[Gnso-epdp-team] Recommendation 13 - Responsibilities of the Parties - email list discussion
Alan Woods
alan at donuts.email
Wed Jan 30 13:40:54 UTC 2019
Dear all,
I am perplexed, if not a little bit frustrated by continuous tendency to
wordsmith matters out of existence here.
So this end, and regardless of the ultimate settling of Roles and
Responsibilities can we just go back to basic principles and remind
ourselves of the GDPR's requirements:
*Art 28:* (processor) "Processing by a processor shall be governed *by a
contract or other legal act*" *[emphasis added] *
*Art 26:* (Joint Controllers) "They shall in a transparent manner determine
their respective responsibilities for compliance with the obligations under
this Regulation, in particular as regards the exercising of the rights of
the data subject and their respective duties to provide the information
referred to in Articles 13 and 14, *by means of an arrangement between them*
" *[emphasis added] *
I appreciate this is likely where Trang's suggestion is deriving from and I
have no real issue with the concept of 'Arrangement' - but can we please be
very clear, that as a contracted party, who's lead DPA is clearly going to
be Ireland (as will also be the case for a number of other CPs), my
interpretation MUST be led by the laws which will be applicable to me,
which is the Data Protection Act, 2018
<http://www.irishstatutebook.ie/eli/2018/act/7/section/79/enacted/en/html#sec79>.
Section 79. which states:
" Where 2 or more controllers jointly determine the purposes and means of
the processing of personal data (in this Part referred to as “joint
controllers”), they shall determine their respective responsibilities for
compliance with this Part in a transparent manner* by means of an agreement
in writing between them*, save in so far as the said responsibilities are
determined by the law of the European Union or the law of the State. *[emphasis
added] *
So regardless of whether or not we are considered Processors, Controllers
or Joint controllers at some point in time, CPs will require a Contract
(or more correctly an addendum to our existing contracts) with ICANN, in
writing, that governs the processing of data.
So long as it is clear, on the record, that whatever word is used, be it
agreement, arrangement, or Ketubah, it means a legally binding instrument,
then I'm fine with it.
Kind regards,
Alan
[image: Donuts Inc.] <http://donuts.domains>
Alan Woods
Senior Compliance & Policy Manager, Donuts Inc.
------------------------------
The Victorians,
15-18 Earlsfort Terrace
Dublin 2, County Dublin
Ireland
<https://www.facebook.com/donutstlds> <https://twitter.com/DonutsInc>
<https://www.linkedin.com/company/donuts-inc>
Please NOTE: This electronic message, including any attachments, may
include privileged, confidential and/or inside information owned by Donuts
Inc. . Any distribution or use of this communication by anyone other than
the intended recipient(s) is strictly prohibited and may be unlawful. If
you are not the intended recipient, please notify the sender by replying to
this message and then delete it from your system. Thank you.
On Tue, Jan 29, 2019 at 1:18 AM Trang Nguyen <trang.nguyen at icann.org> wrote:
> Thank you, Sarah and Kristina for circulating revised text for
> recommendation 13. We would like to make one additional suggestion: replace
> “…negotiates and enters into required data protection agreements…” with
> “…develop and implement any required data protection arrangements…”
> Referring to an “arrangement” instead of an “agreement” would provide
> greater flexibility during implementation, which might take the form of an
> agreement, a policy, or a specification. Accordingly, the following
> sentence should also refer to “arrangement” instead of “agreement.”
>
> Also, we would like to ask for clarity on the sentence regarding
> indemnification. Implementation discussions will work out the details of
> allocation of responsibility and liability and it’s not clear that
> liability should necessarily always rest with the party or parties that
> determine(s) the purposes and means of processing, for example in the case
> of a data breach. We look forward to additional discussions with the EPDP
> Team on this.
>
>
>
> Dan and Trang
>
> ICANN Org Liaisons
>
>
>
> *From: *Gnso-epdp-team <gnso-epdp-team-bounces at icann.org> on behalf of
> "Rosette, Kristina via Gnso-epdp-team" <gnso-epdp-team at icann.org>
> *Reply-To: *"Rosette, Kristina" <rosettek at amazon.com>
> *Date: *Monday, January 28, 2019 at 5:14 PM
> *To: *"gnso-epdp-team at icann.org" <gnso-epdp-team at icann.org>
> *Subject: *Re: [Gnso-epdp-team] Recommendation 13 - Responsibilities of
> the Parties - email list discussion
>
>
>
> All,
>
>
>
> Subject to a friendly amendment, RySG supports the RrSG proposed text for
> Recommendation 13. Our friendly amendment is to change “shall” to “should”
> in the 3rd sentence.
