<div dir="ltr"><div dir="ltr"> Thanks Chris for this and for putting pen to paper! <div><br></div><div>Note as it is still early in the US, I have not been able to fully canvas my colleagues on this, so this is just my own observations at this point. As much as I appreciate this, I do fear it does not provide us with anything more than a restatement of the recital. If we are aiming for this to be meaningful, it needs more. I am unsure as to how this "guidance" operationally provides any help to a CP to voluntarily follow this guidance - it merely says they should follow the law - which I hope we all agree is a truism, and does not reach the level of guidance. This is all about the <b><i><u>what</u></i></b>, and not the <b><i><u>how </u></i></b>and doesn't tend to provide any detail as to a reliable method, as there is no real input as to what a reasonable safeguard actually is, or even what we are safeguarding against in truth. </div><div><br></div><div>As the public comment noted, and as I hope we have been consistently open on, the RYSG continues to be supportive of guidance as the outlining of the legal obligations may be helpful for some CPs who are not as familiar with the expectations of data privacy law - but we continue to hold reservations as to the true utility of the guidance, as although well meaning, lacks any true guidance as to how to practically achieve such objectives. I mean this as no slight to the efforts of the team, but a large portion of this guidance is simply written as a statement of an outcome, and not how to arrive safely at that outcome. </div><div><br></div><div><br></div><div>Although I do not wish to create anything that could be considered as 'legal advice' (as this will create massive liability for ICANN in both enforcement and expectation), I do think we should not try to reinvent the wheel here. Why not just borrow heavily from the actual wording as used by the EDPB in their letter of 5th July 2018. (<a href="https://edpb.europa.eu/sites/default/files/files/file1/icann_letter_en.pdf" target="_blank">https://edpb.europa.eu/sites/default/files/files/file1/icann_letter_en.pdf</a>) paragraph 3. I understand that Laureen expressed a belief that the recitals of the GDPR were of more a persuasive authority than the letter of the EDPB; however, given that the EPDB are the body tasked with enforcement, and they have not only referenced recital 14, but expanded on the interpretation therein, it would be remiss of us to exclude it. I personally welcomed the additional insight into the recital from their primary 'enforcement' POV. I have had a stab at tailoring it to make it provide guidance, whilst still accepting that there may be more than one way to achieve this (hence why this MUST be voluntary, as to say otherwise will make this legal advice). It still does not engage in much of the HOW, but it provides more detail as to the WHY, to enable the CPs to individually consider how they can rise to the challenge, if they feel they can. </div><div><br></div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><i><font color="#0000ff">"The GDPR does not apply to the processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person.[FN: Recital 14, GDPR] While the contact details of a legal person are outside the scope of the GDPR, the contact details concerning natural persons are within the scope of the GDPR, as well as any other information relating to an identified or identifiable natural person [FN Art 4(1), GDPR] , The mere fact that a registrant is a legal person does not necessarily justify unlimited publication of personal data relating to natural persons who work for or represent that organization, such as natural persons who manage administrative or technical issues on behalf of the registrant. </font></i></div><div><i><font color="#0000ff"><br></font></i></div><div><i><font color="#0000ff">For example, the publication of the personal email address of a technical contact person consisting of <a href="mailto:firstname.lastname@company.com">firstname.lastname@company.com</a> can reveal information regarding their current employer as well as their role within the organization. Together with the address of the registrant, it may also reveal information about his or her place of work. In light of these considerations, personal data capable of identifying individual employees (or third parties) acting on behalf of the registrant should not be made publicly available by default in the context of WHOIS/RDAP. Any publication by a contracted party must include sufficient safeguards to prevent the identification of any such natural person, directly or indirectly (e.g. use of clearly generic contact email information "<a href="mailto:admin@domain.com">admin@domain.com</a>").