vds
Newcomer I

GDPR and PKI

Hi all,

I'm trying to understand the implication of GDPR for operators of publicly available PKIs.

 

Should operators be considered data controllers?

 

From Art. 4, the definition of controller says: "determines the purposes and means of the processing of personal data". But in this case, is the operator really "defining the purpose"?

 

The operators are allowing/helping the data subject to publicly share a set of personal data with the entire Internet. Is that considered processing?

 

Thanks, vds

 

https://www.linkedin.com/in/vincenzo-di-somma-80b4a72/
2 Replies
ashishgangar
Viewer

Hello

 

It depends on the type of data processing activity and ownership of the data.

 

PKI operators could act as a data controller and processor depending on the nature of data processing and ownership.

 

What aspect of data processing activity are you referring to?

 

 

Please provide examples.

 

Thanks

Ash

tsutherburg
Newcomer I

Good Morning

 

I think you are asking the wrong question.

 

Do the companies in question do business in the EU? And if so, do they hold any information/collect any information regarding those customers?

 

I.e., the type of business really does not matter.

 

If so, then, IMO, these businesses have compliance issues regarding GDPR. Even if they are not doing anything with that data, you would still be considered a Data Controller and need to comply with GDPR requirements.

 

I am not an expert on GDPR. This is just my opinion.

 

Thanks

Tim