On 13/04/18 12:07, Daniel Stone wrote:
Does anyone know if there's some kind of GDPR 'out' for, 'by posting here you agree that everything is going to be made public, so as there's nothing we can do about its distribution, it's not useful or practical for us to undo that'? And are there any kind of credible Bugzilla/Mailman deletion tools?
From reading the regulation and various interpretations of it, it seems
that PII required to operate the service is exempt from the requirement to get specific consent, and from what I've read, may also exempt (some of) that data from the deletion requirement.
The regulation is designed to protect non-essential collected PII.
I'd also wonder about the difference between 'collected' and 'volunteered' data in respect of bug reports, emails to mailing lists, etc., since in most cases the service isn't asking for PII.
On the contract side, if the processing is necessary for the performance of the contract, then it is a lawful use not requiring explicit consent.
The data subject is giving consent by subscribing or sending to a mailing list, or creating or adding to a bug report. In this case I'd suspect ensuring there is an explicit notice that the action is giving consent would be sufficient (although it's not clear these used require consent).
Corner-cases are where a child is the data-subject and verifiable parental consent is required.