MvdV>> Yes. But those aren't third party data. Those are the IP MvdV>> numbers of nodes that have called my system and those that my MvdV>> system has called. How is that different from the list of MvdV>> numbers collected in my mobile phone?
MR> From a logical standpoint I agree that they are the same. But binkd MR> logfiles aren't much different from the ones of a webserver. And the MR> IP addresses listed in those logfiles are considered personal data in MR> Germany and also in your country.
Yes, IP numbers are personel data. Confirmed by Dutch Court rulings. And by extension so are Fidonet node numbers. Probably.
But he fact that they are personal data, does not necesarely mean that those numbers are stored and kept on behalf of the organisation of Fidonet. That I am a member of Fdionet does not mean that I can not store and keep data as a person.
MR>>> But this is only a small part of the personal data we collect MR>>> and process. Who is responsible for the proper documentation MR>>> required by the GDPR? Each node for his system or the NC/RC/ZC MR>>> for all nodes in his net/region/zone? Presumably the latter.
MvdV>> I don't know, but I don't think anyone can be responsble for MvdV>> what he/she does not control. I would say the sysop - as master MvdV>> of his system - is responsible for what passes through / is MvdV>> collected by his/her system.
MR> That's what common sense would tell us. Fidonet is most likely a non MR> registered club/society without legal capacity in Germany. That means MR> that the chairman (RC) would be the responsible person as defined by MR> the GDPR.
Why the RC? Why not the NC? And if the resposibility floats to the top why stop at the RC? Why not the ZC?
MR> The offices for privacy protection published guides for the GDPR and MR> clearly say that the GDPR applies also to the type of society I MR> mentioned above.
Yes, the las applies. But that does not mean that everything every member does is the responsibility of the chairman.
MvdV>> Lots of questions and very few answers. I thinks we will just MvdV>> have to see how his evolves...
MR> It's a mess. And I don't see any way we could comply. The *C would be MR> responsible for all nodes but has no control about what each node MR> collects and how long that will be stored. There are also requirements MR> for providing all stored data about a person on request,
If a Fidiomet member requests what data I have stored about him about my system, I will happily comply.
MR> also correction and deletion of personal data. So the *C would have to MR> ask all nodes to send him all personal data about a specific person. MR> That wouldn't work reliably.
Indeed, obviously that would not work. And if that how the law is interpreted and enforced, that would be the end of Fidonet.
But I am not that pessimistic. No doubt Fidonet will not be the only one with this problem and surely there will be other organisations with a much higher profile. I have confidence that such problems will be worked out before Fidonet appears on the radar of the enforcers...