A few questions regarding these questions:

Dear Caitlin, colleagues,

 

Please find below questions on the topics of the legal memos from the GAC:

Accuracy

.       If current verification statistics provide that a large number of data is inaccurate isn't that a metric to deduce that the accuracy principle is not served in a reasonable manner as demanded by the GDPR?

.       According to the GDPR all personal data are processed based on the principle that they are necessary for the purpose for which they are collected. If those data are necessary, how can the purpose be served while the data are inaccurate?

.       How does the accuracy principle in connection to the parties' liability has to be understood in light of the accountability principle of the GDPR? What are the responsibilities of ICANN and the contracted parties (who are subject to the GDPR) under Chapter IV pf the GDPR? If the contracted parties (as data controllers) engage third entities as processors (e.g. to provide data back-up services), what are the responsibilities of these entities?

 

Natural or non-natural persons

.       How is the (inaccurate or accurate) designation by the registrant about her status as non-natural person considered personal data information? If it's not is the analysis about whether the accuracy principle applies relevant?

As the data provided by the non-natural person registrant can contain personal information of a natural person, can a differentiation only by self-designated status of the registrant grant absolute legal protection to contracted parties against claims for unwanted publication of personal data contained in the data provided by the non-natural person?

.       How would the analysis provided take into account the possibility for registrants who are natural persons to "opt-in" for a full publication of their personal data? Indeed it might be the case that some of these registrants might wish to ensure their details are available on WHOIS.

 

Technical contact

Most of the issue for not allowing this seems to be around the inability to verify if the RNH has obtained consent from the technical contact. When the CP's verify the email address could consent also be confirmed for the term of the registration? 

Is confirmation of consent obtained by email sufficient in all cases to assume consent for publication of the personal information of a data subject even if no verification of ownership of that email address by the data subject can be performed?

 

General question:

.       How could anonymisatio/pseudonymisation techniques be of help in complying with the GDPR while also allowing for additional disclosure of certain data elements? E.g. use of anonymised/pseudonymised emails and names, in particular in the context of registrations by legal persons.