Hello Denis, On 11/01/24 01:40, denis walker wrote:
So personal data does not always need consent of the data subject. But you only ever refer to (a) consent.
There are indeed other possible lawful bases than consent, and this fact is precisely why I wrote (emphasis added): «Publishing this information requires *a* lawful basis, *e.g.*, consent.» Consent is however the only lawful basis singled out by the RIPE NCC in the RIPE Database Terms and Conditions and in the 2023-04 Impact Analysis, so it seems reasonable to assume that some LIRs will seek consent. Therefore we need to examine what that actually means in practice. You sum it up quite accurately below:
If we take the latest revelation in the IA on 2023-04, ALL PII needs consent, this has HUGE implications for the RIPE NCC and RIPE policy generally. We MUST have a good understanding of the legal basis for entering PII into the RIPE Database. Consent cannot be conditional. So if a resource holder who is a natural person withdraws their consent to have their PII in the database, it MUST be removed. That may leave an allocation and organisation with no identity or contacts. That would be a policy violation. BUT the resource cannot be reclaimed as that would have made the consent conditional. Also we have an abuse policy that requires all resources to have an abuse contact. If that contact is a natural person and they withdraw their consent their details must be deleted. Again that creates a policy violation. But the resource cannot be reclaimed again as that would have made the contact details consent conditional.
Your conclusion that this situation results in a policy violation, is however entirely contingent on your interpretation of the current policy as mandating the publication of the End User's (non-delegated) contact information. Under the RIPE NCC's interpretation of the current policy, on the other hand, this situation is entirely unproblematic. Under their interpretation, the LIR has, quote, «freedom to take over the responsibility as the point of contact for their End User». No PII, no GDPR, no problem. https://www.ripe.net/ripe/mail/archives/address-policy-wg/2023-November/0138...
Again you have selected just one example that can support your argument, Farmer Fred. I could have used KPN or Apple Inc as an example which would negate your argument.
KPN or Apple would not be relevant examples, as they (presumably) would use non-personal NOC roles which are not PII, and thus out of scope of the GDPR. There are certainly many End Users whose contact information is not PII, but that does not «negate» the fact that there are also many End Users whose contact information *is* PII. Both types of End Users must be catered to by the address policy. Tore & Jeroen