Not to derail the conversation here and turn this into a GDPR crash course. But I think the below is relevant regarding the current discussion.

https://gdpr-info.eu/chapter-1/

Now we discussed purposes in the past regarding scientific or historical whois research. But how does that work under the GDPR?

https://gdpr-info.eu/art-89-gdpr/

So this gives us some more information on how that can work, though one has to keep in mind the derogations on a member state level. I use https://www.twobirds.com/en/hot-topics/general-data-protection-regulation/gd... to keep track regarding the derogations on a member state level (EU). But there are more trackers out there (ping me off list).

Again, this is a straightforward tool to zoom in on the relevant articles and suitable recitals under the GDPR. And if we as a group want to make the purposes work for processing personal data, I think it helps when we look at those articles, or we will make the wrong assumptions.

And keep in mind the GDPR originated from the EU 95/46 directives, and these are based on some really old data protection principles.

I understand the desire to discuss our purposes, and it is natural we feel they are justified due to their history, but we need to get prepped for the many data protection laws that are in effect and make sure they match with the law.

Hope this helps,

Theo Geurts

On 7-2-2018 19:15, Ayden Férdeline wrote:
Thanks for this explanation, Sam and Tapani. On this basis I am most comfortable with the existing text; that is, any purpose must satisfy at least one 'legal basis' for processing.
Kind regards, Ayden
-------- Original Message --------
On 7 February 2018 4:53 PM, Sam Lanfranco <sam@lanfranco.net> wrote:
Thanks Tapani,
I will extract from your longer message. I deliberately kept mine brief and less technical. I think we are in agreement here and I support your position.
On 2/7/2018 1:07 AM, Tapani Tarvainen wrote:
The key distinction, as I understand it, is that "lawful" would be defined by the negative, everything that some law does not prohibit, whereas "legal basis" is defined by the positive, only things whose justification can be explicitly derived from law.
<......>
So I would prefer "legal basis" specifically in this sense: that any processing would have to be explicitly based on one of the criteria, or bases, as listed in GDPR Article 6, or similar explicit justification in other data protection legislation.
_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg