May 04 13:59 2018, Michiel van der Vlist wrote to Markus Reschke:
MR>> and follow the GDPR by the letter.
MvdV> Impossible. Too vague and too much room for interpretation. As you MvdV> already pointed out, we do not even know yet who is responsible for MvdV> what part.
Maybe we need RDPCs (Region Data Privacy Coordinator). But I bet that nobody would like to do that job :)
I found another tidbit. To transfer personal data to a non-EU country legally the destination country has to be on a white-list of countries with similar data privacy laws. The USA aren't on that list but there's the Privacy Shield. If you want to transfer personal data to the US, like the Z2 part of the nodelist, the organization in the USA receiving the data has to be certified for being compliant with the Privacy Shield. In our case Z1 would need that certification.