Re: Question to all candidates: GDPR compliance review



On Fri, Apr 01, 2022 at 04:57:38PM -0600, Sam Hartman wrote:
> >>>>> "Adrian" == Adrian Bunk <bunk@debian.org> writes:
>     Adrian> Your "services" approach does not work for the non-trivial
>     Adrian> cases where Debian might be a (joint) controller of personal
>     Adrian> data.
> 
>     Adrian> The Debian Community Team promises confidentiality regarding
>     Adrian> personal information they receive about other people,[1]
>     Adrian> which conflicts with the legal obligation of informing the
>     Adrian> person about whom personal information is being processed or
>     Adrian> stored.
> 
> Based on legal advice I received while acting as DPL, the above is not
> correct.
> Most of the information the community team process is not information we
> would need to disclose in response to a GDPR subject access request.

Where does Debian's Privacy Policy[1] describe this personal data where
Debian and the community team are joint controllers?

Where is the data stored?
Who has access to the data?
For what purposes might the data be used?
What retention period is defined for the data?

> Debian has already dealt with at least one subject access request  that
> dealt significantly with information held by DAM in its role as a
> delegated team.

Where does Debian's Privacy Policy[1] describe this personal data where
Debian and DAM are joint controllers?

> Some of that information was responsive; some of that information was
> covered by exceptions.

This covers only a part where Debian might be compliant with the law.

>...
> > If the personal information in the handwritten note did not come
> > directly from the person, who at Debian is responsible to ensure that
> > the person gets informed automatically about the existence of the note
> > when it is written?
>...

Exceptions might cover not having to disclose the contents of the data 
in some cases, but I would still expect that the person has to be 
informed that information exists.

See [2] for background in what context I started thinking about these issues.

>...
> The data protection team was looped into the process we and our lawyer
> used in responding to the request.
> The data protection team (and my successor as DPL) received copies of
> the legal advice we received.

Are you saying that all handling of personal data in Debian is following 
the law, or are you just trying to make me stop asking inconvenient 
questions?

I am feeling stonewalled and stalled regarding any attempts of receiving 
a review of handling of personal data in Debian, with a schedule that 
would be appropriate for potential illegal activity.

I would like to emphasize and repeat [3,4]:
IANAL and it is more likely than not that some things I am writing are 
not correct. What I want is to see the results of a proper review by
an actual lawyer.

If I fail to achieve visible progress on this topic inside Debian,
the obvious option for getting a second opinion is to make a formal
request for all personal data about me in Debian, followed by asking
my questions to the Finnish Data Protection Ombudsman.

If everything I am writing is just wrong, then I will be told just that 
by the ombudsman.

> --Sam

cu
Adrian

[1] https://www.debian.org/legal/privacy
[2] https://lists.debian.org/debian-project/2022/03/msg00010.html
[3] https://lists.debian.org/debian-project/2022/03/msg00008.html
[4] https://lists.debian.org/debian-vote/2022/03/msg00270.html