<div dir="ltr">
<p class="MsoNormal"><span lang="FR">Hello SM / Kris,</span></p>
<p class="MsoNormal"><span lang="FR"> </span></p>
<p class="MsoNormal"><span lang="FR">1.<span> </span>Est-ce légal qu’AfriNIC procède à
l’audit et à la récupération des ressources? Oui.</span></p>
<p class="MsoNormal"><span lang="FR">2.<span> </span>L’exigence de faire l’audit en toute
transparence constitue-t-elle un risque de violation du NDA ?</span></p>
<p class="MsoNormal"><span lang="FR">Nous ne pensons
pas que ça soit le cas car les informations échangées ne sont pas mises sur la
place publique et sont manipulées exclusivement<span>
</span>par AfriNIC. </span></p>
<p class="MsoNormal"><span lang="FR"></span></p>
<p class="MsoNormal"><span lang="FR">3.<span> </span>La publication du rapport : celle-ci ne
constitue pas un risque de violation du NDA les données personnelles ne sont
pas publiées et la version actuelle de la proposition n’impose pas de les
publier. Pour éviter toute équivoque, nous nous proposons de spécifier
clairement dans la section 3.6<span> </span>de ne pas
publier les données personnelles pour ne pas violer le NDA.</span></p>
<p class="MsoNormal"><span lang="FR">En rapport avec
la DPA, est-ce le modèle de rapport proposé sur la liste <span> </span>et présenté sous [1] expose t’il a une violation
quelconque ? </span></p>
<p class="MsoNormal"><span lang="FR">Si oui quel type
de données y contribue ?</span></p>
<p class="MsoNormal"><span lang="FR"> </span></p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Bien cordialement.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">[1] </p>
<p class="MsoNormal">Description of "members” in AFRINIC context may at some
points looks like:</p>
<p class="MsoNormal">A- How many members have been reviewed :</p>
<p class="MsoNormal"><span> </span>- By type:<span> </span>LIR, End-users, etc…</p>
<p class="MsoNormal"><span> </span>- By Category:<span> </span>Extralarge, Large, Medium, small, etc…</p>
<p class="MsoNormal">B- Type of ressources involved:<span> </span>ASN, IPv4 ,IPv6</p>
<p class="MsoNormal">C- Level of compliance</p>
</div><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Dec 11, 2016 at 3:55 PM, Kris Seeburn <span dir="ltr"><<a href="mailto:seeburn.k@gmail.com" target="_blank">seeburn.k@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word"><div>People,</div><div><br></div><div>You may want to note that afrinic staff review already stated these:</div><div><br></div><div><span class=""><ul style="color:rgb(51,51,51);font-family:Helvetica,Arial,FreeSans,sans-serif;font-variant-ligatures:normal;background-color:rgb(238,238,238)"><li><em>The requirement that the review be conducted with "full transparency" may be in conflict with privacy provisions in NDAs, in the RSA, or in law.</em></li><li><em>The requirement to publish a "compliance report" may be in conflict with privacy provisions in NDAs, in the RSA, or in law.</em></li></ul></span><div>I’ve already voiced that there be a revisit to this policy differently but i think pointing this in the DPA should be noted. Unless the NDA and RSA are modified to state that there is no confidentiality…. If that is the case.</div></div><div><br></div><div>These may help guide all. The data controller is an appointed staff of afrinic. Whether we state Mauritian law or else the NDA. In essence we need to note what is Public information and what is Private and confidential information.</div><div><br></div><div><br></div><div><div id="m_-3878510581784387672viewlet-below-content-body" style="box-sizing:border-box;color:rgb(51,51,51);font-family:'Open Sans',Helvetica,Arial,sans-serif;font-size:14.3px;font-variant-ligatures:normal;background-color:rgb(255,255,255)"></div></div><div><br></div><div>
<p class="MsoNormal" style="line-height:normal"><a name="m_-3878510581784387672__Toc66683978"><b><span style="font-size:18.0pt;font-family:"Times New Roman"">29.
