So if I understand GDPR correctly: If I want a service/business to remove all my personal data, they have to comply with it in a certain timespan or get in trouble with the law.

If I understand federation correctly: All posts get replicated on federated instances all over the fediverse.

My question: If I e.g. want lemmy.world to remove my data, all my posts etc are still up on lemmy.ml right? As they just have a copy of these posts?

Would I as a customer have to contact every single instance to get my data removed? Or how does GDPR compliance work with lemmy?

Or am I completely misunderstanding how GDPR works?

  • Hotzilla@sopuli.xyz
    link
    fedilink
    English
    arrow-up
    4
    arrow-down
    1
    ·
    1 year ago

    This is incorrect, GDPR is any registery, company size or even profit/nonprofit is not relevant. Even it being digital/in paper is not relevant. If EU citizen is identifiable in registery, it must comply with GDPR.

    • oatmilkmaid@possumpat.io
      link
      fedilink
      English
      arrow-up
      3
      ·
      edit-2
      1 year ago

      Apologies and thank you for the clarification, I was reading an earlier draft of GDPR that had information on companies with fewer than 250 employees. Not sure how Lemmy instances fall under this though, do you know?

      Businesses that are not engaged in processing of the personal data listed in Article 9 or Article 10 do not need to appoint a data protection officer (DPO or DPO as a Service) unless they are engaged in regular and systematic monitoring of data subjects on a “large scale”.

      • Hotzilla@sopuli.xyz
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        That quote from GDPR talks about specific job role that large company is by-law requires to have, called data protection officer. He/She is responsible that company is GDPR compliant.