Hi everyone,
this e-mail is addressed to the RIPE NCC, but because they have continuously ignored the issues raised at the RIPE Meeting in Amsterdam, I am going to formally ask them to fix these things which, I believe, are not GDPR compliant.
1. Ticketing system
- when someone wants to open a ticket with the RIPE NCC, the only way to do that is by sending an e-mail. It would be stupid to ask users to send e-mail without attachments (in order to open the ticket) and then go to the LIR Portal and upload documents to that ticket but it seems the RIPE NCC is asking exactly that from the members.
- when someone sends an e-mail to the RIPE NCC and includes documents (RIPE NCC often requests company registration documents and - sometimes - copies of passports/IDs) the links to those documents hosted on Zendesk are returned to the sender and (sometimes) all the LIR contacts. If that e-mail is forwarded to anyone, it includes the Zendesk links and therefore anyone that receives the RIPE NCC e-mail or a forward of that e-mail will receive links to company registration documents and IDs of people.
I doubt this is GDPR compliant and I would like a response from the RIPE NCC on why they have not fixed this issue even if it was reported 4 months ago.
Several ways to fix this:
- e-mails sent by Zendesk should not include any link
- allow users to create tickets and communicate to the RIPE NCC via the LIR Portal and stop e-mail communication with members
2. RIPE DB
The RIPE NCC Customer Services Department forcefully (*) creates person objects in the RIPE Database _MAINTAINED BY THE MAINTAINER OF THE LIR!!!_ for the people that sign a contract with the RIPE NCC. It also forces companies that use role objects associated with their resources to actually have a person object referenced in the role object (so no circular reference or a reference to another role object). Why is the RIPE NCC using the LIR's maintainer to create users without even requesting the LIR's acceptance? What else is the RIPE NCC creating with the LIR's maintainer?
I was under the impression that creating and publishing thousands of person objects in the RIPE Database may not be GDPR compliant. Actually, there was a discussion in Amsterdam about this and the general understanding is that companies that do this will be contacted by the RIPE NCC to stop doing it and clean up their data. Well, who will listen to an organization that does exactly what they should not be doing?
Why would you need to use a person object in the RIPE DB if a role object is an option?
Oh, to make things worse, every time someone registers an additional LIR, the RIPE NCC keeps creating duplicate objects instead of re-using the ones already created *by them*.
Dear RIPE NCC, when will you update your procedures to be GDPR compliant?
(*) We have created the following objects in the RIPE Database for <LIR>'s public profile:
[...]
ORGANISATION:
https://apps.db.ripe.net/db-web-ui/#/lookup?source=ripe&key=<ORG>&type=organisation
MNTNER:
https://apps.db.ripe.net/db-web-ui/#/lookup?source=ripe&key=<MNT>&type=mntner
ROLE:
https://apps.db.ripe.net/db-web-ui/#/lookup?source=ripe&key=<ROLE>&type=role
ADMIN-C:
https://apps.db.ripe.net/db-web-ui/#/lookup?source=ripe&key=<PERSON>&type=person
TECH-C:
https://apps.db.ripe.net/db-web-ui/#/lookup?source=ripe&key=<PERSON>&type=person
Kind regards,
Elvis
--
Elvis Daniel Velea
V4Escrow LLC
Chief Executive Officer
E-mail: elvis@v4escrow.net
Mobile: +1 (702) 970 0921