On 6/20/19 3:31 PM, Per Jessen wrote:
Michael Strc3b6der wrote:
But it might also produce complex conflict situations: Forged sender addresses can easily be used for really nasty spam or weird false messages. So the real owner of an e-mail address might have a vital and legitimate interest a forged message to be removed. If you prevent this correction/deletion by saying nobody can prove the identity the e-mail address owner could take the legal entity running the lists to court.
Yes, there are all kinds of complexities.
This means our personal opinion(s) does not matter much.
The legal entity is of course SUSE GmbH.
That's also my understanding.
Although I manage the mailing lists, I am under no legal obligation by SUSE, nor have I received any instructions from SUSE regarding the GDPR. Another couple of reasons for not wanting to touch the whole thing.
My suggestion would be to take this to the openSUSE board.
It's not unlikely that a judge would argue that because there's also no real identity proof when accepting a message sent to the list it is sufficient as identity proof to simply check whether an e-mail challenge is correctly answered.
I have also been wondering about that.
Technically I see no reason why we couldn't setup a challenge-response mechanism via e-mail for the identity proof of an e-mail address before processing GDPR correction/removal requests. Thinking about this a bit more it should be a standard functionality of a mailing list manager software.
I'm not a lawyer. These are just my personal thoughts. For now we all don't know for sure. Conclusion: Ask your lawyer.
Amen.
;-) Ciao, Michael.