Re: Question to all candidates: GDPR compliance review
> "Adrian" == Adrian Bunk writes:
    Adrian> If I send an email requesting all data Debian has about me to
    Adrian> data-protect...@debian.org, will I receive a complete reply within the
    Adrian> expected time, including all data members of delegations like the
    Adrian> Debian Account Managers and the Community Team might have?

Someone did exactly that while I was DPL.
They received a response within the GDPR's allowed time giving them all data Debian held regarding them that was not covered by an exception to the GDPR.
They also received a list of exceptions to the GDPR that might apply to data that was not turned over.

This was all handled in a manner consistent with the advice received from a lawyer specializing in GDPR issues that was ultimately paid for by SPI.

As you might imagine, there are GDPR exceptions that apply to some classes of data that DAM routinely processes.

I cannot speak to the community team as the community team did not exist at the time of this request.

--Sam
Re: Question to all candidates: GDPR compliance review
On Fri, Apr 05, 2024 at 04:38:57PM +0200, Andreas Tille wrote:
> Hi Adrian,

Hi Andreas,

> On Fri, Apr 05, 2024 at 12:41:17AM +0300, Adrian Bunk wrote:
>...
> > Many parts of Debian's Privacy Policy look questionable.
> >
> > For example the rights are not stated, and in addition to this being a
> > formal problem there is also the question whether for example the Debian
> > Data Protection team does fulfil the right to request only where
> > required by law or whether all people around the world are treated
> > the same.
>
> I need to admit I do not understand this example.

The Privacy Policy lacks explicit statements of the rights like
  You have the right to request a copy of all personal data.
that are legally required.

An explicit statement would also make it clear whether or not Debian might extend such rights to people not covered by the GDPR.

> > The attempts in the Privacy Policy for blanket eternal storage
> > of data might not pass a legal review, especially when this might
> > contain sensitive data like sexual orientation or political opinions.
>
> I'm not aware that those personal data are stored. If this is really
> the case you have a point.

During the RMS GR I was often thinking "assume RMS was living in the EU".

The archives of debian-vote contain plenty of sensitive data like political opinions of RMS where it is questionable that they could be stored forever if the GDPR applied.

And who in Debian would have been responsible for informing him that sensitive personal data about him is being stored by Debian that was provided by third parties?

>...
> > I would be glad to hear from a qualified person that I am wrong and that
> > all handling of personal data by these teams is lawful.
>
> If I understand you correctly you want to know my opinion whether Debian
> should pay some lawyer specialized in data privacy to inspect "all
> handling of personal data", right?

Yes.

> > There is also a personal side for me:
> >
> > I am feeling quite unsafe in Debian due to not knowing what data people
> > in positions of power in Debian who dislike me might have about me, and
> > I want to request all data about me in Debian. This is also a prerequisite
> > for exercising the right of rectification of inaccurate personal data if
> > any data turns out to be incorrect.
>
> While I may be somewhat naive, I'm unaware of any positions within
> Debian that hold the power to harm others. IMHO, the most troubling
> aspect is your feeling that there are individuals who dislike you. If
> you really feel unsafe about this situation IMHO the first step should
> be to talk to some individual you are trusting inside Debian.
>...

If I send an email requesting all data Debian has about me to data-protect...@debian.org, will I receive a complete reply within the expected time, including all data members of delegations like the Debian Account Managers and the Community Team might have?

> Kind regards
>       Andreas.
>...

cu
Adrian
Re: Question to all candidates: GDPR compliance review
On 05/04/24 03:11, Adrian Bunk wrote:
> Hi,
>
> this email has two parts:
> A short question where I would appreciate a "yes" or "no" answer from
> all candidates, and a longer explanation what and why I am asking.
>
> Question:
>
> If elected, will you commit to have a lawyer specialized in that area
> review policies and practices around handling of personal data in Debian
> for GDPR compliance, and report the result of the review to all project
> members by the end of 2024?

