EPDP Team - Temp Spec Input - Part 2

In order to facilitate the triage of the temporary specification as outlined in the EPDP Team charter as the first deliverable, please work with your appointing organization team members to complete the following survey. Your input is expected to be received by Wednesday, 8 August 2018 19:00 UTC. The language below is verbatim from the Temporary Specification for gTLD Registration Data (see https://www.icann.org/resources/pages/gtld-registration-data-specs-en).

Question Title

* 1. Your name

Question Title

* 2. EPDP Team Appointing Organization on whose behalf your filling out this survey

Question Title

* 3. Please consider section 5. Requirements Applicable to Registry Operators and Registrars:

5.1. Publication of Registration Data. Registry Operator and Registrar MUST comply with the requirements of, and MUST provide public access to Registration Data in accordance with, Appendix A attached hereto ("Appendix A").

5.2. Registrar and Registry Operator Service Level Agreement. Registry Operator and Registrar acknowledge that in its implementation of a Registration Data Access Protocol (RDAP) service, they MUST comply with additional Service Level Agreements. ICANN and the contracted parties will negotiate in good faith the appropriate service levels agreements by 31 July 2018. If the contracted parties and ICANN are unable to define such Service Level Agreements through good faith negotiations by such date, ICANN will require Registrar and Registry Operator to comply with Service Levels that are comparable to those service levels already existing in their respective agreements with respect to RDDS.

Having reviewed this section I support this section as is:

Yes

No strong opinion

If you responded 'NO', please provide proposed edits and rationale supporting those edits. Please identify sections/sub-sections as appropriate.

Question Title

* 4. Please consider Section 5: Requirements Applicable to Registry Operators and Registrars:

5.3. Data Escrow. Registry Operator and Registrar MUST comply with the additional requirements concerning Registration Data escrow procedures set forth in Appendix B attached hereto ("Appendix B").

5.4. Data Processing Requirements. Registry Operator and Registrar MUST comply with the requirements of, and MUST Process Personal Data in accordance with the terms and conditions set forth in Appendix C attached hereto ("Appendix C").

5.5. International Data Transfers between Registry Operator, Registrar, and ICANN. In the course of performing the requirements under this Temporary Specification, the Registry Agreement, and Registrar Accreditation Agreement, Registry Operator, Registrar and/or ICANN MAY be required to transfer Personal Data to a country that is not deemed adequate by the European Commission per Article 45(1) of the GDPR. In such a case, ICANN, Registry Operator, and/or Registrar MUST transfer Personal Data on the basis of adequate safeguards permitted under Chapter V of the GDPR, including the use of Standard Contractual Clauses (2004/915/EC) (or its successor clauses), and ICANN, Registry Operator and/or Registrar MUST comply with such appropriate safeguards.

Having reviewed this section, I support this section as is:

Yes

No Strong Opinion

If you responded ‘NO’, please provide proposed edits and rationale supporting these edits. Please identify sections/sub-sections as appropriate.

Question Title

* 5. Please consider Section 5: Requirements Applicable to Registry Operators and Registrars:

5.6. Uniform Rapid Suspension (URS). Registry Operator and Registrar MUST comply with the additional requirements for the 17 October 2013 URS High Level Technical Requirements for Registries and Registrars set forth in Appendix D attached hereto ("Appendix D").

5.7. ICANN Contractual Compliance. Registry Operator and Registrar MUST provide reasonable access to Registration Data to ICANN upon reasonable notice and request from ICANN for the purpose of investigating compliance-related inquiries and enforcement of the Registry Agreement, Registrar Accreditation Agreement, and ICANN Consensus Policies.

Having reviewed this section I support this section as is:

Yes

No strong opinion

If you responded ‘NO’, please provide proposed edits and rationale supporting these edits. Please identify sections/sub-sections as appropriate.

Question Title

* 6. Please consider section 6. Requirements Applicable to Registry Operators Only:

6.1. Bulk Registration Data Access to ICANN. Registry Operator MUST comply with, and MUST provide ICANN with periodic access to Registration Data in accordance with Appendix F attached hereto ("Appendix F").

6.2. Registry Monthly Reports. ICANN and Registry Operators will negotiate in good faith appropriate additional reporting requirements with respect to its implementation of RDAP by 31 July 2018. If ICANN and Registry Operators are unable to define such additional reporting requirements through good faith negotiations by such date, ICANN will require Registry Operator to comply with additional reporting requirements that are comparable to those already existing in its Registry Agreement with respect to RDDS.

6.3. Registry-Registrar Agreements.

6.3.1. Registry Operator MUST include Processing provisions in its Registry-Registrar Agreement with Registrar concerning the handling of Personal Data in a manner that complies with applicable requirements of Article 28 of the GDPR.

