Hi all,
I'm trying to understand the implication of GDPR for operators of publicly available PKIs.
Should operators be considered data controllers?
From Art. 4, the definition of controller says: "determines the purposes and means of the processing of personal data". But in this case, is the operator really "defining the purpose"?
The operators are allowing/helping the data subject to publicly share a set of personal data with the entire Internet; is that considered processing?
Thanks, vds
Hello
It depends on the type of data processing activity and the ownership of the data.
PKI operators could act as a data controller and processor depending on the nature of data processing and ownership.
What aspect of data processing activity are you referring to?
Please provide examples.
Thanks
Ash
Good Morning
I think you are asking the wrong question.
Do the companies in question do business in the EU? And if so, do they hold any information/collect any information regarding those customers?
I.e., the type of business really does not matter.
If so, then, IMO, these businesses have compliance issues regarding GDPR. Even if they are not doing anything with that data, you would still be considered a Data Controller and need to comply with GDPR requirements.
I am not an expert on GDPR. This is just my opinion.
Thanks
Tim