Maybe. I do think we might need some review in this regard, but right now I do not have all the details about GDPR, so I can't be sure and say yes.
Re: Question to all candidates: GDPR compliance review
Hi Adrian,

On Fri, Apr 05, 2024 at 12:41:17AM +0300, Adrian Bunk wrote:
> this email has two parts:
> A short question where I would appreciate a "yes" or "no" answer from
> all candidates, and a longer explanation what and why I am asking.
>
>
> Question:
>
> If elected, will you commit to have a lawyer specialized in that area
> review policies and practices around handling of personal data in Debian
> for GDPR compliance, and report the result of the review to all project
> members by the end of 2024?

No.

> Explanation:

Explanation for my "No". You wanted a binary answer and you got it. I doubt a binary answer to a complex question that needs a long explanation is appropriate.

> One might discuss whether or not Debian should aim at being better than
> average in the area of privacy, but compliance with the law is the
> minimum everyone can expect.
>
> Unlawful actions can have consequences, organizations and
> individuals might be subject to fines up to 20 Million Euro
> as well as compensation for material and non-material damage,
> and in some countries also prosecution under criminal law.
>
>
> Many parts of Debian's Privacy Policy look questionable.
>
> For example the rights are not stated, and in addition to this being a
> formal problem there is also the question whether for example the Debian
> Data Protection team does fulfil the right to request only where
> required by law or whether all people around the world are treated
> the same.

I need to admit I do not understand this example.

> The attempts in the Privacy Policy for blanket eternal storage
> of data might not pass a legal review, especially when this might
> contain sensitive data like sexual orientation or political opinions.

I'm not aware that those personal data are stored. If this is really the case you have a point.

> I also suspect that the Debian Account Manager and Community Teams
> might be abusing people by illegally processing data outside of what
> is being permitted by the Privacy Policy.

I've reviewed the "State of the Data Protection team" talk from DebConf22[1]. I understand that you can address those suspicions with this team.

> I would be glad to hear from a qualified person that I am wrong and that
> all handling of personal data by these teams is lawful.

If I understand you correctly you want to know my opinion whether Debian should pay some lawyer specialized in data privacy to inspect "all handling of personal data", right?

> There is also a personal side for me:
>
> I am feeling quite unsafe in Debian due to not knowing what data people
> in positions of power in Debian who dislike me might have about me, and
> I want to request all data about me in Debian. This is also a prerequisite
> for exercising the right of rectification of inaccurate personal data if
> any data turns out to be incorrect.

While I may be somewhat naive, I'm unaware of any positions within Debian that hold the power to harm others. IMHO, the most troubling aspect is your feeling that there are individuals who dislike you. If you really feel unsafe about this situation IMHO the first step should be to talk to some individual you are trusting inside Debian.

> I would wish that Debian itself can ensure that all handling of personal
> data is lawful, and that GDPR requests are being fulfilled without
> problems - like everywhere else.

I'm not particularly well-versed in GDPR issues, but I would imagine that there must be a justified suspicion before seeking legal counsel.

> Other places with DDs also have laws protecting personal data
> (at least California, China, Brazil, South Africa, Singapore).
>
> I am asking specifically about GDPR since that affects me directly, but
> either during the GDPR review or afterwards it would of course be good
> to also obtain legal advice whether there are additional requirements
> in other jurisdictions.

To qualify my previously stated 'no' I'd rather say: No, except you come up with some more specific example (feel free to do this in private and if you like in our common mother language). Alternatively, the urgency of the issue might be highlighted by several other developers to bring my attention to the severity of the problem.

Kind regards
       Andreas.

[1] https://debconf22.debconf.org/talks/39-state-of-the-data-protection-team/

-- 
https://fam-tille.de
Re: Question to all candidates: GDPR compliance review
On Sat, Apr 02, 2022 at 12:21:24PM +0200, Christian Kastner wrote:
> On 2022-04-02 10:55, Adrian Bunk wrote:
> > Where does our Privacy Policy[1] describe personal data where Debian and
> > the community team are joint controllers?
>
> > Where does our Privacy Policy describe personal data where Debian and
> > DAM are joint controllers?
>
> Has it been established yet that Debian fits the definition of a
> controller as per Article 4 lit. 7 GDPR?
>
> I can see DAM, or CT, or the DPL possibly being controllers.

What is the identity of DAM or CT?

Likely each individual team member is a controller.

If a person has suffered material or non-material damage as a result of a GDPR infringement, each controller or processor can be held liable for compensation of the entire damage (Article 82(4)).