>
>
>
> As revised, Recommendation 13 reads:
>
>
>
> The EPDP Team recommends that ICANN Org negotiates and enters into
> required data protection agreements, as appropriate, with the Contracted
> Parties. In addition to the legally required components of such agreement,
> the agreement shall specify the responsibilities of the respective parties
> for the processing activities as described therein. Indemnification clauses
> should ensure that the risk for certain data processing is borne by either
> one or multiple parties that determine the purpose and means of the
> processing. Due consideration should be given to the analysis carried out
> by the EPDP Team in its Final Report.
>
> Kristina
>
>
>
> *From:* Gnso-epdp-team [mailto:gnso-epdp-team-bounces at icann.org] *On
> Behalf Of *Sarah Wyld
> *Sent:* Monday, January 28, 2019 3:29 PM
> *To:* gnso-epdp-team at icann.org
> *Subject:* Re: [Gnso-epdp-team] Recommendation 13 - Responsibilities of
> the Parties - email list discussion
>
>
>
> Hello All,
>
> Here is the RrSG's proposed text for Rec 13:
>
> The EPDP Team recommends that ICANN Org negotiates and enters into
> required data protection agreements, as appropriate, with the Contracted
> Parties. In addition to the legally required components of such agreement,
> the agreement shall specify the responsibilities of the respective parties
> for the processing activities as described therein. Indemnification clauses
> shall ensure that the risk for certain data processing is borne by either
> one or multiple parties that determine the purpose and means of the
> processing. Due consideration should be given to the analysis carried out
> by the EPDP Team in its Final Report.
>
> The RrSG is aware that ICANN's status as controller, joint or independent,
> is not yet fully determined. As such, this proposed wording allows the
> flexibility to determine the appropriate type of data protection agreement
> following further input.
>
> --
>
> Sarah Wyld
>
> Domains Product Team
>
> Tucows
>
> +1.416 535 0123 Ext. 1392
>
>
>
> On 1/23/2019 6:22 PM, Kurt Pritz wrote:
>
> Hi Everyone:
>
> With the goal of progressing on issues via email, the leadership team has
> considered the discussion provided during the Toronto meeting and suggests
> the following compromise language to address the different positions
> expressed. (This is a resend of an earlier email with only the subject line
> of the email updated.)
>
> *Discussion*
>
> The language below is the same language proposed by the small team that
> reviewed the comments, but modified:
>
> - as suggested by Diane during the meeting to reflect that GDPR Art 28
> is unlikely to apply in this situation, and
> - by an addition (bracketed & bolded below) to reference the analysis
> in the Final Report that this team recommends the creation of Joint
> Controller Agreements, to appropriately influence the negotiation of
> GDPR-compliant agreements.
>
>
>
> This language is intended to strike a balance between those preferring to
> leave some flexibility for ICANN Org and Contracted Parties to consider the
> appropriate agreements and those preferring to be specific about the type
> of agreement to be pursued.
>
> I understand this is a complex topic that might require additional
> discussion but it is also possible that we cannot be dispositive on this
> issue prior to a lengthy contract formation discussion that extends well
> beyond our time frames. For that reason, we are taking the liberty of
> making this recommendation and hope you accept it in the spirit it is
> offered.
>
> *Proposed Recommendation #13 Language*
>
> The EPDP Team recommends that ICANN Org negotiates and enters into
> required data protection agreements such as a Data Processing Agreement
> (GDPR Art. 28) or Joint Controller Agreement (Art. 26), as appropriate,
> with the Contracted Parties. In addition to the legally required components
> of such agreement, the agreement shall specify the responsibilities of the
> respective parties for the processing activities as described therein.
> Indemnification clauses shall ensure that the risk for certain data
> processing is borne by either one or multiple parties that determine the
> purpose and means of the processing. [*Due consideration should be given
> to the analysis carried out by the EPDP Team in its Final Report.*]
>
> *Action:*
>
> Please indicate on the mailing list whether you have any concerns about
> these modifications and/or what other aspects of this recommendation should
> be discussed.
>
> Deadline: Monday, 28 January, additional email discussion might follow
> depending on responses.
>
> Sincerely,
>
> Kurt
>
>
>
>
>
>
> _______________________________________________
>
> Gnso-epdp-team mailing list
>
> Gnso-epdp-team at icann.org
>
> https://mm.icann.org/mailman/listinfo/gnso-epdp-team
>
> _______________________________________________
> Gnso-epdp-team mailing list
> Gnso-epdp-team at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-epdp-team
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20190130/9f1a6ac8/attachment-0001.html>
More information about the Gnso-epdp-team
mailing list