</font></i></div></blockquote><div><br></div><div><br></div><div>I hope this is constructive. </div><div><br></div><div><br></div><div>Alan </div><div><br></div><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div></div></div></div></div></div></div></div><div dir="ltr"><div style="font-family:sans-serif;font-size:13px"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div><table style="padding:0px;margin:10px 0px;border:none"><tbody><tr><td style="vertical-align:middle;padding:0px 7px 0px 0px"><a href="http://donuts.domains/" rel="nofollow" style="color:rgb(17,85,204)" target="_blank"><img alt="Donuts Inc." height="75" src="https://storage.googleapis.com/signaturesatori/customer-C02zzlf7k/images/-54f9d8ac97e7f575bf497d10ac1f1aafafddf8afceab5f269d49034f01b3217b.png" width="75"></a></td><td style="vertical-align:middle;padding:0px 7px 0px 0px"><div style="font-family:tahoma,sans-serif;font-size:14px;line-height:17px;font-weight:bold;color:black"></div><div><table style="font-family:Arial,Helvetica,sans-serif;padding:0px;margin:10px 0px;border:none"><tbody><tr><td style="vertical-align:middle;padding:0px 7px 0px 0px"><div style="font-family:tahoma,sans-serif;font-size:14px;line-height:17px;font-weight:bold;color:black"><span style="font-size:12px"><span style="font-family:arial,helvetica,sans-serif"><span style="color:rgb(51,51,51)"><br>Alan Woods</span></span></span></div><div><span style="font-size:12px"><span style="font-family:arial,helvetica,sans-serif"><span style="color:rgb(51,51,51)">Senior Manager, Compliance & Policy, Donuts Inc.</span></span></span> <hr><div></div></div></td></tr></tbody></table><div style="color:rgb(136,136,136)"><span style="font-size:11px"><span style="color:rgb(51,51,51)">Donuts</span></span></div><div style="color:rgb(136,136,136)"><span style="font-size:11px"><span style="color:rgb(51,51,51)">Ground Floor</span></span></div><div style="color:rgb(136,136,136)"><span style="font-size:11px"><span style="color:rgb(51,51,51)">Le Pole House</span></span></div><div style="color:rgb(136,136,136)"><span style="font-size:11px"><span style="color:rgb(51,51,51)">Ship Street Great</span></span></div><div style="color:rgb(136,136,136)"><span style="font-size:11px"><span style="color:rgb(51,51,51)">Dublin 8</span></span></div></div><div><br><span style="font-size:11px"><span style="font-family:arial,helvetica,sans-serif"></span></span><br><span style="line-height:36px"><a href="https://www.facebook.com/donutstlds" rel="nofollow" style="color:rgb(17,85,204)" target="_blank"><img src="http://storage.googleapis.com/signaturesatori/icons/facebook.png"></a> <a href="https://twitter.com/DonutsInc" rel="nofollow" style="color:rgb(17,85,204)" target="_blank"><img src="http://storage.googleapis.com/signaturesatori/icons/twitter.png"></a> </span><a href="https://www.linkedin.com/company/donuts-inc" rel="nofollow" style="color:rgb(17,85,204)" target="_blank"><span style="font-size:14px"><img src="http://storage.googleapis.com/signaturesatori/icons/linkedin.png"></span></a></div></td></tr></tbody></table><br></div><div><span style="font-size:12pt;font-family:Cambria,serif">Please NOTE: This electronic message, including any attachments, may include privileged, confidential and/or inside information owned by Donuts Inc. . </span><span style="font-size:12pt;font-family:Cambria,serif">Any distribution or use of this communication by anyone other than the intended recipient(s) is strictly prohibited and may be unlawful. If you are not the intended recipient, please notify the sender by replying to this message and then delete it from your system. Thank you.</span><br></div></div></div></div></div></div></div><div dir="ltr"><br><div><br></div></div></div></div></div></div></div><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Aug 12, 2021 at 11:57 AM LEWIS-EVANS, Christopher via Gnso-epdp-team <<a href="mailto:gnso-epdp-team@icann.org">gnso-epdp-team@icann.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div lang="EN-GB">
<p><span style="font-family:"microsoft sans serif";color:red;font-size:10pt"><b>OFFICIAL
</b></span></p>
<div class="gmail-m_-4733305962724484996WordSection1">
