So if I understand GDPR correctly: If I want a service/business to remove all my personal data, they have to comply with it in a certain timespan or get in trouble with the law.
If I understand federation correctly: All posts get replicated on federated instances all over the fediverse.
My question: If I e.g. want lemmy.world to remove my data, all my posts etc are still up on lemmy.ml right? As they just have a copy of these posts?
Would I as a customer have to contact every single instance to get my data removed? Or how does GDPR compliance work with lemmy?
Or am I completely misunderstanding how GDPR works?
I think you might have to contact all the instances yourself, depending on what the relationship between the instances is. Neither instance is really contracting with the other for data processing; it’s more like one instance publishes something and the other instances download and republish it, and everyone agrees that that is what they are supposed to do. So if you and your affiliates have to delete someone’s data from a GDPR demand, it can’t really apply to just other people who copied it?
I am, of course, three European lawyers in a trench coat, and this is impeccable legal advice that physically cannot be wrong.