On 12/08/2024 15:48, Richard Brown wrote:
On 2024-08-12 13:52, Patrick Fitzgerald wrote:
On 12/08/2024 13:36, Richard Brown wrote:
On 2024-08-12 10:47, Patrick Fitzgerald wrote:
Richard Absolutely agree with Richard's points here. I think that the community has to see a bit more transparency on the foundation topic. It is much easier to release records than letting people speculate.
Agreed, and I am working on this. I forgot to mention that we are using the openSUSE TSP system, which I am unfamiliar with (and I don't believe that I even have access to, except to make requests). Doug is currently on vacation, so unless there is someone who can produce a report prior to his return.. the TSP side will have to wait. BUT everything TSP-related is in that database.
How are we handling the data protection and GDPR issues of this arrangement?
Use of the TSP platform is governed by the SUSE privacy policy as it requires use of SUSE's IDM tooling
https://www.suse.com/company/legal/
This document clearly states “We process your Personal Data solely within the SUSE Group unless we expressly inform you otherwise”
But if the TSP is being governed by the Geeko Foundation as you describe, where can I find the details of the data transfer policies between those organisations, and to whom would a GDPR right-to-be-forgotten request be sent, SUSE or the Geeko Foundation?
It is the same system! Managed by the same people (whoever they are at SUSE/oS) - I'm sure we'll either host the same system, or come up with our own. Right now, NOTHING has changed. We don't /govern/ it, we just /use/ it. So by extension, I would expect that everything of which you speak is still managed by SUSE.
Doug will know more. Once again, contributions are very welcome.
/p
The Geeko Foundation is a UK registered entity, is it not? Separate from the SUSE Group entities that are governed under that privacy policy.
If the Geeko Foundation is receiving money which it is then giving to TSP recipients, this must mean identifiable data is being transferred from SUSE/openSUSE to that UK registered legal entity in order to facilitate those payments.
Interesting point. I see what you are getting at, but this work is done by a SUSE employee.
There must be some policies, documentation and legal structure covering the transfer of information, no?
Well, it is documented on
* messages mostly on the openSUSE email system
* and GF Wise bank account
For example, how long does the Geeko Foundation retain the bank details of the TSP recipients it receives from SUSE?
Grey area actually. Stripe do all of our incoming payment processing, so don't hold anything, apart from what the bank keeps for their, and our, records. We don't hold any data ourselves except for those who opt-in to receiving emails, at the time of donation, and that is just their name and email address. For example, I can't even tell if /you/ have donated. My guess is.. not. But to quote the GDPR: "An individual has the right to have their personal data erased if: The personal data is no longer necessary for the purpose an organization originally collected or processed it."
I’m sure this sort of thing must have been thought of before SUSE started giving tons of money for the Geeko Foundation to administer via the TSP.. surely?
tons of money?? 😂 Richard, would you like to help by working with us to draft the kind of policies that make sense from your point of view, you are very welcome. Seriously. I'd rather engage in something constructive rather than this. How about you draft something and I'll get it checked, and put it on the website? Or we collaborate? That's what this community is all about, isn't it? The Foundation is very much a work in progress, moving as quickly as it can given the resources at its disposal. More resources (e.g., people's time) can only make it better.
/p