44

Are name, surname and email in the Git commit history personal information according to the coming GDPR (General Data Protection Regulation), and is there any special treatment required?

Git is a distributed system and therefore it is probably impossible to have complete control of it - especially for open-source projects.

EDIT: It is also probably impossible to delete any information from the Git history. If the Git history contains any personal information, is it OK not to be able to erase the information on request?

feetwet
Oldrich Svec

2 Answers

10

I believe in this regard there is a legitimate interest to not delete this information.

You would have to perform a legitimate interest assessment, but for us (with private repositories) the reason would be to ensure that if in the future any malicious or illegal code was found that was knowingly committed to a repository, there is a trail and a way of understanding who did it.

rrrr-o
2

In the case of Git the user is submitting that data themselves along with the commit, so it is reasonable to assume they consent to it being stored since that is explicitly what they are asking the Git server to do.

Users may however withdraw that consent later on. For a site like GitHub where it is made clear that projects not marked as private may be distributed and copied by other users outside of GitHub's control, there is little that could be done. This is similar to DMCA infringements and the like - at most they can ask GitHub to scrub data from their systems, but can't expect GitHub to scrub other people's computers or the rest of the internet for them.

In general though Git does allow such information to be retroactively removed from commits, which would likely be a reasonable request, especially for private repos.

user