On 22 Jul 2022, at 13:10, Atro Tossavainen via mailop wrote: [✄ but thoroughly read]
> Becoming a data controller entails needing a legitimate basis for > processing the personal data of the customer's customers, with whom > the ESP does not have any kind of a direct business relationship so > it's really very hard to justify. You can probably pull the notes on > "so, you want to be a data controller" from the past conference > proceedings from the members area. I love this angle! If we agree that IP addresses, email addresses and real names are all PII as per GDPR, your example is comparable to Cloudflare. The end-user browsing a website is sending PII (its IP address, along with cookies and whatnot) to CF, which it then forwards to the proxied website. The visitor that does not know how to block cookies on their browser, also cannot know it is sending its PII to CF. Does this turn CF into a data controller? If CF decides that the end user is indeed a bot because of data gathered among various CF clients, does it become a data controller? Going back to the example of an ESP, does the hash of the email address equate the email address as per GDPR? Happy weekend! -lem _______________________________________________ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
