
Gitlab does not comply with GDPR - asciick
https://reddit.com/r/europrivacy/comments/8oymby/source_code_hoster_gitlab_is_not_respecing_the/
======
MatthewWilkes
They've most likely been misled by very poor advice on marketing
communications. Under GDPR a company can rely on "legitimate interest" as
their lawful basis for processing for marketing purposes. However, this
ignores the older PECR rules that say that electronic marketing requires
consent.

Requiring users to agree to a new privacy policy or updated terms and
conditions is obviously still fine. GDPR does not restrict companies from
requiring that their users agree to terms as part of their provision of
services.

As far as I can tell from this post, the only problem is that GitLab have used
the guidance for postal marketing when they're doing electronic marketing.
Yes, it's not compliant, but references to the UDHR and the general tone of
this suggest the user has a prior grievance and they're trying to over-inflate
this issue.

------
jhurewitz
GitLab has a strict opt in policy for processing personal information for
marketing for all users, even in jurisdictions where opt in is not required.
We very much respect the privacy of our users. With regard to services,
consent isn't required since the personal information we process is necessary
for providing the services. There seems to be confusion on what consent is
needed for.

------
brodock
Regarding the displaying of public activity in your public profile:

While we don't use any page tracking or anything like Google Analytics (or
equivalents like Piwik) in the application, nor is the activity generated from
that, we understand that there are people who would prefer to not have that
information publicly available:
[https://gitlab.com/gitlab-org/gitlab-ce/issues/38604](https://gitlab.com/gitlab-org/gitlab-ce/issues/38604)

On the other hand, some would like to opt-in to provide even more information
(in the form of the contribution calendar) to have their activity in private
projects counted as well:
[https://gitlab.com/gitlab-org/gitlab-ce/issues/14078](https://gitlab.com/gitlab-org/gitlab-ce/issues/14078)
(to match feature parity on how it works in GitHub).

We are listening and we intended no harm.

------
FollowSteph3
I wonder how long before the GDPR starts to act AND if it will have teeth...

~~~
johannes1234321
Since a week the teeth are active and lawyers started to send out their
letters. The two years with it being law without teeth are over.

~~~
rocci5
How do you think they'll try to regulate a non-EU company?

"Hey American incorporated company, we fine you EUR 150,000"

"K"

How would it be enforced?

~~~
johannes1234321
It can be enforced in multiple ways. For instance by going after the European
ad business or just yesterday a ruling of the European Court of Justice was
published stating that Europeans who run a "Facebook Page" take some of the
responsibility
[http://curia.europa.eu/juris/document/document.jsf?text=&doc...](http://curia.europa.eu/juris/document/document.jsf?text=&docid=202543&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=298398)
(this is not about GDPR, but older rights, but shows how European organizations
can go after US corps)

