> I've put a subject access request into mailchimp, so I'll see what
> comes back. I guess depends whether mailchimp think they are
> governed by GDPR or not.
They are of course governed by the GDPR... in the role of the data
*processor*. As such, upon receiving such a request they will have to
refer you to all the customers involved, whom you will need to identify
because clearly not every single one of the millions of customers such
a company might have possess any data on you. The customers are the data
*controllers* and are the ones who would have any data related to you
and other subscribers.
The topic of whether an ESP should want to become a data controller
in its own right is extensively discussed within M3AAWG. It comes up
practically in every meeting and in the discussions in between, and
many fab ideas that could be used to prevent bad sending always come
down to the fact that as soon as you start processing anything related
to your customers' data outside the context of doing your customer's
direct bidding, you go down the rabbit hole of becoming a data controller
and
YOU DON'T WANT TO GO THERE.
One Simon McGarr has lectured us extensively on the topic.
--
Atro Tossavainen, Chairman of the Board
Infinite Mho Oy, Helsinki, Finland
tel. +358-44-5000 600, http://www.infinitemho.fi/
_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
