<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Thank you Leon, <br>
</p>
<p>I do note that the legal vs. natural question has been discussed
to death and I object to re-opening this issue as part of the
legal questions. I do not believe that this question will provide
any benefit to our deliverations regardless of the response and
would only serve to further delay the ultimate result of our work
due to the debates that will likely follow. <br>
</p>
<p>I also disagree with some of the statements made with regard to
the first question. Whether such parties have a legitimate
interest or not is not something that should be asserted but must
first be questioned and then proven in every single case a request
is being made. <br>
</p>
<p>As for sub-question c, the identity of a requestor is an
important part of the information of the data subject as he would
not be able to exercise his rights if he does not know where and
by whom his data is processed. <br>
</p>
<p>For subquestion d, the decision of whether to release the data to
a requestor lies with the data controller regardless of whether
the data subject objects. <br>
</p>
<p>I do not understand what is meant by subquestion e. <br>
</p>
<p>Best regards,</p>
<p>Volker <br>
</p>
<div class="moz-cite-prefix">Am 27.09.2019 um 19:46 schrieb Leon
Sanchez:<br>
</div>
<blockquote type="cite"
cite="mid:FDDC36A4-A518-4825-BBAC-28CB6A5AE7F6@board.icann.org">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
Dear colleagues,
<div class=""><br class="">
</div>
<div class="">Below you will find a submission from SSAC for our
consideration.</div>
<div class=""><br class="">
</div>
<div class="">Dear support staff,</div>
<div class=""><br class="">
</div>
<div class="">Could you please add these questions to the roster
and include them in future call agendas?</div>
<div class=""><br class="">
</div>
<div class="">Kind regards,</div>
<div class=""><br class="">
</div>
<div class="">León<br class="">
<div><br class="">
<blockquote type="cite" class="">
<div class="">Inicio del mensaje reenviado:</div>
<br class="Apple-interchange-newline">
<div style="margin-top: 0px; margin-right: 0px;
margin-bottom: 0px; margin-left: 0px;" class=""><span
style="font-family: -webkit-system-font, Helvetica Neue,
Helvetica, sans-serif; color:rgba(0, 0, 0, 1.0);"
class=""><b class="">De: </b></span><span
style="font-family: -webkit-system-font, Helvetica Neue,
Helvetica, sans-serif;" class="">"Greg Aaron" <<a
href="mailto:greg@illumintel.com" class=""
moz-do-not-send="true">greg@illumintel.com</a>><br
class="">
</span></div>
<div style="margin-top: 0px; margin-right: 0px;
margin-bottom: 0px; margin-left: 0px;" class=""><span
style="font-family: -webkit-system-font, Helvetica Neue,
Helvetica, sans-serif; color:rgba(0, 0, 0, 1.0);"
class=""><b class="">Asunto: </b></span><span
style="font-family: -webkit-system-font, Helvetica Neue,
Helvetica, sans-serif;" class=""><b class="">questions
for Bird & Bird</b><br class="">
</span></div>
<div style="margin-top: 0px; margin-right: 0px;
margin-bottom: 0px; margin-left: 0px;" class=""><span
style="font-family: -webkit-system-font, Helvetica Neue,
Helvetica, sans-serif; color:rgba(0, 0, 0, 1.0);"
class=""><b class="">Fecha: </b></span><span
style="font-family: -webkit-system-font, Helvetica Neue,
Helvetica, sans-serif;" class="">27 de septiembre de
2019, 12:43:02 GMT-5<br class="">
</span></div>
<div style="margin-top: 0px; margin-right: 0px;
margin-bottom: 0px; margin-left: 0px;" class=""><span
style="font-family: -webkit-system-font, Helvetica Neue,
Helvetica, sans-serif; color:rgba(0, 0, 0, 1.0);"
class=""><b class="">Para: </b></span><span
style="font-family: -webkit-system-font, Helvetica Neue,
Helvetica, sans-serif;" class=""><<a
href="mailto:gnso-epdp-team@icann.org" class=""
moz-do-not-send="true">gnso-epdp-team@icann.org</a>>,
<<a href="mailto:leon.sanchez@board.icann.org"
class="" moz-do-not-send="true">leon.sanchez@board.icann.org</a>><br
class="">
</span></div>
<br class="">
<div class="">
<div class="WordSection1" style="page: WordSection1;
caret-color: rgb(0, 0, 0); font-family: Helvetica;
font-size: 12px; font-style: normal; font-variant-caps:
normal; font-weight: normal; letter-spacing: normal;
text-align: start; text-indent: 0px; text-transform:
none; white-space: normal; word-spacing: 0px;
-webkit-text-stroke-width: 0px; text-decoration: none;">
<div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
font-family: Calibri, sans-serif;" class="">Dear Leon
et al:<o:p class=""></o:p></div>
<div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
font-family: Calibri, sans-serif;" class=""><o:p
class=""> </o:p></div>
<div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
font-family: Calibri, sans-serif;" class="">Following
up on the first round of answers from Bird & Bird
and the F2F, SSAC would like to following to be
reviewed by the legal sub-team and sent to Bird &
Bird. We’ve tried to make sure that these are new
questions and are not duplicative of info we got from
the first batch. The SSAC team feels these are
important questions to ask per the current work and
the charter.<o:p class=""></o:p></div>
<div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
font-family: Calibri, sans-serif;" class=""><o:p
class=""> </o:p></div>
<div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
font-family: Calibri, sans-serif;" class="">BALANCING,
AND RIGHT TO OBJECT:<o:p class=""></o:p></div>
<div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
font-family: Calibri, sans-serif;" class="">
The defense of networks, the prevention of fraud,
resisting cybercrime, and indicating possible criminal
acts or threats to public security to a competent
authority are tasks performed by third parties who are
not law enforcement or government agencies. Such
parties have legitimate interests in making data
requests under GDPR, notably under Article 6(1)f; see
also Recitals 47, 49, and 50. We are considering
balancing where the data subject may be infringing
upon the rights of others, and the safety of
third-party requestors who deal with cybercrime. The
third-party purposes above also require timely
responses to data requests.<o:p class=""></o:p></div>
<div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
font-family: Calibri, sans-serif;" class="">Assume
that registrars notify their registrants up-front of
the purposes of data collection, under what
circumstances the data may be released, the right to
object, etc. <span class="Apple-converted-space"> </span><o:p
class=""></o:p></div>
<div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
font-family: Calibri, sans-serif;" class="">a.
When a data controller receives a legitimate
third-party data request, under what circumstances is
the controller required under GDPR to explicitly
notify the data subject that a request has occurred,
and/or that it has provided data to a third party?<span
class="Apple-converted-space"> </span><o:p class=""></o:p></div>
<div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
font-family: Calibri, sans-serif;" class="">b.
Under what circumstances do data subjects
have the right to object under GDPR to the release of
their data to third parties? Per Bird & Bird's
Question 3 memo, ICANN's use cases do not involve
profiling or highly sensitive data categories (race,
political affiliation, etc.), and "a decision to
release information via the SSAD is would not in
itself have legal effect on the data subject."<o:p
class=""></o:p></div>
<div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
font-family: Calibri, sans-serif;" class="">c.
Are data controllers ever required to
notify the data subject of the<span
class="Apple-converted-space"> </span><i class="">identity</i><span
class="Apple-converted-space"> </span>of a
third-party requestor?<o:p class=""></o:p></div>
<div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
font-family: Calibri, sans-serif;" class="">d.
Please confirm: when a data subject objects
to processing, the decision to release the data
resides with the data controller?<span
class="Apple-converted-space"> </span><o:p class=""></o:p></div>
<div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
font-family: Calibri, sans-serif;" class="">e.
If a registrant must be notified of a
request and then be given the opportunity to object,
please explain how this process can be reconciled with
or integrated into a SSAD that is designed to provide
timely data exchange when possible and does not
involve "a decision based solely on automated
processing". (See Bird & Bird's Question 3 memo,
paragraph 1.12.) <span class="Apple-converted-space"> </span><o:p
class=""></o:p></div>
<div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
font-family: Calibri, sans-serif;" class=""><o:p
class=""> </o:p></div>
<div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
font-family: Calibri, sans-serif;" class="">LEGAL
VERSUS NATURAL PERSONS:<o:p class=""></o:p></div>
<div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
font-family: Calibri, sans-serif;" class="">Registration
data submitted by legal person registrants may contain
the data of natural persons. For example the contact
data they provide may include a natural person's name
and email address. Legal person registrants also have
the ability to publish non-personally identifiable
contact data ("<a href="mailto:admin@companyname.com"
style="color: rgb(149, 79, 114); text-decoration:
underline;" class="" moz-do-not-send="true">admin@companyname.com</a>")
should they desire.<o:p class=""></o:p></div>
<div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
font-family: Calibri, sans-serif;" class="">If
registrants are required to self-identify as either a
natural or legal person, then:<o:p class=""></o:p></div>
<div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
font-family: Calibri, sans-serif;" class="">a.
Can registrars rely on that self-identification? <span
class="Apple-converted-space"> </span><o:p class=""></o:p></div>
<div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
font-family: Calibri, sans-serif;" class="">b.
