGAL BASIS FOR COMPANY'S PROCESSING OF PERSONAL DATA UNDER GDPR.
(…)
In any case, the Company will gladly help to clarify the specific legal basis that applies to the Processing of Your Personal Data, and, in particular, whether the provision of Personal Data (as defined under the GDPR) is a statutory or contractual requirement, or a requirement necessary to enter into a contract.
- Contact us
If a User believes that the Company is not complying with the policies outlined in this Software Privacy Policy, or if the User has any questions relating to this Software Privacy Policy, then the User should write to the Company at this email address: contact@roonlabs.com.
Did you read the entire thread?
I think all the questions you have and details about how and what are answered in the various posts of the entire thread, not just that one post that was linked. I may be wrong, but, if you didn't read the entire thread, I'd give it a go through.
Your core does not contain personal data that we don't already have in the cloud (name, phone, payment info, etc).
Good. Any thoughts on this?
Roon is inside your network. The protocols it uses to constantly communicate with the Roon servers already allow for sending things, like when you search for something the search terms will be sent out and the results will be sent in. For Roon to work at all, you have to allow this and already did. The same protocols can also transmit the info to request logs. Why the heck would anyone have any need to drill through firewalls. This simply makes no sense at all.
I understand this and am familiar with data protection. Incidentally, this aspect is covered in section 9 of the Roon privacy policy, which explains the company's obligations under GDPR.
As I have tried to explain to the OP, the core doesn't contain any PII.
So, to answer the specific questions.
- Is personal data as defined by the GDPR continually pullable by Roon, and without the customer knowing?
- Is this in conflict with GDPR requirements?
  No, the privacy policy describes how PII is handled in accordance with the GDPR.
- Does the pulling mechanism imply a reduction of the user's network safety, for instance by bypassing a firewall?
  No, this was answered earlier in the thread by @kc1 and @Suedkiez.