[Gnso-epdp-team] “Action item #4: Alex and Thomas to collaborate on redrafting §4.4 (introductory paragraph), Appendix A.4. and Appendix C2.”

Thu Sep 6 18:19:48 UTC 2018

Thanks Thomas.

A few high level thoughts on this.

First, regarding the challenge of not being overly GDPR specific while
still accounting for other privacy regimes my suggestion is that we
continue to reference the GDPR to remove ambiguity.  These references
should be considered an example of an/the important and relevant privacy
principle vs. an absolute reference.    (Thomas -  I think/hope this is in
line with your statement at the end of the call earlier)

Second, I'll note that you removed the reference to Article 2 (Material
Scope).   The reason we believe it is important to include this reference
is because it specifies where the GDPR doesn't apply.  By default these
discussions, and the policy we create, must be based on a concrete
understanding of the scope of GDPR.  Having said that I understand other
parts of the temp spec allow the option to apply application beyond the
scope of the GDPR.  As you know our position is that this is a bad idea -
and we can debate that when we get to it.  However I see the expansion of
scope in those instances as an exception - not the rule.

Finally, separating the purposes as you outlined (and suggested last week
by MarkSV), is a great way to progress this discussion.   At the end of the
call I believe there was a suggestion from Benedict that perhaps we need
three sections (ICANN, R&R's, 3rd parties) which I would support as it will
ensure clarify and specificity (as required by GDPR).

Thanks.
Alex

On Thu, Sep 6, 2018 at 6:05 AM Thomas Rickert <epdp at gdpr.ninja> wrote:

> Hi all,
> While Alex (and Diane) and I have discussed this and exchanged e-mail on
> this, we have not come to a final text. Nonetheless, Alex and I agreed we
> should share what we have and talk you through the points we struggled
> with.
>
> Best,
> Thomas
>
>
> However, such Processing must be in a manner that complies with the GDPR.
> In particular, the principles laid down in Art. 5 GDPR must be abided by,
> e.g. there must be a specified, explicit and legitimate purposes.
> Additionally, a legal basis from the catalogue in Art. 6 I GDPR must be
> given. These are:
>
>
>    1. a) the data subject has given consent to the processing of his or
>    her personal data for one or more specific purposes;
>    2. b) processing is necessary for the performance of a contract to
>    which the data subject is party or in order to take steps at the request of
>    the data subject prior to entering into a contract;
>    3. c) processing is necessary for compliance with a legal obligation
>    to which the controller is subject;
>    4. d) processing is necessary in order to protect the vital interests
>    of the data subject or of another natural person;
>    5. e) processing is necessary for the performance of a task carried
>    out in the public interest or in the exercise of official authority vested
>    in the controller;
>    6. f) processing is necessary for the purposes of the legitimate
>    interests pursued by the controller or by a third party, except where such
>    interests are overridden by the interests or fundamental rights and
>    freedoms of the data subject which require protection of personal data, in
>    particular where the data subject is a child.
>    7.
>
> Purposes pursued by ICANN which correspond to its own organizational
> mission and mandate:
>
> [Bulletpoint list]
>
> Purposes pursued by other interested third parties
>
> [Bulletpoint list]
> _______________________________________________
> Gnso-epdp-team mailing list
> Gnso-epdp-team at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-epdp-team

-- 
___________
*Alex Deacon*
Cole Valley Consulting
alex at colevalleyconsulting.com
+1.415.488.6009
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20180906/d3f63616/attachment-0001.html>