[anti-abuse-wg] On the abuse handling policy of manitu.net (AS34240)

Volker Greimann wrote on 20/02/2021 00:39:
> It sounds GDPR legal. After all, they are telling you exactly what will 
> happen with anything that you send there, so by sending it there in full 
> knowledge, you are essentially consenting to that processing of your data.

the best that could be said in this situation is that it's not clear.

If you're reporting an abuse complaint to a responsible provider with 
clearly documented abuse processes which are carefully followed, and who 
has a good relationship with a responsible client who had clearly 
documented abuse processes which are carefully followed, then maybe this 
might ok.

OTOH if it's a bulletproof hoster with poor processes / process 
compliance and the client abuses abuse reports (e.g. uses them to 
confirm that emails are still active), then that's less likely to be in 
any way legal.

But a-priori, you don't know.

Also GDPR consent compliance isn't achieved by "telling you exactly what 
will happen with anything that you send there".  The European Data 
Protection Board has extensive documentation on GDPR interpretation:

> https://edpb.europa.eu/our-work-tools/general-guidance/gdpr-guidelines-recommendations-best-practices_en

of which the document regarding Consent is well worth reading:

> https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-052020-consent-under-regulation-2016679_en

Specifically it notes: "As a general rule, the GDPR prescribes that if 
the data subject has no real choice, feels compelled to consent or will 
endure negative consequences if they do not consent, then consent will 
not be valid".

tl,dr: ianal + the OP's case would benefit from analysis by an actual 
lawyer with competence in this complex area.  The above is purely 
speculation.

Nick