Re: Question to all candidates: GDPR compliance review

On Sat, Apr 02, 2022 at 12:21:24PM +0200, Christian Kastner wrote:
> On 2022-04-02 10:55, Adrian Bunk wrote:
> > Where does our Privacy Policy[1] describe personal data where Debian and 
> > the community team are joint controllers?
> > Where does our Privacy Policy describe personal data where Debian and
> > DAM are joint controllers?
> Has it been established yet that Debian fits the definition of a
> controller as per Article 4 lit. 7 GDPR?
> I can see DAM, or CT, or the DPL possibly being controllers.

What is the identity of DAM or CT?
Likely each individual team member is a controller.

If a person has suffered material or non-material damage as a result of 
a GDPR infringement, each controller or processor can be held liable for 
compensation of the entire damage (Article 82(4)).

> But
> without some form of officially recognized organization, I don't see how
> Debian could be one. "Debian" doesn't even have an address, you couldn't
> even determine which data protection authority has jurisdiction.

What is "The Debian Project" in the Privacy Policy[2]?

Providing the identity and the contact details of the controller is 
mandatory for processing of personal data (Articles 13(1)(a) and 14(1)(a));
failure to do so is subject to administrative fines of up to 20 Million Euro
(Article 83(5)(b)).

> This is just one of the things that, I think, would be a lot simpler if
> Debian would register as an organization, hence my question [1] to the
> candidates.

This is likely required and desirable, as was also discussed in the 
thread starting with [3].


[1] Here in Finland the threshold for gift tax is 5000 Euro.
[2] https://www.debian.org/legal/privacy
[3] https://lists.debian.org/debian-project/2022/03/msg00008.html
