[Gnso-epdp-team] FW: FW: [Ext] Fwd: Additional language for roles and responsibilities

Marika Konings marika.konings at icann.org
Tue Nov 20 15:04:32 UTC 2018


FYI

From: "Plaut, Diane" <Diane.Plaut at corsearch.com>
Date: Tuesday, November 20, 2018 at 8:55 AM
To: Marika Konings <marika.konings at icann.org>, Thomas Rickert <epdp at gdpr.ninja>
Subject: Re: [Gnso-epdp-team] FW: [Ext] Fwd: Additional language for roles and responsibilities

Marika- I sent the clarification language and Thomas asked me to re-send it this morning.

Diane Plaut
General Counsel and Privacy Officer
Direct +1 646-899-2806 
diane.plaut at corsearch.com

220 West 42nd Street, 11th Floor, New York, NY 10036, United States
www.corsearch.com
Customer Service/Platform Support: 1 800 SEARCH1™ (1 800 732 7241)
Corsearch.USCustomerService at corsearch.com

Confidentiality Notice: This email and its attachments (if any) contain confidential information of the sender. The information is intended only for the use by the direct addressees of the original sender of this email. If you are not an intended recipient of the original sender (or responsible for delivering the message to such person), you are hereby notified that any review, disclosure, copying, distribution or the taking of any action in reliance of the contents of and attachments to this email is strictly prohibited. If you have received this email in error, please immediately notify the sender at the address shown herein and permanently delete any copies of this email (digital or paper) in your possession.



From: "Plaut, Diane" <Diane.Plaut at corsearch.com>
Date: Monday, November 19, 2018 at 9:15 AM
To: Marika Konings <marika.konings at icann.org>, Thomas Rickert <epdp at gdpr.ninja>
Subject: Re: [Gnso-epdp-team] FW: [Ext] Fwd: Additional language for roles and responsibilities

Dear Thomas-

I am unable to be on the call today due to a last-minute internal matter but suggest the following edited version (minor) that I think more accurately describes our work and the legal picture. Please let me know your thoughts or outputs from the call.

Through the course of the EPDP and the work of the EPDP Team to date, the facts have indicated that there may likely exist a joint controller relationship between the parties in issue (the Registrars, Registries and ICANN). The EPDP Team understands that the determination of a joint controller relationship between requires work at a greater level of granularity than in this report. During the further work of the EPDP and negotiations that will subsequently take place between the CPH and ICANN in relation to memorializing this relationship when entering into a Joint Controller Agreement (JCA), the parties shall conduct a detailed review of the individual processing activities and the actions to be taken by the respective parties. A clear demarcation of the processing activities covered by the JCA versus those carried out by either party outside the scope of the JCA shall be documented and reflected both in the private, as well as in the public version of the JCA.

The JCA shall ensure that the risks of data processing are shared adequately based on whose interests are concerned. Also, the JCA shall include indemnifications to ensure that no party shall ultimately be liable for another party’s wrongdoing.

The JCA shall recognize that parties are currently using third parties’ services or otherwise work with third parties, such as:

- Data Escrow Agents
- EBEROs
- Registry Service Providers
- Registrar as a Service Providers
- Resellers
- Dispute Resolution Providers
- the TMCH.

This may or may not include processing of personal data by those third parties. Where personal data is processed by third parties, the respective joint controller will need to ensure that the data processing is carried out in a way compliant with GDPR, and if needed, will enter into Data Processing Agreement(s) with said third party provider/processor. However, conditional to GDPR compliance, nothing in the JCA shall prevent the respective joint controller from engaging third parties and entering into the required agreements without further authorization from the other joint controllers.

The EPDP Team considers it out of scope of its work to prescribe in what form JCAs will be entered into, as long as a set of the minimum requirements, as specified in the EPDP Team’s report, are met. It does appear advisable, though, to create one template, which can be amended to reflect situations that are not applicable industry-wide (such as eligibility requirements for registered name holders) and that JCAs are entered into per TLD between ICANN Org, the respective Registry Operator and registrars. A potential way to facilitate contracting would be to make the JCA part of the RRA, so there would be separate tri-party agreements between ICANN Org, the Registry Operator and each registrar.

Standardized parts of the JCA should include the information that is legally required to be provided to the data subjects to allow for the use of the same language across all TLDs, as necessary.


Diane Plaut
General Counsel and Privacy Officer



From: Gnso-epdp-team <gnso-epdp-team-bounces at icann.org> on behalf of Marika Konings <marika.konings at icann.org>
Date: Monday, November 19, 2018 at 7:40 AM
To: "gnso-epdp-team at icann.org" <gnso-epdp-team at icann.org>
Subject: [Gnso-epdp-team] FW: [Ext] Fwd: Additional language for roles and responsibilities

The EPDP Team understands that a joint controller situation between ICANN Org, Registries and Registrars requires work at a greater level of granularity than in this report. During the negotiations, the parties shall conduct a detailed review of the individual processing activities and the actions to be taken by the respective parties. A clear demarcation of the processing activities covered by the JCA versus those carried out by either party outside the scope of the JCA shall be documented and reflected both in the private as well as in the public version of the JCA.

The JCA shall ensure that the risks of data processing are shared adequately based on whose interests are concerned. Also, the JCA shall include indemnifications to ensure that no party shall ultimately be liable for another party’s wrongdoing.

The JCA shall recognize that parties are currently using third parties’ services or otherwise work with third parties, such as:

- Data Escrow Agents
- EBEROs
- Registry Service Providers
- Registrar as a Service Providers
- Resellers
- Dispute Resolution Providers
- the TMCH.

This may or may not include processing of personal data by those third parties. Where personal data is processed by third parties, the respective joint controller will need to ensure that the data processing is carried out in a way compliant with GDPR. However, conditional to GDPR compliance, nothing in the JCA shall prevent the respective joint controller from engaging third parties and entering into the required agreements without further authorizations from the other joint controllers.

The EPDP Team considers it out of scope of its work to prescribe in what form JCAs will be entered into, as long as a set of the minimum requirements, as specified in the EPDP Team’s report, are met. It does appear advisable, though, to create one template, which can be amended to reflect situations that are not applicable industry-wide (such as eligibility requirements for registered name holders) and that JCAs are entered into per TLD between ICANN Org, the respective Registry Operator and registrars. A potential way to facilitate contracting would be to make the JCA part of the RRA, so there would be separate tri-partite agreements between ICANN Org, the Registry Operator and each registrar.

Standardized parts of the JCA should include the information that is legally required to be provided to the data subjects to allow for the use of the same language across all TLDs as much as possible.