[gnso-rds-pdp-wg] CIRCL - Luxembourg CERT Statement on WHOIS

Tapani Tarvainen ncsg at tapani.tarvainen.info
Sat Apr 14 06:50:15 UTC 2018


On Apr 13 19:28, farzaneh badii (farzaneh.badii at gmail.com) wrote:

> the recital 49 of GDPR

> Let's look at the text:  "The processing of personal data to the extent
> strictly necessary and proportionate for the purposes of ensuring network
> and information security, i.e. the ability of a network or an information
> system to resist, at a given level of confidence, accidental events or
> unlawful or malicious actions that compromise the availability,
> authenticity, integrity and confidentiality of stored or transmitted
> personal data, and the security of the related services offered by, or
> accessible via, those networks and systems, by public authorities, by
> computer emergency response teams (CERTs), computer security incident
> response teams (CSIRTs), by providers of electronic communications networks
> and services and by providers of security technologies and services,
> constitutes a legitimate interest of the data controller concerned."
> 
> I am not clear whether this recital is actually talking about the public
> availability of data. It is talking about the processing of data.

Publication is just a special case of processing.

But the requirement "strictly necessary and proportionate" is a pretty
high bar, and I find it all but unthinkable that making personal details
publicly visible to the entire world would pass it.

Arguing that Article 32 justifies it is a bit surprising. At first
reading I reach exactly the opposite conclusion, taking the "risk" there
to mean risk to personal data, rather than as a general risk that
would justify less strict treatment of personal data.

-- 
Tapani Tarvainen

