NOTE:

VP of privacy is needed.  

Privacy Policy

The Apache Software Foundation has a contract with Bitergia that specifically says that information will be handled following the ASF privacy policy, and that results will only be used to further the goals of The Apache Foundation.

In order to be GDPR compliant, we will inform the community members of the processing and offer them a way to opt-out.

GDPR Checks - WIP

☐ ASF, acting as Data Controller, has a legitimate interest in analysing the data accessed during a Bitergia analysis.

  • Yes. To gain insight into aspects related directly or indirectly to software development in the analysed FOSS projects, including:
    • Sustainability and resiliency of the projects.
    • Performance, including the performance and efficiency of the many processes related to software development.
    • Community, including aspects such as diversity, involvement, onboarding and exiting.

☐ We have informed the community about the analysis and its purpose

☐ We have considered whether we can offer an opt-out.

☐ The subject matter and duration of the processing

  • Yes. DPA clause 4.1

☐ The nature and purpose of the processing.

  • Yes. DPA clause 4.1

☐ The types of personal data and categories of data subjects

  • Yes. DPA clause 4.1

☐ The obligations and rights of the controller

  • Yes. DPA clause 4.4

☐ Require that processors process personal data only on documented instructions from the controller (unless required to do otherwise by law)

  • Yes. DPA clause 4.5(a)

☐ Require that processors transfer personal data internationally only on documented instructions from the controller (unless required to do otherwise by law)

  • Yes. DPA clause 7

☐ Require that processors ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality

  • Yes. DPA clause 6

☐ Require that processors take all measures required pursuant to Article 32 (Security of Processing), which includes the obligation to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk

  • Yes. DPA clause 6

☐ Require that processors obtain authorization from the controller before engaging a subprocessor and provide notice to the controller of any intended changes concerning the addition or replacement of processors, thereby giving the controller the opportunity to object to such changes

  • Yes. DPA clause 6

☐ Require the processor to contractually flow down the same data protection obligations in its contract with the controller to all subprocessors and hold the processor fully liable to the controller for the subprocessors’ performance of such data protection obligations

  • Yes. DPA clause 6

☐ Require that processors assist the controller by appropriate technical and organizational measures in responding to data subject rights requests

  • Yes. DPA clause 4.4(a)

☐ Require that processors assist the controller in responding to a data breach (including but not limited to complying with breach notification obligations)

  • Yes. DPA clause 8

☐ Require that processors delete or return all personal data to the controller, at the choice of the controller, after the end of the provision of services relating to the processing (unless continued storage is required by law)

  • Yes. DPA clause 4.5(e)

☐ Require that processors make available to the controller all information necessary to demonstrate their compliance with their Article 28 obligations and allow for and contribute to audits conducted by or at the request of the controller

  • Yes. DPA clause 4.5(f)

☐ Keep a record of processing activities in the case of processing personal data that may pose a risk to the rights and freedoms of the data subject and / or in a non-occasional manner, or which involves the processing of special categories of data and / or data relating to convictions and infractions.

  • Yes. DPA clause 4.5(i)

☐ Respond to the legal rights established by the GDPR 

  • Yes. DPA clause 5

FAQs