In order to facilitate the triage of the temporary specification as outlined in the EPDP Team charter as the first deliverable, please work with your appointing organization team members to complete the following survey. Your input is expected to be received by Monday, 6 August 2018 19:00 UTC. The language below is verbatim from the Temporary Specification for gTLD Registration Data (see https://www.icann.org/resources/pages/gtld-registration-data-specs-en).

* 1. Your name

* 3. Please consider section 1 Scope:

1.1. Terms used in this Temporary Specification are defined in Section 2.

1.2. This Temporary Specification applies to all gTLD Registry Operators and ICANN-accredited Registrars.


1.3. The requirements of this Temporary Specification supersede and replace the requirements contained in Registry Operator's Registry Agreement and Registrar's Registrar Accreditation Agreement regarding the matters contained in this Temporary Specification. To the extent there is a conflict between the requirements of this Temporary Specification and the requirements of Registry Operator's Registry Agreement and Registrar's Registrar Accreditation Agreement, the terms of this Temporary Specification SHALL control, unless ICANN determines in its reasonable discretion that this Temporary Specification SHALL NOT control. For purposes of clarity, unless specifically addressed and modified by this Temporary Specification, all other requirements and obligations within Registry Operator's Registry Agreement and Registrar's Registrar Accreditation Agreement and consensus policies remain applicable and in force.

Having reviewed this section I support this section as is:

* 4. Please consider section 2 Definitions and Interpretations:

The terms "MAY", "MUST", "MUST NOT", "REQUIRED", "RECOMMENDED", "SHALL", "SHALL NOT", "SHOULD NOT" and "SHOULD" are used to indicate the requirement level in accordance with RFC2119, which is available at http://www.ietf.org/rfc/rfc2119.txt.

"Consent", "Controller", "Personal Data", "Processing", and "Processor" SHALL have the same definition as Article 4 of the GDPR.

"gTLD" SHALL have the meaning given in the Registrar Accreditation Agreement.

"Interim Model" means the Interim Model for Compliance with ICANN Agreements and Policies in Relation to the European Union's General Data Protection Regulation published at https://www.icann.org/en/system/files/files/gdpr-compliance-interim-model-08mar18-en.pdf [PDF, 922 KB] and as may be amended from time to time.

"Registered Name" SHALL have the meaning given in the Registrar Accreditation Agreement.

"Registered Name Holder" SHALL have the meaning given in the Registrar Accreditation Agreement.

"Registrar Accreditation Agreement" means any Registrar Accreditation Agreement between a Registrar and ICANN that is based on that certain 2013 Registrar Accreditation Agreement approved by the ICANN Board on June 27, 2013 ("2013 Registrar Accreditation Agreement") or any successor to such agreements that is approved by the ICANN Board.

"Registration Data" means data collected from a natural and legal person in connection with a domain name registration.

"Registration Data Directory Services" refers to the collective of WHOIS, Web-based WHOIS, and RDAP services.

"Registry Agreement" means any gTLD registry agreement between Registry Operator and ICANN, including any Registry Agreement that is based on the new gTLD Registry Agreement approved by the ICANN Board on 2 July 2013, as amended ("Base Registry Agreement").

If a term is capitalized but not defined in this Temporary Specification, such term SHALL have the meaning given to it in the Registry Agreement or Registrar Accreditation Agreement, as applicable.

Unless otherwise specifically provided for herein, the term "or" SHALL NOT be deemed to be exclusive.

When Registry Operator and Registrar are referenced together in a provision of this Temporary Specification, each such provision represents a separate requirement and obligation of each Registry Operator and each Registrar pursuant to its respective Registry Agreement or Registrar Accreditation Agreement.

Having reviewed this section I support this section as is:

* 5. Please consider section 3 Policy Effective Date: 

This Temporary Specification is effective as of 25 May 2018.

Having reviewed this section I support this section as is:

* 6. Please consider section 4. Lawfulness and Purposes of Processing gTLD Registration Data: 

4.1. ICANN's mission, as set forth in Bylaws Section 1.1(a), is to "coordinate the stable operation of the Internet's unique identifier systems." Section 1.1(a) describes in specificity what this mission entails in the context of names. While ICANN's role is narrow, it is not limited to technical stability. Specifically, the Bylaws provide that ICANN's purpose is to coordinate the bottom-up, multistakeholder development and implementation of policies "[f]or which uniform or coordinated resolution is reasonably necessary to facilitate the openness, interoperability, resilience, security and/or stability of the DNS including, with respect to gTLD registrars and registries" [Bylaws, Section 1.1(a)(i)], which is further defined in Annex G-1 and G-2 of the Bylaws to include, among other things:

- resolution of disputes regarding the registration of domain names (as opposed to the use of such domain names, but including where such policies take into account use of the domain names);
- maintenance of and access to accurate and up-to-date information concerning registered names and name servers;
- procedures to avoid disruptions of domain name registrations due to suspension or termination of operations by a registry operator or a registrar (e.g., escrow); and
- the transfer of registration data upon a change in registrar sponsoring one or more registered names.

4.2. The Bylaws articulate that issues surrounding the provision of Registration Data Directory Services (RDDS) by Registry Operators and Registrars are firmly within ICANN's mission. The Bylaws provide further insight into the legitimate interests designed to be served by RDDS. For example, the Bylaws specifically obligate ICANN, in carrying out its mandate, to "adequately address issues of competition, consumer protection, security, stability and resiliency, malicious abuse issues, sovereignty concerns, and rights protection" [Bylaws Section 4.6 (d)]. While ICANN has neither the authority nor expertise to enforce competition or consumer protection laws, and is only one of many stakeholders in the cybersecurity ecosystem, the provision of RDDS for legitimate and proportionate uses is a critical and fundamental way in which ICANN addresses consumer protection, malicious abuse issues, sovereignty concerns, and rights protection – enforcing policies that enable consumers, rights holders, law enforcement and other stakeholders to access the data necessary to address and resolve uses that violate law or rights.

Having reviewed this section I support this section as is:

* 7. Please consider section 4. Lawfulness and Purposes of Processing gTLD Registration Data: 

4.3. Accordingly, ICANN's mission directly involves facilitation of third party Processing for legitimate and proportionate purposes related to law enforcement, competition, consumer protection, trust, security, stability, resiliency, malicious abuse, sovereignty, and rights protection. ICANN is required by Section 4.6(e) of the Bylaws, subject to applicable laws, to "use commercially reasonable efforts to enforce its policies relating to registration directory services," including by working with stakeholders to "explore structural changes to improve accuracy and access to generic top-level domain registration data," "as well as consider[ing] safeguards for protecting such data." As a result, ICANN is of the view that the collection of Personal Data (one of the elements of Processing) is specifically mandated by the Bylaws. In addition, other elements of the Processing Personal Data in Registration Data by Registry Operator and Registrar, as required and permitted under the Registry Operator's Registry Agreement with ICANN and the Registrar's Registrar Accreditation Agreement with ICANN, is needed to ensure a coordinated, stable and secure operation of the Internet's unique identifier system.

Having reviewed this section I support this section as is:

* 8. Please consider section 4. Lawfulness and Purposes of Processing gTLD Registration Data: 

4.4. However, such Processing must be in a manner that complies with the GDPR, including on the basis of a specific identified purpose for such Processing. Accordingly, Personal Data included in Registration Data may be Processed on the basis of a legitimate interest not overridden by the fundamental rights and freedoms of individuals whose Personal Data is included in Registration Data, and only for the following legitimate purposes:

4.4.1. Reflecting the rights of a Registered Name Holder in a Registered Name and ensuring that the Registered Name Holder may exercise its rights in respect of the Registered Name;

Having reviewed this section I support this section as is:

* 9. Please consider section 4. Lawfulness and Purposes of Processing gTLD Registration Data: 

4.4. However, such Processing must be in a manner that complies with the GDPR, including on the basis of a specific identified purpose for such Processing. Accordingly, Personal Data included in Registration Data may be Processed on the basis of a legitimate interest not overridden by the fundamental rights and freedoms of individuals whose Personal Data is included in Registration Data, and only for the following legitimate purposes:

4.4.2. Providing access to accurate, reliable, and uniform Registration Data based on legitimate interests not outweighed by the fundamental rights of relevant data subjects, consistent with GDPR;

Having reviewed this section I support this section as is:

* 10. Please consider section 4. Lawfulness and Purposes of Processing gTLD Registration Data: 

4.4. However, such Processing must be in a manner that complies with the GDPR, including on the basis of a specific identified purpose for such Processing. Accordingly, Personal Data included in Registration Data may be Processed on the basis of a legitimate interest not overridden by the fundamental rights and freedoms of individuals whose Personal Data is included in Registration Data, and only for the following legitimate purposes:

4.4.3. Enabling a reliable mechanism for identifying and contacting the Registered Name Holder for a variety of legitimate purposes more fully set out below;

Having reviewed this section I support this section as is:

* 11. Please consider section 4. Lawfulness and Purposes of Processing gTLD Registration Data: 

4.4. However, such Processing must be in a manner that complies with the GDPR, including on the basis of a specific identified purpose for such Processing. Accordingly, Personal Data included in Registration Data may be Processed on the basis of a legitimate interest not overridden by the fundamental rights and freedoms of individuals whose Personal Data is included in Registration Data, and only for the following legitimate purposes:

4.4.4. Enabling a mechanism for the communication or notification of payment and invoicing information and reminders to the Registered Name Holder by its chosen Registrar;

Having reviewed this section I support this section as is:

* 12. Please consider section 4. Lawfulness and Purposes of Processing gTLD Registration Data: 

4.4. However, such Processing must be in a manner that complies with the GDPR, including on the basis of a specific identified purpose for such Processing. Accordingly, Personal Data included in Registration Data may be Processed on the basis of a legitimate interest not overridden by the fundamental rights and freedoms of individuals whose Personal Data is included in Registration Data, and only for the following legitimate purposes:

4.4.5. Enabling a mechanism for the communication or notification to the Registered Name Holder of technical issues and/or errors with a Registered Name or any content or resources associated with such a Registered Name;

Having reviewed this section I support this section as is:

* 13. Please consider section 4. Lawfulness and Purposes of Processing gTLD Registration Data: 

4.4. However, such Processing must be in a manner that complies with the GDPR, including on the basis of a specific identified purpose for such Processing. Accordingly, Personal Data included in Registration Data may be Processed on the basis of a legitimate interest not overridden by the fundamental rights and freedoms of individuals whose Personal Data is included in Registration Data, and only for the following legitimate purposes:

4.4.6. Enabling a mechanism for the Registry Operator or the chosen Registrar to communicate with or notify the Registered Name Holder of commercial or technical changes in the domain in which the Registered Name has been registered;

Having reviewed this section I support this section as is:

* 14. Please consider section 4. Lawfulness and Purposes of Processing gTLD Registration Data: 

4.4. However, such Processing must be in a manner that complies with the GDPR, including on the basis of a specific identified purpose for such Processing. Accordingly, Personal Data included in Registration Data may be Processed on the basis of a legitimate interest not overridden by the fundamental rights and freedoms of individuals whose Personal Data is included in Registration Data, and only for the following legitimate purposes:

4.4.7. Enabling the publication of technical and administrative points of contact administering the domain names at the request of the Registered Name Holder;

Having reviewed this section I support this section as is:

* 15. Please consider section 4. Lawfulness and Purposes of Processing gTLD Registration Data: 

4.4. However, such Processing must be in a manner that complies with the GDPR, including on the basis of a specific identified purpose for such Processing. Accordingly, Personal Data included in Registration Data may be Processed on the basis of a legitimate interest not overridden by the fundamental rights and freedoms of individuals whose Personal Data is included in Registration Data, and only for the following legitimate purposes:

4.4.8. Supporting a framework to address issues involving domain name registrations, including but not limited to: consumer protection, investigation of cybercrime, DNS abuse, and intellectual property protection;

Having reviewed this section I support this section as is:

* 16. Please consider section 4. Lawfulness and Purposes of Processing gTLD Registration Data: 

4.4. However, such Processing must be in a manner that complies with the GDPR, including on the basis of a specific identified purpose for such Processing. Accordingly, Personal Data included in Registration Data may be Processed on the basis of a legitimate interest not overridden by the fundamental rights and freedoms of individuals whose Personal Data is included in Registration Data, and only for the following legitimate purposes:

4.4.9. Providing a framework to address appropriate law enforcement needs;

Having reviewed this section I support this section as is:

* 17. Please consider section 4. Lawfulness and Purposes of Processing gTLD Registration Data: 

4.4. However, such Processing must be in a manner that complies with the GDPR, including on the basis of a specific identified purpose for such Processing. Accordingly, Personal Data included in Registration Data may be Processed on the basis of a legitimate interest not overridden by the fundamental rights and freedoms of individuals whose Personal Data is included in Registration Data, and only for the following legitimate purposes:

4.4.10. Facilitating the provision of zone files of gTLDs to Internet users;

Having reviewed this section I support this section as is:

* 18. Please consider section 4. Lawfulness and Purposes of Processing gTLD Registration Data: 

4.4. However, such Processing must be in a manner that complies with the GDPR, including on the basis of a specific identified purpose for such Processing. Accordingly, Personal Data included in Registration Data may be Processed on the basis of a legitimate interest not overridden by the fundamental rights and freedoms of individuals whose Personal Data is included in Registration Data, and only for the following legitimate purposes:

4.4.11. Providing mechanisms for safeguarding Registered Name Holders' Registration Data in the event of a business or technical failure, or other unavailability of a Registrar or Registry Operator;

Having reviewed this section I support this section as is:

* 19. Please consider section 4. Lawfulness and Purposes of Processing gTLD Registration Data: 

4.4. However, such Processing must be in a manner that complies with the GDPR, including on the basis of a specific identified purpose for such Processing. Accordingly, Personal Data included in Registration Data may be Processed on the basis of a legitimate interest not overridden by the fundamental rights and freedoms of individuals whose Personal Data is included in Registration Data, and only for the following legitimate purposes:

4.4.12. Coordinating dispute resolution services for certain disputes concerning domain names; and

Having reviewed this section I support this section as is:

* 20. Please consider section 4. Lawfulness and Purposes of Processing gTLD Registration Data: 

4.4. However, such Processing must be in a manner that complies with the GDPR, including on the basis of a specific identified purpose for such Processing. Accordingly, Personal Data included in Registration Data may be Processed on the basis of a legitimate interest not overridden by the fundamental rights and freedoms of individuals whose Personal Data is included in Registration Data, and only for the following legitimate purposes:

4.4.13. Handling contractual compliance monitoring requests, audits, and complaints submitted by Registry Operators, Registrars, Registered Name Holders, and other Internet users.

Having reviewed this section I support this section as is:

* 21. Please consider section 4. Lawfulness and Purposes of Processing gTLD Registration Data: 

4.5. In considering whether Processing of Personal Data contained in Registration Data is consistent with Article 6(1)(f) of the GDPR, the GDPR requires ICANN to balance the legitimate interests described above with the interests, rights, and freedoms of the affected data subject. ICANN finds that the Processing is proportionate for the following reasons:

4.5.1. The Processing of the limited Personal Data identified in this Temporary Specification is necessary to achieve the legitimate interests identified, as documented in many stakeholder comments and submissions over the course of a 12-month community consultation. This Processing specifically includes the retention of Personal Data already collected and the ongoing collection of Personal Data;

4.5.2. The tiered/layered access framework for RDDS identified in the Interim Model, and implemented in this Temporary Specification, is specifically designed to minimize the intrusiveness of Processing while still permitting necessary Processing;

4.5.3. Processing under the tiered/layered access framework as required by this Temporary Specification minimizes the risk of unauthorized and unjustified Processing;

4.5.4. This Temporary Specification contains requirements to ensure that Registered Names Holders are notified about the contemplated Processing and about their rights with respect to such Processing;

4.5.5. This Temporary Specification contains requirements to ensure that appropriate records of Processing activities will be maintained to meet the accountability obligations set forth in the GDPR.

Having reviewed this section I support this section as is:

* 22. Please consider Appendix A: Registration Data Directory Services: 

1. Registration Data Directory Services
This Section modifies the relevant requirements of following: (i) the Registration Data Directory Service (WHOIS) Specification of the 2013 Registrar Accreditation Agreement; (ii) in the case of a Registry Agreement that is modeled after the Base Registry Agreement, Section 1 of Specification 4 of the Base Registry Agreement; (iii) in the case of a Registry Agreement that is not modeled on the Base Registry Agreement, the provisions of such Registry Agreement that are comparable to the provisions of Section 1 of Specification 4 of the Base Registry Agreement; and (iv) provision 10 of the Registry Registration Data Directory Services Consistent Labeling and Display Policy.

1.1. Registrar and Registry Operator MUST operate a Registration Data Access Protocol (RDAP) service. ICANN and the community will define the appropriate profile(s) by 31 July 2018. ICANN will subsequently give notice to implement such service, and Registrar and Registry Operator SHALL implement the service no later than 135 days after being requested by ICANN. Registrar and Registry Operator MAY operate a pilot RDAP service before the date upon which an RDAP service is required.

1.2. RDDS Search Capabilities

1.2.1. Where search capabilities are permitted and offered, Registry Operator and Registrar MUST: (1) ensure such search capability is in compliance with applicable privacy laws or policies; (2) only permit searches on data otherwise available to the querying user, based on whether the user only has access to data publicly available in RDDS or whether the user has access to non-public Registration Data; (3) only provide results otherwise available to the querying user based on whether the user only has access to data publicly available in RDDS or whether the user has access to non-public Registration Data; and (4) ensure such search capability is otherwise consistent with the requirements of this Temporary Specification regarding access to public and non-public Registration Data.

1.2.2. Where search capabilities are permitted and offered, Registry Operator and Registrar MUST offer search capabilities on the web-based Directory Service and the RDAP service (when implemented).

Having reviewed this section I support this section as is:

* 23. Please consider Appendix A: Registration Data Directory Services: 

2. Requirements for Processing Personal Data in Public RDDS Where Processing is Subject to the GDPR

2.1. Registry Operator (except where Registry Operator operates a "thin" registry) and Registrar MUST apply the requirements in Sections 2 and 4 of this Appendix to Personal Data included in Registration Data where:
i. the Registrar or Registry Operator is established in the European Economic Area (EEA) as provided in Article 3(1) GDPR and Process Personal Data included in Registration Data;
ii. the Registrar or Registry Operator is established outside the EEA and offers registration services to Registered Name Holders located in the EEA as contemplated by Article 3(2) GDPR that involves the Processing of Personal Data from registrants located in the EEA; or
iii. the Registrar or Registry Operator is located outside the EEA and Processes Personal Data included in Registration Data and where the Registry Operator or Registrar engages a Processor located within the EEA to Process such Personal Data.

2.2. For fields that Sections 2.3 and 2.4 of this Appendix requires to be "redacted", Registrar and Registry Operator MUST provide in the value section of the redacted field text substantially similar to the following: "REDACTED FOR PRIVACY". Prior to the required date of implementation of RDAP, Registrar and Registry Operator MAY: (i) provide no information in the value section of the redacted field; or (ii) not publish the redacted field.

2.3. In responses to domain name queries, Registrar and Registry Operator MUST treat the following Registrant fields as "redacted" unless the Registered Name Holder has provided Consent to publish the Registered Name Holder's data:
- Registry Registrant ID
- Registrant Name
- Registrant Street
- Registrant City
- Registrant Postal Code
- Registrant Phone
- Registrant Phone Ext
- Registrant Fax
- Registrant Fax Ext

Having reviewed this section I support this section as is:

* 24. Please consider Appendix A: Registration Data Directory Services: 

2. Requirements for Processing Personal Data in Public RDDS Where Processing is Subject to the GDPR
2.4. In responses to domain name queries, Registrar and Registry Operator MUST treat the following fields as "redacted" unless the contact (e.g., Admin, Tech) has provided Consent to publish the contact's data:
- Registry Admin/Tech/Other ID
- Admin/Tech/Other Name
- Admin/Tech/Other Organization
- Admin/Tech/Other Street
- Admin/Tech/Other City
- Admin/Tech/Other State/Province
- Admin/Tech/Other Postal Code
- Admin/Tech/Other Country
- Admin/Tech/Other Phone
- Admin/Tech/Other Phone Ext
- Admin/Tech/Other Fax
- Admin/Tech/Other Fax Ext

2.5. In responses to domain name queries, in the value of the "Email" field of every contact (e.g., Registrant, Admin, Tech):

2.5.1. Registrar MUST provide an email address or a web form to facilitate email communication with the relevant contact, but MUST NOT identify the contact email address or the contact itself.

2.5.1.1. The email address and the URL to the web form MUST provide functionality to forward communications received to the email address of the applicable contact.

2.5.1.2. Registrar MAY implement commercially reasonable safeguards to filter out spam and other form of abusive communications.

2.5.1.3. It MUST NOT be feasible to extract or derive the email address of the contact from the email address and the URL to the web form provided to facilitate email communication with the relevant contact.

2.5.2. Registry Operator MUST provide a message substantially similar to the following: "Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name." 

2.6. Notwithstanding Sections 2.2, 2.3, 2.4, and 2.5 of this Appendix, in the case of a domain name registration where a privacy/proxy service used (e.g. where data associated with a natural person is masked), Registrar MUST return in response to any query full WHOIS data, including the existing proxy/proxy pseudonymized email.
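The redaction rules of Appendix A Sections 2.2 to 2.6 quoted above (survey questions 23 and 24), applied to a WHOIS-style record on the Registrar side, as an added example that is not part of the survey or the Temporary Specification. The `AliasStore` class, the alias domain `contact.registrar.example`, the per-role field names built from the "Admin/Tech/Other" pattern, and the sample record are hypothetical; aliasing the Email field even when Consent was given is an assumption, since 2.5 as quoted names no exception.

```python
import secrets

REDACTED = "REDACTED FOR PRIVACY"  # placeholder text from Section 2.2

# Section 2.3: Registrant fields redacted unless the holder gave Consent.
REGISTRANT_FIELDS = (
    "Registry Registrant ID", "Registrant Name", "Registrant Street",
    "Registrant City", "Registrant Postal Code", "Registrant Phone",
    "Registrant Phone Ext", "Registrant Fax", "Registrant Fax Ext",
)
# Section 2.4: per-contact fields (note it covers more than 2.3 does).
CONTACT_SUFFIXES = (
    "Name", "Organization", "Street", "City", "State/Province",
    "Postal Code", "Country", "Phone", "Phone Ext", "Fax", "Fax Ext",
)
ROLES = ("Admin", "Tech")  # assumption: the two roles the text names

# Map every redactable field to the contact role whose Consent unlocks it.
REDACTED_FIELDS = {f: "Registrant" for f in REGISTRANT_FIELDS}
for _role in ROLES:
    REDACTED_FIELDS[f"Registry {_role} ID"] = _role
    for _suffix in CONTACT_SUFFIXES:
        REDACTED_FIELDS[f"{_role} {_suffix}"] = _role
EMAIL_FIELDS = {f"{r} Email" for r in ("Registrant",) + ROLES}


class AliasStore:
    """Forwarding aliases for Section 2.5.1 (hypothetical helper).

    The alias is a random token kept in a server-side table. Nothing in it
    is computed from the real address, so it cannot be reversed or
    brute-forced the way a hash or encoding of the address could (2.5.1.3).
    """

    def __init__(self, domain="contact.registrar.example"):
        self._domain = domain
        self._token_by_email = {}
        self._email_by_token = {}

    def alias_for(self, email):
        key = email.strip().lower()
        token = self._token_by_email.get(key)
        if token is None:
            token = secrets.token_hex(16)  # 128 random bits, case-safe
            self._token_by_email[key] = token
            self._email_by_token[token] = key
        return f"{token}@{self._domain}"

    def resolve(self, alias):
        """Forwarding lookup (2.5.1.1); None for an unknown alias."""
        return self._email_by_token.get(alias.partition("@")[0])


def public_view(record, aliases, consent=frozenset(), privacy_proxy=False):
    """Return the record as a Registrar would publish it in public RDDS.

    consent: set of roles ("Registrant", "Admin", "Tech") that agreed to
    publication. privacy_proxy: Section 2.6, data is already masked by the
    privacy/proxy service, so it is returned in full.
    """
    if privacy_proxy:
        return dict(record)
    out = {}
    for field, value in record.items():
        if field in EMAIL_FIELDS:
            out[field] = aliases.alias_for(value) if value else value
        elif REDACTED_FIELDS.get(field) not in (None, *consent):
            out[field] = REDACTED
        else:
            out[field] = value
    return out


# Constructed sample record, not real registration data.
SAMPLE = {
    "Domain Name": "EXAMPLE.TEST",
    "Registrant Name": "Jane Doe",
    "Registrant Organization": "Example Org",
    "Registrant City": "Lyon",
    "Registrant Country": "FR",
    "Registrant Email": "jane.doe@example.net",
    "Admin Name": "Ops Desk",
    "Admin Country": "FR",
    "Admin Email": "ops@example.net",
}

if __name__ == "__main__":
    for k, v in public_view(SAMPLE, AliasStore()).items():
        print(f"{k}: {v}")
```

Registrant Organization and Registrant Country stay visible because Section 2.3 does not list them, while the same Admin/Tech fields are redacted under Section 2.4.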

Having reviewed this section I support this section as is:

* 25. Please consider Appendix A: Registration Data Directory Services: 

3. Additional Provisions Concerning Processing Personal Data in Public RDDS Where Processing is not Subject to the GDPR
Registry Operator and Registrar MAY apply the requirements in Section 2 of this Appendix (i) where it has a commercially reasonable purpose to do so, or (ii) where it is not technically feasible to limit application of the requirements as provided in Section 2.1 of this Appendix.

Having reviewed this section I support this section as is:

* 26. Please consider Appendix A: Registration Data Directory Services: 

4. Access to Non-Public Registration Data

4.1. Registrar and Registry Operator MUST provide reasonable access to Personal Data in Registration Data to third parties on the basis of a legitimate interests pursued by the third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Registered Name Holder or data subject pursuant to Article 6(1)(f) GDPR.

4.2. Notwithstanding Section 4.1 of this Appendix, Registrar and Registry Operator MUST provide reasonable access to Personal Data in Registration Data to a third party where the Article 29 Working Party/European Data Protection Board, court order of a relevant court of competent jurisdiction concerning the GDPR, applicable legislation or regulation has provided guidance that the provision of specified non-public elements of Registration Data to a specified class of third party for a specified purpose is lawful. Registrar and Registry Operator MUST provide such reasonable access within 90 days of the date ICANN publishes any such guidance, unless legal requirements otherwise demand an earlier implementation.

Having reviewed this section I support this section as is:

* 27. Please consider Appendix A: Registration Data Directory Services: 

5. Publication of Additional Data Fields
Registrar and Registry Operator MAY output additional data fields, subject to the Data Processing requirements in Appendix C.

Having reviewed this section I support this section as is:

* 28. If there is any further input you want to provide on the sections referenced above that will help inform further deliberations, please use this comment box.
