<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Times New Roman \(Cuerpo en alfa";
panose-1:2 2 6 3 5 4 5 2 3 4;}
@font-face
{font-family:inherit;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:"Helvetica Neue";
panose-1:2 0 5 3 0 0 0 2 0 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.gmail-m-7276502107029738542apple-tab-span
{mso-style-name:gmail-m_-7276502107029738542apple-tab-span;}
span.EstiloCorreo19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 3.0cm 70.85pt 3.0cm;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:575211133;
mso-list-template-ids:622602042;}
@list l1
{mso-list-id:724455217;
mso-list-template-ids:-1276616304;}
@list l2
{mso-list-id:1747530214;
mso-list-template-ids:-95925104;}
@list l2:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:72.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l2:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:108.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:144.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:180.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:216.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:252.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:288.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:324.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
--></style></head><body lang=ES link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;mso-fareast-language:EN-US'>Exactly, GDPR is about both citizens and residents.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;mso-fareast-language:EN-US'>Anyone living in EU is also protected.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;mso-fareast-language:EN-US'>If Afrinic host mailing list and databases with may contain EU-person data, it is subjected to GDPR. There is no doubt in that.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;mso-fareast-language:EN-US'><o:p> </o:p></span></p><div><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;color:black'>After all, what it really matters is that Maurituis has an explicit agreement adopting an equivalent regulation to the GDPR.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;color:black'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;color:black'>Regards,<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:12.0pt'><span lang=EN-US style='font-size:12.0pt;color:black;mso-fareast-language:EN-US'>Jordi<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:12.0pt'><span lang=EN-US style='font-size:12.0pt;color:black;mso-fareast-language:EN-US'>@jordipalet<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:12.0pt'><span lang=EN-US style='font-size:12.0pt;color:black;mso-fareast-language:EN-US'><o:p> </o:p></span></p></div><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;mso-fareast-language:EN-US'><o:p> </o:p></span></p><div><div><p class=MsoNormal style='margin-left:35.4pt'>El 12/7/19 9:29, "John Walu" <<a href="mailto:walu.john@gmail.com">walu.john@gmail.com</a>> escribió:<o:p></o:p></p></div></div><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><div><div><p class=MsoNormal style='margin-left:35.4pt'>@ Owen<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><p class=MsoNormal style='margin-left:35.4pt'>Interesting insights.<o:p></o:p></p><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'>True GDPR is EU person-specific rather than EU Citizen specific. U also rightly point out this is a broader term compared to the narrow citizen specific term I had imagined. Dont you then think that this expands the risk exposure rather than limit it?<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'>Either way, what of the AfriNIC data related to resource members who happen to be both African and European (and you and I know many of them ;-) Does their data held in AfriNIC databases then fall under GDPR?<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'>Anyway, the best thing for the Board to do is to carry out a GDPR Impact Assessment and share the report with the community about the risks or otherwise of GDPR in their processes/systems.<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'>rgds.<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'>walu <o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div></div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p><div><div><p class=MsoNormal style='margin-left:35.4pt'>On Fri, Jul 12, 2019 at 3:52 AM Owen DeLong <<a href="mailto:owen@delong.com">owen@delong.com</a>> wrote:<o:p></o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm'><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p><div><p class=MsoNormal style='margin-left:35.4pt'><br><br><o:p></o:p></p><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal style='margin-left:35.4pt'>On Jul 10, 2019, at 00:51 , John Walu <<a href="mailto:walu.john@gmail.com" target="_blank">walu.john@gmail.com</a>> wrote:<o:p></o:p></p></div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p><div><div><p class=MsoNormal style='margin-left:35.4pt'>@ Owen <o:p></o:p></p><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'>GDPR territorial scope extends beyond Europe since its is EU citizen specific rather than geo-specific.