Unlawful disclosure of personal data</span></b></a><a name="m_-3878510581784387672_b29"></a><b><span style="font-size:18.0pt;font-family:"Times New Roman""><u></u><u></u></span></b></p><p class="MsoNormal" style="line-height:normal"><span style="font-size:12.0pt;font-family:"Times New Roman"" lang="EN-GB">(1) Any <b>data</b>
controller who, without lawful excuse, discloses personal <b>data</b> in any
manner that is incompatible with the purposes for which such <b>data</b> has
been collected shall commit an offence.</span><span style="font-size:12.0pt;font-family:"Times New Roman""><u></u><u></u></span></p><p class="MsoNormal" style="line-height:normal"><span style="font-size:12.0pt;font-family:"Times New Roman"" lang="EN-GB">(2) Any <b>data</b>
processor who, without lawful excuse, discloses personal <b>data</b> processed
by him without the prior authority of the <b>data</b> controller on whose
behalf such <b>data</b> is or has been processed shall commit an offence.</span><span style="font-size:12.0pt;font-family:"Times New Roman""><u></u><u></u></span></p><p class="MsoNormal" style="line-height:normal"><span style="font-size:12.0pt;font-family:"Times New Roman"" lang="EN-GB">(3) Subject
to subsection (4), any person who -</span><span style="font-size:12.0pt;font-family:"Times New Roman""><u></u><u></u></span></p><p class="MsoNormal" style="margin-top:12.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:108.0pt;margin-bottom:.0001pt;text-align:justify;line-height:150%"><span style="font-size:12.0pt;line-height:150%;font-family:"Times New Roman"" lang="EN-GB">(a) obtains access to personal <b>data</b>, or obtains
any information constituting such <b>data</b>, without prior authority of the <b>data</b>
controller or <b>data</b> processor by whom such <b>data</b> is kept; and</span><span style="font-size:12.0pt;line-height:150%;font-family:"Times New Roman""><u></u><u></u></span></p><p class="MsoNormal" style="margin-top:12.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:72.0pt;margin-bottom:.0001pt;text-align:justify;line-height:150%"><span style="font-size:12.0pt;line-height:150%;font-family:"Times New Roman"" lang="EN-GB">(b) discloses the <b>data</b> or information to another person,</span><span style="font-size:12.0pt;line-height:150%;font-family:"Times New Roman""><u></u><u></u></span></p><p class="MsoNormal" style="margin-top:12.0pt;text-align:justify;line-height:150%"><span style="font-size:12.0pt;line-height:150%;font-family:"Times New Roman"" lang="EN-GB">
shall commit an offence.</span><span style="font-size:12.0pt;line-height:150%;font-family:"Times New Roman""><u></u><u></u></span></p><p class="MsoNormal" style="line-height:normal"><span style="font-size:12.0pt;font-family:"Times New Roman"" lang="EN-GB">(4)
Subsection (3) shall not apply to a person who is an employee or agent of a <b>data</b>
controller or processor and is <b>act</b>ing within his mandate.</span><span style="font-size:12.0pt;font-family:"Times New Roman""><u></u><u></u></span></p><p class="MsoNormal" style="line-height:normal"><span style="font-size:12.0pt;font-family:"Times New Roman"" lang="EN-GB">(5) Any
person who offers to sell personal <b>data</b> where such personal <b>data</b>
has been obtained in breach of subsection (1) shall commit an offence.</span><span style="font-size:12.0pt;font-family:"Times New Roman""><u></u><u></u></span></p><p class="MsoNormal" style="line-height:normal"><span style="font-size:12.0pt;font-family:"Times New Roman"" lang="EN-GB">(6) For the
purposes of subsection (5), an advertisement indicating that personal <b>data</b>
is or may be for sale, constitutes an offer to sell the personal <b>data</b>.</span><span style="font-size:12.0pt;font-family:"Times New Roman""><u></u><u></u></span></p><p class="MsoNormal" style="line-height:normal"><span style="font-size:12.0pt;font-family:"Times New Roman"" lang="EN-GB"><br></span></p><p class="MsoNormal" style="line-height:normal"><span style="font-size:12.0pt;font-family:"Times New Roman"" lang="EN-GB">further reading:</span></p><div><br></div><div>
<p class="MsoNormal" style="line-height:normal"><a name="m_-3878510581784387672__Toc66683980"><b><span style="font-size:18.0pt;font-family:"Times New Roman"">31.
