Here is what .EU is doing about GDPR (more sensible than many other registries)

The .EU registry announced how it is going to treat WHOIS details and what will be published publicly once GDPR goes into full effect today. Their plan is more sensible than that of many other registries, even though .eu registrants are based (or are supposed to be based) 100% in the European Union.

Personal data available in the web-based WHOIS has been reduced in the following ways:

  • Information displayed for legal entities holding a domain name is limited to:
    • Company
    • City
    • Region
    • Country
    • Email address
    • Language
  • Information displayed for individuals holding a domain name is limited to:
    • Email address
    • Language

If you are an individual who wishes to register a domain name and are concerned about the visibility of your personal email address, provide a functioning one that does not personally identify you at the time of registration. If you are an individual holding a domain name and are concerned about the visibility of your personal email address, you can contact your registrar to update your registration data.

In short, just get a free Gmail address without your name in it. Simple?

Domain name holders can view all of their data through their My.eu account.

The only thing that I don’t see is an option to opt out of WHOIS privacy. Maybe this will come later?

Here are the complete details:

The General Data Protection Regulation (GDPR 2016/679) comes into force on 25 May 2018. To comply with this new regulation, we have adapted our procedures and documents.

As the registry manager of the .eu extension and its variants in other scripts, we work with registrars from around the world who offer our domain name extensions to end users. Within the context of registration, we act as the ‘controller’ (data controller) of domain name holders’ registration data. Our registrars process domain name holders’ registration data on our behalf, and are therefore ‘processors’ (data processor) of that data.

The illustration below provides a visual interpretation of how domain name holders’ data flows, and of the controller and processor role within the GDPR framework.

Since the launch of the .eu extension, we have taken our role as data controller seriously. For this reason, we abide by the following measures to strengthen the security of the personal data we process:

  • We store personal data in servers located in EU countries;
  • We are ISO/IEC 27001 certified;
  • We are ISO 22301:2012 certified;
  • We carry out regular internal auditing against defined metrics to assess the ongoing success of data protection compliance across our organisation;
  • We have appointed a Data Protection Officer (DPO) and set up a privacy team;
  • We use secure email to provide copies of personal data to data subjects upon receipt of data access requests;
  • We systematically conduct data protection impact assessments in the initial stages of new projects or processes involving personal data.

If you are an individual who wishes to register a domain name and are concerned about the visibility of your personal email address, provide a functioning one that does not personally identify you at the time of registration. If you are an individual holding a domain name and are concerned about the visibility of your personal email address, you can contact your registrar to update your registration data.

As the data controller, we are responsible for correctly and efficiently responding to domain name holders’ requests to access it. Holders can request to access their data through our online Data Access Request form, which will be made available as of 16 May 2018, or via their My .eu account.

In select cases, we may need to provide certain domain name holders’ personal data based on legitimate interest from a third party who has filled out and submitted a Personal Data Disclosure form. Any request for disclosure will be carefully checked before it is granted. Any information containing a copy of personal data will be sent in a secure (encrypted) manner. Our Privacy Policy describes this process in further detail.

In summary, our adaptations as they relate to the GDPR are as follows:

  • A new Privacy Policy is online, including information about what types of personal data we process, for what purpose, and how we do so.
  • The following documents have been updated and will automatically apply as of 16 May 2018:
  • Personal data available in the web-based WHOIS has been reduced in the following ways:
    • Information displayed for legal entities holding a domain name is limited to:
      • Company
      • City
      • Region
      • Country
      • Email address
      • Language
    • Information displayed for individuals holding a domain name is limited to:
      • Email address
      • Language

Domain name holders can view all of their data through their My.eu account.

About Konstantinos Zournas

Konstantinos studied Computer Engineering and Computer Science in London and lives in Athens, Greece. He works on domain names, websites and software development. He has been online since 1995 and domaining since 2002.

2 comments

  1. Still, what appears in the WHOIS of the domain’s Registrar depends on that Registrar’s policies.

    The info above can only be viewed via the WHOIS tool at Eurid.eu. It’s no different than e.g. GoDaddy and their alleged “anti-spam” measures.
