[Gnso-epdp-team] FW: [Ext] Fwd: Additional language for roles and responsibilities
marika.konings at icann.org
Mon Nov 19 12:40:07 UTC 2018
Please see email from Thomas below which may not have made it to the list.
Caitlin, Berry and Marika
Begin forwarded message:
From: Thomas Rickert <thomas at rickert.net>
Subject: Additional language for roles and responsibilities
Date: 18 November 2018 at 21:59:10 CET
To: "gnso-epdp-team at icann.org" <gnso-epdp-team at icann.org>
Cc: Thomas Rickert <thomas at rickert.net>
As discussed during our last call, please find below an additional paragraph to be inserted after line 1628, i.e. at the end of Recommendation #13.
The challenge was to keep the language concise, yet cover the most urgent operational questions that came up, while not stepping over the line and doing work outside the picket fence. You will decide whether these parameters were met in the language below, but I hope it will at least serve as a starting point for our discussions.
The EPDP Team understands that a joint controller situation between ICANN Org, Registries and Registrars requires work at a greater level of granularity than in this report. During the negotiations, the parties shall conduct a detailed review of the individual processing activities and the actions to be taken by the respective parties. A clear demarcation of the processing activities covered by the JCA versus those carried out by either party outside the scope of the JCA shall be documented and reflected both in the private as well as in the public version of the JCA.
The JCA shall ensure that the risks of data processing are shared adequately based on whose interests are concerned. Also, the JCA shall include indemnifications to ensure that no party shall ultimately be liable for another party’s wrongdoing.
The JCA shall recognize that parties are currently using third parties’ services or otherwise work with third parties, such as
- Data Escrow Agents
- Registry Service Providers
- Registrar as a Service Providers
- Dispute Resolution Providers
- the TMCH.
This may or may not include processing of personal data by those third parties. Where personal data is processed by third parties, the respective joint controller will need to ensure that the data processing is carried out in a way compliant with GDPR. However, conditional to GDPR compliance, nothing in the JCA shall prevent the respective joint controller from engaging third parties and entering into the required agreements without further authorizations from the other joint controllers.
The EPDP Team considers it out of scope of its work to prescribe in what form JCAs will be entered into, as long as a set of the minimum requirements as specified in the EPDP Team’s report are met. It does appear advisable, though, to create one template, which can be amended to reflect situations that are not applicable industry-wide (such as eligibility requirements for registered name holders) and that JCAs are entered into per TLD between ICANN Org, the respective Registry Operator and registrars. A potential way to facilitate contracting would be to make the JCA part of the RRA, so there would be separate tri-partite agreements between ICANN Org, the Registry Operator and each registrar.
Standardized parts of the JCA should include the information that is legally required to be provided to the data subjects to allow for the use of the same language across all TLDs as much as possible.