The new data protection regulation: GDPR

On the 25th of May 2018, the General Data Protection Regulation or GDPR will become effective. This regulation aims to protect personal data of private individuals within the European Union. What can you expect from Openprovider with respect to the GDPR?

Processor agreement

Openprovider is working on a Processor Agreement and a Sub Processor Agreement. These agreements would clearly define which data we collect for what purpose. They would define your and our responsibilities with respect to personal data. Both agreements will be additional to the general Terms and Conditions. You will be able to accept the agreements from your control panel from the second half of April 2018. You will have sufficient time to review and accept the agreements.

We will add a reference to the processor and sub processor agreement to our Terms and Conditions. We will provide you with a 30-day notice of this change, in line with §14.2 of Openprovider’s Terms and Conditions.

Data collection and the GDPR

Data collection will not change on a short term. Openprovider collects two types of data:

• Data that we use ourselves: these are the data that we collect about you, our customer. These data are required for the performance of services: creating your account, sending invoices, newsletters, etc. Of course, you can still unsubscribe from our newsletters at any moment. Do be aware that newsletters are our primary means of communication for important updates to our products, services, terms and prices.
• Data collected for product delivery: these are the data that we collect about your customers (domain contacts and the contacts of other products and services). This form of data collection will not notably change. Almost all providers will keep requiring full contact data for operational and legal purposes, although these data are not shared publicly anymore.

We are investigating how we can finetune our data collection and retention. Data elements that are unused may be removed. Data elements that are necessary for specific extensions are only removed as soon as no such domains are linked to that contact anymore. We will remove unused contacts in Openprovider with a notification.

In all cases, our system (control panel and API) will be fully backwards compatible. We do not force changes from your side.

Whois

For our product domain registration, you will face the biggest changes in the Whois. Most European registries already show a limited set of data in their Whois registers because of current privacy laws. We will see that the GDPR will minimize these visible data even further. In many cases, no personal data will be visible at all.

For generic extensions (gTLDs), the registrar community is working together with ICANN and the European DPAs on a solution that meets both the requirements of GDPR and ICANN policies. At the end of March 2018, a proposed interim model was published by ICANN. This model would allow registries and registrars to hide all personal data from the Whois, except for the organization name, the state and country (for legal purposes) and a replacement for the e-mail address (either an anonymized e-mail address of a web form). Access to full Whois data is possible only for selected purposes. Moreover, you will need to go through an accreditation process (for example, in the case of law enforcement organizations).

Transfers

Discussions between the registrar community and ICANN on the topic of gTLD transfers are still ongoing. At this moment, ICANN’s transfer policy requires the gaining registrar to send an e-mail to the owner and/or administrative contact (the so-called “Form of Authorization” or “FOA”). However, after the Whois is limited, that will not be obvious anymore.

Details about the change are yet unknown. The efforts of the registrar community aim at making this FOA no longer mandatory. If ICANN adopts that approach, you would only need an authorization code and removal of the transfer lock to transfer a gTLD domain name. This would make the process similar to that of many ccTLDs. As soon as any breakthroughs happen, we will inform you.

As you see, the efforts on the GDPR will be continuous. You can keep track of updates in our Knowledge Base.