On 7. Oct 2020, at 21:59, Gerald Pfeifer <gp@suse.com> wrote:
== Data protection officer for openSUSE ==
* Not strictly necessary as of today, though desirable; latest with a
Foundation openSUSE will need a data protection officer.
* Gerald is waiting for a brief role description.
* Will then share that and a request for volunteer(s) with project@.
Under most legislations that have some clear jurisdictions over the openSUSE Project, a Data Protection Officer is a legally defined role that has very clear requirements and protections. For example in the UK:
- The DPO must be independent, an expert in data protection, adequately resourced, and report to the highest management level.
UK guidance on this topic is very clear - an organisation that fails to appoint a DPO with sufficient professional expertise can be judged to be failing its obligations under Data Protection legislation.
In our case where openSUSE (as a result of its close relationship with SUSE), this responsibility would mean someone with sufficient professional expertise in not only the UK, but (after 1 Jan 2021) also the rest of the EU, which may develop its laws differently, and also the US.
While, luckily, all legislation I’m aware of doesn’t transfer liability of the organisation onto its DPOs (i.e. the Foundation will be legally responsible in the event of a DPO failing to do their job properly), I think it will be a tall order to find a volunteer for such an important and complicated role.
Don’t most foundations pay for a DPO?
Regards
Richard