- Purposes for processing your data
- Where to find information on GDPR compliance and privacy policies?
- Which parties are involved in domain registrations?
- Controller, Contact, Data Protection Officer
- The data we collect
- Legal basis for the collection
- Transfer of data to the Registry
- Processing of data by third parties
- Disclosure of data
- Retention periods
- Your rights
Please note that there are numerous parties involved when domain names are registered and these parties are located all over the world. There are country code Top Level Domains (ccTLDs) for which the registries establish policies according to their own processes, while registries operating generic Top Level Domains (gTLDs) are required to follow policies established by the Internet Corporation for Assigned Names & Numbers (ICANN) and the global multistakeholder community. While gTLD operators have individual policies, many operational aspects are prescribed by ICANN's policies and contracts to ensure interoperability at the global level.
As a consequence, there is a huge variety of policies and treatment of personal data and - depending on the domain name you register - the parties are subject to jurisdictions in the country of their operations and have to follow laws applicable to them.
In order to register domain names with us or transfer domain names to us, you need an account.
You will need to provide some personal data during the registration process:
- Contact Name (First Name, Last Name), Address, City, Zip Code, Country, Phone number, E-Mail address
In case you are registering an account as a company, we furthermore collect the following data:
- Company/Organization, Tax registration number
We will use this data for identification of customers and to administer your account. Additionally, the data will be used to pre-fill your domain name registration forms when you register a domain name. Legal basis for processing is Art 6 I b) GDPR.
Additionally, you may provide the following data optionally during the registration of an account with us:
- Fax number, State, Mobile Number
This data will be processed for the legitimate interest of additional verification and easier communication. Legal basis for processing is Art 6 I f) GDPR.
Furthermore, you will choose a User-ID and a password to log into your account. Please make sure that no unauthorized person gets access to the log-in credentials for your account.
A registered account is necessary to register domain names with us.
Note that if you do not make manual changes in your account, your account data will be used as Registration Data. As the case may be, this can be registrant data, admin-c data, tech-c data or billing-c data.
Purposes for processing your data
We process your data for different purposes.
Your account data is processed to enable us to invoice you and send you information on the domain names that you manage in your account.
The Registration Data is processed for different purposes and the purposes depend on the domain name you register and the policies that are applicable to it. In all cases, Registration Data is processed to
- activate a Registered Name and allocate it to you,
- establish your rights in a Registered Name and ensure that you may exercise your right in the use, maintenance and disposition of the Registered Name;
- enable communication with you on matters relating to the Registered Name, e.g. by the registry, ICANN and us;
- provide mechanisms for safeguarding your Registration Data in the event of a business or technical failure of a registrar or registry, or unavailability of a registrar or registry;
The above purposes are pursued by us as well as by ICANN and registries.
The following purposes are primarily pursued by ICANN when it comes to gTLDs, namely
- to process Registration Data if necessary to handle contractual compliance monitoring requests or compliance complaints initiated by ICANN or third parties for registries and registrars;
- to operationalize policies for the resolution of disputes regarding or relating to the registration of domain names (as opposed to the use of such domain names, but including where such policies take into account use of the domain names), namely, the UDRP, URS, PDDRP, RRDRP, and the TDRP; and
- to enable validation to confirm that the Registered Name Holder meets gTLD registration policy eligibility criteria voluntarily adopted by the Registry Operator and that are described or referenced in the Registry Agreement for that gTLD.
Where to find information on GDPR compliance and privacy policies?
As a general rule, we try to offer all domain registrations in compliance with the GDPR, i.e. there are contracts and policies giving us the required assurances on their processing of personal data. Where data is transferred to third countries, we try to get our partners to use EU model clauses or other legal instruments. However, not all registries and other partners we work with operate in compliance with the GDPR, for various reasons. As we are striving to offer a huge variety of TLDs, there are numerous cases where the registry does not particularly address European customers and where there might not even be a legal requirement for them to be compliant with the GDPR. In such cases, we still want to offer domain registrations to our customers, and customers should be free to register domain names should they wish to do so knowing the associated risks, see Art. 49 I b GDPR.
We ask you to review the policies issued by the registries of the TLDs you wish to register one or more domain names with. For registries that are compliant with the GDPR, you will likely find information on what data is collected, what it is used for and how long it is retained. For the TLDs for which you do not find such information, please assume there is no GDPR compliance. That means that we cannot make any statements about how your data will be processed. It will be processed for registering the domain name, maintaining the registration and making the domain name resolve via the DNS. Additionally, all your data might be published in a Whois database or passed on to third parties, or data that is not published might be made available to requesting parties based on parameters that we do not know. Therefore, please consider carefully whether you want to take these risks and whether you want to potentially use a privacy or proxy service to increase the level of protection of your personal data.
In order to give you a general overview of the implications for personal data and domain name registrations, please find below a high-level summary, which may not be applicable to all scenarios. For detailed information you need to go to the website mentioned above.
Which parties are involved in domain registrations?
For ccTLDs, typically there is the registry and an accredited registrar (hereinafter referred to as registrar).
