Re: (Lack of) GDPR compliance in Debian

To: debian-project@lists.debian.org
Subject: Re: (Lack of) GDPR compliance in Debian
From: Bastian Blank <waldi@debian.org>
Date: Sat, 12 Mar 2022 14:46:02 +0100
Message-id: <[🔎] YiykGg6+tpWNme5W@shell.thinkmo.de>
Mail-followup-to: debian-project@lists.debian.org
In-reply-to: <[🔎] 20220311232703.GC4190@localhost>
References: <[🔎] 20220311232703.GC4190@localhost>

Hi Adrian

On Sat, Mar 12, 2022 at 01:27:03AM +0200, Adrian Bunk wrote:
> Out of curiousity I started looking at various aspects of GDPR 
> compliance in Debian, and what I saw in the Privacy Policy[2] made me 
> worry that the lawyer has not yet been involved enough in ensuring that 
> privacy in Debian reaches at least the minimum level defined by law.

Nope, nothing happened there since I last looked at it two years ago.

> What kind of consent is required and requested for infinite storing of 
> data in archives of public mailing lists?

Well, included PII is the name and e-mail.  I think that's written
somewere already.  So consent, Art 6 (1) lit. a) GDPR, or contract, Art
6 (1) lit. b) GDPR.

> What kind of consent is required and requested for infinite storing of 
> data in archives of private mailing lists?

Same as above.

> Does this also apply to highly sensitive data revealing for example 
> sexual orientation or political opinions?

We don't process those data AFAIK.  Can you please share where you see
us doing that?

> What about people who have never submitted any data themselves to 
> Debian, and have never in any other way consented that Debian stores 
> personal data about them?

Where do you see this?

> How is the right to withdraw the consent to storing data implemented?

Via e-mail somewhere.

> How are people being informed when data about them gets stored in the 
> archives of public mailing lists?
> How are people being informed when data about them gets stored in the 
> archives of private mailing lists?

By the virtue of them sending an e-mail to it.  That's the same as the
question: am I allowed to store e-mails sent to me personaly.

> What natural or legal entity is the identity of Debian?

I believe this is SPI for most parts.  SPI holds many contracts for
Debian.  There is also a ticket open, because I believe SPI needs a EU
representative as data controller, Art. 27 GDPR.

> In addition to the embarrassment that privacy handling in Debian is not 
> even reaching the minimum bar defined by law, Debian risks both penalies 
> of up to 20 Million Euro and compensation claims when not complying with 
> the GDPR.

No, Debian does not, as Debian is not an entity.

What is also AFAIK missing:

Contracts with processors, like Fastly (for cdn.debian.org), all the
mirror providers (ftp.*.debian.org at least).

Bastian

-- 
	"Life and death are seldom logical."
	"But attaining a desired goal always is."
		-- McCoy and Spock, "The Galileo Seven", stardate 2821.7

Reply to:

Follow-Ups:
- Re: (Lack of) GDPR compliance in Debian
  - From: Adrian Bunk <bunk@debian.org>

References:
- (Lack of) GDPR compliance in Debian
  - From: Adrian Bunk <bunk@debian.org>

Prev by Date: (Lack of) GDPR compliance in Debian
Next by Date: Re: (Lack of) GDPR compliance in Debian
Previous by thread: (Lack of) GDPR compliance in Debian
Next by thread: Re: (Lack of) GDPR compliance in Debian
Index(es):
- Date
- Thread