On Fri, Apr 01, 2022 at 09:18:53PM +0200, Tollef Fog Heen wrote:
> ]] Adrian Bunk
>
> > Who will fulfill the request within the legal limit of one month if
> > a person sends an email to data-protect...@debian.org asking whether
> > Debian is a (joint) controller of any data about this person, and
> > if yes requests a copy of all data?
>
> To make this easier for services and users, we recommend that services
> use contributes.debian.org and that they then request the data from the
> individual services and then point people at that.

Your "services" approach does not work for the non-trivial cases where
Debian might be a (joint) controller of personal data.

The Debian Community Team promises confidentiality regarding personal
information they receive about other people,[1] which conflicts with the
legal obligation of informing the person about whom personal information
is being processed or stored.

Debian might be a joint controller if a member of the Debian Community
Team stores personal information about a person in a handwritten note
on paper (see [2] as an example of case law about handwritten notes)[3].

Will this handwritten note be available through contributors.debian.org?

If the personal information in the handwritten note did not come
directly from the person, who at Debian is responsible to ensure that
the person gets informed automatically about the existence of the note
when it is written?

Same questions, with "local file" instead of "handwritten note".

Same questions, with "stored on a Debian machine".

Discussing such questions with a lawyer early is usually cheaper and
less hassle than waiting until someone brings them up in a court case.

> Cheers,

cu
Adrian

[1] https://wiki.debian.org/Teams/Community
[2] https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:62017CJ0025&from=EN
[3] This court case was under the previous Directive from 1995,
    but the basic definitions are unchanged in the GDPR legislation
    that replaced it.