GDPR Policy for Resellers


GDPR Policy for Resellers

The General Data Protection Regulation, GDPR, is a European legislation to protect the privacy and personal information of individuals living in the European Union.

The purpose of the Regulation is to regulate data protection in a uniform manner throughout the EU, to give EU citizens better control over their personal data and regulate how controllers may use personal data. On the other hand, it shall ensure free flow of personal data within the EU and to regulate the export of personal data outside the EU.

Below, you find information on how we deal with personal data, what the parties involved are and what their respective roles are.

For resellers of 1awww's products and services, regardless of whether you have European customers or not, the GDPR changes will effect all accounts since the new policies will be applied universally. Therefore, all resellers are required to read and understand the GDPR requirements, policy changes and then apply them in their business processes, practices, and operations to be compliant, otherwise, resellers will might be subject to large and punitive fines. The good news is that 1awww will do much of the heavy lifting for you, but some changes for GDPR, like notices and disclosure, can only be done by the reseller. Please note that GDPR compliance is relevant to you even if you are based outside the EU and you might also need to appoint a representative in the EU.

1awww's GDPR Process and Schedule

As a Spanish based company, 1awww has been required to comply with years of strict European privacy laws, many of which form the basis of GDPR. Therefore, 1awww's existing policies, processes, operations, and infrastructure are already GDPR compliant. The single main focus for 1awww now is working with the registries, third party service providers, and industry governing bodies, our partners, who are working towards becoming GDPR compliant themselves or in the worst case not care about GDPR completely. Here is the GDPR schedule of actions and updates.

  • GDPR Domain Security Update - gTLD domain name authorization codes and transfer locks
  • GDPR Reseller Policy Publication
  • Reseller Data Processing Agreement
  • New GDRP functionality in the Control Panel and API

At the time of publishing this information (mid May 2018), many partners and registries in the domain industry are still in the process of reviewing their own policies. Thus, 1awww will update our policies, contracts and information to you subsequent to finalization of these third parties.

1awww GDPR Compliance

For many years 1awww has been compliant with German and Spain privacy regulation (much of these laws form the basis for GDPR) and as such 1awww respects the privacy of our customers and visitors and is committed to protecting their personal information. We have further updated our policies and operations to be compliant with GDPR and will continue to work with our resellers and partners to ensure ongoing compliance. Below, you find an overview of some of the principles enshrined in the GDPR, which we adhere to:

  1. Lawfulness, fairness and transparency. All personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
  2. Purpose Limitation. Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. We only process personal data to the extent required to achieve the original purpose. There is no further processing or sharing of personal data outside of the original purpose.
  3. Data Minimisation. Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. Collecting as little personal data as possible is our default way of operating and by doing so it makes protecting and comply with privacy regulation easier.
  4. Data Accuracy. Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay. We require our customers and resellers to keep up to date their personal data as integral part of our Terms of Service. We regularly purge and permanently delete accounts with the respective personal data if customers can't be contacted or do not respond account inquiries.
  5. Storage Limitation. Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
  6. Integrity and Confidentiality. Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. Security of data and systems is one of 1awww's top priorities. Our core architecture is multi-tiered with encryption and access credentials between tiers to ensure the highest level of protection. Organizationally, only authorized personnel that need access to personal data in the procurement or support of a service or product have access rights. We are also committed to providing notice within 24 hours if a data breach were to ever occur, which will include an explanation of the breach, resolution activities, and advice to customers on how to protect themselves.
  7. Data Subject Rights. The following rights can be claimed against the controller:
  8. Right of access by the data subject, Art. 15 GDPR
  9. Right to rectification, Art. 16 GDPR
  10. Right to erasure (‘right to be forgotten’), Art. 17 GDPR
  11. Right to restriction of processing, Art. 18 GDPR
  12. Right to data portability, Art. 20 GDPR
  13. Right to object, Art. 21 GDPR

You also have the right to lodge a complaint with a supervisory authority about the processing of your personal data by the controller.

