[Gnso-epdp-team] ICANN org response to EPDP question

Ayden Férdeline icann at ferdeline.com
Sat Nov 17 19:06:50 UTC 2018

Could the answer not have been, a Data Protection Impact Assessment was/is required under all three of the scenarios outlined in paragraph three of this response? Indeed, in advice from the Article 29 Working Party (attached), they suggest, "In cases where it is not clear whether a DPIA is required, the WP29 recommends that a DPIA is carried out nonetheless as a DPIA is a useful tool to help data controllers comply with data protection law."

Best wishes, Ayden

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Saturday, 17 November 2018 01:40, Caitlin Tubergen <caitlin.tubergen at icann.org> wrote:

> Dear EPDP Team,
> Below, please find ICANN org’s response to a question from today’s EPDP Meeting.
> Thank you.
> Best regards,
> Marika, Berry and Caitlin
> QUESTION:  Is ICANN.org considering doing a DPIA, given the need for them to sort out their role?
> RESPONSE: A similar [question](https://mm.icann.org/pipermail/gnso-epdp-team/2018-October/000527.html) was asked by the EPDP Team on 1 October 2018 to which ICANN org provided a response, which restated John Jeffrey’s comment on an [8 October 2018 webinar](https://participate.icann.org/p29vt2uxodx/). To recap:
> In general, a DPIA is designed to (a) describe the processing and purpose of processing of personal data, including where applicable the legitimate interest pursued by the controller, (b) assess the processing necessity and proportionality, and (c) help manage the risks to the rights and freedoms of data subjects resulting from the processing. The elements of a DPIA are more fully described in Article 35(7) of the GDPR.  Under Article 35(1), a DPIA is only required where a type of processing is “likely to result in a high risk to the rights and freedoms of natural persons”.
> ICANN org considered conducting a DPIA since early in the discussion of GDPR and gTLD registration data. One of the issues is when to do a DPIA that is most timely and useful--should the DPIA be conducted on the original requirements in the registry and registrar agreements, on the Temporary Specification which is temporary, or on the new requirements being discussed in the EPDP? We continue to evaluate whether that assessment should be performed and, if so, when.
> We are preparing some FAQs to provide further background on this topic, which we plan to publish next week. We will share with the EPDP Team a link to the FAQs once published.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: wp248_enpdf.pdf
Type: application/pdf
Size: 1051655 bytes
Desc: not available
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20181117/6dba1cf5/wp248_enpdf-0001.pdf>