<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><a href="https://gdpr-info.eu/art-3-gdpr/" target="_blank">https://gdpr-info.eu/art-3-gdpr/</a><o:p></o:p></p></div></div></div></blockquote><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><p class=MsoNormal style='margin-left:35.4pt'>Nope… It’s EU PERSON specific, not EU citizen.<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'>EU Person has a rather odd definition, but it is a superset of EU citizens (or more accurately citizens of member nations).<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'>However…<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'>GDPR only pertains in so far as the data processing is related to:<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:12.0pt;margin-right:0cm;margin-bottom:12.0pt;margin-left:95.4pt;text-indent:-18.0pt;mso-list:l2 level1 lfo1;vertical-align:baseline'><![if !supportLists]><span style='font-size:10.0pt;font-family:Symbol;color:#333333'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span style='font-size:12.0pt;font-family:"Helvetica Neue";color:#333333'>the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:12.0pt;margin-right:0cm;margin-bottom:12.0pt;margin-left:95.4pt;text-indent:-18.0pt;mso-list:l2 level1 lfo1;vertical-align:baseline'><![if !supportLists]><span style='font-size:10.0pt;font-family:Symbol;color:#333333'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span style='font-size:12.0pt;font-family:"Helvetica Neue";color:#333333'>the monitoring of their behaviour as far as their behaviour takes place within the Union.<o:p></o:p></span></p><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div></div><div><p class=MsoNormal style='margin-left:35.4pt'>Since AfriNIC specifically doesn’t offer services in the EU, and doesn’t monitor the behavior of anyone to the best of my knowledge, the applicability is suspect at best.<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><div><div><p class=MsoNormal style='margin-left:35.4pt'>In other words, anyone (Data controller/processor) handling EU citizen data is automatically subject to the GDPR in the event of a data breach - irrespective of their geo-locality.<o:p></o:p></p></div></div></div></blockquote><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><p class=MsoNormal style='margin-left:35.4pt'>You also seem to have missed this part:<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:12.0pt;margin-right:0cm;margin-bottom:12.0pt;margin-left:65.4pt;text-indent:-18.0pt;mso-list:l0 level1 lfo2;vertical-align:baseline'><![if !supportLists]><span style='font-size:12.0pt;font-family:"inherit",serif;color:#333333'><span style='mso-list:Ignore'>1.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span style='font-size:12.0pt;font-family:"inherit",serif;color:#333333'>This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.<o:p></o:p></span></p><div style='border-top:solid #EAEAEA 1.0pt;border-left:none;border-bottom:none windowtext 1.0pt;border-right:none;padding:15.0pt 0cm 23.0pt 0cm;box-sizing:inherit;outline:0px'><p class=MsoNormal style='margin-left:35.4pt;vertical-align:baseline'><span style='font-size:10.5pt;font-family:"Helvetica Neue";color:#333333'>While the fact that Mauritius stupidly (IMHO) signed an agreement making this paragraph problematic, many other nations in Africa have not and so it’s again questionable whether the law can be applied to entities outside of AfriNIC that are in countries that haven’t agreed to partake in this particular brand of European overreach. (Which I admit is a trick they unfortunately learned from the gestapo tactics of the US banking regulators).<o:p></o:p></span></p></div><p class=MsoNormal style='margin-left:35.4pt'>Note also that in Article 2 we have this:<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:12.0pt;margin-right:0cm;margin-bottom:12.0pt;margin-left:65.4pt;text-indent:-18.0pt;mso-list:l1 level1 lfo3;vertical-align:baseline'><![if !supportLists]><span style='font-size:12.0pt;font-family:"inherit",serif;color:#333333'><span style='mso-list:Ignore'>1.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span style='font-size:12.0pt;font-family:"inherit",serif;color:#333333'>This Regulation does not apply to the processing of personal data:<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:12.0pt;margin-right:0cm;margin-bottom:12.0pt;margin-left:89.4pt;text-indent:-18.0pt;mso-list:l1 level2 lfo3;vertical-align:baseline'><![if !supportLists]><span style='font-size:12.0pt;font-family:"inherit",serif;color:#333333'><span style='mso-list:Ignore'>1.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span style='font-size:12.0pt;font-family:"inherit",serif;color:#333333'>in the course of an activity which falls outside the scope of Union law;<o:p></o:p></span></p><div><p class=MsoNormal style='margin-left:35.4pt'>I’m pretty sure that AfriNIC’s issuing of IP addresses is not in any way governed by EU law. As such, the activity in question is, by my reading, exempt.