6.3.2. Registry Operator MAY amend or restate its Registry-Registrar Agreement to incorporate data Processing terms and conditions (which itself contains EU Model Clauses to govern international data transfers, where applicable between the respective parties) substantially similar to the requirements provided at <<https://www.icann.org/resources/pages/gtld-registration-data-specs-en/#6>> without any further approval of ICANN, provided that Registry Operator MUST promptly deliver any such amended or restated Registry-Registrar Agreement to ICANN. Upon ICANN's receipt thereof, such amended or restated Registry-Registrar Agreements will be deemed to supplement or replace, as applicable, the approved Registry-Registrar Agreement that is attached as an appendix (if any) to Registry Operator's Registry Agreement.

Having reviewed this section I support this section as is:

Yes

No strong opinion

If you responded 'NO', please provide proposed edits and rationale supporting those edits. Please identify sections/sub-sections as appropriate.

Question Title

* 7. Please consider section 7. Requirements Applicable to Registrars Only:

Registrar SHALL provide notice to each existing, new or renewed Registered Name Holder stating:

7.1. Notices to Registered Name Holders Regarding Data Processing. Registrar SHALL provide notice to each existing, new or renewed Registered Name Holder stating:

7.1.1. The specific purposes for which any Personal Data will be Processed by the Registrar;

7.1.2. The intended recipients or categories of recipients of the Personal Data (including the Registry Operator and others who will receive the Personal Data from Registry Operator);

7.1.3. Which data are obligatory and which data, if any, are voluntary;

7.1.4. How the Registered Name Holder or data subject can access and, if necessary, rectify Personal Data held about them;

7.1.5. The identity and the contact details of the Registrar (as controller) and, where applicable, of the Registrar's representative in the European Economic Area;

7.1.6. The contact details of Registrar's data protection officer, where applicable;

7.1.7. The specified legitimate interest for Processing under Article 6(1)(f) of the GDPR;

7.1.8. The recipients or categories of recipients of the Personal Data, if any;

Having reviewed this section I support this section as is:

Yes

No strong opinion

If you responded 'NO', please provide your rationale as well as proposed changes. Please identify sections/sub-sections as appropriate.

Question Title

* 8. Please consider section 7. Requirements Applicable to Registrars Only:

Registrar SHALL provide notice to each existing, new or renewed Registered Name Holder stating:

7.1.9. Where applicable, the fact that the Registrar intends to transfer Personal Data: (i) to a third country or international organization and the existence or absence of an adequacy decision by the Commission; or (ii) in the case of transfers referred to in Articles 46 or 47 of the GDPR, or the second subparagraph of Article 49(1) of the GDPR, reference to the appropriate or suitable safeguards and how to obtain a copy of them or where they have been made available.

7.1.10. The period for which the Personal Data will be stored, or if it is not possible to indicate the period, the criteria that will be used to determine that period;

7.1.11. The existence of the right to request from the Registrar access to, and rectification or erasure of Personal Data, or restriction of Processing of Personal Data concerning the Registered Name Holder or data subject, or to object to Processing, as well as the right to data portability;

7.1.12. Compliance with Article 6(1)(a) and Article 9(2)(a) of the GDPR, where the Registrar relies on consent of the Registered Name Holder for Processing;

7.1.13. The right of the Registered Name Holder or data subject to lodge a complaint with a relevant supervisory authority;

7.1.14. Whether the provision of Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the Registered Name Holder is obliged to provide the Personal Data, and the possible consequences of failure to provide such Personal Data; and

7.1.15. The existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such Processing for the data subject.

The requirements of this Section 7.1 shall supersede and replace the requirements of Section 3.7.7.4 of the Registrar Accreditation Agreement.

Having reviewed this section I support this section as is:

Yes

No Strong Opinion

If you responded ‘NO’, please provide proposed edits and rationale supporting these edits. Please identify sections/sub-sections as appropriate.

Question Title

* 9. Please consider section 7. Requirements Applicable to Registrars Only:

7.2. Additional Publication of Registration Data.

7.2.1. As soon as commercially reasonable, Registrar MUST provide the opportunity for the Registered Name Holder to provide its Consent to publish the additional contact information outlined in Section 2.3 of Appendix A for the Registered Name Holder.

7.2.2. Registrar MAY provide the opportunity for the Admin/Tech and/or other contacts to provide Consent to publish additional contact information outlined in Section 2.4 of Appendix A.

7.2.3. Where such Consent is sought by Registrar, the request for Consent SHALL be presented in a manner which is clearly distinguishable from other matters (including other Personal Data Processed based on a legitimate interest). The request for Consent SHALL be in an intelligible and easily accessible form, using clear and plain language. The Registered Name Holder SHALL have the right to withdraw its Consent at any time. The withdrawal of Consent SHALL NOT affect the lawfulness of Processing based on Consent obtained before the withdrawal.

