add tutanota.toml corrections #138
Conversation
Thanks for submitting this pull request. @milesmcc has been assigned to review these changes, provide feedback, and determine next steps. If you haven't already, please ensure your changes pass all the automated tests. Look in the "Checks" box below and "Files changed" tab to see test results. To learn about the PrivacySpy contribution process, check out the contribution guide.
So this brings up an interesting case: What do we do when a company is legally required to follow certain rules based on their jurisdiction, but do not explicitly say so in their privacy policy? We've dealt with this question before, but it's worth reconsidering. @doamatto and @ibarakaiev — what do you all think?
products/tutanota.toml
Outdated
notes = [ | ||
"Although their imprint describes them being based in Germany, Tutanota does not comply with Article 33 of the GDPR." | ||
"Tutanota is based in Germany so it is legally obliged to notify users of data breaches, even if not listed in the privacy policy." |
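Review bot: the replacement note claims Tutanota is "legally obliged to notify users of data breaches", but the GDPR Article 33 text quoted in this thread obliges the controller to notify the supervisory authority, not the affected users, so the new wording does not follow from the provision it replaces. Either cite the provision that actually covers communication to users, or reword the note to say the obligation is to notify the supervisory authority; as written, the "correction" swaps one inaccurate statement for another.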
I don't think this is quite right — our interpretation of GDPR article 33 is that the company must notify the supervisory authority, not users themselves:
In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
Supervisory authority is defined in Art. 4, §22 and Art. 51
’supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51
There are really two ways to think of it: we can assume they’d play by the rules that they will notify of breaches, even if they don’t explicitly say they will, or we can have their word, per se, that they will. I can’t say that I’m in favour of the optimistic or pessimistic view, but I do think it should be explicitly mentioned that they follow the policy.
Type of pull request: product edit
Related issues: N/A
There are a few inaccuracies and/or misleading statements in the Tutanota survey.