Transfer of personal data</span></b></a><a name="m_-3878510581784387672_b31"></a><b><span style="font-size:18.0pt;font-family:"Times New Roman""><u></u><u></u></span></b></p><p class="MsoNormal" style="margin-top:12.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:72.0pt;margin-bottom:.0001pt;text-align:justify;line-height:150%"><span style="font-size:12.0pt;line-height:150%;font-family:"Times New Roman"" lang="EN-GB">(1)</span><span style="font-size:7.0pt;line-height:150%;font-family:"Times New Roman"" lang="EN-GB">
</span><span style="font-size:12.0pt;line-height:150%;font-family:"Times New Roman"" lang="EN-GB">Subject to subsection (2), no <b>data</b> controller shall, except with
the written authorisation of the Commissioner, transfer personal <b>data</b> to
another country. </span><span style="font-size:12.0pt;line-height:150%;font-family:"Times New Roman""><u></u><u></u></span></p><p class="MsoNormal" style="margin-top:12.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:72.0pt;margin-bottom:.0001pt;text-align:justify;line-height:150%"><span style="font-size:12.0pt;line-height:150%;font-family:"Times New Roman"" lang="EN-GB">(2)</span><span style="font-size:7.0pt;line-height:150%;font-family:"Times New Roman"" lang="EN-GB">
</span><span style="font-size:12.0pt;line-height:150%;font-family:"Times New Roman"" lang="EN-GB">The Eighth <b>data</b> <b>protection</b> principle specified in the
First Schedule shall not apply where –</span><span style="font-size:12.0pt;line-height:150%;font-family:"Times New Roman""><u></u><u></u></span></p><p class="MsoNormal" style="margin-top:12.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:108.0pt;margin-bottom:.0001pt;text-align:justify;line-height:150%"><span style="font-size:12.0pt;line-height:150%;font-family:"Times New Roman"" lang="EN-GB">(a)</span><span style="font-size:7.0pt;line-height:150%;font-family:"Times New Roman"" lang="EN-GB">
</span><span style="font-size:12.0pt;line-height:150%;font-family:"Times New Roman"" lang="EN-GB">the <b>data</b> subject has given his consent to the transfer;</span><span style="font-size:12.0pt;line-height:150%;font-family:"Times New Roman""><u></u><u></u></span></p><p class="MsoNormal" style="margin-top:12.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:108.0pt;margin-bottom:.0001pt;text-align:justify;line-height:150%"><span style="font-size:12.0pt;line-height:150%;font-family:"Times New Roman"" lang="EN-GB">(b)</span><span style="font-size:7.0pt;line-height:150%;font-family:"Times New Roman"" lang="EN-GB">
</span><span style="font-size:12.0pt;line-height:150%;font-family:"Times New Roman"" lang="EN-GB">the transfer is necessary –</span><span style="font-size:12.0pt;line-height:150%;font-family:"Times New Roman""><u></u><u></u></span></p><p class="MsoNormal" style="margin-top:12.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:144.0pt;margin-bottom:.0001pt;text-align:justify;line-height:150%"><span style="font-size:12.0pt;line-height:150%;font-family:"Times New Roman"" lang="EN-GB">(i)</span><span style="font-size:7.0pt;line-height:150%;font-family:"Times New Roman"" lang="EN-GB">
</span><span style="font-size:12.0pt;line-height:150%;font-family:"Times New Roman"" lang="EN-GB">for the performance of a contr<b>act</b> between the <b>data</b> subject
and the <b>data</b> controller, or for the taking of steps at the request of
the <b>data</b> subject with a view to his entering into a contr<b>act</b> with
the <b>data</b> controller;</span><span style="font-size:12.0pt;line-height:150%;font-family:"Times New Roman""><u></u><u></u></span></p><p class="MsoNormal" style="margin-top:12.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:144.0pt;margin-bottom:.0001pt;text-align:justify;line-height:150%"><span style="font-size:12.0pt;line-height:150%;font-family:"Times New Roman"" lang="EN-GB">(ii)</span><span style="font-size:7.0pt;line-height:150%;font-family:"Times New Roman"" lang="EN-GB">
</span><span style="font-size:12.0pt;line-height:150%;font-family:"Times New Roman"" lang="EN-GB">for the conclusion of a contr<b>act</b> between the <b>data</b>
controller and a person, other than the <b>data</b> subject, which is entered
at the request of the <b>data</b> subject, or is in the interest of the <b>data</b>
