<div dir="ltr">With respect to enforcement, presumably some complaint process and usage monitoring would be in place and the operator would retain the right to cut someone off if they were abusing the system? </div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Oct 7, 2019 at 1:48 PM Alan Woods &lt;alan@donuts.email&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Thanks all for the discussion on this. The core question is: what is this statement actually safeguarding?<div><br></div><div>Taken at its simplest, we are asking the disclosee to undertake, on the record, that they shall process the data as the law permits (the question of 'proper' retention periods is a mere subset of this); unless we have evidence to the contrary which tends to confirm that this is not the case (past complaints, convictions etc.), it is not in our power to verify this statement (unless of course we are so empowered by the relevant national powers that be). <div><br></div><div>I agree with Marc: we must place a realistic emphasis on the ability to enforce (as the gating questions rightly noted). If we merely pay lip service to a confirmation that the entity or person to whom we are disclosing data is 'compliant' with applicable data protection law, a 'tick box' assertion is of little value in assessing legality. We would require some form of objective proof for this assertion to mitigate <b><i>legal liability</i></b>. Definitely agree that it is worthwhile to get the assertion as a matter of <b><i>contractual obligation</i></b>, as it enables a disclosing controller to call in an indemnity for a breach of this condition in the contract; but it provides little or no comfort to the disclosing controller as to whether that disclosure is legally permitted or not. 
This is falling into that trap of legal liability vs. getting an indemnification in the contract. </div><div><br></div><div>In short, I approve of us asking the question, 'are you compliant with the law?' It is a good assertion to get on the record, <b><u><i>BUT</i></u></b> I would suggest having the answer does not really make our action to disclose more likely to be 'legally sound', it just makes it easier for us to claim indemnification for a breach of contract. </div><div><br></div><div>Sorry - long winded, but I think we should get our 'safe-guard' priorities straight here!</div><div><br></div><div>Alan</div><div><br></div><div> <br clear="all"><div><div dir="ltr"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><table style="padding:0px;margin:10px 0px;border:none"><tbody><tr><td style="vertical-align:middle;padding:0px 7px 0px 0px"><a href="http://donuts.domains" rel="nofollow" target="_blank"><img alt="Donuts Inc." height="75" src="https://storage.googleapis.com/signaturesatori/customer-C02zzlf7k/images/-54f9d8ac97e7f575bf497d10ac1f1aafafddf8afceab5f269d49034f01b3217b.png" width="75"></a></td><td style="vertical-align:middle;padding:0px 7px 0px 0px;text-align:left">
<div style="font-family:tahoma,sans-serif;font-size:14px;line-height:17px;font-weight:bold;color:black"><span style="font-size:12px"><span style="font-family:arial,helvetica,sans-serif"><span style="color:rgb(51,51,51)">Alan Woods</span></span></span></div>
<div><span style="font-size:12px"><span style="font-family:arial,helvetica,sans-serif"><span style="color:rgb(51,51,51)">Senior Compliance & Policy Manager, Donuts Inc.</span></span></span>
<hr><span style="font-size:11px"><span style="font-family:arial,helvetica,sans-serif"><span style="color:rgb(51,51,51)">The Victorians, </span></span></span></div><div><font color="#333333" face="arial, helvetica, sans-serif"><span style="font-size:11px">15-18 Earlsfort Terrace<br style="background-color:rgb(34,34,34)">
Dublin 2, County Dublin</span></font><br style="color:rgb(214,214,214);font-family:'open sans';font-size:12px;background-color:rgb(34,34,34)"><font color="#333333" face="arial, helvetica, sans-serif"><span style="font-size:11px">
Ireland</span></font><br>
<span style="font-size:11px"><span style="font-family:arial,helvetica,sans-serif"></span></span><br>
<span style="line-height:36px"><a href="https://www.facebook.com/donutstlds" rel="nofollow" target="_blank"><img src="http://storage.googleapis.com/signaturesatori/icons/facebook.png"></a> <a href="https://twitter.com/DonutsInc" rel="nofollow" target="_blank"><img src="http://storage.googleapis.com/signaturesatori/icons/twitter.png"></a> </span><a href="https://www.linkedin.com/company/donuts-inc" rel="nofollow" target="_blank"><span style="font-size:14px"><img src="http://storage.googleapis.com/signaturesatori/icons/linkedin.png"></span></a></div>
</td></tr></tbody></table><br>
</div><div><span style="font-size:12pt;font-family:Cambria,serif">Please NOTE: This electronic message, including any attachments, may include privileged, confidential and/or inside information owned by Donuts Inc. </span><span style="font-size:12pt;font-family:Cambria,serif">Any distribution or use of this communication by anyone other than the intended recipient(s) is strictly prohibited and may be unlawful. If you are not the intended recipient, please notify the sender by replying to this message and then delete it from your system. Thank you.</span><br></div></div></div></div></div></div></div></div></div></div><br></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Oct 7, 2019 at 5:03 PM Volker Greimann &lt;<a href="mailto:vgreimann@key-systems.net" target="_blank">vgreimann@key-systems.net</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF">
