[wwweston]

About GDPR: is it possible that holding data in a non-storage/volatile medium could be legally distinct from non-volatile storage, especially if it's essentially syncing with an authoriative data source that's responsible for managing GDPR? Because if not, it seems to me every proxy and persistence layer runs legal risks....

[jmnicolas]

To be honest I have no idea. But since our supplier still hasn't implemented the mandatory 4 months max data retention I'm not taking any risk.

[iovrthoughtthis]

No. GDPR covers any processing. Simply having the data pass through your machines / software makes you a part of the chain of processors / controllers.

They do.