This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[members-discuss] is the RIPE NCC GDPR compliant ?
Lutz Donnerhacke
L.Donnerhacke at iks-service.de
Fri Feb 22 11:37:33 CET 2019
Please do not misuse the term GDPR.

First, the GDPR does not prohibit any handling of personal data. It does instead insist on writing down:
- which personal data is acquired, handled, stored, and deleted.
- who is involved in those steps.
- why you use this data and for what.
- who is responsible for the step.

If a given data handling is necessary due to a lot of predefined reasons, it's sufficient to name them. Otherwise describe the reasoning.

Necessary data handling does not require active consent, but only information.

If you ask for consent for a special data handling, this implies that the data handling is optional. If the consent is not given by the other party, you have to skip those data handling steps while fulfilling your other obligations. So if you can't provide the service without dealing with this specific data, do not ask for consent!

Some comments on Whois at ICANN.

ICANN failed to describe use cases for Whois, but centralized the database (ThickWhois). Therefore they ran into problems with the GDPR, got sued, and established the EPDP for temporary changes to long term contracts.

There are two options for ICANN (AFAIS):
a) Provide a privacy-proxy framework and make registrant data optional.
b) Switch to an ultra thin whois by publishing the chain of contracts in the whois together with a reference to the whois server of the contractual partner. (see whois.iana.org)

Option a is favoured, but renders whois useless and will result in shutting whois services down, despite the LEA, IP lawyers, and anti-abuse still crying.

Option b would allow respecting the local law for each contract, but disclose the reseller chains. The registries, registrars, and resellers will cry.

Summary for RIPE: If the RIPE community has use cases for Whois, describe them according to the GDPR and keep it running.