<p>In fact this raises an interesting question, as processing "in
accordance with applicable law" may not be sufficient, for example
if the strict rules of a data protection regime the disclosing
party is subject to for some reason do not apply to the
requesting party. <br>
</p>
<p>The standard that we do want, and which I think is appropriate, is
"in accordance with data protection standards equal/equivalent to
or greater than the standards applicable to the data subject and
the disclosing party".</p>
<p>Thoughts?</p>
<p><br>
</p>
<p>Volker<br>
</p>
<div>On 04.10.2019 at 23:14, Anderson, Marc via Gnso-epdp-team wrote:<br>
</div>
<blockquote type="cite">
<div>
<p class="MsoNormal"><span style="font-size:11pt">EPDP Team,</span></p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"><span style="font-size:11pt">I’m still
uncomfortable with the language in Building Block E on
retention and destruction of data.</span></p>
<p class="MsoNormal"> </p>
<p class="MsoNormal" style="margin-left:0.5in"><span style="color:black">The EPDP Team recommends that requestors
must confirm that they will store, protect and dispose of
the gTLD registration data in accordance with applicable
law. The requirements for data retention and destruction may
differ based on the purpose for which the data is retained;
accordingly, data processing arrangements (for example,
arrangements between the requestor and its accrediting body
or arrangements between the requestor and the controller)
are expected to contain further details with regard to the
requirements for the retention and destruction of gTLD
registration data.</span></p>
<p class="MsoNormal" style="margin-left:0.5in"> </p>
<div style="border-top:1pt solid black;border-right:1pt solid black;border-left:1pt solid black;border-bottom:none;padding:1pt 4pt 0in;margin-left:0.5in;margin-right:0in">
<p class="MsoNormal" style="border:none;padding:0in"><i><span style="color:black">Comments / concerns / questions to
be considered in relation to building block e):</span></i></p>
</div>
<div style="border-top:none;border-left:1pt solid black;border-bottom:none;border-right:1pt solid black;padding:0in 4pt;margin-left:0.5in;margin-right:0in">
<p class="MsoNormal" style="margin-left:0.25in;vertical-align:baseline;border:none;padding:0in">
<span style="font-size:10pt;font-family:Symbol;color:black">· </span><i><span style="color:black">How would this be enforced? Could
accreditation be used to track and enforce?</span></i></p>
</div>
<div style="border-right:1pt solid black;border-bottom:1pt solid black;border-left:1pt solid black;border-top:none;padding:0in 4pt 1pt;margin-left:0.5in;margin-right:0in">
<p class="MsoNormal" style="margin-left:0.25in;vertical-align:baseline;border:none;padding:0in">
<span style="font-size:10pt;font-family:Symbol;color:black">· </span><i><span style="color:black">Consider changing “such as GDPR” to
“including the GDPR”.</span></i></p>
</div>
<p class="MsoNormal" style="margin-left:0.5in"> </p>
<p class="MsoNormal"><span style="font-size:11pt">I’m ok with
the first sentence. The language updated to read “in
accordance with applicable law” is an improvement and
addresses the second bullet point from the comments/concerns
box. To note, we haven’t addressed the first bullet in the
comments/concerns box on enforcement yet.</span></p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"><span style="font-size:11pt">One concept
we have discussed but isn’t captured here is that the gTLD
registration data should be retained only as long as
necessary to achieve the purpose stated during the
disclosure request. The first sentence may be meant to
imply that, but I think this building block would benefit
from having that explicitly stated.</span></p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"><span style="font-size:11pt">The second
sentence I have a hard time following and a harder time
figuring out how it would be implemented in practice. The
first bit seems to be aimed at stating our agreed
understanding that we cannot define in policy fixed
durations around the retention and destruction of the data.
Some requests may not require any retention while others may
need years. There seems to be agreement that retention will need
to be determined on a case by case basis. This seems like
more of a foundational concept better suited to a Principle
than part of a Building Block. I suggest creating a new
Principle for this concept and removing it from the Building
Block.</span></p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"><span style="font-size:11pt">We are
expected to define the requirements for retention and
destruction but the second bit seems to avoid that
altogether, saying some yet to be defined data processing
arrangements will contain the details of the requirements.
I have a particularly hard time imagining what an
implementation team would make of that sentence.</span></p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"><span style="font-size:11pt">In
parenthesis are two examples, the first being a potential
arrangement between the requestor and its accrediting body.
