GDPR data privacy laws to impact domain name registration
Data privacy laws aren’t new to Luxembourgish companies who've been subject to them at national and European levels since before DCL group, our parent company, was founded 18 years ago. As with all prior data privacy directives, we will comply with the GDPR. The changes coming to domain name registration at EuroDNS.
Data privacy directives a top priority
Several provisions of the GDPR require European entities to audit, evaluate, and improve their current and future operations so that personal data protection is front and centre. This “privacy by default” requirement ensures that EuroDNS has internally reviewed each of its processes to ensure that we (1) never collect more data than we need to in order to provide services and (2) have measures in place to protect this data.
For our IT service professionals, such operational overhauling is nothing new. Our technical team is periodically doing this all the time to ensure that our platform remains secure and at the leading edge of technology. However, the GDPR is also imposing certain documentation obligations which are completely new.
Indeed, we’ve had to create a dedicated registry detailing every processing operation we are conducting in the course of our business along with certain data that the GDPR requires us to record.
With more than 30,000 customers, several hundred providers and registries, and more than a thousand different services and extensions, creating this registry wasn’t simple. (On top of recording operations involving EuroDNS customers data, we’ve needed to include data about our employees, providers, and resellers.)
Although cumbersome, this exercise has enabled us to further improve our internal processes by reducing the sets of personal data we are collecting and the duration for which we are retaining them.
While those improvements will not be visible to our customers, the following will.
GDPR privacy policy, one page to rule them all
The GDPR requires that we detail in “clear and plain language” the manner by which we are collecting and processing personal data, i.e. one shall not use what one learned at law school when drafting this text.
Behold the EuroDNS Privacy Policy page. Previously, we had information pertaining to personal data scattered around our website. But it is now consolidated onto one unique page.
On this page you will find a description of the way in which EuroDNS processes customers’ personal data, along with the details of each entity to whom EuroDNS is disclosing this data.
The procedure to obtain, rectify, and request the deletion of any personal data by a data subject - you - is also described. And the details of EuroDNS's Data Protection Officer are published on this space as well.
We did our best to avoid any legalese, but if you believe this page isn’t clear and easy to understand, feel free to contact us.
GDPR's affect on domain name registration
If you're reading this post, you must be somewhat familiar with how domain name registrations work. As you already know, the registration of a domain name requires a registry to add a record to its database. This record is needed to show that a certain string of characters is registered to a particular registrant.
For this reason, EuroDNS will continue to share a registrant’s details with an applicable registry. However, communicating these details with the registry doesn’t mean they will be published for the whole world to see. Which is why, depending on the registry, your details could be transferred but will not be published.
Anonymising personal data related to EEA-based ccTLDs
Every national TLD within the EEA (Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the United-Kingdom) is directly subject to the GDPR and, as such, will require the implementation of specific measures to anonymise personal data of registrants.
The measures implemented will differ depending on the registry but, at minimum, a registrants’ name, phone number, and part of their postal address will be hidden from public eye. Registries will provide third parties requesting more detailed personal data an alternate means of communication.
WHOIS database management: gTLD thin model
From a WHOIS database perspective, there are two types of generic extensions:
- The thick model where a registry manages for itself the WHOIS database for its extension
- The thin model where each registrar manages the WHOIS database of the domain names registered by its customers.
In the latter case, where EuroDNS has full control over WHOIS management, we will proceed as follows: every registrant that is a natural person will have their first and last names, and phone and fax numbers redacted. Only their city, state, postal code, and country will be published. Their email will also be replaced by a generic email alias which will forward every email sent to it to the registrant's hidden email address.
WHOIS database management: gTLD thick model
Under the thick model, the information published will depend on the specific registry’s decision. All should (normally) follow ICANN’s model.
As of now, some registries - .AMSTERDAM, .CAT, .FRL and .TEL - have already implemented a means by which registrants can refuse the publication of their personal data in the registry's database.
Other registries - .WIEN and .PARIS - have made their models known but have not yet implemented them.
Domain name registration for other ccTLDs
Lastly, with regards to national extensions for countries and territories outside the EEA, registries will naturally not comply with GDPR as they have no obligation to do so.
Individuals wanting to register under those extensions and still maintain a minimum level of privacy – even though it is understood that full compliance with GDPR data privacy regulations under those extensions cannot be achieved – are advised to make use of EuroDNS's WHOIS Domain Privacy service if allowed by the registry.
If you have any questions about the GDPR or how these data privacy regulations will impact your current or future domain name registrations, feel free to contact us. We'll be glad to answer your questions.