<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><div><div><p class=MsoNormal style='margin-left:35.4pt'> Ofcourse the main issue will be if the affected EU citizen will actually file a complaint in the EU Courts or not. The second issue is whether the EU courts will find the data controller guilty and if the fined/penalized entity will to pay up or ignore given their remoteness to EU centers of power. (nb:Facebook and Google have so far been paying up ;-)<o:p></o:p></p></div></div></div></blockquote><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><p class=MsoNormal style='margin-left:35.4pt'>To the best of my knowledge, few, if any, of the people likely to be in the AfriNIC whois database would be EU persons since AfriNIC specifically requires the businesses they interact with to be in the AfriNIC service region. Is there a country in Africa that joined the EU without my noticing?<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><div><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'>Is AfriNIC bound by GDPR?<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'>The simple answer is - it depends. <o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'>Do Afrinic processes and systems at any one point collect, store or process data that contains EU citizens?<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div></div></div></blockquote><p class=MsoNormal style='margin-left:35.4pt'>This is not the only criteria… Also it should be noted that the actual term is “EU persons” and not “EU citizens”.<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'>Further, it only applies to EU Persons when conducting activities which fall within the scope of EU law. (see Article 2 reference above).<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'>From <a href="http://Lexology.com" target="_blank">Lexology.com</a> (an article by Morgan Lewis & Bockius LLP): (<a href="https://www.lexology.com/library/detail.aspx?g=0dc9663d-ac3b-438e-adcd-1415a45f99ca" target="_blank">https://www.lexology.com/library/detail.aspx?g=0dc9663d-ac3b-438e-adcd-1415a45f99ca</a>)<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:11.5pt;font-family:"Arial",sans-serif;color:#333333;background:white'>At its core, the GDPR enumerates rights of natural persons who are present within the European Union (EU), whether or not their data is in fact in the EU. The word “citizen” does not appear in the language of the regulation, which would indicate a reluctance to simply identify rights of EU citizens as opposed to the rights of all people within the boundaries of the EU. Practically speaking, the GDPR protects the rights of anyone within its territorial reach while at the same time applying to any entity</span><a href="https://www.morganlewis.com/pubs/the-edata-guide-to-gdpr-whose-data-is-protected-under-the-gdpr" target="_blank"><span style='font-size:11.5pt;font-family:"Arial",sans-serif;color:#797600;text-decoration:none'>[2]</span></a><span style='font-size:11.5pt;font-family:"Arial",sans-serif;color:#333333;background:white'> using or accessing this personal data, no matter where the data exists. Trying to decipher what this means can be confusing without a more thorough analysis of the regulation and its accompanying commentary.</span><o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'>——<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><br><br><o:p></o:p></p><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><div><div><p class=MsoNormal style='margin-left:35.4pt'>If the answer is NO. Then they are not bound by GDPR.<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'>If the answer is YES. Then they are potentially bound by GDPR to the extent that if that data is abused/breached, then they potentially face sanctions/penalties from EU courts.<o:p></o:p></p></div></div></div></blockquote><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><p class=MsoNormal style='margin-left:35.4pt'>If the answer is YES, then there are more questions that need to be asked…<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'>1.<span class=gmail-m-7276502107029738542apple-tab-span> </span>Is the person actually in the EU at the time the personal data is provided?<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'>2.<span class=gmail-m-7276502107029738542apple-tab-span> </span>Is the person otherwise classified as an “EU Person”?<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'>If the answer to either is YES, then there are more questions that need to be asked… If both are NO, then you’re done, no GDPR for you.<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'>1.<span class=gmail-m-7276502107029738542apple-tab-span> </span>Is the activity in question subject to EU legal jurisdiction?<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'>If you can answer NO to this (and I can’t think of an activity where AfriNIC would be collecting PII and answer yes), then again, you’re done, GDPR doesn’t apply.<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><br><br><o:p></o:p></p><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><div><div><p class=MsoNormal style='margin-left:35.4pt'>Either way, Mauritius has one of the <a href="http://dataprotection.govmu.org/English/Legislation/Pages/default.aspx" target="_blank">most comprehensive Data Protection legislation on the continent</a> and any data breach can actually be litigated locally (without the need for GDPR) with penalties to AfriNIC (if for example it is determined that email targets/addresses were harvested from Afrinic digital resources without consent from the data subjects).