European General Data Protection Regulation (GDPR)
Information on GDPR
We would like to give you a brief overview of our plans for implementing the requirements of the new European General Data Protection Regulation (GDPR).
We explain how the GDPR affects the processing of registration data currently published in the Whois and how this will affect domain registration services in the future.
The GDPR comes into effect on May 25, 2018, and by default we will no longer disclose personal data.
Privacy is about having control of your data and GDPR will ensure that private individuals have more control and information on how their personal information will be published and processed.
While compliance with the GDPR is challenging for all involved parties, it will ultimately help to protect private data of Internet users from abuse and misuse both by restricting processing and by improving security.
It will also help users get a better idea of how, by whom and why their personal data is processed, and how to take action against incorrect or illegal processing.
Processing of private data will be limited to a certain extent, especially with regard to its transmission and disclosure.
However, we do not control the processing of data in every instance.
Where we act as a mere data processor, we need to follow the lawful instructions of data controllers such as ICANN and the registries in order to be able to continue to provide our services to you. This also means we will need to continue to request full contact data, both for our own business purposes under the GDPR and for the legitimate purposes of the data controllers, but we will restrict processing and data transfers as much as possible.
Publication and transmission of personal data will be reduced as summarized below:
Reduced data publication / transmission
Reduced data provision by our whois server:
The contact data provided by our whois server only includes data of domains managed by us in so-called "thin" registry gTLDs (e.g. .com, .net, .cc, .tv, .jobs). To comply with GDPR requirements, Key-Systems will reduce publication of contact data in whois to only a few fields. All other fields will be redacted or replaced.
Reduced data transmitted to gTLD "thick" registries:
Contact data transfer to so-called gTLD thick registries (e.g. .info, .org, .xyz) will be reduced to only a few fields as well, unless we can be certain that both the data transfer and the GDPR compliance measures taken by the registry operator are in full compliance with the GDPR.
In particular, the data coming from our whois server and transmitted to non-compliant gTLD thick registries will be reduced to the following details:
- Organization, Street, City, State/Province, Postal Code, and Country in the case of organizations (O-handles, if the "organization" field is filled out and no first, middle, last name is given)
- Country and State/Province in the case of private persons (P-handles, if no organization is given)
Opt-in to disclose data
An opt-in function to disclose data will soon be made available for all contact handles (Owner, Admin, Tech, Billing).
The underlying technical process is very similar to contact verification, i.e. the registrant will receive a mail to approve or decline disclosure of her or his data in whois.
This will allow each individual contact holder to select for a particular contact handle whether he wishes his data to be disclosed in the whois.
Please note that even if a contact holder decides to disclose his details in our system, this does not mean that the registry controlling the Whois output will also disclose this data. Work is currently ongoing at ICANN to harmonize this approach.
Contact to an undisclosed entity
As the email address is no longer shown in whois, we will introduce the possibility to contact the registrant through a web form.
Inquiries sent through this form will be sent to the respective contact of record. The individual link to the web form will be published in whois, typically in the "Email" field.
Transfers from and to other registrars
We currently envision that contact data should be made available for certain purposes, in particular transfers from and to other registrars.
This would allow data transmission for transfers. However, this matter is still subject to additional reviews and may be changed accordingly.
Data in the whois of ccTLDs
ccTLD registries operate their own whois servers and must individually comply with the GDPR.
We are currently in the process of reviewing the plans supplied by the registry operators to determine the individual approach for each ccTLD.
To cover all aspects of the GDPR, we are currently preparing new / updated agreements that will become effective on May 25, 2018:
- Data Processing Agreement
- Terms and Conditions (Redline Version)
- Domain Registration Agreement (Redline Version)
We will soon publish these documents in the legal section on our website.
Our technical implementation will go live on May 22, 2018 for all generic TLDs that do not enforce publication of contact details, including legacy gTLDs such as .com, .net, .info and new gTLDs such as .xyz, .saarland, .beer.
On this day we will start to reduce the whois information of all contacts as described above.
Please note that the Whois Privacy Protection service (Whois Proxy Service) will continue to be fully available even after the GDPR has become effective.