
Re: (Lack of) GDPR compliance in Debian



On Sat, Mar 12, 2022 at 02:46:02PM +0100, Bastian Blank wrote:
> Hi Adrian

Hi Bastian,

> On Sat, Mar 12, 2022 at 01:27:03AM +0200, Adrian Bunk wrote:
>...
> > Does this also apply to highly sensitive data revealing for example 
> > sexual orientation or political opinions?
> 
> We don't process those data AFAIK.  Can you please share where you see
> us doing that?
> 
> > What about people who have never submitted any data themselves to 
> > Debian, and have never in any other way consented that Debian stores 
> > personal data about them?
> 
> Where do you see this?
>...
> > How are people being informed when data about them gets stored in the 
> > archives of public mailing lists?
> > How are people being informed when data about them gets stored in the 
> > archives of private mailing lists?
> 
> By the virtue of them sending an e-mail to it.  That's the same as the
> question: am I allowed to store e-mails sent to me personally.

I started thinking about this topic a year ago during the RMS GR,
thinking about the legal implications if he was living in the EU.

The way Debian is handling storing personal data including political
opinions of RMS that were sent by other people would not be compliant
with the GDPR.

> > What natural or legal entity is the identity of Debian?
> 
> I believe this is SPI for most parts.  SPI holds many contracts for
> Debian.  There is also a ticket open, because I believe SPI needs a EU
> representative as data controller, Art. 27 GDPR.
> 
> > In addition to the embarrassment that privacy handling in Debian is not
> > even reaching the minimum bar defined by law, Debian risks both penalties
> > of up to 20 Million Euro and compensation claims when not complying with
> > the GDPR.
> 
> No, Debian does not, as Debian is not an entity.

Is it SPI that is liable for penalties of up to 20 Million Euro and
compensation claims, or is it individual team members who are personally
liable for penalties of up to 20 Million Euro and compensation claims?

If this is unclear, the easiest way for anyone who wants to take legal 
action is to target a natural person.

>...
> Bastian

cu
Adrian
