Re: GDPR compliance best practices?

Thu, 07 Jun 2018 15:39:26 -0700 

On Fri, 8 Jun 2018, Peter Backes wrote:


On Thu, Jun 07, 2018 at 10:28:47PM +0100, Philip Oakley wrote:

Some of Peter's fine distinctions may be technically valid, but that does
not stop there being legal grounds. The proof of copyright is a legal
grounds.


Again: The GDPR certainly allows you to keep a proof of copyright
privately if you have it. However, it does not allow you to keep
publishing it if someone exercises his right to be forgotten.



someone is granting the world the right to use the code and you are claiming 
that the evidence that they have granted this right is illegal to have?



the GDPR recognizes that there are legal reasons why records need to be kept and 
does not insist that they be deleted.



you can't sign a deal to buy something, then insist that the GDPR allows your 
name to be removed from the contract.



And you are incorrect to say that the GDPR lets you keep records privately and 
only applies to publishing them. The GDPR is specifically targeted at companies 
like Facebook and Google that want to keep lots of data privately. It does no 
good to ask Facebook to not publish your info, they don't want to publish it in 
the first place, they want to keep it internally and use it.


David Lang



There is simply no justification for publishing against the explicit
will of the subject, except for the rare circumstances where there are
overriding legitimate grounds for doing so. I hardly see those for the
average author entry in your everyday git repo. Such a justification is
extremely fragile.


Unfortunately once one gets into legal nitpicking the wording becomes
tortuous and helps no-one.


That's not nitpicking. If what you say were true, the GDPR would be
without any practical validity at all.


If one starts from an absolute "right to be forgotten" perspective one can
demand all evidence of wrong doing , or authority to do something, be
forgotten. The GDPR has the right to retain such evidence.


Yes, but not to keep it published.


I'll try and comment where I see the distinctions to be.


You're essentially repeating what you already said there.


Publishing (the meta data) is *distinct* from having it.


Absolutely right. That is my point.


You either start off public and stay public, or you start off private and
stay there.


Nope. The GDPR says you have to go from public to private if the
subject wishes so and there are no overriding legitimate grounds.

That is the entire purpose of the GDPR's right to be forgotten.

Best wishes
Peter































					Reply via email to