7.2.4. Registrar MUST publish the additional contact information outlined in Sections 2.3 and 2.4 of Appendix A for which it has received Consent.

Having reviewed this section I support this section as is:

Yes

No strong opinion

If you responded 'NO', please provide proposed edits and rationale supporting those edits. Please identify sections/sub-sections as appropriate.

Question Title

* 10. Please consider section 7. Requirements Applicable to Registrars Only:

7.3. Uniform Domain Name Dispute Resolution Policy. Registrar MUST comply with the additional requirements for the Rules for the Uniform Domain Name Dispute Resolution Policy set forth in Appendix E attached hereto ("Appendix E").

7.4. Transfer Policy. Registrar MUST comply with the supplemental procedures to the Transfer Policy set forth in Appendix G attached hereto ("Appendix G").

Having reviewed this section I support this section as is:

Yes

No Strong Opinion

If you responded ‘NO’, please provide proposed edits and rationale supporting these edits. Please identify sections/sub-sections as appropriate.

Question Title

* 11. Please consider Appendix B: Supplemental Data Escrow Requirements:

1. Data Processing Requirements
Registry Operator and Registrar MUST respectively ensure that any data escrow agreement between Registry Operator and the Escrow Agent and/or Registrar and the Escrow Agent includes data Processing requirements consistent with Article 28 of the GDPR. Such Escrow Agent MUST provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that Processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject.

Having reviewed this section I support this section as is:

Yes

No strong opinion

If you responded 'NO', please provide proposed edits and rationale supporting those edits. Please identify sections/sub-sections as appropriate.

Question Title

* 12. Please consider Appendix B: Supplemental Data Escrow Requirements:

2. International Transfers
In the course of performing the requirements under the agreement with the Escrow Agent, it may be necessary for the Escrow Agent to Process Personal Data in a country that is not deemed adequate by the European Commission per Article 45(1) of the GDPR. In such a case, the transfer and Processing will be on the basis of adequate safeguards permitted under Chapter V of the GDPR, including the use of Standard Contractual Clauses (2004/915/EC) (or its successor clauses), and the Escrow Agent and Controller MUST comply with such appropriate safeguards.

Having reviewed this section I support this section as is:

Yes

No strong opinion

If you responded 'NO', please provide proposed edits and rationale supporting those edits. Please identify sections/sub-sections as appropriate.

Question Title

* 13. Please consider Appendix B: Supplemental Data Escrow Requirements:

3. ICANN Approval
Registry Operator MAY amend or restate its respective Data Escrow Agreement to incorporate data Processing terms and conditions substantially similar to the requirements provided at <<https://www.icann.org/resources/pages/gtld-registration-data-specs-en>> without any further approval of ICANN, provided that Registry Operator and Registrar MUST promptly deliver any such amended or restated Data Escrow Agreement to ICANN. Upon ICANN's receipt thereof, such amended or restated Data Escrow Agreement will be deemed to supplement or replace, as applicable, the approved Data Escrow Agreement that is attached as an appendix (if any) to Registry Operator's Registry Agreement.

Having reviewed this section I support this section as is:

Yes

No strong opinion

If you responded 'NO', please provide proposed edits and rationale supporting those edits. Please identify sections/sub-sections as appropriate.

Question Title

* 14. Please consider Appendix B: Supplemental Data Escrow Requirements:

4. Additional Requirements
In addition to the above requirements, the data escrow agreement may contain other data Processing provisions that are not contradictory, inconsistent with, or intended to subvert the required terms provided above.

Having reviewed this section I support this section as is:

Yes

No strong opinion

If you responded 'NO', please provide proposed edits and rationale supporting those edits. Please identify sections/sub-sections as appropriate.

Question Title

* 15. Please consider Appendix F: Bulk Registration Data Access to ICANN

This Appendix replaces the requirement in: (i) Section 3.1.1 of Specification 4 of each Registry Agreement that is modeled on the Base Registry Agreement; and (ii) the relevant provision in a Registry Agreement not based on the Base Registry Agreement to provide Bulk Registration Data Access to ICANN (also called "Whois Data Specification – ICANN" in some gTLD agreements).

Contents.
Registry Operator MUST only provide the following data for all registered domain names: domain name, domain name repository object id (roid), Registrar ID (IANA ID), statuses, last updated date, creation date, expiration date, and name server names. For sponsoring registrars, Registry Operator MUST only provide: registrar name, registrar ID (IANA ID), hostname of registrar Whois server, and URL of registrar.

Having reviewed this section I support this section as is:

Yes

No strong opinion

If you responded 'NO', please provide proposed edits and rationale supporting those edits. Please identify sections/sub-sections as appropriate.

Question Title

* 16. If there is any further input you want to provide on the sections referenced above that will help inform further deliberations, please use this comment box.