Dear Sergey,

Thank you for your email. All personal data obtained by the RIPE NCC is handled in accordance with Dutch law and European Union data protection legislation, as required for an organisation operating in the Netherlands.

The RIPE NCC Privacy Statement is publicly available on the RIPE website, and describes the situations in which personal data may be requested and the RIPE NCC's responsibilities when handling such data:
http://www.ripe.net/legal/privacy-statement.html

Please note the following sections:
- "Except as described herein or when under a statutory duty to do so, the RIPE NCC does not share or transfer any personal data." [Section 2.1]
- "The RIPE NCC maintains a high level of physical security and protection for all its computer and network facilities, and, in particular, for those in which personal information may be stored." [Section 3]

As a registry, the RIPE NCC has a mandate to ensure the accuracy of our registration data. Verifying the identity of LIR representatives is directly relevant to this mandate.

I hope this clarifies the RIPE NCC's position in relation to this matter.

Best regards,

Andrew de la Haye
Chief Operations Officer, RIPE NCC





On Oct 20, 2010, at 11:25 AM, Sergey Myasoedov wrote:

Hello,

I would like to talk about personal data protection. After the audit process, NCC demands
that we send them, together with the contract, the ID of person who signs the End User
assignment contract (even if the contract is signed by a person on behalf of company).

It seems strange: the CEO of company that wants IP resources signs the contract, probably
stamps it and suddenly (!) RIPE NCC asks for the ID of CEO. We (LIR) have no choice on such
operations - we should request ID or RIPE NCC will not assign resources for our customers.

Even more, RIPE NCC requires scans of ID, and this action violates local laws in some
countries (for example, CZ or RU). In Russia, personal data can be processed only after a
special agreement (except some cases mentioned in the law), but we will send the ID images
without any special agreements to the NCC.

I tried to find some statements on data protection in the RIPE NCC or on any guarantee of
confidentiality, but no such information found in the standard service agreement or any
policy documents.

On these grounds, I would like to initiate a change. RIPE NCC should have data protection
procedures or RIPE NCC should not request personal IDs of third parties.


--
Sergey