Answer ID: 9060
New GDPR Privacy Policy (May 25th, 2018)
Also see the help article from our affiliate, Enom: General Data Protection Regulations (GDPR)
GDPR (General Data Protection Regulation) is a new privacy policy regulation established by the EU, pertaining to companies doing business with customers in the EU. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU (from Wikipedia).
The GDPR helps protect privacy in the digital age. The European Union views the protection of personal data as nothing less than a fundamental human right, alongside other rights such as freedom of expression, freedom of thought, and the right to a fair trial. Although there are other existing privacy laws in effect already, the GDPR is different in its scope of applicability and because significant fines may be levied for non-compliance.
The GDPR replaces the 1995 EU Data Privacy Directive, harmonizing privacy laws across the EU. Once it comes into effect on May 25, 2018, it will be law in all EU member states.
Though it’s complex and far-reaching, at a high level, the GDPR can be understood in terms of three fundamental concepts:
1. Consent and Control
Clear, informed consent and individual control over the use of personal data are basic rights in the GDPR. Any business collecting or processing personal data must not only obtain consent to do so, but must also explain what they need the information for. What’s more, they’re only allowed to collect the minimum amount of information required to get the job done and can’t use the info for any purpose other than that to which the individual initially agreed. This puts the individual in charge of how their info is used from the very start.
2. Transparency
The GDPR imposes requirements around how companies should address security breaches that expose sensitive personal information. In the event of a breach, anyone whose information may have been exposed must be notified as soon as possible, and that notice should include an explanation of what happened, what’s being done to fix it, and what those affected should do to protect themselves. This type of information empowers each person to respond in the way they think is best in each circumstance in order to protect their own privacy.
3. The right to be forgotten
Under these new rules, EU-local individuals have the right to revoke consent for a service provider to use their data. When this happens, the provider must essentially erase all record of the individual, giving them a fresh start. This requirement is not without consequences or limitations: some services can’t be provided without personal information, and sometimes personal information has to be kept for reasons of public interest or relating to legal claims.
Domain WHOIS information under the GDPR policy
With the GDPR privacy policy (effective May 25th, 2018), domain WHOIS information is no longer displayed publicly, but is still available for "legitimate parties" via a gated access system.
Doing a WHOIS search (like at tucowsdomains.com/whois-search) will still show some information like the domain registrar, expiration date, and sometimes a link to a contact form in order to contact the domain registrant.
We will implement a new “gated Whois” system. Under this new system:
- The registrant, admin, and technical contact information for registered domains will no longer be visible in the public Whois database.
- "Full" Whois data for registered domains will only be accessible to legitimate and accredited third-parties, such as law enforcement, members of the security community, and intellectual property lawyers.
- This "full" Whois data will be limited to those personal data elements that we have obtained permission to process, either via contract or via consent of the data subject.
This switch to a gated Whois is being made in an effort to reconcile our GDPR-imposed restrictions with our ongoing obligations as an accredited registrar. As of May 25, 2018, registrant information—name, organization, address, phone number, and email—will be considered personal data that can no longer be published in the public Whois. However, we feel authenticated access to this information, in a specific and limited manner, must be provided to those with legitimate reasons to request it. A gated Whois system will allow for this, while also ensuring that private information remains guarded from the general public.
Additional consent is needed to process certain personal information. The consent is optional, but may be needed in particular circumstances. You can offer this consent via an email we send to you.
We will request consent from the data subject when:
- We give the option of processing any piece of personal data that isn’t essential or necessary to provide the service. For example, for most domain registrations, we don’t require the registrant to provide their phone number, but by collecting this piece of data we are able to provide a backup verification method.
- The data is required by a third party, with whom we do not yet have a GDPR-compliant contract. For example, a registry might require that the registrant’s postal address be on file in order to complete a domain registration. If we don’t have a GDPR-compliant contract with this particular registry, we would have to request consent from the data subject to process and share this extra piece of personal data before completing the registration.
Information about the impact of the implementation of the new GDPR Privacy Policy on your account can be found here:
- Enom GDPR info and FAQs: https://help.enom.com/hc/en-us/articles/360003534951-GDPR-Customer-FAQ
- Reseller GDPR FAQs from Enom: https://help.enom.com/hc/en-us/articles/360003302691-GDPR-Reseller-FAQ
- Changes to Domain transfer process: https://www.enom.com/blog/changes-to-the-domain-transfer-process/
- How will the GDPR impact Whois?: https://www.enom.com/blog/will-gdpr-impact-whois/
More general information about the GDPR policy can be found here:
Note: If you wish, you can now make your domain's WHOIS contact information publicly visible again by enabling "WHOIS Publicity".