undefined | Better HN

0 pointsDanBC7y ago0 comments

No. That article says you only need a DPO if you're a public authority or if you're processing certain data or you're processing very large amounts of data.

I'm struggling to understand why that's unclear. Is it the use of "public authority or body"?

0 comments

CobrastanJorji7y ago

Monal is an XMPP chat system. User's messages are user data, and everything it does is processing that data, in the form of broadcasting it. I suppose as long as the data doesn't count as "very large", that'd be fine, but what does very large mean?

DanBCOP7y ago

He's not monitoring the data.

He's not handling sensitive personal data.

He doesn't need a DPO.

See also the derogation for micro companies:

https://gdpr-info.eu/recitals/no-13/

> To take account of the specific situation of micro, small and medium-sized enterprises, this Regulation includes a derogation for organisations with fewer than 250 employees with regard to record-keeping.

JangoSteve7y ago

For some reason, I can't reply to Max_aaa's question directly.

> How do you guaranty that nothing in the messages being handled by the server is "sensitive personal data".

You guarantee it by reading the rest of GDPR. It defines sensitive personal data separately than personal data. Sensitive personal data is defined by GDPR to be things that can be used to discriminate against the individual, such as race, ethnicity, religion, health information, credit information, age, etc.

EDIT: And what I mean to say is that if the messages aren't passing through the server or being stored on the servers, then the only info being handled by the server is the meta-data including IP address, which is not included in GDPR's definition of _sensitive_ personal data.

Max_aaa7y ago

> He's not handling sensitive personal data.

How do you guaranty that nothing in the messages being handled by the server is "sensitive personal data".

1 more reply

dragonwriter7y ago

It's not “processing user data on a large scale” that requires a DPO, but “processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.”

Hamuko7y ago

>Even though no message traffic passes through Monal’s sever

Sounds to me like they are not a) processing b) collecting message data.

j / k navigate · click thread line to collapse