GDPR and the RIPE NCC

The General Data Protection Regulation (GDPR) aims to strengthen EU citizens' personal data protection rights and imposes heavy fines on businesses (both within and beyond the EU) that infringe these rights. The GDPR was adopted in April 2016 by the EU and came into effect on 25 May 2018.

We ensure that we comply with the GDPR, not only in relation to the personal data held in the RIPE Database, but for all personal data that we process.

As we continue monitoring and evaluating our processes inline with the GDPR principles, we have been publishing updates with our findings on RIPE Labs:

For more information on how the RIPE NCC is processing the personal data it collects, please refer to the RIPE NCC Privacy Statement.

Below are yearly reports outlining the GDPR requests we received, along with any data breach incidents. Before we take any action on a GDPR request, we first verify that the requester is the data subject of whom the request is about.

In 2024, we received 86 GDPR requests in total.

85 requests were from individuals requesting that we delete their personal data.
We complied with 52 requests to delete the personal data of the individuals that contacted us.
We could not comply with 32 requests because the personal data in question belonged to a third party and was managed by a third-party account.
One request asked us to confirm whether we are processing any personal data concerning the requester. We complied with the request.

We also had four data breach incidents involving:

One single instance of unauthorised access to 14 SSO accounts;
The unauthorised disclosure of a number of email addresses;
One email containing invoices sent to the wrong recipient; and
Unauthorised access to the servers of a third party that processes data on our behalf for our Dubai office.

Only the latter incident required disclosure to the Data Protection Authorities, which we complied with.

In 2023, we received 11 GDPR requests in total.

Nine were from individuals requesting that we delete their personal data.
Two were requests that we confirm whether we are processing personal data concerning the relevant requesters and, if so, to provide them access to their data.

In two cases where third parties we had engaged for the facilitation of a provision of a RIPE NCC service were processing the individuals’ personal data on our behalf, we contacted these third parties and received their confirmation that they had deleted the relevant data upon our request. In one case, we received a request to delete personal data, but no personal data related to this individual was found.

Regarding the requests for access to the individual’s personal data, we have complied with one of them. The other one was not completed as the requester did not respond to our authentication request.

We also had a security incident that involved the exposure of personal data from our intranet to an external service. We had our intranet’s data deleted from this service and reported the incident to the Data Protection Authorities.

In 2022, we received 8 requests from individuals to delete their personal data.

6 requests were complied with and we deleted the relevant personal data found in our systems.
1 request, we took no action as there were legitimate reasons to retain the relevant personal data. This consisted of contact information associated with a maintainer object in the RIPE Database. It is crucial that we retain this type of information in order to preserve the integrity of the RIPE Registry and demonstrate the chain of custody over Internet number resource registration.
1 request could not be completed as the requestor did not respond to our authentication requests.

In 2021, we received 10 requests from individuals to delete their personal data.

6 of these requests were approved and processed.
2 of these requests, we took no action or partial action, as there were legitimate reasons to retain personal data. This consisted of contact information of existing members and association with a maintainer object in the RIPE Database. It is crucial that we retain this type of information to preserve the integrity of the RIPE Registry and demonstrate the chain of custody over Internet number resource registration. Partial action related to the deletion of personal data that would not affect the integrity of the RIPE Registry.
2 of these requests, the requests were not finalised because the requestors did not respond to our authentication requests.

In 2020, we received 7 requests from individuals to delete their personal data.

2 of these requests were approved and processed.
2 of these requests, we took no action or partial action, as there were legitimate reasons to retain personal data. This consisted of contact information of existing members and association with a maintainer object in the RIPE Database. It is crucial that we retain this type of information to preserve the integrity of the RIPE Registry and demonstrate the chain of custody over Internet number resource registration. Partial action related to the deletion of personal data that would not affect the integrity of the RIPE Registry.
1 of these requests, the requests were not finalised because the requestors did not respond to our authentication requests.
1 of these requests was withdrawn by the requester.
1 of these requests saw no action taken.

In 2019, we received 10 requests from individuals.

4 of these requests were approved and processed.
5 of these requests no personal data was found.
1 of these requests, the requests were not finalised because the requestors did not respond to our authentication requests.

GDPR and the RIPE NCC

GDPR on RIPE Labs

GDPR Transparency Reports

GDPR Transparency Report 2024

GDPR Transparency Report 2023

GDPR Transparency Report 2022

GDPR Transparency Report 2021

GDPR Transparency Report 2020

GDPR Transparency Report 2019