this post was submitted on 06 Jul 2023
50 points (98.1% liked)

Asklemmy

43810 readers
1592 users here now

A loosely moderated place to ask open-ended questions

Search asklemmy 🔍

If your post meets the following criteria, it's welcome here!

  1. Open-ended question
  2. Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
  3. Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
  4. Not ad nauseam inducing: please make sure it is a question that would be new to most members
  5. An actual topic of discussion

Looking for support?

Looking for a community?

~Icon~ ~by~ ~@Double_A@discuss.tchncs.de~

founded 5 years ago
MODERATORS
Cloak@lemmy.ml
mekhos@lemmy.ml
tmpod
14specks@lemmy.ml
50
How can an instance comply with GDPR if they're federated? (lemmy.world)
submitted 1 year ago by firipu@lemmy.world to c/asklemmy@lemmy.ml
51 comments fedilink hide all child comments
 

So if I understand GDPR correctly: If I want a service/business to remove all my personal data, they have to comply with it in a certain timespan or get in trouble with the law.

If I understand federation correctly: All posts get replicated on federated instances all over the fediverse.

My question: If I e.g. want lemmy.world to remove my data, all my posts etc are still up on lemmy.ml right? As they just have a copy of these posts?

Would I as a customer have to contact every single instance to get my data removed? Or how does GDPR compliance work with lemmy?

Or am I completely misunderstanding how GDPR works?

you are viewing a single comment's thread
view the rest of the comments
[–] oatmilkmaid@possumpat.io 5 points 1 year ago* (last edited 1 year ago) (1 children)

Someone correct me if I’m wrong but GDPR doesn’t apply fully to small organizations (less than 250 employees) and mostly only applies if you offer goods and services which is not the case if you’re running a Lemmy instance. If you’re an instance owner with no employees because you’re not a registered business of any sort, you’re not on the hook for anything

Then again, I am neither European or knowledgeable in GDPR so someone please correct me if I’m wrong.

Edit: I am wrong see below

[–] Hotzilla@sopuli.xyz 8 points 1 year ago (1 children)

This is incorrect, GDPR is any registery, company size or even profit/nonprofit is not relevant. Even it being digital/in paper is not relevant. If EU citizen is identifiable in registery, it must comply with GDPR.

[–] oatmilkmaid@possumpat.io 2 points 1 year ago* (last edited 1 year ago) (1 children)

Apologies and thank you for the clarification, I was reading an earlier draft of GDPR that had information on companies with fewer than 250 employees. Not sure how Lemmy instances fall under this though, do you know?

Businesses that are not engaged in processing of the personal data listed in Article 9 or Article 10 do not need to appoint a data protection officer (DPO or DPO as a Service) unless they are engaged in regular and systematic monitoring of data subjects on a “large scale”.

I would also assume that deleting your information would only apply to the information located on the server and anything that’s already been propagated is up for grabs unless you request it from someone. Not sure how Lemmy as a software is responsible for being GDPR compliant. Again, I don’t know anything about GDPR teehee

[–] Hotzilla@sopuli.xyz 2 points 1 year ago (1 children)

That quote from GDPR talks about specific job role that large company is by-law requires to have, called data protection officer. He/She is responsible that company is GDPR compliant.

[–] oatmilkmaid@possumpat.io 1 points 1 year ago

Ahh! Thank you