For gTLDs, the same applies as above, but additionally, there is ICANN and additional parties that are involved as mandated by ICANN, namely escrow agents for registries and registrars for backup purposes and an Emergency Backend Operator (EBERO), who takes over registry operations in case of a registry failure.
Where we do not have our own accreditation, we resell domain names from a registrar that has an accreditation.
Controller, Contact, Data Protection Officer
According to our assessment, ICANN, registries and registrars are joint controllers for the data processing that is required to carry out domain name registrations and maintain them, including domain name transfers (changing registrars) and trades (changing ownership in a domain name), to make the domain names resolve and to make information available via the Whois service. Where we act as a reseller, we are a data processor on behalf of the accredited registrar.
With respect to registration data, ICANN’s role is establishing the policies on aspects including the collection and publication of data as well as to ensure that the system is secure, stable and resilient. ICANN contractually requires the registrars to process personal data and enforces these contractual obligations, which - in part - are policies established by ICANN’s multistakeholder community. ICANN also requires the contracted parties to submit reports regularly.
The registry's role is to maintain a central repository of all domain name registrations and to make these resolve via the Domain Name System (DNS). The Registry does not offer domain name registrations directly to registrants.
It is the registrar's role to offer domain name registrations and potentially other services to the registrants. According to ICANN’s requirements, the registration data is collected by the registrar and then transferred to the registry.
In most cases, the registry will be the controller and the registrar is a processor on behalf of the registry with roles as defined above.
The data we collect
In order to be able to register domain names, we need to collect Registration Data. Registration Data are the following data elements:
- Domain Name
- Registrant Name
- Registrant Organization
- Registrant Street
- Registrant City
- Registrant Postal Code
- Registrant Province
- Registrant Country
- Registrant Phone
- Registrant Phone Ext
- Registrant Fax
- Registrant Fax Ext
- Registrant Email
The same data elements as for the registrant apply to the admin-c and tech-c, if at all collected.
Legal basis for the collection
The legal basis for the collection of personal information on these contacts as well as the account holder is the necessity to process personal data for the fulfilment of a contract or to process operations necessary for the implementation of pre-contractual measures. For the registrant, it is to perform the domain name registration, for the admin-c and tech-c it is the need to establish contact in case of administrative matters or technical issues. For the Account Holder, it is to manage the contractual relationship.
Transfer of data to the Registry
We may be required to transfer registration data mentioned above to the registry. The legal basis for that is Art. 6 I b GDPR where the Registry specifies that it has local presence or other eligibility requirements they need to be able to validate. For other data elements, the legal basis is Art. 6 I f GDPR when they assert a legitimate interest in e.g. identifying and investigating patterns of illegal behavior, help with ownership disputes and to operate a central repository of owner data.
Processing of data by third parties
We will also pass on the data to an escrow agent as required by ICANN and data transferred to the Registry needs to be escrowed by the Registry, too. That data might be transferred to an Emergency Backend Operator (EBERO) in case of Registry failure as well as to ICANN in the context of ICANN's contractual compliance work. In these cases, we act as data processors on behalf of ICANN as the data controller.
Whilst we are an ICANN-accredited registrar and also accredited with aeDA, we are working with WebNic.cc as a wholesale registrar. It is WebNic’s obligation to inform data subjects, whose data we are collecting as a processor, about the data processing by WebNic.
Disclosure of data
We will not disclose personal data to third parties apart from the domain name as such, unless you have opted to have your data disclosed by consenting to the publication. Disclosure of personal data will only occur if there is an established legal basis for such disclosure based on a case-by-case assessment. The legal basis for such disclosure might be Art. 6 I b (in case of UDRP and URS), Art. 6 I c (in case of requests by competent authorities) or Art. 6 I f (based on a legitimate third party interest).
In the absence of an accreditation model adopted by ICANN, all disclosure requests will be assessed individually.
ICANN requires all gTLD registrations to be subject to UDRP and URS to facilitate the resolution of disputes. These policies are part of all gTLD domain name registration contracts. Your personal data might be transferred to the dispute resolution providers and the complainant during these procedures (Art. 6 I b GDPR).
Retention periods
The data processed by us is erased or its processing is restricted in compliance with statutory requirements, in particular Art. 17 and 18 GDPR. Unless expressly stated otherwise within the scope of this privacy statement, we erase data stored by us as soon as it is no longer required for the intended purpose. Data will be retained beyond the time at which the purpose ends only if such data is necessary for other, legally permissible purposes or if the data must continue to be retained due to statutory retention periods. In these cases, processing is restricted, i.e. the data is blocked and will not be processed for other purposes.
For registration data of gTLDs, ICANN requires us to retain the data for 18 months beyond the end of the domain registration.
Your rights
Pursuant to statutory provisions, you can assert the following rights vis-à-vis the data processing controller free of charge:
- Right to access by the data subject (Art. 15 GDPR);
- Right to rectification and erasure (Art. 16 and Art. 17 GDPR);
- Right to restriction of processing (Art. 18 GDPR);
- Right to data portability (Art. 20 GDPR);
- Right to object (Art. 21 GDPR).
You also have the right to complain to a data protection supervisory authority concerning the controller's processing of your personal data.