Hi All, A few last summaries coming into the subgroup. Sorry for the delay! Busy days... Best, Kathy (below and attached) Document Name: *European Commission Website: Obligations of Data Controllers* Document Link: http://ec.europa.eu/justice/data-protection/data-collection/obligations/inde... Summary: This is a key question about whether ICANN is a data controller under the laws of the European Data Protection Directive? Data Controllers “determine 'the purposes and the means of the processing of personal data'” and it is a term that applies to both public and private sectors. See /Who can collect and process personal data?, /http://ec.europa.eu/justice/data-protection/data-collection/index_en.htm (submitted as a separate document) The EU Data Protection Directive requires Data Controllers to abide by certain principles when they process personal data. According to the European Commission: “Each *data controller* must respect the following rules as set out in the Directive: Personal Data must be processed legally and fairly; It must be collected for explicit and legitimate purposes and used accordingly; It must be adequate, relevant and not excessive in relation to the purposes for which it is collected and/or further processed; It must be accurate, and updated where necessary; Data controllers must ensure that data subjects can rectify, remove or block incorrect data about themselves; Data that identifies individuals (personal data) must not be kept any longer than strictly necessary; Data controllers must protect personal data against accidental or unlawful destruction, loss, alteration and disclosure, particularly when processing involves data transmission over networks. They shall implement the appropriate security measures; These protection measures must ensure a level of protection appropriate to the data.” Additional information: It is hard to put it more succinctly, so I quoted directly from the European Commission webpage.