Hi TJ,
On 13 April 2018 at 15:00, TJ <0.gdpr-discuss@iam.tj> wrote:
On 13/04/18 12:07, Daniel Stone wrote:
Does anyone know if there's some kind of GDPR 'out' for, 'by posting here you agree that everything is going to be made public, so as there's nothing we can do about its distribution, it's not useful or practical for us to undo that'? And are there any kind of credible Bugzilla/Mailman deletion tools?
From reading the regulation and various interpretations of it, it seems that PII required to operate the service is exempt from the requirement to get specific consent, and from what I've read, may also exempt (some of) that data from the deletion requirement.
The regulation is designed to protect non-essential collected PII.
I'd also wonder about the difference between 'collected' and 'volunteered' data in respect of bug reports, emails to mailing lists, etc., since in most cases the service isn't asking for PII.
On the contract side, if the processing is necessary for the performance of the contract, then it is a lawful use not requiring explicit consent.
The data subject is giving consent by subscribing or sending to a mailing list, or creating or adding to a bug report. In this case I'd suspect ensuring there is an explicit notice that the action is giving consent would be sufficient (although it's not clear these uses require consent).
This is quite a different viewpoint from Moritz's, and was also my reading of it. This is what our current privacy policies and notices express, so people are at least fully aware of the consequences of volunteering information. As it comes from Mailman/Bugzilla, it is not exactly passive: you are voluntarily providing data to be posted for public consumption, and we make people aware of the consequences of doing so when registering/subscribing.
Corner-cases are where a child is the data-subject and verifiable parental consent is required.
That one is far more difficult. I suppose there is another corner case, if someone was to e.g. forward a mail from someone else to a list. In that case, the person whose PII is available has not necessarily directly consented to our processing of that information. I'm not at all sure what regulations apply to this third-party case.
Cheers, Daniel