On 2018-05-04 20:35, Wolfgang Lenerz via Ql-Users wrote:
Hi,
Article 30, section 5:
"5. The obligations referred to in paragraphs 1 and 2 shall not apply
to an enterprise or an organisation employing fewer than 250 persons
unless the processing it carries out is likely to result in a risk to
the rights and freedoms of data subjects, the processing is not
occasional, or the processing includes special categories of data as
referred to in Article 9(1) or personal data relating to criminal
convictions and offences referred to in Article 10."
I think this makes the mailing list excempt from the need to keep
detailed records. Under the presumption that less than 250 people
manage the mailing list, of course.
This only applies to the need for a data controller and processor, not
the general duties under the GDPR.
Ah yes - so it appears:
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/documentation/who-needs-to-document-their-processing-activities/
However,
"This Regulation applies to the processing of personal data wholly or
partly by automated means and to the processing other than by
automated means of personal data which form part of a filing system or
are intended to form part of a filing system." (art 2)
and
'‘personal data’ means any information relating to an identified or
identifiable natural person (‘data subject’); an identifiable natural
person is one who can be identified, directly or indirectly, in
particular by reference to an identifier such as a name, an
identification number, location data, an online identifier or to one
or more factors specific to the physical, physiological, genetic,
mental, economic, cultural or social identity of that natural person;'
(art 4-1)
and
'processing’ means any operation or set of operations which is
performed on personal data or on sets of personal data, whether or not
by automated means, such as collection, recording, organisation,
structuring, storage, adaptation or alteration, retrieval,
consultation, use, disclosure by transmission, dissemination or
otherwise making available, alignment or combination, restriction,
erasure or destruction; (art 4-2)
Whether an email list, where it may be argued that no processing of
personal data is done, falls under that scope is, at least,
debatable...
Possibly true - although if an IP address can be classified as personal
data or a factor specific to the identity of that natural person, I am
sure an email address can be. I forget all of the mailing list
commands, but there used to be one where you could get a list of email
subscribers, and of course the online archive still contains past
messages, including where people may have entered their name, website,
or address as part of their signature.
There is then no way to exercise the right to be forgotten.
Presumably the software behind the mailing list will itself be updated
at some point
Rich Mellor RWAP Software www.rwapsoftware.co.uk www.sellmyretro.com
_______________________________________________
QL-Users Mailing List
