[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Question to all candidates: GDPR compliance review

>>>>> "Adrian" == Adrian Bunk <bunk@debian.org> writes:
    Adrian> Your "services" approach does not work for the non-trivial
    Adrian> cases where Debian might be a (joint) controller of personal
    Adrian> data.

    Adrian> The Debian Community Team promises confidentiality regarding
    Adrian> personal information they receive about other people,[1]
    Adrian> which conflicts with the legal obligation of informing the
    Adrian> person about whom personal information is being processed or
    Adrian> stored.

Based on legal advice I received while acting as DPL, the above is not
correct.
Most of the information the community team process is not information we
would need to disclose in response to a GDPR subject access request.

Debian has already dealt with at least one subject access request  that
dealt significantly with information held by DAM in its role as a
delegated team.
Some of that information was responsive; some of that information was
covered by exceptions.
The data protection team was looped into the process we and our lawyer
used in responding to the request.
The data protection team (and my successor as DPL) received copies of
the legal advice we received.


--Sam
Reply to: