Re: Question to all candidates: GDPR compliance review
On Fri, Apr 01, 2022 at 04:57:38PM -0600, Sam Hartman wrote:
> >>>>> "Adrian" == Adrian Bunk <firstname.lastname@example.org> writes:
> Adrian> Your "services" approach does not work for the non-trivial
> Adrian> cases where Debian might be a (joint) controller of personal
> Adrian> data.
> Adrian> The Debian Community Team promises confidentiality regarding
> Adrian> personal information they receive about other people,
> Adrian> which conflicts with the legal obligation of informing the
> Adrian> person about whom personal information is being processed or
> Adrian> stored.
> Based on legal advice I received while acting as DPL, the above is not
> Most of the information the community team process is not information we
> would need to disclose in response to a GDPR subject access request.

Debian and the community team are joint controllers?
Where is the data stored?
Who has access to the data?
For what purposes might the data be used?
What retention period is defined for the data?

> Debian has already dealt with at least one subject access request that
> dealt significantly with information held by DAM in its role as a
> delegated team.

Debian and DAM are joint controllers?
> Some of that information was responsive; some of that information was
> covered by exceptions.

This covers only a part where Debian might be compliant with the law.

> > If the personal information in the handwritten note did not come
> > directly from the person, who at Debian is responsible to ensure that
> > the person gets informed automatically about the existence of the note
> > when it is written?

Exceptions might cover not having to disclose the contents of the data
in some cases, but I would still expect that the person has to be
informed that information exists.
See  for background in what context I started thinking about these issues.

> The data protection team was looped into the process we and our lawyer
> used in responding to the request.
> The data protection team (and my successor as DPL) received copies of
> the legal advice we received.

Are you saying that all handling of personal data in Debian is following
the law, or are you just trying to make me stop asking inconvenient
I am feeling stonewalled and stalled regarding any attempts of receiving
a review of handling of personal data in Debian, with a schedule that
would be appropriate for potential illegal activity.

I would like to emphasize and repeat [3,4]:
IANAL and it is more likely than not that some things I am writing are
not correct. What I want is to see the results of a proper review by
an actual lawyer.

If I fail to achieve visible progress on this topic inside Debian,
the obvious option for getting a second opinion is to make a formal
request for all personal data about me in Debian, followed by asking
my questions to the Finnish Data Protection Ombudsman.
If everything I am writing is just wrong, then I will be told just that
by the ombudsman.