The General Data Protection Regulation, GDPR, is a European legislation to protect the privacy and personal information of individuals living in the European Union.
The purpose of the Regulation is to regulate data protection in a uniform manner throughout the EU, to give EU citizens better control over their personal data and regulate how controllers may use personal data. On the other hand, it shall ensure free flow of personal data within the EU and to regulate the export of personal data outside the EU.
Even though GDPR is European legislation, 1awww is extending the privacy and personal information protections for all our customers. Whether or not you live in the European Union, the rules and application of GDPR will serve to protect your personal data when purchasing or using any product or service with 1awww - registration of a domain name, obtaining an SSL certificate, ordering a website, etc. 1awww is fully compliant with the GDPR for all our direct customers.
As a Spain based company, 1awww has been required to comply with years of strict European privacy laws, many of which form the basis of GDPR. Therefore, 1awww's existing policies, processes, operations, and infrastructure are already GDPR compliant. The single main focus for 1awww now is working with the registries, third party service providers, and industry governing bodies, our partners, who are working towards becoming GDPR compliant themselves or in the worst case not care about GDPR completely. Here is the GDPR schedule of actions and updates.
At the time of publishing this information (mid May 2018), many partners and registries in the domain industry are still in the process of reviewing their own policies. Thus, 1awww will update our policies, contracts and information to you subsequent to finalization of these third parties.
For many years 1awww has been compliant with German and Spanish privacy regulation (much of these laws form the basis for GDPR) and as such 1awww respects the privacy of our customers and visitors and is committed to protecting their personal information. We have further updated our policies and operations to be compliant with GDPR and will continue to work with our customers and partners to ensure ongoing compliance. Below, you find an overview of some of the principles enshrined in the GDPR, which we adhere to:
When registering a domain name, there are multiple parties involved and they all have distinct roles and responsibilities. Below, we offer a rough overview of the processing activities occurring when domain names are registered. However, you must read the policies issued by the registries operating the extension or Top Level Domain that you are interested in or have already registered as these policies vary a lot. The domain policies are found here:
There are different concepts with respect to who is a controller and processor, which can be seen from the documentation by the registry.
For ccTLD registrations, typically the registry is the controller and we act as the processor on behalf of the registry for registering the domain name and maintaining the registration as well as making the domain name technically available via the Domain Name System (DNS).
For gTLD registrations, the registry, ICANN and the registrars are widely considered joint controllers for registration data. ICANN’s role is establishing the policies on aspects including the collection and publication of data as well as to ensure that the system is secure, stable and resilient. ICANN contractually requires the registrars to process personal data and enforces these contractual obligations, which - in part - are policies established by ICANN’s multistakeholder community.
The registry’s role is to maintain a central repository of all domain name registrations and to make these resolve via the Domain Name System (DNS). The registry does not offer domain name registrations directly to registrants. The registry is required to report on its activities to ICANN on a regular basis and ICANN may request registration data for contractual compliance purposes.
It is the registrar’s role to offer domain name registrations and potentially other services to the registrants. According to ICANN’s requirements, the registration data is collected by the registrar and then transferred to the registry.
Additionally, 1awww is acting as controller for the purpose of managing your account, invoicing and customer support.
Where we are the controller according to Art. 4 VII GDPR, you may contact us here:
1awww Internet-Service-Provider, Calle Club 2 / Camino Velilla 1, E-18690 Almuñécar
What data do we collect?
The data elements we need to collect depend on the registry’s requirements. As a minimum, these data elements are:
The same data elements might be required for additional contacts, such as Admin-C, Tech-C or Billing-C.
Additionally, we will collect the following data elements to create your customer account.
The data that you yourself store when you use our services, e.g. web spaces and servers, are automatically stored. The data for backup copies are also stored in our backup systems!
Log data when you visit our websites or use our services. However, this connection data is mainly used to secure our systems and may be evaluated statistically and anonymously! Under no circumstances will this data be used to create motion profiles and/or link them to other data! Only in cases of unlawful use (e.g. hacking/spam) will this data be further processed in our systems for further analysis and security purposes!
Please note that the use of third-party products offered in our hosting systems may lead to the storage of your data (possibly also personal data) in third-party systems, also in third countries:
Third-party products are offered e.g. in Plesk or cPanel, which allows you to easily register free SSL certificates or use CDN services to increase the performance of your websites. When you register for these or other services, additional data is automatically transmitted, usually the e-mail address. Third-party products may request additional personal data or customers may use these services to process all data about them. In this case, customers automatically conclude a data processing contract with the providers of the third-party products and it is the responsibility of the customer to check the conformity of these third-party products with the DSGVO before activating these services!
Registries have diverging policies on what data they request to be collected and transferred to the registry. Our collection of account holder data and registration data is based on Art. 6 I b GDPR to perform the contract. A registry may have policies that require the transfer of data to them based on that same clause or, where the transfer is not based on Art. 6 I b GDPR, it may be based on Art. 6 I f GDPR to enable the registry to run a central repository of registration data to help with the confirmation of ownership or with transfer disputes or to allow for the registry to conduct security checks or mitigate DNS abuse.
ICANN requires data to be escrowed by registries and registrars so that they can be requested by ICANN for the purpose of handing the data over to a registrar that takes over in case of registrar failure or to a succeeding registry or the so called Emergency Backend Operator (EBERO) in case of registry failure. The legal basis for that is Art. 6 I f GDPR.
ICANN also requires all gTLD registrations to be subject to UDRP and URS to facilitate the resolution of disputes. These policies are part of all gTLD domain name registration contracts. Your personal data might be transferred to the dispute resolution providers and the complainant during these procedures (Art. 6 I b GDPR).
There might be additional or other dispute resolution policies where data might be disclosed in a comparable fashion.
Disclosure of registration data depends on registry policies and applicable legal requirements. Please check the registry’s policies for details and in case of uncertainty, please use privacy or proxy services if you want to limit the distribution and publication of your data. Please note we are offering domain names from countries all over the world and not all of the operators need to be compliant with GDPR. Hence, there might be no limitations for the publication of registration data via Whois, so please be advised about the risk that your personal data might be widely shared where unfettered access to Whois data is given.
For gTLDs, personal data of the registrant or other contacts will not be published except for province and country for the registrant.
We will make available a web form for contacting the Registrant, the Admin-C and Tech-C.
More data will only be published based on an opt-in, i.e. consent by the registrant that can be withdrawn at any time.
The registry might need to disclose data to requesting third parties, if there is a legal obligation to disclose e.g. to law enforcement authorities (Art. 6 I c GDPR), in connection with URDP and URS (Art. 6 I b GDPR) or where a legitimate third party interest exists (Art. 6 I f GDPR). Details on the parameters on the basis of which data can be revealed may vary from registry to registry. ICANN will likely work on a globally applicable scheme for that including the accreditation of certain Whois requestor groups in due course.
If you want to file a disclosure request, please contact email@example.com.
Your data is deleted without undue delay if and to the extent that the purpose of data collection has been reached resp. ceases to exist. The data processed by us will be deleted at the latest after expiry of statutory retention periods. We adhere to the requirements of Art. 17, 18 GDPR. If you have given your consent to the data collection, the data will be deleted immediately after receipt of an appropriate revocation.
Please note that there might be retention periods required by ICANN. Your data might need to be stored for a period of 2 years after the end of the domain name registration by the parties involved.
You also have the right to lodge a complaint with a supervisory authority about the processing of your personal data by the controller.
last updated 22.05.2018