> If this tweet is being interpreted as namecheap granting permission to someone to try and access customers' data, it actually is against GDPR for namecheap to do so.
I’m not sure that’s a credible interpretation, the CEO betting against you being able to work around their data protection measures does not turn you into a processor.
The big question is whether CEO betting against you being able to work around their data protection counts as namecheap permitting you to access that data.
If it does not (which IMHO is a reasonable interpretation), there is no issue and that's just empty boasting. But if it does, that's a violation - GDPR prohibits namecheap to allow anyone outside of company to handle that data without a proper controller-processor contract.
Not being a processor is a bad thing in this case, because being a processor is the only way how this can proceed legally. If you're not a processor, it's a violation for namecheap to give you that data; and if you're not a processor, it's a violation for you to process that data since you're also not a controller, you did not legally obtain this from the data subject, this is also not a purely household activity, no other exceptions seem to apply so the default condition applies i.e. that it's illegal for you to handle that data as you have no legal basis permitting it. (GDPR is a deny-by-default law; processing of private data is lawful if and only if specific conditions listed in GDPR are met. If some private data 'fell out of a truck', you can't legally do stuff with it).
I’m not sure that’s a credible interpretation, the CEO betting against you being able to work around their data protection measures does not turn you into a processor.