[anti-abuse-wg] GDPR - positive effects on email abuse

In message <f4fd7e89-f816-a3b4-471a-b405632bf2f6 at key-systems.net>, 
Volker Greimann <vgreimann at key-systems.net> wrote:

>If you buy land, there is a legal requirement to get yourself 
>registered. This legal basis is sufficient grounds for data processing 
>under the GDPR under Art 6 I c) ("processing is necessary for compliance 
>with a legal obligation to which the controller is subject").

I am very glad that you have explicitly clarified this exception to the
GDPR rules, as it allows me to ask a question which has, quite frankly,
befuddled me ever since this whole GDPR versus WHOIS lunacy began.

As I understand it, the binding contractual obligations which all individual
domain name registrants have committed to include the requirment to provide
accurate WHOIS data, with the understanding that this information will be
published.

Also and similarly, as I understand it, domain name registrars and registries
(with the exception of the ccTLDs) have all contractually committed themselves
(to ICANN) to actually publish this data.

Could someone please explain to me then how these pre-existing contractual
obligations somehow fall outside of the exception stated in GDPR Art 6 I c?

In what sense are these pre-existing contractual obligations not "legal
obligations", as defined, presumably, within the GDPR framework?


Regards,
rfg