[Gnso-epdp-team] For your review - Clarifying Legal Questions Table

Volker Greimann vgreimann at key-systems.net
Mon May 27 13:55:38 UTC 2019


A few questions regarding these questions:

On 25.05.2019 at 01:02, Georgios.TSELENTIS at ec.europa.eu wrote:
>
> Dear Caitlin, colleagues,
>
> Please find below questions on the topics of the legal memos from the GAC:
>
> *Accuracy*
>
> . If current verification statistics provide that a large number of 
> data is inaccurate isn't that a metric to deduce that the accuracy 
> principle is not served in a reasonable manner as demanded by the GDPR?
>
Please clarify the accuracy principle with regard to the obligations of 
the data controller/data processor. For example, is this principle 
directed at protecting third parties from the provision of inaccurate 
data by the data subject or at protecting the data subject against 
incorrect processing by the processor/controller? Does the principle 
provide for an obligation of the data processor/controller to verify the 
accuracy of the data provided by the data subject and make corrections 
without input from the data subject?
>
> . According to the GDPR all personal data are processed based on the 
> principle that they are necessary for the purpose for which they are 
> collected. If those data are necessary, how can the purpose be served 
> while the data are inaccurate?
>
This question is too general as it clearly depends on the purpose and 
cannot be answered without looking at each purpose individually.
>
> . How does the accuracy principle in connection to the parties' 
> liability have to be understood in light of the accountability 
> principle of the GDPR? What are the responsibilities of ICANN and the 
> contracted parties (who are subject to the GDPR) under Chapter IV of 
> the GDPR? If the contracted parties (as data controllers) engage third 
> entities as processors (e.g. to provide data back-up services), what 
> are the responsibilities of these entities?
>
Do we really need to throw money at this obvious answer: Sub-processors 
of processors are bound by the same obligations under the GDPR as the 
processors.
>
> *Natural or non-natural persons*
>
> . How is the (inaccurate or accurate) designation by the registrant 
> about her status as non-natural person considered personal data 
> information? If it's not is the analysis about whether the accuracy 
> principle applies relevant?
>
As the data provided by the non-natural person registrant can contain 
personal information of a natural person, can a differentiation only by 
self-designated status of the registrant grant absolute legal protection 
to contracted parties against claims for unwanted publication of 
personal data contained in the data provided by the non-natural person?

> . How would the analysis provided take into account the possibility 
> for registrants who are natural persons to "opt-in" for a full 
> publication of their personal data? Indeed it might be the case that 
> some of these registrants might wish to ensure their details are 
> available on WHOIS.
>
What steps would be required to ensure that any opt-in solution is 
sufficient consent for the publication of all data that may be contained 
in a registration data set?
>
> *Technical contact*
>
> Most of the issue for not allowing this seems to be around the 
> inability to verify if the RNH has obtained consent from the technical 
> contact. When the CPs verify the email address could consent also be 
> confirmed for the term of the registration?
>
Is confirmation of consent obtained by email sufficient in all cases to 
assume consent for publication of the personal information of a data 
subject even if no verification of ownership of that email address by 
the data subject can be performed?

> *General question:*
>
> . How could anonymisation/pseudonymisation techniques be of help in 
> complying with the GDPR while also allowing for additional disclosure 
> of certain data elements? E.g. use of anonymised/pseudonymised emails 
> and names, in particular in the context of registrations by legal persons.
>
Can anonymised/pseudonymised versions of email addresses and names 
themselves be considered personal data, and if so, under what circumstances?
>
-- 
Volker A. Greimann
General Counsel and Policy Manager
*KEY-SYSTEMS GMBH*

T: +49 6894 9396901
M: +49 6894 9396851
F: +49 6894 9396851
W: www.key-systems.net

Key-Systems GmbH is a company registered at the local court of 
Saarbruecken, Germany with the registration no. HR B 18835
CEO: Alexander Siffrin

Part of the CentralNic Group PLC (LON: CNIC) a company registered in 
England and Wales with company number 8576358.