GDPR and GitHub

With GDPR coming in just over a month, how will GitHub manage data removal requests from an EU user?  According to the new regulation, users have the ability to request complete removal of all data they’ve provided.  Our lawyers tell us that this includes code.  There is explicitly no grandfathering clause.

Will GitHub remain a stable platform if an EU resident files a removal request for their commits going back years?


This post was moved to a different board that fits your topic of discussion a bit better. This means you’ll get better engagement on your post, and it keeps our Community organized so users can more easily find information.

As you’ll notice, your Topic is now in the How to use Git and GitHub board. No action is needed on your part; you can continue the conversation as normal here.

1 Like

Thanks for reaching out to us about this.

GitHub is currently working towards GDPR readiness and we plan to be compliant by the time the law comes into effect on May 25, 2018. We’re not able to comment on what any specific processes and practices will look like at this time, but in the meantime you are welcome to review our current Privacy Statement and our Global Privacy Practices.

We are currently compliant with Privacy Shield, and you can view our compliance certificate here.

Additionally, GitHub is already compliant with GDPR in regards to in-scope data removal requests. So if there is something that you want help removing, please contact Support via the Contact Form.

I hope that helps and let us know if you have any further questions!

1 Like

Hi Lee-Dohm,

Is there already news on this issue?

If I understand correctly, we might need a contract by May 25 that covers details on data processing by GitHub on behalf of our company.

Best from Konstanz



See the announcement on the GitHub blog for details on this issue. From the blog post:

If you are a Corporate Terms of Service customer and you need a Data Protection Agreement with us, please contact support. We will be happy to provide one. Please understand that with the GDPR compliance deadline coming up, our volume of requests is high, but we will respond to you as promptly as possible

1 Like

I would also like to know more about this question, which doesn’t seem to be addressed anywhere:

@neilfraser wrote:


Will GitHub remain a stable platform if an EU resident files a removal request for their commits going back years?

Unfortunately, we’re not able to give legal advice. We recommend that you consult with your own legal counsel.

1 Like

I am not a lawyer, but as far as I understand, GDPR deals with the processing of personal data — such as Name, Sex, Addresses, E-Mail.

Most of your commits' actual payloads (such as bug fixes and code changes) are not personal data.

That is, apart from author information such as E-Mail and Name — which might well be covered under GDPR regulations.

For those, Article 17 “right to be forgotten” could apply, but most probably would not be applied for the reasons stated here:

Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:

(a) for exercising the right of freedom of expression and information;


(d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; […]

But big disclaimer: for actual legal advice, talk to a lawyer.

1 Like

The definition of Personal Data, in GDPR, seems to include Name and E-mail.

Article 4 (

  1. ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

1 Like

GitHub doesn’t seem to be complying with GDPR regulation. I sent multiple data removal requests and they keep dancing around it coming back to “the content is not in violation of our Terms of Service,” which has nothing to do with removal requests.