With this document, we will provide you with information on what data we collect from you and how this data will be further processed. Please note that there are numerous parties involved when domain names are registered and these parties are placed all over the world. There are country code Top Level Domains (ccTLDs) for which the Registries establish policies according to their own processes while registries operating generic Top Level Domains (gTLDs) are required to follow policies established by the Internet Corporation for Assigned Names & Numbers and the global multistakeholder community. While gTLD operators have individual policies, many operational aspects are prescribed by ICANN‘s policies and contracts to ensure interoperability at the global level.
As a consequence, there is a huge variety of policies and treatment of personal data and – depending on the domain name you register – the parties are subject to jurisdictions in the country of their operations and have to follow laws applicable to them.
2. Where to find information on GDPR compliance and privacy policies?
As a general rule, we try to offer all domain registrations in compliance with the GDPR, i.e. there are contracts and policies giving us the required assurances on their processing of personal data. Where data is transferred outside the EU, we try to get our partners to use EU model clauses or other legal instruments. However, not all registries and other partners we work with do operate in compliance with GDPR for various reasons. As we are striving to offer a huge variety of TLDs, there are numerous cases where the registry does not particularly address European customers and where there might not even be a legal requirement for them to be compliant. In such cases, we still want to offer domain registrations to our customers and customers should be free to register domain names should they wish to do knowing the associated risks, see Art. 49 I b GDPR.
We ask you to review the policies issued by the registries of the TLDs you wish to register one or more domain names with. For registries that are compliant with the GDPR, you will likely find information on what data is collected, what it is used for and how long it is retained. For the TLDs that you do not find such information on, please assume there is no GDPR compliance. That means that we cannot make any statements about how your data will be processed. It will be processed for registering the domain name, maintaining the registration and making the domain name resolve via the DNS. Additionally, all your data might be published in a Whois database, passed on to third party or data that is not publicized might be made available to requesting parties based on parameters that we do not know. Therefore, please consider carefully whether you want to take these risks and whether you want to potentially use a privacy or proxy service to increase the level of protection of your personal data.
In order to give you a general overview of the implications for personal data and domain name registrations, please find below a high-level summary, which may not be applicable to all scenarios. For details information you need to go to the website mentioned above.
3. Which parties are involved in domain registrations?
For ccTLDs, typically there is the registry and an accredited registrar (hereinafter referred to as registrar).
For gTLDs, the same applies as above, but additionally, there is ICANN and additional parties that are involved as mandated by ICANN, namely escrow agents for registries and registrars for backup purposes and an Emergency Backend Operator (EBERO), who takes over registry operations in case of a registry failure.
Where we do not have our own accreditation, we resell domain names from a registrar that has an accreditation.
4. Controller, Contact, Data Protection Officer
According to our assessment, ICANN, Registries and Registrars are joint controllers for data processing that is required to carry out domain name registrations, maintaining those including domain name transfers and trades, making the domain names resolve and making available information via the Whois service. Where we act as a reseller, we are a data processor on behalf of the accredited Registrar.
With respect to registration data, ICANN’s role is establishing the policies on aspects including the collection and publication of data as well as to ensure that the system is secure, stable and resilient. ICANN contractually requires the Registrars to process personal data and enforces these contractual obligations, which – in part – are policies established by ICANN’s multistakeholder community. ICANN also requires the contracted parties to submit reports regularly.
The Registry’s role is to maintain a central repository of all domain name registrations and to make these resolve via the Domain Name System (DNS). The Registry does not offer domain name registrations directly to registrants.
It is the Registrar’s role to offer domain name registrations and potentially other services to the Registrants. According to ICANN’s requirements, the registration data is collected by the Registrar and then transferred to the Registry.
In most cases, the Registry will be the controller and the Registrar is a processor on behalf of the Registry with roles as defined above.
You may contact us here:
Our data protection officer can be contacted here:
5. The data we collect
In order to be able to register domain names, we need to collect registration data. Registration data are the following data elements in most cases:
- Domain Name
- Registrant Name
- Registrant Organization
- Registrant Street
- Registrant City
- Registrant Postal Code
- Registrant Province
- Registrant Country
- Registrant Phone
- Registrant Phone Ext
- Registrant Fax
- Registrant Fax Ext
- Registrant Email
The same data elements as for the Registrant apply to the Admin-C and Tech-C.