> But
> without some form of officially recognized organization, I don't see how
> Debian could be one. "Debian" doesn't even have an address, you couldn't
> even determine which data protection authority has jurisdiction.

What is "The Debian Project" in the Privacy Policy[2]?

Providing the identity and the contact details of the controller is mandatory for processing of personal data (Articles 13(1)(a) and 14(1)(a)), failure to do so is subject to administrative fines of up to 20 Million Euro (Article 83(5)(b)).

> This is just one of the things that, I think, would be a lot simpler if
> Debian would register as an organization, hence my question [1] to the
> candidates.
>...

This is likely required and desirable, as was also discussed in the thread starting with [3].

cu
Adrian

[1] Here in Finland the threshold for gift tax is 5000 Euro.
[2] https://www.debian.org/legal/privacy
[3] https://lists.debian.org/debian-project/2022/03/msg8.html
Re: Question to all candidates: GDPR compliance review
Hi Adrian,

On Fri, 2022-04-01 at 23:48 +0300, Adrian Bunk wrote:
> Will this handwritten note be available through
> contributors.debian.org?
>
> If the personal information in the handwritten note did not come
> directly from the person, who at Debian is responsible to ensure that
> the person gets informed automatically about the existence of the
> note when it is written?
>
> Same questions, with "local file" instead of "handwritten note".
>
> Same questions, with "stored on a Debian machine".

I am fairly confident you store personal data about me. Could you please provide some information about it?

Do you publish a privacy policy?
What data do you store? (Please don't send a copy to the list; private mail is okay.)
On what legal basis is the data processed?
Where is the data physically stored?
Who besides you has access to the data?
For what purposes might the data be used?
What retention period is defined for the data?
Why was I not informed that data about me is being stored?

Ansgar
Re: Question to all candidates: GDPR compliance review
On 2022-04-02 10:55, Adrian Bunk wrote:
> Where does our Privacy Policy[1] describe personal data where Debian and
> the community team are joint controllers?

> Where does our Privacy Policy describe personal data where Debian and
> DAM are joint controllers?

Has it been established yet that Debian fits the definition of a controller as per Article 4 lit. 7 GDPR?

I can see DAM, or CT, or the DPL possibly being controllers. But without some form of officially recognized organization, I don't see how Debian could be one. "Debian" doesn't even have an address, you couldn't even determine which data protection authority has jurisdiction.

This is just one of the things that, I think, would be a lot simpler if Debian would register as an organization, hence my question [1] to the candidates.

[1] https://lists.debian.org/debian-vote/2022/03/msg00135.html
Re: Question to all candidates: GDPR compliance review
On Fri, Apr 01, 2022 at 09:25:46PM +0200, Jonathan Carter wrote:
> On 2022/04/01 20:28, Adrian Bunk wrote:
> > Would you commit to something more specific, like that our Data
> > Protection team will reply to debian-project within 3 months discussing
> > all issues mentioned in the discussion at [1] so far, and with their
> > reply having been proof-read by our GDPR lawyer?
> >
> > [1]https://lists.debian.org/debian-project/2022/03/msg8.html
>
> That mail asks a bunch of very, very broad questions. My opinion is that
> it's better to direct specific problems at the data protection team as
> noodles suggested.

Then let's start with some very specific questions based on the email I just sent to Sam:

Where does our Privacy Policy[1] describe personal data where Debian and the community team are joint controllers?
On what legal basis is the data processed?
Where is the data physically stored?
Who has access to the data?
For what purposes might the data be used?
What retention period is defined for the data?
How are people being informed when data about them is being stored?

Where does our Privacy Policy describe personal data where Debian and DAM are joint controllers?
On what legal basis is the data processed?
Where is the data physically stored?
Who has access to the data?
For what purposes might the data be used?
What retention period is defined for the data?
How are people being informed when data about them is being stored?

These are specific questions about items that are supposed to be written in our Privacy Policy.

