The General Data Protection Regulation (GDPR 2016/679) entered into force on 25 May 2018. To comply with this new regulation, we have adapted our procedures and documents.
As the registry manager of the .eu extension and its variants in other scripts, we work with registrars from around the world who offer our domain name extensions to end users. Within the context of registration, we act as the ‘controller’ (data controller) of domain name holders’ registration data. Our registrars process domain name holders’ registration data on our behalf, and are therefore ‘processors’ (data processor) of that data.
The illustration below provides a visual interpretation of how domain name holders’ data flows, and of the controller and processor roles within the GDPR framework.
Since the launch of the .eu extension, we have taken our role as data controller seriously. For this reason, we abide by the following measures to strengthen the security of the personal data we process:
- We store personal data on servers located in EU countries;
- We are ISO/IEC 27001 certified;
- We are ISO 22301:2012 certified;
- We carry out regular internal auditing against defined metrics to assess the ongoing success of data protection compliance across our organisation;
- We have appointed a Data Protection Officer (DPO) and set up a privacy team;
- We use secure email to provide copies of personal data to data subjects upon receipt of data access requests;
- We systematically conduct data protection impact assessments in the initial stages of new projects or processes involving personal data.
If you are an individual who wishes to register a domain name and are concerned about the visibility of your personal email address, provide a functioning email address that does not personally identify you at the time of registration. If you are an individual holding a domain name and are concerned about the visibility of your personal email address, you can contact your registrar to update your registration data.
As the data controller, we are responsible for correctly and efficiently responding to domain name holders’ requests to access their data. Holders can request to access their data through our online Data Access Request form or via their My .eu account.
In summary, our adaptations as they relate to the GDPR are as follows:
- The following documents have been updated and automatically apply as of 16 May 2018:
- Personal data available in the web-based WHOIS has been reduced in the following ways:
  - Information displayed for legal entities holding a domain name is limited to:
    - Email address
  - Information displayed for individuals holding a domain name is limited to:
    - Email address
Domain name holders can view all of their data through their My.eu account.
If you are a EURid accredited registrar, you can access information about how our GDPR implementation affects you through the registrar extranet.