Re: (Lack of) GDPR compliance in Debian
Hi Adrian
On Sat, Mar 12, 2022 at 01:27:03AM +0200, Adrian Bunk wrote:
> Out of curiosity I started looking at various aspects of GDPR
> compliance in Debian, and what I saw in the Privacy Policy[2] made me
> worry that the lawyer has not yet been involved enough in ensuring that
> privacy in Debian reaches at least the minimum level defined by law.
Nope, nothing happened there since I last looked at it two years ago.
> What kind of consent is required and requested for infinite storing of
> data in archives of public mailing lists?
Well, the included PII is the name and e-mail. I think that's written
somewhere already. So consent, Art 6 (1) lit. a) GDPR, or contract, Art
6 (1) lit. b) GDPR.
> What kind of consent is required and requested for infinite storing of
> data in archives of private mailing lists?
Same as above.
> Does this also apply to highly sensitive data revealing for example
> sexual orientation or political opinions?
We don't process those data AFAIK. Can you please share where you see
us doing that?
> What about people who have never submitted any data themselves to
> Debian, and have never in any other way consented that Debian stores
> personal data about them?
Where do you see this?
> How is the right to withdraw the consent to storing data implemented?
Via e-mail somewhere.
> How are people being informed when data about them gets stored in the
> archives of public mailing lists?
> How are people being informed when data about them gets stored in the
> archives of private mailing lists?
By virtue of them sending an e-mail to it. That's the same as the
question: am I allowed to store e-mails sent to me personally.
> What natural or legal entity is the identity of Debian?
I believe this is SPI for most parts. SPI holds many contracts for
Debian. There is also a ticket open, because I believe SPI needs an EU
representative as data controller, Art. 27 GDPR.
> In addition to the embarrassment that privacy handling in Debian is not
> even reaching the minimum bar defined by law, Debian risks both penalties
> of up to 20 Million Euro and compensation claims when not complying with
> the GDPR.
No, Debian does not, as Debian is not an entity.
What is also AFAIK missing:
Contracts with processors, like Fastly (for cdn.debian.org), all the
mirror providers (ftp.*.debian.org at least).
Bastian
--
"Life and death are seldom logical."
"But attaining a desired goal always is."
-- McCoy and Spock, "The Galileo Seven", stardate 2821.7