So if I understand GDPR correctly: If I want a service/business to remove all my personal data, they have to comply with it in a certain timespan or get in trouble with the law.

If I understand federation correctly: All posts get replicated on federated instances all over the fediverse.

My question: If I e.g. want lemmy.world to remove my data, all my posts etc are still up on lemmy.ml right? As they just have a copy of these posts?

Would I as a customer have to contact every single instance to get my data removed? Or how does GDPR compliance work with lemmy?

Or am I completely misunderstanding how GDPR works?

    • Firipu@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      13
      ·
      1 year ago

      It seems the GDRP does not agree with you:

      To what data do the EEA GDPR and the UK GDPR apply?

      The EEA GDPR and the UK GDPR apply to all "personal data,” which includes any information relating to a living, identified or identifiable person. Examples include name, SSN, other identification numbers, location data, IP addresses, online cookies, images, email addresses, and content generated by the data subject.

      Source

    • NeoLikesLemmy@lemmy.fmhy.ml
      link
      fedilink
      English
      arrow-up
      4
      arrow-down
      1
      ·
      1 year ago

      That’s not correct. The nickname is personal data, because it is possible to connect it to the person.

    • ritswd@lemmy.world
      link
      fedilink
      English
      arrow-up
      4
      arrow-down
      3
      ·
      edit-2
      1 year ago

      That is the correct answer. Companies abiding by the GDPR are not required to delete your account or content at all, only Personally Identifiable Information (PII). Lemmy instances are unlikely to ask for info such as real name, phone number, postal address, etc; the only PII I can think of is the email that some (not all) instances request. Since it’s not a required field on all instances, I’m going to guess that the value of this field does not travel to other instances.

      Therefore, if you invoked the GDPR to request your PII to be deleted, all that would need to happen is for the admin of your instance to overwrite the email field of your account with something random, and it would all be in compliance. Or they could also choose the delete your account, if they prefer.

      Source: I’m a software engineer who was tasked at some point with aligning multi-billion-dollar businesses to the GDPR, who had hundreds of millions of dollars in liability if they did it wrong and therefore took it very seriously. I am now a lawyer or a compliance officer, but we took our directions from them directly and across several companies, that’s what they all told us.