Can registrars make the contact data submitted by
legal person registrants publicly available in RDS
(WHOIS), by stating that it is the responsibility of a
legal person registrant to obtain consent from any
natural person whose data it submits? <span
class="Apple-converted-space"> </span><o:p class=""></o:p></div>
<div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
font-family: Calibri, sans-serif;" class="">Please
state any considerations, such as the ability of the
registrant to correct its data.<o:p class=""></o:p></div>
<div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
font-family: Calibri, sans-serif;" class="">As part of
the analysis, please examine the policies of the
Internet protocol (IP address) registries RIPE NCC
(the registry in Europe, based in the Netherlands) and
ARIN (the registry in North America, which has
customer contacts in Europe). These registries
publish the data of natural persons who are subject to
the GDPR, publicly via their WHOIS services, by
placing the choice and responsibility on their
registrants, who are legal persons. IP addresses and
domain names are two sides of the same coin, and these
IP address registries state mission justifications and
collection purposes similar to those in ICANN's
Temporary Specification. See:<o:p class=""></o:p></div>
<div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
font-family: Calibri, sans-serif;" class="">1) “How
We're Implementing the GDPR: Legal Grounds for Lawful
Personal Data Processing and the RIPE Database”:<o:p
class=""></o:p></div>
<div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
font-family: Calibri, sans-serif;" class=""><a
href="https://labs.ripe.net/Members/Athina/gdpr-legal-grounds-for-lawful-personal-data-processing-and-the-ripe-database"
style="color: rgb(149, 79, 114); text-decoration:
underline;" class="" moz-do-not-send="true">https://labs.ripe.net/Members/Athina/gdpr-legal-grounds-for-lawful-personal-data-processing-and-the-ripe-database</a><o:p
class=""></o:p></div>
<div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
font-family: Calibri, sans-serif;" class="">2) “How
We're Implementing the GDPR: The RIPE Database”:<span
class="Apple-converted-space"> </span><a
href="https://labs.ripe.net/Members/Athina/how-we-re-implementing-the-gdpr-the-ripe-database"
style="color: rgb(149, 79, 114); text-decoration:
underline;" class="" moz-do-not-send="true">https://labs.ripe.net/Members/Athina/how-we-re-implementing-the-gdpr-the-ripe-database</a><o:p
class=""></o:p></div>
<div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
font-family: Calibri, sans-serif;" class="">3)
"Personal Data Privacy Considerations At ARIN":<span
class="Apple-converted-space"> </span><a
href="https://teamarin.net/2018/03/20/personal-data-privacy-considerations-at-arin/"
style="color: rgb(149, 79, 114); text-decoration:
underline;" class="" moz-do-not-send="true">https://teamarin.net/2018/03/20/personal-data-privacy-considerations-at-arin/</a><o:p
class=""></o:p></div>
<div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
font-family: Calibri, sans-serif;" class="">4) ARIN
"Data Accuracy":<span class="Apple-converted-space"> </span><a
href="https://www.arin.net/reference/materials/accuracy/" style="color:
rgb(149, 79, 114); text-decoration: underline;"
class="" moz-do-not-send="true">https://www.arin.net/reference/materials/accuracy/</a><o:p
class=""></o:p></div>
<div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
font-family: Calibri, sans-serif;" class="">5) ARIN
Registration Services Agreement, paragraph 3:<span
class="Apple-converted-space"> </span><a
href="https://www.arin.net/about/corporate/agreements/rsa.pdf"
style="color: rgb(149, 79, 114); text-decoration:
underline;" class="" moz-do-not-send="true">https://www.arin.net/about/corporate/agreements/rsa.pdf</a><o:p
class=""></o:p></div>
<div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
font-family: Calibri, sans-serif;" class="">6) ARIN
Privacy Policy:<span class="Apple-converted-space"> </span><a
href="https://www.arin.net/about/privacy/"
style="color: rgb(149, 79, 114); text-decoration:
underline;" class="" moz-do-not-send="true">https://www.arin.net/about/privacy/</a></div>
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Gnso-epdp-legal mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Gnso-epdp-legal@icann.org">Gnso-epdp-legal@icann.org</a>
<a class="moz-txt-link-freetext" href="https://mm.icann.org/mailman/listinfo/gnso-epdp-legal">https://mm.icann.org/mailman/listinfo/gnso-epdp-legal</a>
_______________________________________________
By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (<a class="moz-txt-link-freetext" href="https://www.icann.org/privacy/policy">https://www.icann.org/privacy/policy</a>) and the website Terms of Service (<a class="moz-txt-link-freetext" href="https://www.icann.org/privacy/tos">https://www.icann.org/privacy/tos</a>). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.</pre>
</blockquote>
<div class="moz-signature">-- <br>
Volker A. Greimann<br>
General Counsel and Policy Manager<br>
<strong style="border-bottom: 3px solid #5C46B5">KEY-SYSTEMS GMBH</strong><br>
<br>
T: +49 6894 9396901<br>
M: +49 6894 9396851<br>
F: +49 6894 9396851<br>
W: <a class="moz-txt-link-abbreviated" href="http://www.key-systems.net">www.key-systems.net</a><br>
<br>
Key-Systems GmbH is a company registered at the local court of
Saarbruecken, Germany with the registration no. HR B 18835<br>
CEO: Alexander Siffrin<br>
<br>
Part of the CentralNic Group PLC (LON: CNIC) a company registered
in England and Wales with company number 8576358.</div>
</body>
</html>