Document Name: European Commission Website: Obligations of Data Controllers

Document Link: http://ec.europa.eu/justice/data-protection/data-collection/obligations/index_en.htm

Summary:

This is a key question about whether ICANN is a data controller under the laws of the European Data Protection Directive? Data Controllers “determine 'the purposes and the means of the processing of personal data'” and it is a term that applies to both public and private sectors.  See Who can collect and process personal data?, http://ec.europa.eu/justice/data-protection/data-collection/index_en.htm (submitted as a separate document)

The EU Data Protection Directive requires Data Controllers to abide by certain principles when they process personal data.

According to the European Commission:

“Each data controller must respect the following rules as set out in the Directive:

    Personal Data must be processed legally and fairly;

    It must be collected for explicit and legitimate purposes and used accordingly;

    It must be adequate, relevant and not excessive in relation to the purposes for which it is collected and/or further processed;

    It must be accurate, and updated where necessary;

    Data controllers must ensure that data subjects can rectify, remove or block incorrect data about themselves;

    Data that identifies individuals (personal data) must not be kept any longer than strictly necessary;

    Data controllers must protect personal data against accidental or unlawful destruction, loss, alteration and disclosure, particularly when processing involves data transmission over networks. They shall implement the appropriate security measures;

    These protection measures must ensure a level of protection appropriate to the data.”

Additional information:

It is hard to put it more succinctly, so I quoted directly from the European Commission webpage.