<p class="MsoNormal" style="margin-left:36pt"><span lang="EN-US" style="font-size:14pt;font-family:Arial,sans-serif;color:black">Suggested text for recommendation 4 as discussed on the last call, believe it should go between current 2 and 3.<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:36pt"><span lang="EN-US" style="font-size:14pt;font-family:Arial,sans-serif;color:black"><u></u> <u></u></span></p>
<p class="MsoNormal" style="margin-left:36pt"><span lang="EN-US" style="font-size:14pt;font-family:Arial,sans-serif;color:black">Thanks<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:36pt"><span lang="EN-US" style="font-size:14pt;font-family:Arial,sans-serif;color:black">Chris<u></u><u></u></span></p>
<p class="MsoNormal" style="margin-left:36pt"><span lang="EN-US" style="font-size:14pt;font-family:Arial,sans-serif;color:black"><u></u> <u></u></span></p>
<p class="MsoNormal" style="margin-left:36pt"><span lang="EN-US" style="font-size:14pt;font-family:Arial,sans-serif;color:black"><u></u> <u></u></span></p>
<p class="MsoNormal" style="margin-left:36pt"><span lang="EN-US" style="font-size:14pt;font-family:Arial,sans-serif;color:black"><u></u> <u></u></span></p>
<p class="MsoNormal" style="margin-left:36pt"><span lang="EN-US" style="font-size:14pt;font-family:Arial,sans-serif;color:black"><u></u> <u></u></span></p>
<p class="MsoNormal" style="margin-left:36pt"><span lang="EN-US" style="font-size:14pt;font-family:Arial,sans-serif;color:black">The GDPR protects natural persons in relation to the processing of their personal data. "It does not cover the processing
of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person." This allows for disclosure of legal persons’ data because
it is outside the remit of GDPR. Nevertheless, when processing legal persons’ data, safeguards should be put in place to ensure that personally identifying data about a natural person is not disclosed within data marked as a legal person.<u></u><u></u></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10pt;font-family:Verdana,sans-serif"><u></u> <u></u></span></p>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<p align="left"><span></span></p><p align="left">
<span style="line-height:115%;font-size:11pt"><font face="Verdana" size="2">This information is supplied in confidence by the NCA. The
NCA is not listed as a Public Authority under the Freedom of Information Act
2000. Any information supplied by, or relating to, the NCA is also subject to
an absolute exemption.</font></span></p><p align="left"><font size="2"> </font><span style="line-height:115%;font-size:11pt"><font face="Verdana" size="2">It may also be subject to exemption under other UK
legislation. Onward disclosure may be unlawful, for example, under data
protection legislation. Requests for disclosure to the public must be<span style="color:black"> r</span>eferred to the NCA FOI single point of contact, by
email on </font><a href="mailto:StatutoryDisclosureTeam@nca.gov.uk" target="_blank"><font color="#0000ff" face="Verdana" size="2">StatutoryDisclosureTeam@nca.gov.uk</font></a><font face="Verdana"><font size="2">.<span style="color:black"> </span>All email sent and received by the NCA is
scanned and subject to assessment. Messages sent or received by NCA staff are
not private and may be the subject of lawful business monitoring. Email may be
passed at any time and without notice to an appropriate branch within the NCA,
on authority from the Director General or their Deputy for analysis. This email
and any files transmitted with it are intended solely for the individual or entity
to whom they are addressed. If you have received this message in error, please
contact the sender as soon as possible.</font> </font></span></p><p> </p>
</div>
_______________________________________________<br>
Gnso-epdp-team mailing list<br>
<a href="mailto:Gnso-epdp-team@icann.org" target="_blank">Gnso-epdp-team@icann.org</a><br>
<a href="https://mm.icann.org/mailman/listinfo/gnso-epdp-team" rel="noreferrer" target="_blank">https://mm.icann.org/mailman/listinfo/gnso-epdp-team</a><br>
_______________________________________________<br>
By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (<a href="https://www.icann.org/privacy/policy" rel="noreferrer" target="_blank">https://www.icann.org/privacy/policy</a>) and the website Terms of Service (<a href="https://www.icann.org/privacy/tos" rel="noreferrer" target="_blank">https://www.icann.org/privacy/tos</a>). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.</blockquote></div></div>