In the case of git, and the integrity of a code base that has implications for the security of many people, I would look into legitimate interest from Article 6(1)(f):
“processing is necessary for…
…the purposes of the legitimate interests pursued by the controller or by a third party, …
…except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
In short: purpose, necessity, and balancing. Also consider what is PII and what isn’t. Make a decision and document it.
Cheers,
Karen Reilly
On Mon 21. May 2018 at 19:01, Jens Kubieziel maillist@kubieziel.de wrote:
- Jonas Wielicki schrieb am 2018-05-21 um 18:22 Uhr:
This would require re-writing all history since that commit, which is a
huge
issue.
So you could argue with Art. 12 (5) lit. b GDPR: »Where requests from a data subject are manifestly unfounded or excessive, […], the controller may either: […] refuse to act on the request.« However this is quite a weak argument and will probably not work for a git archive.
If it is not possible to correctly identify the person, the request must be rejected (think of nicknames).
- The email address was valid at the time the commit was made and is
thus an
accurate representation of the history at the time the commit was made
(which
is timestamped) and thus doesn’t need to be rectified.
- It is expected that the user would provide accurate information and if
they,
for example, have a typo in e.g. their name in the commit metadata, it
is kind
of their fault and this does not need to be corrected.
I think both arguments are not valid, because the data subject has this right independent from what was correct or not not. If the data is incorrect now, the data subject has the right to rectification and also the controller has a duty to process correct data.
In the case of git some other arguments are needed, IMHO.
-- Jens Kubieziel https://www.kubieziel.de Wer vom Glück immer nur träumt, darf sich nicht wundern, wenn er es verschläft. Ernst Deutsch _______________________________________________ gdpr-discuss mailing list gdpr-discuss@earth.li https://www.earth.li/mailman/listinfo/gdpr-discuss