  1. Accountability. To demonstrate compliance in tangible ways, 1awwwhas implemented a number of key activities to regularly review and improve our policies, organisational procedures, and technical service infrastructure to ensure we stay compliant to the highest degree.
  2. Privacy Notices: 1awww's Privacy Policy provides the public of what personal information we collect, how we use it, and how individuals can gain access to it to update or delete their data.
  3. Audits and Privacy Impact Assessments: These reviews and checks ensure that 1awww is continually compliant with prevailing privacy laws.
  4. Special Third Party Assessment for GDPR: Specifically for compliance with GDPR, 1awww has also contracted with legal experts to assist reworking all our service agreements, reviewing operational processes, and adjusting our systems infrastructure.

Domain Names and Related Services Under GDPR

When registering a domain name, there are multiple parties involved and they all have distinct roles and responsibilities. Below, we offer a rough overview of the processing activities occurring when domain names are registered. However, you must read the policies issued by the registries operating the extension or Top Level Domain that you are interested in or have already registered as these policies vary a lot. The domain policies are found here:

  • gTLD domain name policies
  • ccTLD domain name policies
Parties / Responsibilities / Controller / Processor

There are different concepts with respect to who is a controller and processor, which can be seen from the documentation by the registry.

For ccTLD registrations, typically the registry is the controller and we act as the processor on behalf of the registry for registering the domain name and maintaining the registration as well as making the domain name technically available via the Domain Name System (DNS).

For gTLD registrations, the registry, ICANN and the registrars are widely considered joint controllers for registration data. ICANN’s role is establishing the policies on aspects including the collection and publication of data as well as to ensure that the system is secure, stable and resilient. ICANN contractually requires the registrars to process personal data and enforces these contractual obligations, which - in part - are policies established by ICANN’s multistakeholder community.

The registry’s role is to maintain a central repository of all domain name registrations and to make these resolve via the Domain Name System (DNS). The registry does not offer domain name registrations directly to registrants. The registry is required to report on its activities to ICANN on a regular basis and ICANN may request registration data for contractual compliance purposes.

It is the registrar’s role to offer domain name registrations and potentially other services to the registrants. According to ICANN’s requirements, the registration data is collected by the registrar and then transferred to the registry.

Additionally, 1awww is acting as controller for the purpose of managing your account, invoicing and reseller support.

If you are a reseller, you are acting as a processor to collect and transfer registration data on our behalf. Resellers must have agreed to, signed and submit our Reseller Data Processing Agreement to become or maintain your reseller status.

Where we are the controller according to Art. 4 VII GDPR, you may contact us here:

1awww Internet-Service-Provider Detlef Bracker, Calle Club 2 / Camino Velilla 1, E 18690 Almuñécar

If and where data is transferred to our Canadian entity 1awwwSERVICES INC., #2235 - 6900 Graybar Road, Richmond, B.C., Canada V6W 0A5, this is legally based on the EU Standard Contractual Clauses.

What data do we collect?

The data elements we need to collect depend on the registry’s requirements. As a minimum, these data elements are:

  • Domain Name
  • Nameservers
  • Registrant Name
  • Registrant Organization
  • Registrant Street
  • Registrant City
  • Registrant Postal Code
  • Registrant Province/State
  • Registrant Country
  • Registrant Phone
  • Registrant Phone Ext
  • Registrant Fax
  • Registrant Fax Ext

The same data elements might be required for additional contacts, such as Admin-C, Tech-C or Billing-C.

Additionally, we will collect the following data elements to create your reseller account.

  • Account holder Name
  • Account holder Organization
  • Account holder Street
  • Account holder City
  • Account holder Postal Code
  • Account holder Province/State
  • Account holder Country
  • Account holder Phone
  • Account holder Email
  • and payment data
In addition, we collect movement data which results from the use of our web hosting services and which you store on our servers!

The data that you yourself store when you use our services, e.g. web spaces and servers, are automatically stored. The data for backup copies are also stored in our backup systems!

Log data when you visit our websites or use our services. However, this connection data is mainly used to secure our systems and may be evaluated statistically and anonymously! Under no circumstances will this data be used to create motion profiles and/or link them to other data! Only in cases of unlawful use (e.g. hacking/spam) will this data be further processed in our systems for further analysis and security purposes!

