[tapland]

Possibly on the network facing side of the business in the form of logs that get purged when old, but I have yet to see any IMEIs, possibility to log texts, call histories etc, but if they are sent there will be a trail in the network.

Could probably send the GDPR-request to Huawei and Ericsson as well.

Just keeping track of phones permissions in the network 100 times/second is an insane amount of data, but there could be leaks/compromised systems somewhere in the User -> Apps -> Phone -> Network -> Provider chain.

[h0mEDw]

I'm not familiar with how GSM networks operate. Why would I send a request to Huawei or Ericsson? Don't they just provide networking equipment? Or do they also provide services, part of which may be relevant for end user privacy?

[jgibson]

My info may be a little dated, but yes, most of these companies (Huawei, Ericsson, Alcatel-Lucent, etc) also provide network services and ops to run the network.

[Jolter]

Disclaimer: I work at Ericsson but am not directly involved in any network operations.

Ericsson provides operations service for a number of telecom operators. This means, the operators own the equipment and make the decisions, while Ericsson does the maintenance, supervision and troubleshooting of the network. This is usually done on contracts of three to ten years, after which time the operator may choose to renew or to contract with one of our competitors.

I could certainly be wrong, but my impression is that in this scenario Ericsson is not the data custodian according to the GDPR. It would be interesting to know what the outcome is, if anyone were to make a GDPR request to my employer.

[h0mEDw]

Good to know, thank you! It should be enough to harass one's provider, but perhaps a more broad approach will work.