May 03 00:16 2018, Michiel van der Vlist wrote to Markus Reschke:
MR>> Any node running binkd has lots of IP addresses in the log file.
MvdV> Yes. But those aren't third party data. Those are the IP numbers of MvdV> nodes that have called my system and those that my system has MvdV> called. How is that different from the list of numbers collected in MvdV> my mobile phone?
From a logical standpoint I agree that they are the same. But binkd logfiles aren't much different from the ones of a webserver. And the IP addresses listed in those logfiles are considered personal data in Germany and also in your country.
MR>> But this is only a small part of the personal data we collect and MR>> process. Who is responsible for the proper documentation required by MR>> the GDPR? Each node for his system or the NC/RC/ZC for all nodes in MR>> his net/region/zone? Presumably the latter.
MvdV> I don't know, but I don't think anyone can be responsble for what MvdV> he/she does not control. I would say the sysop - as master of his MvdV> system - is responsible for what passes through / is collected by MvdV> his/her system.
That's what common sense would tell us. Fidonet is most likely a non registered club/society without legal capacity in Germany. That means that the chairman (RC) would be the responsible person as defined by the GDPR. The offices for privacy protection published guides for the GDPR and clearly say that the GDPR applies also to the type of society I mentioned above.
MvdV> Lots of questions and very few answers. I thinks we will just have MvdV> to see how his evolves...
It's a mess. And I don't see any way we could comply. The *C would be responsible for all nodes but has no control about what each node collects and how long that will be stored. There are also requirements for providing all stored data about a person on request, also correction and deletion of personal data. So the *C would have to ask all nodes to send him all personal data about a specific person. That wouldn't work reliably.