>>>>> "Adrian" == Adrian Bunk <b...@debian.org> writes: Adrian> Your "services" approach does not work for the non-trivial Adrian> cases where Debian might be a (joint) controller of personal Adrian> data.
Adrian> The Debian Community Team promises confidentiality regarding Adrian> personal information they receive about other people,[1] Adrian> which conflicts with the legal obligation of informing the Adrian> person about whom personal information is being processed or Adrian> stored. Based on legal advice I received while acting as DPL, the above is not correct. Most of the information the community team process is not information we would need to disclose in response to a GDPR subject access request. Debian has already dealt with at least one subject access request that dealt significantly with information held by DAM in its role as a delegated team. Some of that information was responsive; some of that information was covered by exceptions. The data protection team was looped into the process we and our lawyer used in responding to the request. The data protection team (and my successor as DPL) received copies of the legal advice we received. --Sam