Hello, I've been using git for years, but I've never before taken part in the discussion on the mailing list. I have a simple question, which probably isn't easy to answer. Is git compliant with GDPR, the EU data protection law? Before I'm able to commit with git, I'm asked for my first and last name. That is personal data. GDPR, Article 4, point (1): ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); [...] That data is handled by the git utility. It's sent to other parties operating remote git servers (as a result of my commands, but as far as I know that's not relevant). It sounds like it's being processed. GDPR, Article 4, point (2): ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; This data is processed with a compatible computer owned by the end user for the purpose of identification of git commits. It's sent to other parties only when specific commands are given. All this was defined by git authors/contributors (from all around the world). GDPR, Article 4, point (7): ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; [...] Git authors can be considered joint controllers. If we'd assume the above interpretations, there would be many, many consequences. I'm not a lawyer, and I have no idea if this interpretation is reasonable. I don't even know if I'd like it to be. But here are some facts: GDPR does focus on protecting the end user. Possibly, it's the most strict data protection law in the world. It doesn't care how difficult it is to adjust the organisation for compliance and it doesn't care where the controller is located, as long as it processes personal data of EU citizens (if I understand it correctly). Are there any lawyers in the git community? Could The Linux Foundation help with legal support? It's a very non-trivial issue. It's non obvious how local software relates to GDPR, and it's even more difficult with Free/Open Source software with many, many authors. But if the aforementioned interpretation was assumed, the git authors could be held responsible for non-compliance. Best, Jakub