> -Jonathan

cu
Adrian

[1] https://www.debian.org/legal/privacy
Re: Question to all candidates: GDPR compliance review
On Fri, Apr 01, 2022 at 04:57:38PM -0600, Sam Hartman wrote:
> > "Adrian" == Adrian Bunk writes:
>     Adrian> Your "services" approach does not work for the non-trivial
>     Adrian> cases where Debian might be a (joint) controller of personal
>     Adrian> data.
>
>     Adrian> The Debian Community Team promises confidentiality regarding
>     Adrian> personal information they receive about other people,[1]
>     Adrian> which conflicts with the legal obligation of informing the
>     Adrian> person about whom personal information is being processed or
>     Adrian> stored.
>
> Based on legal advice I received while acting as DPL, the above is not
> correct.
> Most of the information the community team process is not information we
> would need to disclose in response to a GDPR subject access request.

Where does Debian's Privacy Policy[1] describe this personal data where Debian and the community team are joint controllers?
Where is the data stored?
Who has access to the data?
For what purposes might the data be used?
What retention period is defined for the data?

> Debian has already dealt with at least one subject access request that
> dealt significantly with information held by DAM in its role as a
> delegated team.

Where does Debian's Privacy Policy[1] describe this personal data where Debian and DAM are joint controllers?

> Some of that information was responsive; some of that information was
> covered by exceptions.

This covers only a part where Debian might be compliant with the law.

>...
> > If the personal information in the handwritten note did not come
> > directly from the person, who at Debian is responsible to ensure that
> > the person gets informed automatically about the existence of the note
> > when it is written?
>...

Exceptions might cover not having to disclose the contents of the data in some cases, but I would still expect that the person has to be informed that information exists.

See [2] for background in what context I started thinking about these issues.

>...
> The data protection team was looped into the process we and our lawyer
> used in responding to the request.
> The data protection team (and my successor as DPL) received copies of
> the legal advice we received.

Are you saying that all handling of personal data in Debian is following the law, or are you just trying to make me stop asking inconvenient questions?

I am feeling stonewalled and stalled regarding any attempts of receiving a review of handling of personal data in Debian, with a schedule that would be appropriate for potential illegal activity.

I would like to emphasize and repeat [3,4]:
IANAL and it is more likely than not that some things I am writing are not correct.
What I want is to see the results of a proper review by an actual lawyer.

If I fail to achieve visible progress on this topic inside Debian, the obvious option for getting a second opinion is to make a formal request for all personal data about me in Debian, followed by asking my questions to the Finnish Data Protection Ombudsman.

If everything I am writing is just wrong, then I will be told just that by the ombudsman.

> --Sam

cu
Adrian

[1] https://www.debian.org/legal/privacy
[2] https://lists.debian.org/debian-project/2022/03/msg00010.html
[3] https://lists.debian.org/debian-project/2022/03/msg8.html
[4] https://lists.debian.org/debian-vote/2022/03/msg00270.html
Re: Question to all candidates: GDPR compliance review
On Fri, 1 Apr 2022 22:16:55 +0300
Adrian Bunk wrote:
> One option would be to outsource this work to our paid GDPR lawyer.

Is there any option to cooperate with other FLOSS organizations? They would have the same issue and we may be able to share it and costs ;)

-- 
Hideki Yamane
Re: Question to all candidates: GDPR compliance review
> "Adrian" == Adrian Bunk writes:
    Adrian> Your "services" approach does not work for the non-trivial
    Adrian> cases where Debian might be a (joint) controller of personal
    Adrian> data.

    Adrian> The Debian Community Team promises confidentiality regarding
    Adrian> personal information they receive about other people,[1]
    Adrian> which conflicts with the legal obligation of informing the
    Adrian> person about whom personal information is being processed or
    Adrian> stored.

Based on legal advice I received while acting as DPL, the above is not correct.
Most of the information the community team process is not information we would need to disclose in response to a GDPR subject access request.

Debian has already dealt with at least one subject access request that dealt significantly with information held by DAM in its role as a delegated team.
Some of that information was responsive; some of that information was covered by exceptions.
The data protection team was looped into the process we and our lawyer used in responding to the request.
The data protection team (and my successor as DPL) received copies of the legal advice we received.

