[Gnso-epdp-team] Input on responsibilities

Thomas Rickert epdp at gdpr.ninja
Wed Nov 7 21:43:54 UTC 2018

Please find attached language - that will surely require further tweaking - describing the points I outlined in our call on Tuesday. Please note that I used text we wrote for the eco GDPR Domain Industry Playbook as a basis to save me some drafting work. I am not trying to sell the playbook, though, so we can completely rewrite things. 

I know that Diane, Dan, Trang and others have offered to work on this, but due to other commitments, I have not been able to consult with them because staff asked me to share something on the list today in preparation of tomorrow’s call. I am sorry for this as I would have preferred to work with a small team on this before bothering the entire group with the input.

All the best,

Changes to be made to the initial report as of line 900

EPDP Team Preliminary Recommendation #17

The EPDP Team recommends that ICANN enters into a Joint Controller Agreement (JCA) with the contracted parties. 
In addition to the legally required components of such agreement, the JCA shall specify the responsibilities of the respective parties for the processing activities as described below. Indemnification clauses shall ensure that the risk for certain data processing is borne by either one or multiple parties that have the primary interest in the processing.

Rationale and background:

The text in the attached document should follow.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Input EPDP on responsibilities.docx
Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Size: 23186 bytes
Desc: not available
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20181107/7a664b46/InputEPDPonresponsibilities-0001.docx>
-------------- next part --------------

When the table starting line 988 comes:

Instead of ICANN purposes, the following language should be used:

Purposes for processing personal data that should be governed by ICANN Org via a Consensus Policy. 
Note there are additional purposes for processing personal data, which the contracted parties might pursue, such as billing customers, but these are outside of what ICANN and its community should develop policy on or contractually enforce.

Then, as a starting point, in the “responsible party” column, we should just mention the party or parties tagged as controllers or joint controllers, but delete the words joint controller, processors or controllers, so that we only have the responsible parties listed. This, we will need to review as a team.
