https://community.isc2.org/t5/Privacy/GDPR-and-PKI/m-p/9284#M438 <P>Good Morning</P><P>&nbsp;</P><P>I think you are asking the wrong question.</P><P>&nbsp;</P><P>Do the companies in question do business in the EU? And if so, do&nbsp;they hold any information/collect any information&nbsp;regarding those customers?</P><P>&nbsp;</P><P>IE the type of business really does not matter.</P><P>&nbsp;</P><P>If so, then, IMO,&nbsp;these business'&nbsp;have compliance issues regarding GDPR. Even if&nbsp;they are not doing anything with that data you would still be considered a Data Controller and need to comply with GDPR requirements.</P><P>&nbsp;</P><P><U>I am not an expert</U> on GDPR. This is just my opinion.</P><P>&nbsp;</P><P>Thanks</P><P>Tim</P> Thu, 12 Apr 2018 11:43:47 GMT tsutherburg 2018-04-12T11:43:47Z https://community.isc2.org/t5/Privacy/GDPR-and-PKI/m-p/9268#M435 <P>Hi all,</P><P>I'm trying to understand the implication of GDPR for operators of&nbsp;publicly available PKIs.</P><P>&nbsp;</P><P>Should operators be considered data controllers?</P><P>&nbsp;</P><P>From Art.4 the definition of controller says: "determines the purposes and means of the processing of personal data". But in this case is really the operator "defining the purpose"?</P><P>&nbsp;</P><P>The operators are allowing/helping the data subject to publicly share a set of personal data with the entire Internet, is that considered processing?</P><P>&nbsp;</P><P>Thanks, vds</P><P>&nbsp;</P> Wed, 11 Apr 2018 19:38:13 GMT https://community.isc2.org/t5/Privacy/GDPR-and-PKI/m-p/9268#M435 vds 2018-04-11T19:38:13Z https://community.isc2.org/t5/Privacy/GDPR-and-PKI/m-p/9280#M436 <P>Hello</P><P>&nbsp;</P><P>It depends on type of data processing activity and ownership of the data.</P><P>&nbsp;</P><P>PKI operators could act as a data controller and processor depending on the&nbsp;nature of data processing and ownership.</P><P>&nbsp;</P><P>What aspect of data processing activity are you referring to?</P><P>&nbsp;</P><P>&nbsp;</P><P>Please provide examples.</P><P>&nbsp;</P><P>Thanks</P><P>Ash</P> Thu, 12 Apr 2018 10:13:36 GMT https://community.isc2.org/t5/Privacy/GDPR-and-PKI/m-p/9280#M436 ashishgangar 2018-04-12T10:13:36Z https://community.isc2.org/t5/Privacy/GDPR-and-PKI/m-p/9284#M438 <P>Good Morning</P><P>&nbsp;</P><P>I think you are asking the wrong question.</P><P>&nbsp;</P><P>Do the companies in question do business in the EU? And if so, do&nbsp;they hold any information/collect any information&nbsp;regarding those customers?</P><P>&nbsp;</P><P>IE the type of business really does not matter.</P><P>&nbsp;</P><P>If so, then, IMO,&nbsp;these business'&nbsp;have compliance issues regarding GDPR. Even if&nbsp;they are not doing anything with that data you would still be considered a Data Controller and need to comply with GDPR requirements.</P><P>&nbsp;</P><P><U>I am not an expert</U> on GDPR. This is just my opinion.</P><P>&nbsp;</P><P>Thanks</P><P>Tim</P> Thu, 12 Apr 2018 11:43:47 GMT https://community.isc2.org/t5/Privacy/GDPR-and-PKI/m-p/9284#M438 tsutherburg 2018-04-12T11:43:47Z