subject, or for the performance of such a contr<b>act</b>;</span><span style="font-size:12.0pt;line-height:150%;font-family:"Times New Roman""><u></u><u></u></span></p><p class="MsoNormal" style="margin-top:12.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:144.0pt;margin-bottom:.0001pt;text-align:justify;line-height:150%"><span style="font-size:12.0pt;line-height:150%;font-family:"Times New Roman"" lang="EN-GB">(iii)</span><span style="font-size:7.0pt;line-height:150%;font-family:"Times New Roman"" lang="EN-GB">
</span><span style="font-size:12.0pt;line-height:150%;font-family:"Times New Roman"" lang="EN-GB">in the public interest, to safeguard public security or national
security.</span><span style="font-size:12.0pt;line-height:150%;font-family:"Times New Roman""><u></u><u></u></span></p><p class="MsoNormal" style="margin-top:12.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:108.0pt;margin-bottom:.0001pt;text-align:justify;line-height:150%"><span style="font-size:12.0pt;line-height:150%;font-family:"Times New Roman"" lang="EN-GB">(c)</span><span style="font-size:7.0pt;line-height:150%;font-family:"Times New Roman"" lang="EN-GB">
</span><span style="font-size:12.0pt;line-height:150%;font-family:"Times New Roman"" lang="EN-GB">the transfer is made on such terms as may be approved by the
Commissioner as ensuring the adequate safeguards for the <b>protection</b> of
the rights of the <b>data</b> subject.</span><span style="font-size:12.0pt;line-height:150%;font-family:"Times New Roman""><u></u><u></u></span></p><p class="MsoNormal" style="margin-left:72.0pt;line-height:150%"><span style="font-family:"Times New Roman"" lang="EN-GB">(3)</span><span style="font-size:7.0pt;line-height:150%;font-family:"Times New Roman"" lang="EN-GB">
</span><span style="font-family:"Times New Roman"" lang="EN-GB">For the purpose of subsection
(2)(c), the adequacy of the level of <b>protection</b> of a country shall be
assessed in the light of all the circumstances surrounding the <b>data</b>
transfer, having regard in particular to -</span><span style="font-size:12.0pt;line-height:150%;font-family:"Times New Roman""><u></u><u></u></span></p><p class="MsoNormal" style="margin-top:12.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:108.0pt;margin-bottom:.0001pt;text-align:justify;line-height:150%"><span style="font-size:12.0pt;line-height:150%;font-family:"Times New Roman"" lang="EN-GB">(a)</span><span style="font-size:7.0pt;line-height:150%;font-family:"Times New Roman"" lang="EN-GB">
</span><span style="font-size:12.0pt;line-height:150%;font-family:"Times New Roman"" lang="EN-GB">the nature of the <b>data</b>;</span><span style="font-size:12.0pt;line-height:150%;font-family:"Times New Roman""><u></u><u></u></span></p><p class="MsoNormal" style="margin-top:12.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:108.0pt;margin-bottom:.0001pt;text-align:justify;line-height:150%"><span style="font-size:12.0pt;line-height:150%;font-family:"Times New Roman"" lang="EN-GB">(b)</span><span style="font-size:7.0pt;line-height:150%;font-family:"Times New Roman"" lang="EN-GB">
</span><span style="font-size:12.0pt;line-height:150%;font-family:"Times New Roman"" lang="EN-GB">the purpose and duration of the proposed processing;</span><span style="font-size:12.0pt;line-height:150%;font-family:"Times New Roman""><u></u><u></u></span></p><p class="MsoNormal" style="margin-top:12.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:108.0pt;margin-bottom:.0001pt;text-align:justify;line-height:150%"><span style="font-size:12.0pt;line-height:150%;font-family:"Times New Roman"" lang="EN-GB">(c)</span><span style="font-size:7.0pt;line-height:150%;font-family:"Times New Roman"" lang="EN-GB">
</span><span style="font-size:12.0pt;line-height:150%;font-family:"Times New Roman"" lang="EN-GB">the country of origin and country of final destination;</span><span style="font-size:12.0pt;line-height:150%;font-family:"Times New Roman""><u></u><u></u></span></p><p class="MsoNormal" style="margin-top:12.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:108.0pt;margin-bottom:.0001pt;text-align:justify;line-height:150%"><span style="font-size:12.0pt;line-height:150%;font-family:"Times New Roman"" lang="EN-GB">(d)</span><span style="font-size:7.0pt;line-height:150%;font-family:"Times New Roman"" lang="EN-GB">
</span><span style="font-size:12.0pt;line-height:150%;font-family:"Times New Roman"" lang="EN-GB">the rules of law, both general and sectoral, in force in the country in
