Question to all candidates: GDPR compliance review

To: debian-vote@lists.debian.org
Subject: Question to all candidates: GDPR compliance review
From: Adrian Bunk <bunk@debian.org>
Date: Fri, 5 Apr 2024 00:41:17 +0300
Message-id: <[🔎] Zg8efSbeFHd95zcc@localhost>

Hi,

this email has two parts:
A short question where I would appreciate a "yes" or "no" answer from 
all candidates, and a longer explanation what and why I am asking.


Question:

If elected, will you commit to have a lawyer specialized in that area
review policies and practices around handling of personal data in Debian 
for GDPR compliance, and report the result of the review to all project 
members by the end of 2024?



Explanation:

One might discuss whether or not Debian should aim at being better than 
average in the area of privacy, but compliance with the law is the 
minimum everyone can expect.

Unlawful actions can have consequences, organizations and 
individuals might be subject to fines up to 20 Million Euro
as well as compensation for material and non-material damage,
and in some countries also prosecution under criminal law.


Many parts of Debians Privacy Policy look questionable.

For example the rights are not stated, and in addition to this being a 
formal problem there is also the question whether for example the Debian 
Data Protection team does fulfil the right to request only where 
required by law or whether all people around the world are treated
the same.

The attempts in the Privacy Policy for blanket eternal storage
of data might not pass a legal review, especially when this might
contain sensitive data like sexual orientation or political opinions.


I also suspect that the Debian Account Manager and Community Teams
might be abusing people by illegally processing data outside of what
is being permitted by the Privacy Policy.

I would be glad to hear from a qualified person that I am wrong and that 
all handling of personal data by these teams is lawful.


There is also a personal side for me:

I am feeling quite unsafe in Debian due to not knowing what data people 
in positions of power in Debian who dislike me might have about me, and 
I want to request all data about me in Debian. This is also a prerequisite
for exercising the right of rectification of inaccurate personal data if 
any data turns out to be incorrect.

I would wish that Debian itself can ensure that all handling of personal 
data is lawful, and that GDPR requests are being fulfilled without 
problems - like everywhere else.


Other places with DDs also have laws protecting personal data
(at least California, China, Brazil, South Africa, Singapore).

I am asking specifically about GDPR since that affects me directly, but 
either during the GDPR review or afterwards it would of course be good 
to also obtain legal advice whether there are additional requirements
in other jurisdictions.


Thanks
Adrian

Reply to:

Follow-Ups:
- Re: Question to all candidates: GDPR compliance review
  - From: Andreas Tille <andreas@an3as.eu>
- Re: Question to all candidates: GDPR compliance review
  - From: Sruthi Chandran <srud@disroot.org>

Prev by Date: Re: Question to all candidates: What are your technical goals
Next by Date: Draft ballot
Previous by thread: Re: Question to all candidates: What are your technical goals
Next by thread: Re: Question to all candidates: GDPR compliance review
Index(es):
- Date
- Thread