[Gnso-epdp-team] ICANN Org Response to question re. Organization field
marika.konings at icann.org
Tue Nov 20 01:38:04 UTC 2018
Dear EPDP Team,
Hereby the ICANN Org response to the following question:
Question: 1.) Has ICANN given any thought to scenarios where the „Organization“ field might contain personal information? 2.) As the Organization field shall be populated on an optional basis, has ICANN given any thought to a consent requirement or, where another legal basis than Art. 6 I a GDPR was considered, what legal basis shall be applicable based on what rationale?
Response: The organization field, which is an optional field, was one of the topics of discussion among the community during the development of the Cookbook. See sections 5.4 and 5.5 of the Cookbook<https://www.icann.org/en/system/files/files/gdpr-compliance-interim-model-08mar18-en.pdf>.
Additionally, the 5 July 2018 letter<https://www.icann.org/en/system/files/correspondence/jelinek-to-marby-05jul18-en.pdf> from the European Data Protection Board states: “The GDPR does not apply to the processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person.” Recital 14 of the GDPR states: “This Regulation does not cover the processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person.”
Registrars have always been obligated to inform and obtain consent from the registrants regarding what data elements are collected, what data elements are published, what data elements are optional, and the intended uses and recipients of the data. (See for example Section II.J.7.b<https://www.icann.org/resources/unthemed-pages/raa-1999-11-10-en#IIJ7b> in the 1999 RAA and Section 188.8.131.52<https://www.icann.org/resources/pages/approved-with-specs-2013-09-17-en#184.108.40.206> of the 2013 RAA.)
The Temporary Specification relies on 6(1)(f) as the legal basis for the mandatory publication of certain fields, including registrant organization. As noted in our original response, the registrant organization field refers to a legal person and not a natural person. The registrant may give consent for publication of additional fields, for example, the registrant name field.
In considering the applicability of the possible legal bases and after consultations with the community, it was determined that 6(1)(f) was the most appropriate legal basis to support the stated goal of complying with the GDPR while maintaining the existing WHOIS to the greatest extent possible.
This response will get added to the Q&A section on the wiki: https://community.icann.org/x/ahppBQ.
Caitlin, Berry and Marika
Vice President, Policy Development Support – GNSO, Internet Corporation for Assigned Names and Numbers (ICANN)
Email: marika.konings at icann.org<mailto:marika.konings at icann.org>
Follow the GNSO via Twitter @ICANN_GNSO
Find out more about the GNSO by taking our interactive courses<https://urldefense.proofpoint.com/v2/url?u=http-3A__learn.icann.org_courses_gnso&d=DwMGaQ&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=7_PQAir-9nJQ2uB2cWiTDDDo5Hfy5HL9rSTe65iXLVM&m=5DXgId95wrCsHi--pxTiJD7bMB9r-T5ytCn7od3CF2Q&s=Cg5uQf0yAfw-qlFZ0WNBfsLmmtBNUiH0SuI6Vg-gXBQ&e=> and visiting the GNSO Newcomer pages<https://urldefense.proofpoint.com/v2/url?u=http-3A__gnso.icann.org_sites_gnso.icann.org_files_gnso_presentations_policy-2Defforts.htm-23newcomers&d=DwMGaQ&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=7_PQAir-9nJQ2uB2cWiTDDDo5Hfy5HL9rSTe65iXLVM&m=5DXgId95wrCsHi--pxTiJD7bMB9r-T5ytCn7od3CF2Q&s=tT-E2RoAucUb3pfL9zmlbRdq1sytaEf765KOEkBVCjk&e=>.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Gnso-epdp-team