<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>A few questions regarding these questions:<br>
</p>
<div class="moz-cite-prefix">Am 25.05.2019 um 01:02 schrieb
<a class="moz-txt-link-abbreviated" href="mailto:Georgios.TSELENTIS@ec.europa.eu">Georgios.TSELENTIS@ec.europa.eu</a>:<br>
</div>
<blockquote type="cite"
cite="mid:7cc55f9f8eeb4ababc7bf5734b7c8bdf@ec.europa.eu">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.EmailStyle18
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;color:#1F497D;mso-fareast-language:EN-US">Dear
Caitlin, colleagues,<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;color:#1F497D;mso-fareast-language:EN-US">Please
find below questions on the topics of the legal memos from
the GAC:<o:p></o:p></span></p>
<p class="MsoNormal"><b><span
style="font-size:11.0pt;color:#1F497D;mso-fareast-language:EN-US">Accuracy<o:p></o:p></span></b></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;color:#1F497D;mso-fareast-language:EN-US">.
If current verification statistics provide that a large
number of data is inaccurate isn't that a metric to deduce
that the accuracy principle is not served in a reasonable
manner as demanded by the GDPR?</span></p>
</div>
</blockquote>
Please clarify the accuracy principle with regard to the obligations
of the data controller/data processor. For example, is this
principle directed at protecting third parties from the provision of
inaxccurate data by the data subject or at protecting the data
subject against incorrect processing by the processor/controller?
Does the principle provide for an obligation of the data
processor/controller to verify the accuracy of the data provided by
the data subject and make corrections without input from the data
subject?<br>
<blockquote type="cite"
cite="mid:7cc55f9f8eeb4ababc7bf5734b7c8bdf@ec.europa.eu">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;color:#1F497D;mso-fareast-language:EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;color:#1F497D;mso-fareast-language:EN-US">.
According to the GDPR all personal data are processed based
on the principle that they are necessary for the purpose for
which they are collected. If those data are necessary, how
can the purpose be served while the data are inaccurate?
</span></p>
</div>
</blockquote>
This question is too general as it clearly depends on the purpose
and cannot be answered without looking at each purpose individually.
<br>
<blockquote type="cite"
cite="mid:7cc55f9f8eeb4ababc7bf5734b7c8bdf@ec.europa.eu">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;color:#1F497D;mso-fareast-language:EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;color:#1F497D;mso-fareast-language:EN-US">.
How does the accuracy principle in connection to the
parties' liability has to be understood in light of the
accountability principle of the GDPR? What are the
responsibilities of ICANN and the contracted parties (who
are subject to the GDPR) under Chapter IV pf the GDPR? If
the contracted parties (as data controllers) engage third
entities as processors (e.g. to provide data back-up
services), what are the responsibilities of these entities?
</span></p>
</div>
</blockquote>
Do we really need to throw money at this obvious answer:
Sub-processors of proessors are bound by the same obligations under
the GDPR as the processors. <br>
<blockquote type="cite"
cite="mid:7cc55f9f8eeb4ababc7bf5734b7c8bdf@ec.europa.eu">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;color:#1F497D;mso-fareast-language:EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span
style="font-size:11.0pt;color:#1F497D;mso-fareast-language:EN-US">Natural
or non-natural persons<o:p></o:p></span></b></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;color:#1F497D;mso-fareast-language:EN-US">.
How is the (inaccurate or accurate) designation by the
registrant about her status as non-natural person considered
personal data information? If it's not is the analysis about
whether the accuracy principle applies relevant?</span></p>
</div>
</blockquote>
<p>As the data provided by the non-natural person registrant can
contain personal information of a natural person, can a
differentiation only by self-designated status of the registrant
grant absolute legal protection to contracted parties against
claims for unwanted publication of personal data contained in the
data provided by the non-natural person?<br>
</p>
<blockquote type="cite"
cite="mid:7cc55f9f8eeb4ababc7bf5734b7c8bdf@ec.europa.eu">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;color:#1F497D;mso-fareast-language:EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;color:#1F497D;mso-fareast-language:EN-US">.
How would the analysis provided take into account the
possibility for registrants who are natural persons to
"opt-in" for a full publication of their personal data?
Indeed it might be the case that some of these registrants
might wish to ensure their details are available on WHOIS.</span></p>
</div>
</blockquote>
What steps would be required to ensure that any opt-in solution is
sufficient consent for the publication of all data that may be
contained in a registration data set?<br>
<blockquote type="cite"
cite="mid:7cc55f9f8eeb4ababc7bf5734b7c8bdf@ec.europa.eu">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;color:#1F497D;mso-fareast-language:EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span
style="font-size:11.0pt;color:#1F497D;mso-fareast-language:EN-US">Technical
contact
<o:p></o:p></span></b></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;color:#1F497D;mso-fareast-language:EN-US">Most
of the issue for not allowing this seems to be around the
inability to verify if the RNH has obtained consent from the
technical contact. When the CP's verify the email address
could consent also be confirmed for the term of the
registration?
</span></p>
</div>
</blockquote>
<p>Is confirmation of consent obtained by email sufficient in all
cases to assume consent for publication of the personal
information of a data subject even if no verification of ownership
of that email address by the data subject can be performed?</p>
<blockquote type="cite"
cite="mid:7cc55f9f8eeb4ababc7bf5734b7c8bdf@ec.europa.eu">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;color:#1F497D;mso-fareast-language:EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span
style="font-size:11.0pt;color:#1F497D;mso-fareast-language:EN-US">General
question:<o:p></o:p></span></b></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;color:#1F497D;mso-fareast-language:EN-US">.
How could anonymisatio/pseudonymisation techniques be of
help in complying with the GDPR while also allowing for
additional disclosure of certain data elements? E.g. use of
anonymised/pseudonymised emails and names, in particular in
the context of registrations by legal persons.</span></p>
</div>
</blockquote>
Can anonymised/pseudonymised versions email (addresse)s and names
themselves be considered personal data, and if so, under what
circumstances?<br>
<blockquote type="cite"
cite="mid:7cc55f9f8eeb4ababc7bf5734b7c8bdf@ec.europa.eu">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;color:#1F497D;mso-fareast-language:EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
</div>
</blockquote>
<div class="moz-signature">-- <br>
Volker A. Greimann<br>
General Counsel and Policy Manager<br>
<strong style="border-bottom: 3px solid #5C46B5">KEY-SYSTEMS GMBH</strong><br>
<br>
T: +49 6894 9396901<br>
M: +49 6894 9396851<br>
F: +49 6894 9396851<br>
W: <a class="moz-txt-link-abbreviated" href="http://www.key-systems.net">www.key-systems.net</a><br>
<br>
Key-Systems GmbH is a company registered at the local court of
Saarbruecken, Germany with the registration no. HR B 18835<br>
CEO: Alexander Siffrin<br>
<br>
Part of the CentralNic Group PLC (LON: CNIC) a company registered
in England and Wales with company number 8576358.</div>
</body>
</html>