GDPR

The General Data Protection Regulation (GDPR 2016/679) entered into force on 25 May 2018. To comply with this new regulation, we have adapted our procedures and documents.

As the registry manager of the .eu extension and its variants in other scripts, we work with registrars from around the world who offer our domain name extensions to end users. Within the context of domain name registration, we act as the ‘controller’ (data controller) of domain name holders’ registration data. Our registrars process domain name holders’ registration data on our behalf, and are therefore ‘processors’ (data processors) of that data.

The illustration below provides a visual interpretation of how domain name holders’ data flows, and of the controller and processor role within the GDPR framework.

Since the launch of the .eu extension, we have taken our role as data controller seriously. For this reason, we abide by the following measures which strengthen the security of the personal data we process:

  • We store personal data in servers located in EU countries;
  • We are ISO/IEC 27001 certified;
  • We are ISO 22301:2012 certified;
  • We carry out regular internal auditing against defined metrics to assess the ongoing success of data protection compliance across our organisation;
  • We have appointed a Data Protection Officer (DPO) and set up a privacy team;
  • We use secure email to provide copies of personal data to data subjects upon receipt of data access requests;
  • We systematically conduct data protection impact assessments in the initial stages of new projects or processes involving personal data.

If you are an individual who wishes to register a domain name and are concerned about the visibility of your personal email address, you may provide any functioning email address that does not personally identify you at the time of registration. If you are an individual holding a domain name and are concerned about the visibility of your personal email address, you may contact your registrar to update your registration data.

 

Some registrars grant the option to their customers (domain registrants) to use a different email address for publication on the web-based WHOIS. The use of a different email address is subject to an agreement between you and your registrar.

 

As the data controller, we are responsible for correctly and efficiently responding to domain name holders’ requests to access their personal data. Holders can request to access their data through our online Data Access Request form or via their My .eu account.

 

In selected cases, we may need to provide certain domain name holders’ personal data, based on legitimate interest, to a third party who has completed and submitted a Personal Data Disclosure form. Each request for disclosure is carefully checked before it is granted. Any information containing a copy of personal data will be sent in a secure (encrypted) manner. Our Privacy Policy describes this process in further detail.

In summary, our organisational adaptations as they relate to the GDPR are as follows:

  • A new Privacy Policy is online, including information about what types of personal data we process, for what purpose, and how we do so.

You may register a .eu domain name as an individual (or ‘natural person’) or as an organisation (legal entity). A ‘natural person’ is defined as an individual person acting without separate legal status, while an ‘organisation’ is generally understood as a legal entity or an individual acting with separate legal status or personality. The choice to identify as either an individual or an organisation belongs to you, and it affects the amount of information visible on the web-based WHOIS, as indicated below:

  • Information displayed for legal entities holding a domain name is limited to:
    • Company
    • City
    • Region
    • Country
    • Email address
    • Language
  • Information displayed for individuals holding a domain name is limited to:
    • Email address
    • Language

Domain name holders can view all of their data via their My.eu account.

 

If you have any questions related to personal data processing at EURid, please contact us at [email protected] or [email protected].

If you are a EURid accredited registrar, you can access information about how our GDPR implementation affects you through the registrar extranet.