[members-discuss] is the RIPE NCC GDPR compliant ?

Hi everyone,

this e-mail is addressed to the RIPE NCC, but because they have 
continuously ignored the issues raised at the RIPE Meeting in Amsterdam, 
I am going to formally ask them to fix these things which, I believe, 
are not GDPR compliant.

1. Ticketing system

- when someone wants to open a ticket with the RIPE NCC, the only way to 
do that is by sending an e-mail. It would be stupid to ask users to send 
e-mail without attachments (in order to open the ticket) and then go to 
the LIR Portal and upload documents to that ticket but it seems the RIPE 
NCC is asking exactly that from the members.

- when someone sends an e-mail to the RIPE NCC and includes documents 
(RIPE NCC often requests company registration documents and - sometimes 
- copies of passports/IDs) the links to those documents hosted on 
zendesk are returned to the sender and (sometimes) all the LIR contacts. 
If that e-mail is forwarded to anyone, it includes the zendesk links and 
therefore anyone that receives the RIPE NCC e-mail or a forward of that 
e-mail will receive links to company registration documents and IDs of 
people.

I doubt this is GDPR compliant and I would like a response from the RIPE 
NCC on why they have not fixed this issue even if it was reported 4 
months ago.

Several ways to fix this:

- e-mails sent by zendesk should not include any link

- allow users to create tickets and communicate to the RIPE NCC via the 
LIR Portal and stop e-mail communication with members

2. RIPE DB

The RIPE NCC Customer Services Department forcefully (*) creates person 
objects in the RIPE Database _MAINTAINED BY THE MAINTAINER OF THE 
LIR!!!_ for the people that sign a contract with the RIPE NCC. It also 
forces companies that use role objects associated with their resources 
to actually have a person object referenced in the role object (so no 
circular reference or a reference to an other role object). Why is the 
RIPE NCC using the LIR's maintainer to create users without even 
requesting the LIR's acceptance? What else is the RIPE NCC creating with 
the LIR's maintainer?

I was under the impression that creating and publishing thousands of 
person objects in the RIPE Database may not be GDPR compliant. Actually, 
there was a discussion in Amsterdam about this and the general 
understanding is that companies that do this will be contacted by the 
RIPE NCC to stop doing it and clean up their data. Well, who will listen 
to an organization that does exactly what they should not be doing?

Why would you need to use a person object in the RIPE DB if a role 
object is an option?

Oh, to make things worse, every time someone registers an additional 
LIR, the RIPE NCC keeps creating duplicate objects instead of re-using 
the ones already created *by them*.


Dear RIPE NCC, when will you update your procedures to be GDPR compliant?


(*) We have created the following objects in the RIPE Database for 
<LIR>'s public profile:

[...]

ORGANISATION: 
https://apps.db.ripe.net/db-web-ui/#/lookup?source=ripe&key=<ORG>&type=organisation
MNTNER: 
https://apps.db.ripe.net/db-web-ui/#/lookup?source=ripe&key=<MNT>&type=mntner
ROLE: 
https://apps.db.ripe.net/db-web-ui/#/lookup?source=ripe&key=<ROLE>&type=role

*ADMIN-C: 
https://apps.db.ripe.net/db-web-ui/#/lookup?source=ripe&key=<PERSON>&type=person**
**TECH-C: 
https://apps.db.ripe.net/db-web-ui/#/lookup?source=ripe&key=<PERSON>&type=person*

Kind regards,

Elvis

-- 
Elvis Daniel Velea
V4Escrow LLC
Chief Executive Officer
E-mail: elvis at v4escrow.net
Mobile: +1 (702) 970 0921

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://www.ripe.net/ripe/mail/archives/members-discuss/attachments/20190220/85e401ab/attachment.html>