Re: Question to all candidates: GDPR compliance review
On Fri, Apr 01, 2022 at 09:25:46PM +0200, Jonathan Carter wrote:
> On 2022/04/01 20:28, Adrian Bunk wrote:
> > Would you commit to something more specific, like that our Data
> > Protection team will reply to debian-project within 3 months discussing
> > all issues mentioned in the discussion at [1] so far, and with their
> > reply having been proof-read by our GDPR lawyer?
> <snip>
> > [1]https://lists.debian.org/debian-project/2022/03/msg00008.html
>
> That mail asks a bunch of very, very broad questions. My opinion is that
> it's better to direct specific problems at the data protection team as
> noodles suggested.
Then let's start with some very specific questions based on the email
I just sent to Sam:
Where does our Privacy Policy[1] describe personal data where Debian and
the community team are joint controllers?
On what legal basis is the data processed?
Where is the data physically stored?
Who has access to the data?
For what purposes might the data be used?
What retention period is defined for the data?
How are people being informed when data about them is being stored?
Where does our Privacy Policy describe personal data where Debian and
DAM are joint controllers?
On what legal basis is the data processed?
Where is the data physically stored?
Who has access to the data?
For what purposes might the data be used?
What retention period is defined for the data?
How are people being informed when data about them is being stored?
These are specific questions about items that are supposed to be
written in our Privacy Policy.
> -Jonathan
cu
Adrian
[1] https://www.debian.org/legal/privacy
Reply to: