On Thu, Nov 05, 2020 at 11:48:20AM -0500, Ryan Sleevi via dev-security-policy wrote:
> competency is with individuals, not organizations.
[snip]
> I find the appeal to redundancy and the NAB, and further, the suggestion of
> GDPR, to be a bit insulting to this community. This opposition to
> transparency fundamentally undermines the trust in ETSI provided audits, or
> this appeal to the eIDAS scheme, which has limited relevance given it's a
> fundamentally different audit scheme, beggars belief. If you'd like to
> raise Fear/Uncertainty/Doubt about GDPR, I believe you owe this community a
> precise and detailed explanation about what you believe, relevant to the
> auditor professional experience, would be problematic.

Not the original poster, but

1) I understand that the very general language of OP, which you dismiss as FUD, is because this is a "consult your own lawyer" area;

2) contrary to what you have written, the onus is on Mozilla to demonstrate compliance with GDPR, and not the other way around.

If Mozilla (or you personally, in your capacity as peer, doesn't matter) intends to keep track of the competency of people (like "physical people" and not corporations), those people (at least those who perform audits in Europe) have certain rights from Mozilla under GDPR. You can't have it both ways -- either you keep trust in organisations and ignore GDPR, or you keep trust in people, and then you have all those GDPR requirements. Those are not hard to fulfill, but they would have to be thought through before the policy takes effect. I have found nothing in either the proposed change or your response showing that this problem has been thought through.

For example, art. 13 of GDPR specifies that the data subject (the auditor) is to be provided with information that the data about her/him is processed. In the spirit of transparency, could you post an example notice which would be sent to the auditor in question? What would be the legal basis (art. 6)? If (e) or (f), the auditor has a right to object; what would happen after the objection? Have Mozilla appointed a representative in the EU (art. 27)? (I just checked and I have found only an "Attn: Legal" address in the USA.) If not, why? If yes, what are his/her name and contact details?

-- 
pozdrawiam / best regards
Wojtek Porczyk

I do not fear computers, I fear lack of them.
  -- Isaac Asimov
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy