GDPR Right to be Forgotten
The issue has come up regarding the new GDPR regulations and an individual's right to request their personal data be erased. #42829 Under GDPR, third parties may only process personal data if they have the legal right to such information. One way to gain that right is to obtain the consent of the individuals covered by GDPR. However under GDPR, in certain circumstances individuals have the right to revoke their consent to the processing of their personal data. This right to be forgotten applies to consumers and employees alike.
Another option for obtaining the right to process the personal data does not rely on consent. GDPR also allows processing of personal information when "processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract." Under this basis of obtaining the right to process the personal data, there is not the same right to revoke consent. The right to use the personal data would continue until “the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.”
Due to the nature of Git, capturing personal data (name and email) is necessary in order to maintain the version control feature of Git. Removing the personal data would not only be contrary to the fundamental function of Git, but would also break the code.
The proposed solution would be to:
- obtain the proper consent from all contributors prior to making a contribution;
- include in the consent, a waiver of the right to revoke such consent; AND
- provide written notice to the contributor, in advance of making a contribution, that their personal data is necessary for the performance of the parties' contractual relationship (ie the licensed right to use the code being contributed).