[Gnso-epdp-team] Recommendation 13 - Responsibilities of the Parties - email list discussion

Sun Jan 27 01:02:59 UTC 2019

Thanks Diane.

If "data protection agreements" provides sufficient flexibility, then I would suggest deleting the reference to Joint Controller Agreement.  Otherwise I would retain the Article 28 reference as I believe there are circumstances when the controller/processor relationship may be or may become relevant.

Cheers,

CD

> On 26 Jan 2019, at 02:53, Plaut, Diane <Diane.Plaut at corsearch.com> wrote:
> 
> Chris –
>  
> The change still provides flexibility by the verbiage “data protection agreements.”
>  
> Sincerely,
>  
> Diane
>  
> Diane Plaut
> General Counsel and Privacy Officer
> <image001.png>
> Direct +1 646-899-2806 
> diane.plaut at corsearch.com <mailto:diane.plaut at corsearch.com> 
> 220 West 42nd Street, 11th Floor, New York, NY 10036, United States
> www.corsearch.com <http://www.corsearch.com/> 
> Join Corsearch on   Twitter <https://twitter.com/corsearch>  Linkedin <https://www.linkedin.com/company/2593860/>  Trademarks + Brands <http://trademarksandbrands.corsearch.com/>
> Customer Service/Platform Support: 1 800 SEARCH1™ (1 800 732 7241)
> Corsearch.USCustomerService at corsearch.com <mailto:Corsearch.USCustomerService at corsearch.com>  
>  
> Confidentiality Notice: This email and its attachments (if any) contain confidential information of the sender. The information is intended only for the use by the direct addressees of the original sender of this email. If you are not an intended recipient of the original sender (or responsible for delivering the message to such person), you are hereby notified that any review, disclosure, copying, distribution or the taking of any action in reliance of the contents of and attachments to this email is strictly prohibited. If you have received this email in error, please immediately notify the sender at the address shown herein and permanently delete any copies of this email (digital or paper) in your possession.
>  
>  
> From: Gnso-epdp-team <gnso-epdp-team-bounces at icann.org <mailto:gnso-epdp-team-bounces at icann.org>> on behalf of Chris Disspain <chris at disspain.uk <mailto:chris at disspain.uk>>
> Date: Saturday, January 26, 2019 at 7:15 AM
> To: Kurt Pritz <kurt at kjpritz.com <mailto:kurt at kjpritz.com>>
> Cc: EPDP <gnso-epdp-team at icann.org <mailto:gnso-epdp-team at icann.org>>
> Subject: Re: [Gnso-epdp-team] Recommendation 13 - Responsibilities of the Parties - email list discussion
>  
> Hello All,  <>
>  
> Apologies for taking a couple of days to respond. I am concerned by:
> The EPDP Team recommends that ICANN Org negotiates and enters into required data protection agreements such as a Data Processing Agreement (GDPR Art. 28) or Joint Controller Agreement (Art. 26), as appropriate, with the Contracted Parties.
> I thought we had discussed this and agreed a way forward. I don’t understand why we would strike the reference to a Data Processing Agt and leave the reference to a Joint Controller Agt. I thought we had agreed that we needed flexibility. 
>  
> 
> Cheers, 
>  
> CD
> 
> On 23 Jan 2019, at 15:22, Kurt Pritz <kurt at kjpritz.com <mailto:kurt at kjpritz.com>> wrote:
> 
> Hi Everyone:
> With the goal of progressing on issues via email, the leadership team has considered the discussion provided during the Toronto meeting and suggests the following compromise language to address the different positions expressed. (This is a resend of an earlier email with only the subject line of the email updated.)
> Discussion 
> The language below is the same language proposed by the small team that reviewed the comments, but modified: 
> as suggested by Diane during the meeting to reflect that GDPR Art 28 is unlikely to apply in this situation, and
> by an addition (bracketed & bolded below) to reference the analysis in the Final Report that this team recommends the creation of Joint Controller Agreements, to appropriately influence the negotiation of GDPR-compliant agreements.
>  
> This language is intended to strike a balance between those preferring to leave some flexibility for ICANN Org and Contracted Parties to consider the appropriate agreements and those preferring to be specific about the type of agreement to be pursued.
> I understand this is a complex topic that might require additional discussion but it is also possible that we cannot be dispositive on this issue prior to a lengthy contract formation discussion that extends well beyond our time frames. For that reason, we are taking the liberty of making this recommendation and hope you accept it in the spirit it is offered.
> Proposed Recommendation #13 Language
> The EPDP Team recommends that ICANN Org negotiates and enters into required data protection agreements such as a Data Processing Agreement (GDPR Art. 28) or Joint Controller Agreement (Art. 26), as appropriate, with the Contracted Parties. In addition to the legally required components of such agreement, the agreement shall specify the responsibilities of the respective parties for the processing activities as described therein. Indemnification clauses shall ensure that the risk for certain data processing is borne by either one or multiple parties that determine the purpose and means of the processing. [Due consideration should be given to the analysis carried out by the EPDP Team in its Final Report.]
> Action: 
> Please indicate on the mailing list whether you have any concerns about these modifications and/or what other aspects of this recommendation should be discussed.
> Deadline: Monday, 28 January, additional email discussion might follow depending on responses. 
> Sincerely,
> Kurt
>  
> _______________________________________________
> Gnso-epdp-team mailing list
> Gnso-epdp-team at icann.org <mailto:Gnso-epdp-team at icann.org>
> https://mm.icann.org/mailman/listinfo/gnso-epdp-team <https://mm.icann.org/mailman/listinfo/gnso-epdp-team>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20190126/256950e6/attachment-0001.html>