Re: Question to all candidates: GDPR compliance review
On Fri, Apr 01, 2022 at 09:18:53PM +0200, Tollef Fog Heen wrote:
> ]] Adrian Bunk
>
> > Who will fulfill the request within the legal limit of one month if
> > a person sends an email to data-protection@debian.org asking whether
> > Debian is a (joint) controller of any data about this person, and
> > if yes requests a copy of all data?
>
> To make this easier for services and users, we recommend that services
> use contributes.debian.org and that they then request the data from the
> individual services and then point people at that.
Your "services" approach does not work for the non-trivial cases where
Debian might be a (joint) controller of personal data.
The Debian Community Team promises confidentiality regarding personal
information they receive about other people,[1] which conflicts with the
legal obligation of informing the person about whom personal information
is being processed or stored.
Debian might be a joint controller if a member of the Debian Community
Team stores personal information about a person in a handwritten note
on paper (see [2] as an example of case law about handwritten notes)[3].
Will this handwritten note be available through contributors.debian.org?
If the personal information in the handwritten note did not come
directly from the person, who at Debian is responsible to ensure that
the person gets informed automatically about the existence of the note
when it is written?
Same questions, with "local file" instead of "handwritten note".
Same questions, with "stored on a Debian machine".
Discussing such questions with a lawyer early is usually cheaper and
less hassle than waiting until someone brings them up in a court case.
> Cheers,
cu
Adrian
[1] https://wiki.debian.org/Teams/Community
[2] https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:62017CJ0025&from=EN
[3] This court case was under the previous Directive from 1995, but the basic
definitions are unchanged in the GDPR legislation that replaced it.
Reply to: