Re: GDPR compliance best practices?


Adding one more data point here, I reached out to GitHub to find out their stance.

Here is what I got back:

Quote:

Thanks for reaching out to us about this.

It's important to remember that the Right to Erasure only applies to personal data, not all data. It only applies to data a controller (GitHub, for example) is processing _solely_ on the basis of consent. And it only applies when there's not another legal reason to keep the data — for instance, if the data is no longer necessary for the purpose for which it was collected.

We do not process Git commit history on the basis of consent. We have a legitimate business purpose for collecting Git commit history: to maintain the integrity of the Git commit record. It remains necessary for its purpose for as long as a commit needs to be attributable to its committer. At GitHub, as part of our Privacy By Design work, we offer ways for users to set their own Git commit email data, so if an individual wants to remain anonymous or pseudonymous, he or she can do so. We also explain, in our [Privacy Statement](https://help.github.com/articles/github-privacy-statement), that we are not able to delete personal data from the Git commit history once it has been recorded.

End Quote

I'll point out that not only did the GitHub lawyers need to sign off on this stance, but the Microsoft lawyers would have looked at it as well as part of their purchase of GitHub.

David Lang
