Comment: Added new checks for the GDPR check list

...

In order to be GDPR compliant, we will only contact apache.org email addresses, which implies that their users have given the ASF permission to use them for contact on topics related to the ASF. Further, we will announce in a blog post that this survey will take place, and participation is opt-in only. We will inform the community members of the processing and offer them a way to opt out.

GDPR Checks - WIP

We have checked that legitimate interest is the most appropriate basis

ASF, acting as Data Controller, has a legitimate interest in analysing the data accessed during a Bitergia analysis.

  • Yes. For gaining insight into aspects related directly or indirectly to software development in the analysed FOSS projects, including:
    • Sustainability and resiliency of the projects
    • Performance, including the performance and efficiency of the many processes related to software development.
    • Community, including aspects such as diversity, involvement, onboarding and exiting.

We have informed the community about the analysis and its purpose

☐ We understand our responsibility to protect the individual’s interests.

☐ We are not using people’s data in ways they would find intrusive or which could cause them harm, unless we have a very good reason.

Yes. Personal data won't be used for any purpose other than identifying general trends in the community. Personal data will not be shared with any third party.

☐ If we process prisoners, protected classes or children’s data, we take extra care to make sure we protect their interests.

N/A. Since we do not know this from our records, we have no way to ensure this.

☐ We have considered safeguards to reduce the impact where possible.

Yes. Sensitive information such as email addresses is not shown in any of the dashboard panels. No communication is done with the data subject. Information such as the names of contributors can be pseudonymized if it needs to be displayed on the dashboards.

☐ We have considered whether we can offer an opt-out.

...

☐ The subject matter and duration of the processing

  • Yes. DPA clause 4.1

☐ The nature and purpose of the processing.

  • Yes. DPA clause 4.1

☐ The types of personal data and categories of data subjects

  • Yes. DPA clause 4.1

☐ The obligations and rights of the controller

  • Yes. DPA clause 4.4

☐ Require that processors process personal data only on documented instructions from the controller (unless required to do otherwise by law)

  • Yes. DPA clause 4.5(a)

☐ Require that processors transfer personal data internationally only on documented instructions from the controller (unless required to do otherwise by law)

  • Yes. DPA clause 7

☐ Require that processors ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality

  • Yes. DPA clause 6

☐ Require that processors take all measures required pursuant to Article 32 (Security of Processing), which includes the obligation to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk

  • Yes. DPA clause 6

☐ Require that processors obtain authorization from the controller before engaging a subprocessor and provide notice to the controller of any intended changes concerning the addition or replacement of processors, thereby giving the controller the opportunity to object to such changes

  • Yes. DPA clause 6

☐ Require the processor to contractually flow down the same data protection obligations in its contract with the controller to all subprocessors and hold the processor fully liable to the controller for the subprocessors’ performance of such data protection obligations

  • Yes. DPA clause 6

☐ Require that processors assist the controller by appropriate technical and organizational measures in responding to data subject rights requests

  • Yes. DPA clause 4.4(a)

☐ Require that processors assist the controller in responding to a data breach (including but not limited to complying with breach notification obligations)

  • Yes. DPA clause 8

☐ Require that processors delete or return all personal data to the controller, at the choice of the controller, after the end of the provision of services relating to the processing (unless continued storage is required by law)

  • Yes. DPA clause 4.5(e)

☐ Require that processors make available to the controller all information necessary to demonstrate their compliance with their Article 28 obligations and allow for and contribute to audits conducted by or at the request of the controller

  • Yes. DPA clause 4.5(f)

☐ Keep a record of processing activities in the case of processing personal data that may pose a risk to the rights and freedoms of the data subject and / or in a non-occasional manner, or which involves the processing of special categories of data and / or data relating to convictions and infractions.

  • Yes. DPA clause 4.5(i)

☐ Respond to the legal rights established by the GDPR

  • Yes. DPA clause 5

FAQs

Will there be a message to committer@ explaining that they will receive a subsequent message?

...