The General Data Protection Regulation (GDPR 2016/679) entered into force on 25 May 2018. To comply with this new regulation, we have adapted our procedures and documents.

As the registry manager of the .eu extension and its variants in other scripts, we work with registrars from around the world who offer our domain name extensions to end users. Within the context of registration, we act as the ‘controller’ (data controller) of domain name holders’ registration data. Our registrars process domain name holders’ registration data on our behalf, and are therefore ‘processors’ (data processor) of that data.

The illustration below provides a visual interpretation of how domain name holders’ data flows, and of the controller and processor role within the GDPR framework.

Since the launch of the .eu extension, we have taken our role as data controller seriously. For this reason, we abide by the following measures to strengthen the security of the personal data we process:

  • We store personal data in servers located in EU countries;
  • We are ISO/IEC 27001 certified;
  • We are ISO 22301:2012 certified;
  • We carry out regular internal auditing against defined metrics to assess the ongoing success of data protection compliance across our organisation;
  • We have appointed a Data Protection Officer (DPO) and set up a privacy team.
  • We use secure email to provide copies of personal data to data subjects upon receipt of data access requests;
  • We systematically conduct data protection impact assessments in the initial stages of new projects or processes involving personal data;


If you are an individual who wishes to register a domain name and are concerned about the visibility of your personal email address, provide a functioning one that does not personally identify you at the time of registration. If you are an individual holding a domain name and are concerned about the visibility of your personal email address, you can contact your registrar to update your registration data.


As the data controller, we are responsible for correctly and efficiently responding to domain name holders’ requests to access it. Holders can request to access their data through our online Data Access Request form or via their My .eu account.


In select cases, we may need to provide certain domain name holders’ personal data based on legitimate interest from a third party who has filled out and submitted a Personal Data Disclosure form. Any request for disclosure will be carefully checked before it is granted. Any information containing a copy of personal data will be sent in a secure (encrypted) manner. Our Privacy Policy describes this process in further detail.


In summary, our adaptations as they relate to the GDPR are as follows:

  • A new Privacy Policy is online, including information about what types of personal data we process, for what purpose, and how we do so.
  • Personal data available in the web-based WHOIS has been reduced in the following ways:
  • Information displayed for legal entities holding a domain name is limited to:
    • Company
    • City
    • Region
    • Country
    • Email address
    • Language
  • Information displayed for individuals holding a domain name is limited to:
    • Email address
    • Language

Domain name holders can view all of their data through their account.


If you have any questions related to personal data processing at EURid, please contact us at [email protected] or [email protected].

If you are a EURid accredited registrar, you can access information about how our GDPR implementation affects you through the registrar extranet.