<o:p></o:p></p></div></div></div></blockquote><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><p class=MsoNormal style='margin-left:35.4pt'>I’ll leave the discussion of Mauritian law to those people who may be subject to it. I’m sure AfriNIC staff and applicable legal counsel can adequately address this.<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'>Owen<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><br><br><o:p></o:p></p><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><div><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'>walu.<o:p></o:p></p></div></div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p><div><div><p class=MsoNormal style='margin-left:35.4pt'>On Wed, Jul 10, 2019 at 8:04 AM Owen DeLong <<a href="mailto:owen@delong.com" target="_blank">owen@delong.com</a>> wrote:<o:p></o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm'><p class=MsoNormal style='margin-left:35.4pt'><br><br>> On Jul 5, 2019, at 14:13 , JORDI PALET MARTINEZ via Community-Discuss <<a href="mailto:community-discuss@afrinic.net" target="_blank">community-discuss@afrinic.net</a>> wrote:<br>> <br>> Hi Alan,<br>> <br>> If the board can't investigate that, we may have a problem, because Afrinic has to comply with GDPR.<br><br>Why? AfriNIC is not located in the EU and does not solicit business with EU persons.<br><br>AfriNIC is not, by my reading, subject to the GDPR.<br><br>Even if they were, AfriNIC did not violate GDPR here. Wafa might have, but I don’t think she is subject to GDPR, either. Last I looked, Tunisia was outside EU jurisdiction.<br><br><br>> I don't know if those emails come from whois or something else, but some logs may tell.<br><br>Why is this relevant?<br><br>> I my opinion it will be nicer to get a response from Wafa, and I'm sure the community will be happy to forgive her. My intent is not to punish anyone, just to make sure that we find solutions to possible problems and mistakes and avoid repeating them.<br><br>I have no issue with the use of the email addresses. I think the far more important issue here is the message sent under color of authority which authority likely was not authorized to Wafa at the time.<br><br>Owen<br><br>> <br>> Regards,<br>> Jordi<br>> @jordipalet<br>> <br>> <br>> <br>> El 5/7/19 10:16, "Alan Barrett" <<a href="mailto:alan.barrett@afrinic.net" target="_blank">alan.barrett@afrinic.net</a>> escribió:<br>> <br>> <br>> <br>>> On 3 Jul 2019, at 15:50, JORDI PALET MARTINEZ via Community-Discuss <<a href="mailto:community-discuss@afrinic.net" target="_blank">community-discuss@afrinic.net</a>> wrote:<br>>> <br>>> I’m angrier about this as much as I think on it again.<br>>> <br>>> Can the board and the staff investigate this?<br>>> <br>>> Can all the people that got those emails confirm if they have provided voluntarily their emails or if they have participated in Afrinic lists, or if those emails are part of their Afrinic contacts, in order to understand if this personal data (emails are personal data), have been collected from Afrinic internal databases.<br>> <br>> There is no reasonable way for AFRINIC staff to investigate whether the recipients had agreed to receive the messages sent by Wafa Dahmani. There is also no reasonable way for staff to investigate whether email addresses were collected from the public WHOIS database. There is no non-public AFRINIC database that could have been used.<br>> <br>> Regards,<br>> Alan Barrett<br>> <br>> <br>> _______________________________________________<br>> Community-Discuss mailing list<br>> <a href="mailto:Community-Discuss@afrinic.net" target="_blank">Community-Discuss@afrinic.net</a><br>> <a href="https://lists.afrinic.net/mailman/listinfo/community-discuss" target="_blank">https://lists.afrinic.net/mailman/listinfo/community-discuss</a><br>> <br>> <br>> <br>> <br>> **********************************************<br>> IPv4 is over<br>> Are you ready for the new Internet ?<br>> <a href="http://www.theipv6company.com/" target="_blank">http://www.theipv6company.com</a><br>> The IPv6 Company<br>> <br>> This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.<br>> <br>> <br>> <br>> <br>> _______________________________________________<br>> Community-Discuss mailing list<br>> <a href="mailto:Community-Discuss@afrinic.net" target="_blank">Community-Discuss@afrinic.net</a><br>> <a href="https://lists.afrinic.net/mailman/listinfo/community-discuss" target="_blank">https://lists.afrinic.net/mailman/listinfo/community-discuss</a><br><br><br>_______________________________________________<br>Community-Discuss mailing list<br><a href="mailto:Community-Discuss@afrinic.net" target="_blank">Community-Discuss@afrinic.net</a><br><a href="https://lists.afrinic.net/mailman/listinfo/community-discuss" target="_blank">https://lists.afrinic.net/mailman/listinfo/community-discuss</a><o:p></o:p></p></blockquote></div></div></blockquote></div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div></blockquote></div></div><br>**********************************************<br>
IPv4 is over<br>
Are you ready for the new Internet ?<br>
http://www.theipv6company.com<br>
The IPv6 Company<br>
<br>
This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.<br>
<br>
</body></html>