General Data Protection Regulation
Information on GDPR
We would like to give you a short summary of our plans to address some of the concerns arising from GDPR with regard to the processing of registration data that is currently published in the WHOIS, and of how this affects domain registration services in the future.
Key-Systems is currently working to ensure compliance with the new European General Data Protection Regulation (GDPR), which comes into effect on May 25, 2018. By default, we will no longer disclose personal data.
Privacy is about having control of your data, and GDPR will ensure that private individuals have more control over and information on how their personal information is published and processed. While compliance with the GDPR is challenging for all involved parties, it will ultimately help to protect the private data of Internet users from abuse and misuse, both by restricting processing and by improving security. It will also give users a better picture of how, by whom and why their personal data is processed, and of how to take action against incorrect or illegal processing.
Processing of private data will be limited to a certain extent, especially with regard to its transmission and disclosure. However, we do not control the processing of data in every instance. Where we act as a mere data processor, we need to follow the lawful instructions of data controllers such as ICANN and the registries in order to be able to continue to provide our services to you. This also means we will need to continue to request full contact data, both for our own business purposes under the GDPR and for the legitimate purposes of the data controllers, but we will restrict processing and data transfers as much as possible. Publication and transmission of personal data will be reduced as summarized below.
Reduced publication and transmission of Whois Data
Reduced Data provision by our Whois server
The contact data provided by our Whois server only includes data of domains managed by us in so-called “Thin” Registry gTLDs, like .COM/.NET/.CC/.TV/.JOBS.
To comply with GDPR requirements, Key-Systems will reduce publication of contact data in Whois to only a few fields. All other fields will be redacted or replaced.
Reduced Data transmitted to gTLD Thick Registries
Contact data transfer to gTLD Thick Registries (like .INFO, .ORG, .XYZ, etc.) will be reduced to only a few fields as well, unless we can be certain that both the data transfers and the GDPR compliance measures taken by the Registry Operator are in full compliance with the GDPR.
In particular, the data coming from our Whois server and transmitted to non-compliant gTLD Thick Registries will be reduced to:
For organizations (P-handles with organization value; respectively O-handles, if the "organization" field is filled out and no first, middle, last name is given):
- Postal Code
For Private Persons (P-handles, if no organisation is given):
Redacted or replaced fields in Whois
As mentioned above, all other fields will be redacted or replaced. Some registries offer to undisclose/disclose certain fields in Whois and support a respective EPP parameter. If a registry supports these parameters, we set the respective fields to undisclose. If a registry does not support these EPP parameters or similar functions, we will not transmit the respective contact fields but instead transmit a placeholder, i.e. "not disclosed".
To make sure that contact data will not be published after May 25th 2018, we will update all contact data at registries by either setting relevant fields to undisclose via EPP or replacing them.
We expect that registries will adopt functions to undisclose/disclose certain fields in Whois during the course of this year.
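The two handling paths described above, as an added sketch that is not Key-Systems' code: the `<contact:disclose>` element and its namespace follow the EPP contact mapping (RFC 5733), while the flat contact dictionary, the function names and the set of fields kept public are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

CONTACT_NS = "urn:ietf:params:xml:ns:contact-1.0"  # EPP contact mapping, RFC 5733
PLACEHOLDER = "not disclosed"                       # placeholder wording from the notice
# Fields a client can list inside <contact:disclose> under RFC 5733.
DISCLOSABLE = ("name", "org", "addr", "voice", "fax", "email")
# Assumption: which fields stay public is a policy input; this set is illustrative.
EXAMPLE_KEEP = {"org"}

# Constructed sample contact (flattened; a real EPP contact nests the address).
SAMPLE_CONTACT = {
    "name": "Jane Example",
    "org": "Example GmbH",
    "addr": "1 Sample Street, 00000 Sampletown",
    "voice": "+49.000000000",
    "fax": "+49.000000001",
    "email": "jane@example.invalid",
}


def build_disclose(keep):
    """Build <contact:disclose flag="0"> listing every field to withhold."""
    element = ET.Element(f"{{{CONTACT_NS}}}disclose", {"flag": "0"})
    for field in DISCLOSABLE:
        if field in keep:
            continue
        child = ET.SubElement(element, f"{{{CONTACT_NS}}}{field}")
        if field in ("name", "org", "addr"):
            child.set("type", "int")  # the schema requires int or loc here
    return element


def prepare_contact(contact, supports_disclose, keep):
    """Return (fields_to_transmit, disclose_element_or_None) for one registry."""
    if supports_disclose:
        # Registry honours the EPP parameter: send real data, flagged as withheld.
        return dict(contact), build_disclose(keep)
    # No disclose support: the real values never leave the registrar.
    redacted = {k: (v if k in keep else PLACEHOLDER) for k, v in contact.items()}
    return redacted, None


if __name__ == "__main__":
    fields, disclose = prepare_contact(SAMPLE_CONTACT, True, EXAMPLE_KEEP)
    print(ET.tostring(disclose, encoding="unicode"))
    print(prepare_contact(SAMPLE_CONTACT, False, EXAMPLE_KEEP)[0])
```

The two paths differ in where the personal data ends up: with the disclose flag the registry still stores the real values and is trusted to withhold them, whereas the placeholder path keeps them at the registrar.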
Whois output and contact data transmission for TLDs in Registry Account Management
The Whois output and contact data transmission for TLDs of reseller accreditations in our Registry Account Management (RAM) will be provided using the same logic that our own Whois servers use.
Opt-in to disclose data
An opt-in to disclose data will be made available for all contact handles (Owner, Admin, Tech, Billing) in the near future. The underlying technical process is very similar to contact verification, i.e. the registrant will receive an email to approve or decline disclosure of his or her data in Whois. This will allow each individual contact holder to select, for a particular contact handle, whether he or she wishes the data to be disclosed in the Whois. Please note that even if a contact decides to disclose his or her details in our system, this does not mean that the registry controlling the Whois output will also disclose this data. Work is currently ongoing at ICANN to harmonize this approach.
Data in ccTLD Whois
ccTLD registries operate their own Whois servers and must individually comply with GDPR. We are currently in the process of reviewing the plans supplied by the Registry Operators to determine the individual approach for each ccTLD. In some cases, changes to our backend connection to ccTLD registries will need to be applied where we have determined that we will not be able to process and/or transfer data under the GDPR. These planned changes will not affect the handling of the ccTLDs in our external gateways, portals and APIs, i.e. we expect no code-breaking changes for our customers.
Technical implementation will go live May 22nd 2018
Our technical implementation will go live May 22nd 2018 for all generic TLDs that do not enforce publication of contact details (for example .BANK and .INSURANCE), including legacy gTLDs like .COM, .NET, .INFO and new gTLDs like .XYZ, .SAARLAND, .BEER.
On this day we will start to reduce the Whois information of all contacts as described above.
Whois Privacy will continue to be fully available even after GDPR has become effective. Instead of displaying a link to a contact page in Whois, it offers the benefit of direct email forwarding and non-hidden contact details of our Whois Privacy Service.