When using third-party products within our hosting systems:

Please note that the use of third-party products offered in our hosting systems may lead to the storage of your data (possibly also personal data) in third-party systems, also in third countries:

Third-party products are offered e.g. in Plesk or cPanel, which allows you to easily register free SSL certificates or use CDN services to increase the performance of your websites. When you register for these or other services, additional data is automatically transmitted, usually the e-mail address. Third-party products may request additional personal data or customers may use these services to process all data about them. In this case, customers automatically conclude a data processing contract with the providers of the third-party products and it is the responsibility of the customer to check the conformity of these third-party products with the DSGVO before activating these services!

Registration of Domain Names

Registries have diverging policies on what data they request to be collected and transferred to the registry. Our collection of account holder data and registration data is based on Art. 6 I b GDPR to perform the contract. A registry may have policies that require the transfer of data to them based on that same clause or, where the transfer is not based on Art. 6 I b GDPR, it may be based on Art. 6 I f GDPR to enable the registry to run a central repository of registration data to help with the confirmation of ownership or with transfer disputes or to allow for the registry to conduct security checks or mitigate DNS abuse.

Data Escrow

ICANN requires data to be escrowed by registries and registrars so that they can be requested by ICANN for the purpose of handing the data over to a registrar that takes over in case of registrar failure or to a succeeding registry or the so called Emergency Backend Operator (EBERO) in case of registry failure. The legal basis for that is Art. 6 I f GDPR.

Domain Name Disputes

ICANN also requires all gTLD registrations to be subject to UDRP and URS to facilitate the resolution of disputes. These policies are part of all gTLD domain name registration contracts. Your personal data might be transferred to the dispute resolution providers and the complainant during these procedures (Art. 6 I b GDPR).

There might be additional or other dispute resolution policies where data might be disclosed in a comparable fashion.

Disclosure of Registration Data

Disclosure of registration data depends on registry policies and applicable legal requirements. Please check the registry’s policies for details and in case of uncertainty, please use privacy or proxy services if you want to limit the distribution and publication of your data. Please note we are offering domain names from countries all over the world and not all of the operators need to be compliant with GDPR. Hence, there might be no limitations for the publication of registration data via Whois, so please be advised about the risk that your personal data might be widely shared where unfettered access to Whois data is given.

For gTLDs, personal data of the registrant or other contacts will not be published except for province and country for the registrant.

We will make available a web form for contacting the Registrant, the Admin-C and Tech-C.

More data will only be published based on an opt-in, i.e. consent by the registrant that can be withdrawn at any time.

The registry might need to disclose data to requesting third parties, if there is a legal obligation to disclose e.g. to law enforcement authorities (Art. 6 I c GDPR), in connection with URDP and URS (Art. 6 I b GDPR) or where a legitimate third party interest exists (Art. 6 I f GDPR). Details on the parameters on the basis of which data can be revealed may vary from registry to registry. ICANN will likely work on a globally applicable scheme for that including the accreditation of certain Whois requestor groups in due course.

If you want to file a disclosure request, please contact

Retention of Data

Your data is deleted without undue delay if and to the extent that the purpose of data collection has been reached resp. ceases to exist. The data processed by us will be deleted at the latest after expiry of statutory retention periods. We adhere to the requirements of Art. 17, 18 GDPR. If you have given your consent to the data collection, the data will be deleted immediately after receipt of an appropriate revocation.

Please note that there might be retention periods required by ICANN. Your data might need to be stored for a period of 2 years after the end of the domain name registration by the parties involved.

  • The following rights can be claimed against the controller:
    • Right of access by the data subject, Art. 15 GDPR
    • Right to rectification, Art. 16 GDPR
    • Right to erasure (‘right to be forgotten’), Art. 17 GDPR
    • Right to restriction of processing, Art. 18 GDPR
    • Right to data portability, Art. 20 GDPR
    • Right to object, Art. 21 GDPR

You also have the right to lodge a complaint with a supervisory authority about the processing of your personal data by the controller.

last updated 22.05.2018