question; and</span><span style="font-size:12.0pt;line-height:150%;font-family:"Times New Roman""><u></u><u></u></span></p><p class="MsoNormal" style="margin-top:12.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:108.0pt;margin-bottom:.0001pt;text-align:justify;line-height:150%"><span style="font-size:12.0pt;line-height:150%;font-family:"Times New Roman"" lang="EN-GB">(e)</span><span style="font-size:7.0pt;line-height:150%;font-family:"Times New Roman"" lang="EN-GB">
</span><span style="font-size:12.0pt;line-height:150%;font-family:"Times New Roman"" lang="EN-GB">any relevant codes of conduct or other rules and security measures which
are<a name="m_-3878510581784387672__Toc64105280"></a><a name="m_-3878510581784387672__Toc61409608"></a><a name="m_-3878510581784387672__Toc61409681"></a><a name="m_-3878510581784387672__Toc61423544"></a><a name="m_-3878510581784387672__Toc64010766"></a><a name="m_-3878510581784387672__Toc64015389"></a><a name="m_-3878510581784387672__Toc64089514"></a> complied with
in that country.</span><span style="font-size:12.0pt;line-height:150%;font-family:"Times New Roman""><u></u><u></u></span></p><p class="MsoNormal" style="margin-top:12.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:72.0pt;margin-bottom:.0001pt;text-align:justify;line-height:normal"><b><span style="font-size:12.0pt;font-family:"Times New Roman"" lang="EN-GB">Amended by [<a href="http://supremecourt.intnet.mu/Main/GetDoc.asp?Doc_Title=Act+No.+14+of+2009&Mode=Html&Search=No" target="_blank"><span style="color:windowtext">Act No. 14 of 2009</span></a>]</span></b><span style="font-size:12.0pt;font-family:"Times New Roman""><u></u><u></u></span></p>
</div>
</div><div><br></div><div><br></div><div>We need to see a balance and decide properly. I would like to say that i am not taking sides but we need to understand to what extent things can and cannot be reported. The mauritius DPA takes precedence from the EU Act. But still an NDA binds the resource member and afrinic within the binds of a legal clause of confidentiality that any member can recall and use against afrinic. </div><div><br></div><div>However, i am sure if we keep to a brief as i said X number of applicants received and Y numbers not accepted may be still fine but category etc., may already lead to guesswork and this may again lead to legal hassle. A compliance report as per the current state of proposal releases too much information already. </div><div><br></div><div><br></div><div>Further the RIPE NCC policy:</div><div><br></div><div><div>If you are referring to RiPE NCC policy:</div><div><br></div><div><h1 class="m_-3878510581784387672documentFirstHeading" style="box-sizing:border-box;margin:0px 0px 12px;font-family:'Open Sans',Helvetica,Arial,sans-serif;line-height:1.3em;color:rgb(88,89,91);max-width:700px;font-variant-ligatures:normal;background-color:rgb(255,255,255)">RIPE NCC Audit Activity</h1><div id="m_-3878510581784387672viewlet-below-content-title" style="box-sizing:border-box;color:rgb(51,51,51);font-family:'Open Sans',Helvetica,Arial,sans-serif;font-size:14.3px;font-variant-ligatures:normal;background-color:rgb(255,255,255)"><div class="m_-3878510581784387672documentByLine" id="m_-3878510581784387672plone-document-byline" style="box-sizing:border-box;margin:0px 0px 12px"></div></div><div id="m_-3878510581784387672viewlet-above-content-body" style="box-sizing:border-box;color:rgb(51,51,51);font-family:'Open Sans',Helvetica,Arial,sans-serif;font-size:14.3px;font-variant-ligatures:normal;background-color:rgb(255,255,255)"></div></div></div></div>...<br><br>[Message clipped] <br>______________________________<wbr>_________________<br>
RPD mailing list<br>
<a href="mailto:RPD@afrinic.net">RPD@afrinic.net</a><br>
<a href="https://lists.afrinic.net/mailman/listinfo/rpd" rel="noreferrer" target="_blank">https://lists.afrinic.net/<wbr>mailman/listinfo/rpd</a><br>
<br></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div style="text-align:center"><div style="text-align:center"><span style="color:rgb(0,0,255)"><span style="background-color:rgb(238,238,238)"><b><span style="font-family:comic sans ms,sans-serif">Serge ILUNGA KABWIKA</span></b><br></span></span></div><span style="color:rgb(0,0,255)"><span style="background-color:rgb(238,238,238)"><b><span style="font-family:comic sans ms,sans-serif"></span></b></span></span></div><div style="text-align:center"><span style="color:rgb(0,0,255)"><span style="background-color:rgb(238,238,238)"><b><span style="font-family:comic sans ms,sans-serif">Skype: sergekbk</span></b><br><b><span style="font-family:comic sans ms,sans-serif">Cell: +243814443160</span></b></span></span></div></div></div>
</div>