Dear Kurt and team, 

In advance of our substantive discussions on the elements of the RPMs within the Temp Spec (Appendix D and E), in the interests of not delaying our deliberations at that time, I believe it prudent for the EPDP team to have the opportunity to review the agreements that ICANN has with the RPM providers, (or at least the Data Processing Agreements), so as to fully consider all safeguards in place, thus tipping the balance in favor of disclosure of the data to the RPM providers.

 

As we already indicated in our triage response, we generally have no issue with the appendix (notwithstanding some process changes on the RPM review side being likely necessary). This does not absolve us however from fully considering the data flow, to confirm the appendices. Our task should be to do a thorough assessment of the required disclosure; documenting the purpose and legal basis for the disclosure; the safeguards applicable to the disclosure; and, in this case, complete our a consideration of the balance of the data subject rights.  As the contracted parties do not maintain a direct contractual relationship with any RPM provider, we will therefore need to consider the applicable data processing agreement, to confirm how that data will ultimately be processed by the RPM provider (i.e. drawing inspiration from those elements required under Art 28 of the GDPR - Data Processor Requirements). This will allow for our transparent and well rounded consideration of the data flow, the safeguards in place, leading to a strong outcome for the EPDP consideration of the appendices. 

 

As such, I would request that, in the interests of time, the EPDP now requests sight of the relevant documents (whether that be the full agreement or the applicable data processing agreements) from ICANN so that we can duly consider it in the assessment of the appendices when we arrive at that point, in the hopes of moving swiftly along. 

Kind regards,

Alan Woods