--Sam
Re: Question to all candidates: GDPR compliance review
On Fri, Apr 01, 2022 at 09:18:53PM +0200, Tollef Fog Heen wrote:
> ]] Adrian Bunk
>
> > Who will fulfill the request within the legal limit of one month if
> > a person sends an email to data-protect...@debian.org asking whether
> > Debian is a (joint) controller of any data about this person, and
> > if yes requests a copy of all data?
>
> To make this easier for services and users, we recommend that services
> use contributes.debian.org and that they then request the data from the
> individual services and then point people at that.

Your "services" approach does not work for the non-trivial cases where Debian might be a (joint) controller of personal data.

The Debian Community Team promises confidentiality regarding personal information they receive about other people,[1] which conflicts with the legal obligation of informing the person about whom personal information is being processed or stored.

Debian might be a joint controller if a member of the Debian Community Team stores personal information about a person in a handwritten note on paper (see [2] as an example of case law about handwritten notes)[3].

Will this handwritten note be available through contributors.debian.org?

If the personal information in the handwritten note did not come directly from the person, who at Debian is responsible to ensure that the person gets informed automatically about the existence of the note when it is written?

Same questions, with "local file" instead of "handwritten note".

Same questions, with "stored on a Debian machine".

Discussing such questions with a lawyer early is usually cheaper and less hassle than waiting until someone brings them up in a court case.

> Cheers,

cu
Adrian

[1] https://wiki.debian.org/Teams/Community
[2] https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:62017CJ0025=EN
[3] This court case was under the previous Directive from 1995, but the basic definitions are unchanged in the GDPR legislation that replaced it.
Re: Question to all candidates: GDPR compliance review
On 2022/04/01 20:28, Adrian Bunk wrote:
> Would you commit to something more specific, like that our Data
> Protection team will reply to debian-project within 3 months discussing
> all issues mentioned in the discussion at [1] so far, and with their
> reply having been proof-read by our GDPR lawyer?
>
> [1]https://lists.debian.org/debian-project/2022/03/msg8.html

That mail asks a bunch of very, very broad questions. My opinion is that it's better to direct specific problems at the data protection team as noodles suggested.

-Jonathan
Re: Question to all candidates: GDPR compliance review
On Fri, Apr 01, 2022 at 08:46:42PM +0200, Tollef Fog Heen wrote:
> ]] Adrian Bunk
>
> > Would you commit to something more specific, like that our Data
> > Protection team will reply to debian-project within 3 months discussing
> > all issues mentioned in the discussion at [1] so far, and with their
> > reply having been proof-read by our GDPR lawyer?
>
> I don't think that's something the DPL could commit to, even if they
> wanted to. First of all, what you're asking for is not what the data
> protection team is there for, secondly, neither the DPL nor anyone else
> has the ability to commit to anyone in Debian doing anything on any
> particular timeline.
>
> If that's what you're looking for, you're looking for a company with
> staff, not a volunteer project.

One option would be to outsource this work to our paid GDPR lawyer.

> Cheers,

cu
Adrian
Re: Question to all candidates: GDPR compliance review
On Fri, Apr 01, 2022 at 07:40:02PM +0200, Tollef Fog Heen wrote:
>...
> This isn't the role of the data protection team, though, any more than
> owner@bugs is responsible for fixing all the bugs in all the packages.
> I'm quite happy to act as a redirector (as per the first part of the
> delegation) as well as advising service owners. I have below-zero
> interest in auditing all our services and tracking everything relevant
> to data privacy throughout Debian.
>...

Who will fulfill the request within the legal limit of one month if a person sends an email to data-protect...@debian.org asking whether Debian is a (joint) controller of any data about this person, and if yes requests a copy of all data?

If there is no reply within one month, the person can request an order from the local supervisory authority (e.g. [1] is the online form for such requests in my country of residence).

> Cheers,

cu
Adrian

[1] https://tietosuoja.fi/en/find-out-whether-the-data-protection-ombudsman-can-help-you-rights
Re: Question to all candidates: GDPR compliance review
]] Adrian Bunk

> Who will fulfill the request within the legal limit of one month if
> a person sends an email to data-protect...@debian.org asking whether
> Debian is a (joint) controller of any data about this person, and
> if yes requests a copy of all data?

To make this easier for services and users, we recommend that services use contributes.debian.org and that they then request the data from the individual services and then point people at that.

