51

I just got one of those GDPR mails from gitlab.com, which pointed me to a Web page where I had to accept some terms and conditions. The same as everywhere, except this passage:

(For GitLab Contributors Only) As part of my voluntary contribution to any GitLab project, I acknowledge and agree that my name and email address will become embedded and part of the code, which may be publicly available. I understand the removal of this information would be impermissibly destructive to the project and the interests of all those who contribute, utilize, and benefit from it. Therefore, in consideration of my participation in any project, I hereby waive any right to request any erasure, removal, or rectification of this information under any applicable privacy or other law and acknowledge and understand that providing this information is a requirement under the agreement to contribute to the GitLab project.

As far as I understood GDPR, this passage is just plain bollocks and they're trying to get away with arguably the most difficult bit of GDPR, especially if you consider their argument. I can feel their pain, but it also just doesn't feel like this is made possible by GDPR and if GitLab would deny or not completely fulfil such a deletion request, it would be liable to litigation. Am I correct in this?

Note: I'm not trying to put GitLab in a bad spot here, they're just the first (only?) ones that included this kind of passage in their agreement.

sleske
rubenvb

2 Answers

72

Yes, their waiver has no legal basis and is invalid under the GDPR. They should have hired a better lawyer.

GDPR rights cannot be waived (mrllp.com).

The last bit should have been:

Therefore, in consideration of my participation in any project, I understand that retaining my name and email address, as described above, does not require my consent and that the right of erasure, as spelled out in the GDPR Article 17 (1) b does not apply. The legal basis for our lawful processing of this personal data is Article 6 (1) f ("processing is necessary for the purposes of the legitimate interests pursued by the controller").

I.e. there is nothing in the GDPR that compels GitLab to erase this information, but their waiver is bogus.

Keeping track of individual contributions in a software project is necessary for a number of reasons, including security (if somebody contributes code that jeopardizes security, you want to audit everything that person has contributed).

Free Radical
5

(Please note that I am a random guy on the internet, not a lawyer)

Although the GDPR seems rather ill-conceived, they managed to cover this part OK:

(3) Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:

...

e) legal claims.

It's already established that contributions to software are an act of writing, making you the author, with author rights and copyrights that have been established in law over the course of the past 500 years. The copyright can be granted or sold (automatically if someone is paying you for it), but the author rights cannot be waived. (The idea being someone cannot sue an author and legally take their authorship away, even if the author owes them money).

Thus the record of who-wrote-what is a legal claim and cannot be removed.

I can feel their pain, but it also just doesn't feel like this is made possible by GDPR and if GitLab would deny or not completely fulfil such a deletion request, it would be liable to litigation. Am I correct in this?

GitLab does not have the right to edit a contributor list to a codebase they do not own. It would be illegal for them to fulfill a deletion request. GDPR does not apply to the contributor list.

IKM