The General Data Protection Regulation (GDPR 2016/679) entered into force on 25 May 2018. To comply with this new regulation, we have adapted our procedures and documents.
As the registry manager of the .eu extension and its variants in other scripts, we work with registrars from around the world who offer our domain name extensions to end users. Within the context of domain name registration, we act as the ‘controller’ (data controller) of domain name holders’ registration data. Our registrars process domain name holders’ registration data on our behalf, and are therefore ‘processors’ (data processors) of that data.
The illustration below provides a visual interpretation of how domain name holders’ data flows, and of the controller and processor roles within the GDPR framework.
Since the launch of the .eu extension, we have taken our role as data controller seriously. For this reason, we abide by the following measures which strengthen the security of the personal data we process:
- We store personal data on servers located in EU countries;
- We are ISO/IEC 27001 certified;
- We are ISO 22301:2012 certified;
- We carry out regular internal auditing against defined metrics to assess the ongoing success of data protection compliance across our organisation;
- We have appointed a Data Protection Officer (DPO) and set up a privacy team;
- We use secure email to provide copies of personal data to data subjects upon receipt of data access requests;
- We systematically conduct data protection impact assessments in the initial stages of new projects or processes involving personal data.
If you are an individual who wishes to register a domain name and are concerned about the visibility of your personal email address, you may provide any functioning email address that does not personally identify you at the time of registration. If you are an individual holding a domain name and are concerned about the visibility of your personal email address, you may contact your registrar to update your registration data.
Some registrars grant the option to their customers (domain registrants) to use a different email address for publication on the web-based WHOIS. The use of a different email address is subject to an agreement between you and your registrar.
As the data controller, we are responsible for correctly and efficiently responding to domain name holders’ requests to access their personal data. Holders can request to access their data through our online Data Access Request form or via their My .eu account.
In summary, our organisational adaptations as they relate to the GDPR are as follows:
- The following documents have been updated and automatically apply as of 16 May 2018:
You may register a .eu domain name as an individual (or ‘natural person’) or as an organisation (legal entity). A ‘natural person’ is defined as an individual person acting without separate legal status, while an ‘organisation’ is generally understood as a legal entity or an individual acting with separate legal status or personality. The choice to identify either as an individual or as an organisation belongs to you, and affects the amount of information visible on the web-based WHOIS, as indicated below:
- Information displayed for legal entities holding a domain name is limited to:
  - Email address
- Information displayed for individuals holding a domain name is limited to:
  - Email address

Domain name holders can view all of their data via their My .eu account.
If you are a EURid accredited registrar, you can access information about how our GDPR implementation affects you through the registrar extranet.