Cheers,
-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are
Re: Question to all candidates: GDPR compliance review
On Fri, Apr 01, 2022 at 09:28:53PM +0300, Adrian Bunk wrote:
> Would you commit to something more specific, like that our Data
> Protection team will reply to debian-project within 3 months discussing
> all issues mentioned in the discussion at [1] so far, and with their
> reply having been proof-read by our GDPR lawyer?

If you had really cared about engaging with the data protection team and really believed the project was exposed to a lawsuit then the prudent thing would have been to initially contact the data protection team and DPL, rather than producing a long list of questions and stating that you didn't believe we are compliant with GDPR obligations and mailing it only to -project.

If you have specific, concrete, concerns then perhaps you can state them, but it's hard to assume good faith when I don't see any sign that you're trying to actually help here.

J.

-- 
] https://www.earth.li/~noodles/ [        Make friends.                  [
]  PGP/GPG Key @ the.earth.li    [                                       [
]   via keyserver, web or email. [      RSA: 4096/0x94FA372B2DA8B985     [
Re: Question to all candidates: GDPR compliance review
On Fri, Apr 01, 2022 at 07:02:15PM +0200, Jonathan Carter wrote:
> Hi Adrian

Hi Jonathan,

>...
> I'm not sure bringing in the lawyer as a first step is optimal, they are
> expensive and will probably tell us a lot of things we already know. IMHO
> it's better to do some initial groundwork, compile a list of issues that we
> need help on, and then take that to the lawyer for further input.

Usually trying to solve legal issues without consulting a lawyer early ends up being more expensive.

>...
> So, I would appreciate it if the data protection team could look into all of
> the issues we know of in Debian, but I'd also like there to be a process
> where people can file issues with the data protection team.
>...
> So, I think it's more important to take care of known issues and low hanging
> fruit before getting a lawyer involved. I also think it's a good idea to
> make it easy to file issues as they are found, and would like to know if the
> Data Protection team has any ideas or if they would consider implementing
> anything like the above.

It might not have been intended, but to me this comes across like stalling, trying to avoid addressing the big problems - we all know from our BTS that "filing issues" does not necessarily imply that anything will ever happen.

Would you commit to something more specific, like that our Data Protection team will reply to debian-project within 3 months discussing all issues mentioned in the discussion at [1] so far, and with their reply having been proof-read by our GDPR lawyer?

> -Jonathan

cu
Adrian

[1] https://lists.debian.org/debian-project/2022/03/msg8.html
Re: Question to all candidates: GDPR compliance review
]] Adrian Bunk

> Would you commit to something more specific, like that our Data
> Protection team will reply to debian-project within 3 months discussing
> all issues mentioned in the discussion at [1] so far, and with their
> reply having been proof-read by our GDPR lawyer?

I don't think that's something the DPL could commit to, even if they wanted to. First of all, what you're asking for is not what the data protection team is there for, secondly, neither the DPL nor anyone else has the ability to commit to anyone in Debian doing anything on any particular timeline.

If that's what you're looking for, you're looking for a company with staff, not a volunteer project.

Cheers,
-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are
Re: Question to all candidates: GDPR compliance review
]] Jonathan Carter

> So, I would appreciate it if the data protection team could look into
> all of the issues we know of in Debian, but I'd also like there to be
> a process where people can file issues with the data protection
> team. I'll admit I had to search a bit to find the data-protection
> email address, it doesn't seem to prominently feature anywhere on our
> website.

www.debian.org → Contact → privacy (not sure why the footer is missing from the front page) and it's there, so while not _very_ prominently, it's not very hidden either.

> But it would be great if it was clear that someone could file
> a bug with a tag, or whether they should use the data-protection
> alias, so that it's possible to file and keep track of data protection
> issues that need to be resolved.

This isn't the role of the data protection team, though, any more than owner@bugs is responsible for fixing all the bugs in all the packages. I'm quite happy to act as a redirector (as per the first part of the delegation) as well as advising service owners. I have below-zero interest in auditing all our services and tracking everything relevant to data privacy throughout Debian. I can't speak for the other team members, but I have not seen them express enthusiasm about this idea either.

Even if you got a team that would perform that tracking and auditing, what good would it be? They wouldn't be able to compel any service owners to fix their service.

