In our third article on the GDPR, we’re looking at the legal basis for processing personal data in the RIPE Database when it refers to an individual resource holder or contact person. We will also outline the relevant obligations of the responsible parties.
Legal grounds for lawful personal data processing
In order for the processing of personal data to be lawful, it must be done on a legitimate basis, as defined in Article 6.1 of the GDPR:
‘Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.’
Personal data of a resource holder
As our previous article mentioned, the RIPE NCC has a mandate from the RIPE community to register and distribute Internet number resources and maintain an Internet number resource registry. While the RIPE community defined the purposes of the RIPE Database, the RIPE NCC is responsible for operating it.
The RIPE Database contains registration information about Internet number resources and, in particular, information about the natural or legal persons that hold these resources. The contact details consist of (legal) name, (business) email address, (business) phone and fax numbers, and (business) legal and postal address(es).
Contact details of the parties responsible for specific Internet number resources are essential for the smooth and uninterrupted operation of the Internet and connectivity. The RIPE Database facilitates communication between the people responsible for networks to address technical issues, allowing for quick coordination between operators that do not have a direct relationship.
For the purpose described above, it is clear that the processing of personal data referring to a resource holder is necessary for the performance of the registry function, which is carried out in the legitimate interest of the RIPE community and the smooth operation of the Internet globally (and is therefore in accordance with Article 6.1.f of the GDPR).
Personal data of a resource holder’s contact person
When resource holders are legal persons, they must provide contact details for the individuals responsible for the networks the Internet number resources correspond to, and/or responsible for maintaining information in the RIPE Database. This is also the case for resource holders that are individuals but do not want to have this role themselves.
The contact details usually refer to the technical and administrative employees of a resource holder and consist of names along with a (business) email address, phone, fax number and postal address.
Contact details are entered into the RIPE Database by the resource holder themselves, or by a person appointed by the resource holder to be responsible for inserting and updating this information. This person is identified by the maintainer object (“mnt-by:”) and is referred to as the “maintainer”.
The purpose for which personal data is requested and made publicly available in the RIPE Database is always the same: ‘Facilitating coordination between network operators (network problem resolution, outage notification etc.)’.
However, when the resource holder appoints another individual to perform this role, they must obtain the consent of the person(s) whose personal data will be inserted in the RIPE Database before their data is inserted (in accordance with Article 6.1.a of the GDPR).
“Consent” is defined as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by statement or clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
In order for “consent” to serve as the legal ground of a processing activity, the resource holder must be able to demonstrate that the individual has consented to the processing of their personal data and has been informed of their right to withdraw their consent at any time. A potential withdrawal, however, will not affect the lawfulness of any processing that took place before this withdrawal. It is important to highlight that, under the law, consent will not be considered as freely given if the individual has no genuine or free choice or is unable to refuse or withdraw consent without detriment.
Depending on the relationship between the resource holder and the person(s) they decide to designate as their contact person(s) for the purposes of the RIPE Database, consent may be obtained via their business relationship. For example, if the resource holder and their contact persons are engaged via an employment relationship, consent may be obtained through this relationship.
It must be highlighted that in an employment context there is a presumable imbalance of power between the employer and the employee. In order for the consent to be valid as the legal basis, the employer must prove that there would not be any adverse consequences if the employee declined to give consent (see Art.29 Working Party Guidelines on Consent under Regulation 2016/79: ‘There might be situations when it is possible for the employer to demonstrate that consent actually is freely given and employees can give free consent in exceptional circumstances, when it will have no adverse consequences at all whether or not they give consent.’).
In any case, if a person disagrees with their (business) contact details being made publicly available in the RIPE Database, it is the responsibility of the resource holder to provide a different person’s contact details or provide their own contact details.
The RIPE NCC considers that it is the responsibility of the one who inserts the data in the RIPE Database (i.e. the maintainer) to ensure that they have obtained valid consent for the processing to take place.
Responsible party’s obligations
As mentioned above, the responsible parties are identified by the maintainer object (referenced by the “mnt-by:” attribute in any data object), which is mandatory for all objects in the RIPE Database, and indicates who is really responsible for specific personal data recorded in the RIPE Database.
In summary, the maintainer is responsible for:
- Ensuring that the personal data they insert into the RIPE Database is accurate, appropriate for the purpose of the RIPE Database, and kept up to date
- Informing the data subjects that their data is being processed, of the purposes of the RIPE Database, the RIPE NCC's role, and the maintainer’s role as the responsible party
- Receiving the data subject's consent (before their personal data is entered)
- Handling any request from persons whose personal data is inserted regarding correction or deletion of personal data
- Accepting liability for any damage resulting from the data being inaccurate, not relevant or out-of-date, and any damage resulting from not informing the data subjects, not receiving their consent, or not handling their requests
These responsibilities are already described in the RIPE Database Terms and Conditions and the resource holders, including the maintainers, are contractually bound to these obligations.
Compliance with obligations by the RIPE NCC and by the resource holder
The personal data of a resource holder is provided to the RIPE NCC during the membership application process (when the relevant party applies to become a RIPE NCC member) and when a sponsoring LIR requests Internet number resources on behalf of an End User.
During the membership application process, the RIPE NCC must inform the applicant of how their data will be used, for what purposes, and the interests of the RIPE community that are being served. The applicant must provide an affirmative act of acceptance of the RIPE Database Terms and Conditions.
When a RIPE NCC member requests resources on behalf of an End User, it is the member’s responsibility to inform the End User about the use of their data in the RIPE Database and to ensure that the registration information remains correct and accurate.
With regard to the personal data of a resource holder’s contact person, the maintainer is contractually obliged to inform the relevant data subject about the processing operations and the purposes of the RIPE Database, and to ensure that they have obtained the data subject’s consent for this processing.
The RIPE NCC is currently reviewing the relevant procedures and documentation, in order to ensure that all the necessary information is provided in a clear and transparent manner to the parties involved.