[gdpr-discuss] Git and the Right for Rectification

Tapani Tarvainen tapani.tarvainen at effi.org
Mon May 21 18:31:28 BST 2018 

On Mon, May 21, 2018 at 07:01:01PM +0200, Jens Kubieziel (maillist at kubieziel.de) wrote:

> * Jonas Wielicki schrieb am 2018-05-21 um 18:22 Uhr:

> > - The email address was valid at the time the commit was made and is thus an 
> > accurate representation of the history at the time the commit was made (which 
> > is timestamped) and thus doesn’t need to be rectified.
> > 
> > - It is expected that the user would provide accurate information and if they, 
> > for example, have a typo in e.g. their name in the commit metadata, it is kind 
> > of their fault and this does not need to be corrected.
> 
> I think both arguments are not valid, because the data subject has this
> right independent from what was correct or not not.

The latter is clearly invalid on that basis. The former, however, is
not so obvious:

> If the data is incorrect now, the data subject has the right to
> rectification and also the controller has a duty to process correct
> data.

If I expand Jonas' point a bit, I could argue the data is *not*
incorrect now, as it is historical record and as such *must* not be
changed, indeed changing it would be tantamount to forgery.

Of course that does not solve the problem, because then we'd need
a justification for keeping such historical records.

To that end it could be argued that the email was used as means of
authentication, and as such must be kept just like signatures in any
old deeds or other legal paperwork - you can't get your name changed
in or removed from such either. The analogy, however, fails or at
least isn't as strong when it comes to *publishing* the data, as with
public git repositories, so it may not help much.

In any case this line of argument does not stand or fall on the basis
of technology used alone: git or not, what matters is what it's used
for and how, and what its users have accepted or what can be justified
by some of the other relevant clauses of GDPR.

-- 
Tapani Tarvainen
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: not available
URL: <https://www.earth.li/pipermail/gdpr-discuss/attachments/20180521/a0c0c9a9/attachment-0001.sig>

More information about the gdpr-discuss mailing list