Cheers,
-- 
Tollef Fog Heen, for himself
UNIX is user friendly, it's just picky about who its friends are
Re: Question to all candidates: GDPR compliance review
Hi Adrian

(I'm including the data-protection team, perhaps they can expand on your question or comment on my feedback)

On 2022/03/31 22:08, Adrian Bunk wrote:
> The discussion starting in [1] is about privacy in Debian with a focus
> on the GDPR of the European Union.

It started with the GDPR, in my country we have POPIA, in California there's CCPA, there are now over a dozen similar legislations (and I suspect more countries will be implementing them as time goes by). Fortunately they seem to mostly overlap, so complying with at least GDPR properly should make it a lot easier to comply in the other territories that we operate in.

When I first read through a GDPR guideline, I was quite happy about it because for the most part, it forces websites to do things that I consider a bare minimum when it comes to the safety of users' data. Personally, I think it would be great if we exceed the expectations of these legislations around the world.

> There seems to be a general agreement that privacy in Debian falls
> short of the legal minimum requirements at least in the EU.
>
> Even the exact scope of the problem is not clear.
>
> Question to all candidates:
>
> If elected, will you ask our Data Protection team and our GDPR lawyer to
> jointly do a review of all handling of personal data in Debian regarding
> GDPR compliance, and make the results of the review available to all
> developers?

I'm not sure bringing in the lawyer as a first step is optimal, they are expensive and will probably tell us a lot of things we already know. IMHO it's better to do some initial groundwork, compile a list of issues that we need help on, and then take that to the lawyer for further input.

I can also think of some examples where we processed user data that you didn't mention. As one example, we used to use the DebConf wiki quite a bit to organize events, and those all got turned into static pages. People who signed up and provided information (potentially contact details, where they were at certain dates, etc) couldn't have possibly known that the data they entered would've been later archived as publicly accessible read-only material, well at least not by us.

So, I would appreciate it if the data protection team could look into all of the issues we know of in Debian, but I'd also like there to be a process where people can file issues with the data protection team. I'll admit I had to search a bit to find the data-protection email address, it doesn't seem to prominently feature anywhere on our website. But it would be great if it was clear that someone could file a bug with a tag, or whether they should use the data-protection alias, so that it's possible to file and keep track of data protection issues that need to be resolved.

So, I think it's more important to take care of known issues and low hanging fruit before getting a lawyer involved. I also think it's a good idea to make it easy to file issues as they are found, and would like to know if the Data Protection team has any ideas or if they would consider implementing anything like the above.

-Jonathan
Re: Question to all candidates: GDPR compliance review
Hi,

On Thu, 31 Mar 2022 23:08:41 +0300
Adrian Bunk wrote:
> If elected, will you ask our Data Protection team and our GDPR lawyer to
> jointly do a review of all handling of personal data in Debian regarding
> GDPR compliance,

Yes.

> and make the results of the review available to all
> developers?

I'm positive about it but not sure since I don't understand the negative side effects of showing it to all. Transparency is important for us, but sometimes a "just all open" approach causes some trouble.

-- 
Hideki Yamane
Re: Question to all candidates: GDPR compliance review
Hi Adrian,

On Thu, Mar 31, 2022 at 1:24 PM Adrian Bunk wrote:
>
> The discussion starting in [1] is about privacy in Debian with a focus
> on the GDPR of the European Union.
>
> There seems to be a general agreement that privacy in Debian falls
> short of the legal minimum requirements at least in the EU.
>
> Even the exact scope of the problem is not clear.
>
> Question to all candidates:
>
> If elected, will you ask our Data Protection team and our GDPR lawyer to
> jointly do a review of all handling of personal data in Debian regarding
> GDPR compliance, and make the results of the review available to all
> developers?

Yes.

The release of any findings may be redacted, or may be a summary. Recipients may be required to sign a confidentiality agreement coupled with an indemnity in the event of a breach, and a release of claims, or both. In all cases, I reserve the right to act on the advice of counsel—but with an explanation to you.

I will treat you the same way that I would wish to be treated if our roles were reversed. I am committed to transparency when possible.

Kind regards,
Felix Lechner