Out of curiosity I started looking at various aspects of GDPR
compliance in Debian, and what I saw in the Privacy Policy[2] made me
worry that the lawyer has not yet been involved enough in ensuring that privacy in Debian reaches at least the minimum level defined by law.
What kind of consent is required and requested for infinite storing of
data in archives of public mailing lists?
What kind of consent is required and requested for infinite storing of
data in archives of private mailing lists?
Does this also apply to highly sensitive data revealing for example
sexual orientation or political opinions?
What about people who have never submitted any data themselves to
Debian, and have never in any other way consented that Debian stores
personal data about them?
How is the right to withdraw the consent to storing data implemented?
How are people being informed when data about them gets stored in the archives of public mailing lists?
How are people being informed when data about them gets stored in the archives of private mailing lists?
What natural or legal entity is the identity of Debian?
In addition to the embarrassment that privacy handling in Debian is not
even reaching the minimum bar defined by law, Debian risks both penalties
of up to 20 Million Euro and compensation claims when not complying with
the GDPR.
Is it SPI that is liable for penalties of up to 20 Million Euro and compensation claims, or is it individual team members who are personally liable for penalties of up to 20 Million Euro and compensation claims?
If this is unclear, the easiest way for anyone who wants to take legal
action is to target a natural person.
Hi Adrian
On Sat, Mar 12, 2022 at 01:27:03AM +0200, Adrian Bunk wrote:
...
> Does this also apply to highly sensitive data revealing for example
> sexual orientation or political opinions?
We don't process those data AFAIK. Can you please share where you see
us doing that?
> What about people who have never submitted any data themselves to
> Debian, and have never in any other way consented that Debian stores personal data about them?
Where do you see this?
...
> How are people being informed when data about them gets stored in the archives of public mailing lists?
> How are people being informed when data about them gets stored in the archives of private mailing lists?
By the virtue of them sending an e-mail to it. That's the same as the question: am I allowed to store e-mails sent to me personally.
> What natural or legal entity is the identity of Debian?
I believe this is SPI for most parts. SPI holds many contracts for
Debian. There is also a ticket open, because I believe SPI needs an EU representative as data controller, Art. 27 GDPR.
> In addition to the embarrassment that privacy handling in Debian is not even reaching the minimum bar defined by law, Debian risks both penalties
> of up to 20 Million Euro and compensation claims when not complying with the GDPR.
No, Debian does not, as Debian is not an entity.
...
Bastian
It's not 100% clear to me, but from what I understand having had some informal conversations with experts in this field (we should ideally
get some more information from legal experts on this topic), it
would fall on individual members, unless a TO has an explicit contract
with someone.
It's one of a few important reasons why we need to look at incorporating Debian, I wanted to push for that during the last year, but during the release and the last 1.5 GRs didn't seem like an ideal time for it. I'll
also provide some more details and thoughts on this on -vote over the
next week, but I believe this is something important to pursue for the project regardless of who serves as DPL for the next term.
(If you do open source work outside of the auspices of an organization
that carries insurance and you have assets to protect, it's worth
considering a personal umbrella policy.)