I don’t recall that we’ve discussed this in terms of a data
processing arrangement, but we have discussed how, in order
to be accredited, an accrediting body might require
adherence to a code of conduct. Such a code of conduct
might include specifics on data retention and destruction.
For example:</span></p>
<p class="MsoNormal"> </p>
<ul style="margin-top:0in" type="disc">
<li style="margin-left:0in"><span style="font-size:11pt">Requestors agree that they will
store, protect and dispose of the gTLD registration data
in accordance with applicable law</span></li>
<li style="margin-left:0in"><span style="font-size:11pt">Requestors agree that they will
only retain the gTLD registration data for as long as
necessary to achieve the purpose stated in the disclosure
request</span></li>
</ul>
<p class="MsoNormal"> </p>
<p class="MsoNormal"><span style="font-size:11pt">If that is
what is meant here, the building block should state that.</span></p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"><span style="font-size:11pt">The second
example seems to suggest a data processing arrangement
between the requestor and the controller. I don’t recall
this being something we discussed specifically, and it could
potentially become unwieldy if it means every requestor
needs a contract with the controller. If on the other hand
this could be accomplished by including something along the
lines of the above bullet points in a Terms of Use document,
that might work. Again, if this is what is meant, the
building block should state as much.</span></p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"><span style="font-size:11pt">Thanks,</span></p>
<p class="MsoNormal"><span style="font-size:11pt">Marc</span></p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"> </p>
<div>
<div style="border-right:none;border-bottom:none;border-left:none;border-top:1pt solid rgb(225,225,225);padding:3pt 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11pt">From:</span></b><span style="font-size:11pt"> Gnso-epdp-team
<a href="mailto:gnso-epdp-team-bounces@icann.org" target="_blank">&lt;gnso-epdp-team-bounces@icann.org&gt;</a>
<b>On Behalf Of </b>Caitlin Tubergen<br>
<b>Sent:</b> Friday, September 27, 2019 4:28 PM<br>
<b>To:</b> <a href="mailto:gnso-epdp-team@icann.org" target="_blank">gnso-epdp-team@icann.org</a><br>
<b>Subject:</b> [EXTERNAL] [Gnso-epdp-team] Updated
building block E - retention and destruction of data</span></p>
</div>
</div>
<p class="MsoNormal"> </p>
<p class="MsoNormal"><span style="font-size:11pt">Dear EPDP
Team:</span></p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"><span style="font-size:11pt">Further to
EPDP Support Staff’s action, please find
<a href="https://docs.google.com/document/d/1WMhllLz5Zgm42C4Jfjiqinu32Jwiu_lhuBorzeuBKuA/edit" target="_blank">
the updated version of Building Block E (retention and
destruction of data)</a>. The edits intend to capture the
Team’s discussion from the last meeting.</span></p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"><span style="font-size:11pt">As the
building block is in the form of a Google Doc, please
provide suggested edits directly in the document by
<b>Monday, 7 October</b>.</span></p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"><span style="font-size:11pt">Thank you.</span></p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"><span style="font-size:11pt">Best
regards,</span></p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"><span style="font-size:11pt">Marika,
Berry, and Caitlin</span></p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"> </p>
</div>
<br>
<fieldset></fieldset>
<pre>_______________________________________________
Gnso-epdp-team mailing list
<a href="mailto:Gnso-epdp-team@icann.org" target="_blank">Gnso-epdp-team@icann.org</a>
<a href="https://mm.icann.org/mailman/listinfo/gnso-epdp-team" target="_blank">https://mm.icann.org/mailman/listinfo/gnso-epdp-team</a>
_______________________________________________
By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list in accordance with the ICANN Privacy Policy (<a href="https://www.icann.org/privacy/policy" target="_blank">https://www.icann.org/privacy/policy</a>) and the website Terms of Service (<a href="https://www.icann.org/privacy/tos" target="_blank">https://www.icann.org/privacy/tos</a>). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.</pre>
</blockquote>
<div>-- <br>
Volker A. Greimann<br>
General Counsel and Policy Manager<br>
<strong style="border-bottom:3px solid rgb(92,70,181)">KEY-SYSTEMS GMBH</strong><br>
<br>
T: +49 6894 9396901<br>
M: +49 6894 9396851<br>
F: +49 6894 9396851<br>
W: <a href="http://www.key-systems.net" target="_blank">www.key-systems.net</a><br>
<br>
Key-Systems GmbH is a company registered at the local court of
Saarbruecken, Germany with the registration no. HR B 18835<br>
CEO: Alexander Siffrin<br>
<br>
Part of the CentralNic Group PLC (LON: CNIC) a company registered
in England and Wales with company number 8576358.</div>
</div>
</blockquote></div>
</blockquote></div>