[gdpr-discuss] Undeleteable data

Daniel Stone daniel at fooishbar.org
Fri Apr 13 14:05:36 BST 2018


Hi TJ,

On 13 April 2018 at 15:00, TJ <0.gdpr-discuss at iam.tj> wrote:
> On 13/04/18 12:07, Daniel Stone wrote:
>> Does anyone know if there's some kind of GDPR 'out' for, 'by posting
>> here you agree that everything is going to be made public, so as
>> there's nothing we can do about its distribution, it's not useful or
>> practical for us to undo that'? And are there any kind of credible
>> Bugzilla/Mailman deletion tools?
>
> From reading the regulation and various interpretations of it, it seems
> that PII required to operate the service is exempt from the requirement
> to get specific consent, and from what I've read, may also exempt (some
> of) that data from the deletion requirement.
>
> The regulation is designed to protect non-essential collected PII.
>
> I'd also wonder about the difference between 'collected' and
> 'volunteered' data in respect of bug reports, emails to mailing lists,
> etc., since in most cases the service isn't asking for PII.
>
> On the contract side, if the processing is necessary for the performance
> of the contract, then it is a lawful use not requiring explicit consent.
>
> The data subject is giving consent by subscribing or sending to a
> mailing list, or creating or adding to a bug report. In this case I'd
> suspect ensuring there is an explicit notice that the action is giving
> consent would be sufficient (although it's not clear these uses require
> consent).

This is quite a different viewpoint from Moritz's, and was also my
reading of it. This is what our current privacy policies and notices
express, so people are at least fully aware of the consequences of
volunteering information. As it comes from Mailman/Bugzilla, it is not
exactly passive: you are voluntarily providing data to be posted for
public consumption, and we make people aware of the consequences of
doing so when registering/subscribing.

> Corner-cases are where a child is the data-subject and verifiable
> parental consent is required.

That one is far more difficult. I suppose there is another corner
case, if someone was to e.g. forward a mail from someone else to a
list. In that case, the person whose PII is available has not
necessarily directly consented to our processing of that information.
I'm not at all sure what regulations apply to this third-party case.

Cheers,
Daniel


