<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style></head><body lang=EN-US link="#0563C1" vlink="#954F72"><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt'>Dear EPDP Team,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>In reviewing outstanding items for the Initial Report, no volunteers came forward to draft text for Charter Questions k2, l4 and m4 regarding responsibilities in processing data. Accordingly, Support Staff drafted the following proposed text: <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:11.0pt;color:black'>k) ICANN's responsibilities in processing data<o:p></o:p></span></b></p><p class=MsoNormal><span style='font-size:11.0pt;color:black'>k2) In addition to any specific duties ICANN may have as data controller, what other obligations should be noted by this EPDP Team, including any duties to registrants that are unique and specific to ICANN’s role as the administrator of policies and contracts governing gTLD domain names?<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;color:black'> <o:p></o:p></span></p><p class=MsoNormal><b><span style='font-size:11.0pt;color:black'>l) Registrar's responsibilities in processing data<o:p></o:p></span></b></p><p class=MsoNormal><span style='font-size:11.0pt;color:black'>do registrars undertake solely at ICANN's direction?<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;color:black'>l4) What are the registrar's responsibilities to the data subject with respect to data processing activities that are under ICANN’s control?<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;color:black'> <o:p></o:p></span></p><p class=MsoNormal><b><span style='font-size:11.0pt;color:black'>m) Registry's responsibilities in processing data<o:p></o:p></span></b></p><p class=MsoNormal><span style='font-size:11.0pt;color:black'>m4) What are the registry's responsibilities to the data subject based on the above?<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:11.0pt;color:black'>Proposed response:</span></b><span style='font-size:11.0pt;color:black'> </span><span style='font-size:11.0pt'>The EPDP Team took note of the GDPR requirements and notes that in instances where the EPDP Team has classified ICANN as a Controller, ICANN would be expected to comply with the law. However, the EPDP Team is not recommending additional requirements for ICANN at this time.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Similarly, the EPDP Team took note of the GDPR requirements and notes that in instances where the EPDP Team has classified Registries and Registrars as Controllers, or Processors, the Registry and/or Registrar would be expected to comply with the law. However, the EPDP Team is not recommending additional requirements for contracted parties at this time.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>--<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>The draft text is also attached for ease of marking up. Please let us know if you have any concerns with the above.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Best regards,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Marika, Berry and Caitlin<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Times New Roman",serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>