We also set up an account in order to enable you to register domain names, manage them and for us to provide technical support and invoice you.
In order to do that, we collect your account holder data, namely
- Postal Code
- Payment data
6. Legal basis for the collection
The legal basis for the collection of personal information on these contacts as well as the account holder is Art. 6 I b GDPR. For the Registrant, it is to perform the domain name registration, for the Admin-C and Tech-C it is the need to establish contact in case of administrative matters or technical issues. For the Account Holder, it is to manage the contractual relationship.
7. Transfer of data to the Registry
We are required to transfer registration data mentioned above to the Registry. The legal basis for that is Art. 6 I b GDPR where the Registry specifies that it has local presence or other eligibility requirements they need to be able to validate. For other data elements, the legal basis is Art. 6 I f GDPR when they assert a legitimate interest in e.g. identifying and investigating patterns of illegal behavior, help with ownership disputes and to operate a central repository of owner data.
8. Non-EU transfers
If we intend to transfer Personal Data to a third country or international organization and there is no adequacy decision by the European Commission, or in the case of transfers referred to in Article 46 or 47 GDPR, or the second subparagraph of Article 49(1) GDPR, we will request EU Standard Clauses or other suitable safeguards form the receiving party. These are made reference to in the terms and conditions for the respective domain registration.
9. Processing of data by third parties
We will also pass on the data to an escrow agent as required by ICANN and data transferred to the Registry needs to be escrowed by the Registry, too. That data might be transferred to an Emergency Backend Operator (EBERO) in case of Registry failure as well as to ICANN in the context of ICANN’s contractual compliance work. In these cases, we act as data processors on behalf of ICANN as the data controller.
We are using a third party provider’s white label reseller system.
10. Disclosure of data
We will not disclose personal data to third party apart from the domain name as such, unless you have opted to have your data disclosed by consenting to the publiscation. Disclosure of personal data will only occur if there is an established legal basis for such disclosure based on a case-by-case assessment. The legal basis for such disclosure might be Art. 6 I b (in case of URDP and URS), Art. 6 I c (in case of requests by competent authorities) or Art. 6 I f (based on a legitimate third party interest).
In the absence of an accreditation model adopted by ICANN, all disclosure requests will be assessed individually.
ICANN requires all gTLD registrations to be subject to UDRP and URS to facilitate the resolution of disputes. These policies are part of all gTLD domain name registration contracts. Your personal data might be transferred to the dispute resolution providers and the complainant during these procedures (Art. 6 I b GDPR).
11. Reseller Data (if applicable)
As a wholesale registrar, we only offer domain registrations and other services to resellers. Thus, we collect and otherwise process data from and about our resellers, including data on contact persons and staff.
We need this information in order to be able to manage our contractual relationship, i.e. to invoice you and to contact you. As there might be technical, administrative or legal issues, we ask you to provide contacts for these areas, but it is up to you to provide role contacts instead of data of your staff. For these data elements, we are the data controller and we need the data to perform our contract. The legal basis for this is Art. 6 I b GDPR.
12. Retention periods
The data processed by us is erased or its processing is restricted in compliance with statutory requirements, in particular Art. 17 and 18 GDPR. Unless expressly stated otherwise within the scope of this privacy statement, we erase data stored by us as soon as such is no longer required for the intended purpose. Data will be retained beyond the time at which the purpose ends only if such data is necessary for other, legally permissible purposes or if the data must continue to be retained due to statutory retention periods. In these cases, processing is restricted, i.e. it is blocked, and will not be processed for other purposes.
For registration data of gTLDs, ICANN requires us to retain the data for 2 years beyond the end of the domain registration.
13. Your rights
Pursuant to statutory provisions, you can assert the following rights vis-à-vis the data processing controller free of charge:
- Right to access by the data subject (Art. 15 GDPR);
- Right to rectification and erasure (Art. 16 and Art. 17 GDPR);
- Right to restriction of processing (Art. 18 GDPR);
- Right to data portability (Art. 20 GDPR);
- Right to object (Art. 21 GDPR).
You also have the right to lodge a complaint with a data protection supervisory authority concerning the controller’s processing of your personal data.