From b923e4d3f7fd29e64ccb905b140ef76e4265afeb Mon Sep 17 00:00:00 2001
From: Bjoern Schiessle <bjoern@schiessle.org>
Date: Thu, 28 Nov 2019 15:23:14 +0100
Subject: [PATCH] add GDPR section

start with documentation about cookies

Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
---
 admin_manual/contents.rst     |  1 +
 admin_manual/gdpr/cookies.rst | 32 ++++++++++++++++++++++++++++++++
 admin_manual/gdpr/index.rst   |  9 +++++++++
 3 files changed, 42 insertions(+)
 create mode 100644 admin_manual/gdpr/cookies.rst
 create mode 100644 admin_manual/gdpr/index.rst

diff --git a/admin_manual/contents.rst b/admin_manual/contents.rst
index ec815afe5..5955b3b58 100644
--- a/admin_manual/contents.rst
+++ b/admin_manual/contents.rst
@@ -18,3 +18,4 @@ Table of contents
     configuration_mimetypes/index
     maintenance/index
     issues/index
+    gdpr/index
diff --git a/admin_manual/gdpr/cookies.rst b/admin_manual/gdpr/cookies.rst
new file mode 100644
index 000000000..ac37f1288
--- /dev/null
+++ b/admin_manual/gdpr/cookies.rst
@@ -0,0 +1,32 @@
+=======
+Cookies
+=======
+
+.. sectionauthor:: Björn Schießle <bjoern@nextcloud.com>
+.. _cookies:
+
+Nextcloud only stores cookies needed for Nextcloud to work properly. All cookies comes from your Nextcloud server directly, no 3rd-party cookies will be send to your system. Regarding GDPR, `only data which contain personal data are relevant`_.
+
+.. _`only data which contain personal data are relevant`: https://gdpr-info.eu/recitals/no-26/
+
+
+Cookies stored by Nextcloud
+===========================
+
+====================  ====================================  ================
+ Cookie               Data Stored                             Lifetime
+====================  ====================================  ================
+ Session cookie        - session ID                          24 minutes
+                       - secret token (used to decrypt 
+                         the session on the server)
+ Same-site cookies     no user-related data are stored,      forever
+                       all same-site cookies are the same
+                       for all users on all Nextcloud 
+                       instances
+ Remember-me cookie    - user id                             15 days (can be
+                       - original session id                 configured)
+                       - remember token                       
+====================  ====================================  ================
+
+The same-site cookies are used to determine how a request reaches the Nextcloud server. We use to prevest CSRF attacks. No identifable information is stored in those.
+The rest of the cookies are strickly used to identify the user to the system.
diff --git a/admin_manual/gdpr/index.rst b/admin_manual/gdpr/index.rst
new file mode 100644
index 000000000..cb47f49e1
--- /dev/null
+++ b/admin_manual/gdpr/index.rst
@@ -0,0 +1,9 @@
+====
+GDPR
+==== 
+
+.. toctree::
+    :maxdepth: 2
+
+    cookies
+