
(Lack of) GDPR compliance in Debian



This email is about the EU GDPR (General Data Protection Regulation), 
and any use of "data" below refers to personal data of people covered
by the GDPR.

Two years ago the outgoing DPL announced that our Data Protection Team 
has a relationship with a GDPR lawyer.[1]

Out of curiosity I started looking at various aspects of GDPR 
compliance in Debian, and what I saw in the Privacy Policy[2] made me 
worry that the lawyer has not yet been involved enough in ensuring that 
privacy in Debian reaches at least the minimum level defined by law.

What kind of consent is required and requested for infinite storing of 
data in archives of public mailing lists?

What kind of consent is required and requested for infinite storing of 
data in archives of private mailing lists?

Does this also apply to highly sensitive data revealing for example 
sexual orientation or political opinions?

What about people who have never submitted any data themselves to 
Debian, and have never in any other way consented that Debian stores 
personal data about them?

How is the right to withdraw the consent to storing data implemented?

How are people being informed when data about them gets stored in the 
archives of public mailing lists?

How are people being informed when data about them gets stored in the 
archives of private mailing lists?

Who has access to data, and for what purposes might data be used?

Where is data being stored?

If data is being stored outside the EU, how is legal compliance ensured?

The rights are not stated, like the right to lodge complaints with a 
supervisory authority.

What natural or legal entity is the identity of Debian?

Debian is a joint controller of data handled by external subcontractors
like Outreachy on behalf of Debian.

Debian is a joint controller of data processed or stored by teams or 
individual team members. Teams or team members of teams like for example 
the Debian Community Team, the Debian Account Managers or the Debian 
System Administration team are storing data on behalf of Debian that is 
currently not listed in the Privacy Policy.

Is such data currently being included when people request a copy of all
data about them from Debian?

What is the data retention period for such data?

Does Debconf have a privacy policy?
I didn't find one when searching on the webpage.

It is not even clear whether Debconf is legally a part of Debian or a 
separate entity.

In addition to the embarrassment that privacy handling in Debian is not 
even reaching the minimum bar defined by law, Debian risks both penalties 
of up to 20 Million Euro and compensation claims when not complying with 
the GDPR.

Properly defined policies and processes also make it easier to provide 
the data when people request from Debian a copy of all data about them.

IANAL and it is more likely than not that not everything I wrote above 
is not correct. This is something the Debian Data Protection Team should 
review together with their GDPR lawyer, who will surely point out where 
I might be wrong.

cu
Adrian

[1] https://lists.debian.org/debian-project/2020/06/msg00051.html
[2] https://www.debian.org/legal/privacy