EPDP Team Phase 2 Working Definitions
Note: these working definitions are intended to ensure that the same meaning is associated with the different terms that are used throughout the EPDP Team deliberations. These working definitions are by no means intended to limit the scope or predetermine the outcome of the EPDP Team’s deliberations. Once the EPDP Team finalizes its deliberations, it will revisit these working definitions and adjust them, as needed, so that they align with the EPDP Team’s recommendations. This alignment should also consider definitions that have been adopted in the context of other efforts such as the Privacy and Proxy Services Accreditation Implementation (PPSAI).
◉ Right of access (by the data subject) refers to the right of individuals to obtain a copy of their personal data related to a domain name registration.
◉ The request of third parties for access to provision of a dataset necessary to achieve the purpose of non-public gTLD domain name registration data through disclosure policy that is fully compliant with applicable law and developed as a result of the EPDP. [Note: the EPDP Team did not agree to the formulation of this working definition; however, it remains as the Chair’s proposed definition.]
◉ Disclosure refers to provision of non-public data to third parties plus ICANN through a disclosure policy that is fully compliant with GDPR and developed as a result of the EPDP.
◉ Technical Study Group Unified Access Model (TSG UAM) – refers to a model for third-party queries for non-public gTLD domain name registration data, which places ICANN as the coordinating party for such queries. The TSG UAM should be seen as one example of a System for Standardized Access/Disclosure (SSAD). UAM and SSAD may not be synonymous.
◉ System for Standardized Access/Disclosure (SSAD) – refers to the framework and requirements for coordinating third-party queries for non-public gTLD domain name registration data. This system, or parts thereof, may be centrally coordinated by ICANN, a third party, or not at all. The EPDP Team will make this determination, and corresponding policy recommendation(s).
◉ Accreditation – refers to the process or action of recognizing a person as having a particular identity, possibly with an associated affiliation or status.
◉ Authentication – refers to the process or action of verifying the identity of a requestor.
◉ Authorization – refers to the determination that certain data may be disclosed to a certain (authenticated and accredited) user.
◉ Data Controller – refers to a person or entity who (either alone or jointly or in common with other persons or entities) determines the purposes for which and the manner in which any personal data are processed.
◉ Data Processor – refers to a natural or legal person, public authority, agency or other body which processes personal data on behalf of a controller.
◉ Data retention – refers to the policies of persistent data and records management for meeting legal and business data archival requirements.
◉ Data destruction – refers to the process of permanently and irrevocably deleting data stored on tapes, hard disks and other forms of electronic media so that it is completely unreadable and cannot be accessed or used for unauthorized purposes.
◉ De-identifying or anonymizing data – refers to the process of retaining data for use but rendering it non-personal.
◉ Privacy service – refers to a service by which a Registered Name is registered to a Customer as the Registered Name Holder, but for which alternative, reliable contact information is provided by Provider for display in the Registration Data Directory Service rather than the Customer’s contact information in the Registration Data Directory Service.
◉ Proxy service – refers to a service through which Provider, as the Registered Name Holder, licenses use of a Registered Name to a Customer in order to provide the Customer use of such Registered Name, and Provider’s contact information is displayed in the Registration Data Directory Service rather than the Customer’s contact information.
◉ Affiliated privacy / proxy provider – refers to a provider that, directly or indirectly, through one or more intermediaries, Controls, is controlled by, or is under common control with, an ICANN accredited registrar.
◉ Accredited privacy / proxy provider – refers to a provider that is “accredited” by ICANN and at a minimum, (i) observes the identified and set minimum standards designated by ICANN for the provision of Privacy and/or Proxy Services, and (ii) is recognized by ICANN as an entity meeting the minimum standards, and (iii) enters into an accreditation agreement with ICANN that sets forth the rules and procedures applicable to the provision of the Privacy and/or Proxy Services.
◉ Legitimate interest – In the context of GDPR, a claim of a legitimate interest in personal data results in a trigger for the balancing test described under Article 6(1)(f), which is commonly considered to include an analysis of: (1) the requestor’s existing, specific and articulated interest; (2) the requestor’s necessity in processing the data; and (3) a balancing of the rights and freedoms of the data subject.
◉ Legal obligation – an obligation under applicable national or international laws or regulations which the data controller and/or data processor is subject to (not a contractual obligation).