On 04.01.22 at 08:39, Aki Tuomi wrote:
> We'll take a look at your patch. Can you please point to some legal information about the Received header's GDPR non-compliance? I would be interested to see it.
thanks for doing so.
the GDPR says about personal data: the EuGH has judged in 2016 (Patrick Breyer vs. Germany, C-582/14), that
- that only really needed data has to be stored
- that this data has to be used only for those declared needs
- that any other usage has to be prevented, especially by third-parties
an IP address can be personal data, because the person may be identified via this IP, so they have to be handled as such.
http://curia.europa.eu/juris/documents.jsf?num=C-582/14
therefore the possibility that others may, for example, see when a person was at a place (connected to an IP) has to be prevented, at least in Europe.
if such information is published for people with high email-activity, then it would be possible for everyone, who has access to this email (which might be really everyone on earth for example in archived mailing-lists) to track these people over the whole time.
for security reasons we're logging any submission request together with the origin IP in our logs for at least seven days. so any misuse of our service may be prosecuted even without storing this information in every email. In Germany some courts judged that if the police asks us for the IP, we have to store the log entry at least as long as a court needs to judge that we have to give it to the police. (I think this is a reasonable balance between protection of personal data and legitimate public interest)
if there are further questions on this topic I'll try to reply, but you should know that my English isn't that good, especially for explaining juridical things...
regards
d.