Re: Question to all candidates: GDPR compliance review
>>>>> "Adrian" == Adrian Bunk <firstname.lastname@example.org> writes:
Adrian> Your "services" approach does not work for the non-trivial
Adrian> cases where Debian might be a (joint) controller of personal

Adrian> The Debian Community Team promises confidentiality regarding
Adrian> personal information they receive about other people,
Adrian> which conflicts with the legal obligation of informing the
Adrian> person about whom personal information is being processed or

Based on legal advice I received while acting as DPL, the above is not

Most of the information the community team process is not information we
would need to disclose in response to a GDPR subject access request.
Debian has already dealt with at least one subject access request that
dealt significantly with information held by DAM in its role as a

Some of that information was responsive; some of that information was
covered by exceptions.
The data protection team was looped into the process we and our lawyer
used in responding to the request.
The data protection team (and my successor as DPL) received copies of
the legal advice we received.