What is the GDPR and how does it affect me?
What is the GDPR?
The European Union’s General Data Protection Regulation (GDPR) lays out a new set of rules for how the personal data of people living within the European Union should be handled. That being said, it embodies some really great principles and concepts that we believe in here at Enom, and we want to pass these protections and rights on to all of our customers, regardless of where they happen to live.
Though it can be fairly complex and far-reaching, at a high level, the GDPR can be broken down into three main concepts:
- Consent and control
- The right to be forgotten
Consent and control
This can be brought down to the very simple idea that your personal information belongs to you and only you can decide where it gets used. In order to work with any of your data, we have to let you know what we need your information for and ask you for your consent to use it. We have an obligation to only collect the minimum amount of information that we need to get the job done, and we can’t use the information we’ve already gathered for something else without asking you if that’s ok.
The security of your personal data is our priority which means this is a part of the GDPR that we never want to have to use. Transparency means that in the event of a security breach where your personal data may have been exposed, we have to let you know as soon as possible that it’s happened and tell you what happened, what we’re doing to fix it and what you should do protect yourself. This type of information empowers each person to respond in the way they think is best in each circumstance in order to protect their own privacy.
The right to be forgotten
This is one of the most powerful tools that the GDPR gives people – a fresh start. It gives you the ability to revoke your consent to access your personal information. When this happens, Enom will have to essentially erase all record of the individual, giving them a fresh start. This requirement is not without consequences or limitations: some services can’t be provided without personal information, and sometimes personal information has to be kept for reasons of public interest or relating to legal claims. This right to erasure applies only to data that’s used because we have consent, and does not apply to data that’s used because it’s required as part of fulfilling a contract.
- What is the purpose of the GDPR?
- I’m not in the EU, why do I have to care about the GDPR?
- How will the GDPR affect me?
- How does the GDPR affect my Enom Registration Agreement?
- How do I find out more about the right to erasure?
- What is considered personal data?
- How long do you keep personal data?
- How will Enom obtain my consent?
- What sort of personal data will Enom process via contract?
- What sort of personal data will Enom process via consent?
- Why is consent sometimes required and sometimes optional? Why are some TLDs and services asynchronous while others are synchronous?
- How are products grouped together on the Data use consent settings page?
- Why is my domain pre-consented? I haven’t yet provided consent.
- I don’t want to consent, what are my options?
- If my service is canceled because I withdrew consent, will I receive a refund?
- Why does the order that my services are listed on the Data use consent settings page change?
- Does the consent request timeout?
- What triggers the consent request to be sent?
- Who receives the consent request?
- Can the consent request be sent to any other email on my account, like the domain admin, billing, or tech contacts?
- Can the consent request emails and Whois verification emails be combined?
- How will Whois change?
- Why can’t I see real contact information in the public Whois anymore?
- Is it possible to opt-in to the display of real data in the public Whois?
- Will the public Whois output still display domain dates, status, nameservers, and sponsoring registrar?
- What is the difference between the gated Whois and the ID Protect (Whois privacy) Whois?
- In the gated Whois, what data will be displayed?
- Will the changes to the Whois affect non-EU domain registrants?
- Will the gated Whois show information for privacy-protected domains?
- Is ID Protect (Whois privacy) still recommended?
- Doesn’t ICANN policy require something different?
- How do these changes affect incoming transfer processes?
- What is the Tiered Access Directory (gated Whois)?
Frequently asked questions
1. What is the purpose of the GDPR?
The GDPR helps protect privacy in the digital age. The European Union views the protection of personal data as nothing less than a fundamental human right, alongside other rights such as freedom of expression, freedom of thought, and the right to a fair trial. Although there are other existing privacy laws in effect already, the GDPR is different in its scope of applicability, and because significant fines may be levied for non-compliance.
2. I’m not in the EU, why do I have to care about the GDPR?
While the rules outlined in GDPR apply only to EU- local individuals, changes to how data is collected and handled will happen on a global scale as companies modify their existing practices to ensure they are compliant with these new regulations. While we will try our best to minimize any disruption to our domain management and registration processes for registrants and resellers, Enom believes in the principles that the GDPR upholds, and we, along with other key players in our industry, feel that extending the benefits of the GDPR to registrants worldwide is simply the right thing to do.
What it means is that all these regulations around protecting personal information can’t just be afterthoughts, they need to be part of the system that’s on unless you turn it off. We’ll be empowering our clients to understand what information we hold and how it’s used, to give consent to us for that use, and to request erasure of data in cases where consent cannot be provided.
3. How will the GDPR affect me?
These data privacy protections touch almost every aspect of the domain onboarding process and lifecycle. We’re keeping two things in mind: our need to operate within the bounds of legal requirements, and our commitment to keeping domain purchase and management as straightforward, simple, and instantaneous as possible for the end-user.
Thinking about consent, we’ve implemented a post-purchase consent process, similar to the Registrant Verification request we send when a new domain is registered. You can find details on this process in our blog posts and our GDPR page.
We already store your data securely, but we’re doing some internal review to see how we can strengthen our protections to keep information safe. We want to make it clear that Enom does not share personal data beyond what’s needed to provide the service that you ordered. We’ve never sold our clients’ personal information, and we certainly aren’t going to start now.
When an individual is no longer our client, they may not be comfortable with Enom storing their personal data. So, we’ll also be reviewing our data retention procedures, and putting in place a method for people to request erasure of personal data from our platform.
4. How does the GDPR affect my Enom Registration Agreement?
One of the main ways that we inform our clients about how their data is being used is through our contracts and end-user service agreements, which have been updated as part of our GDPR implementation efforts.
Please check our recent blog post on GDPR-Related Contract Changes to further review the revisions made.
5. How do I find out more about the right to erasure?
Article 17 of the GDPR outlines the data subject’s right to erasure, also known as the right to be forgotten. It gives each person the right to request that a controller, such as Enom, erase their personal data. It also requires us to comply with any such request “without undue delay” as long as one of six specific legal grounds applies. On top of this, it states that in cases where the controller has made personal data public, they must reach out to any other controller who is processing the data and inform them about the request for erasure so that the appropriate steps can be taken. Finally, Article 17 lays out several exceptions where the right to erasure does not apply. These include instances when processing of data is necessary for “exercising the right of freedom of expression and information,” for “compliance with a legal obligation,” or for “the establishment, exercise or defense of legal claims.”
More details on this can also be found in our Right to be Forgotten blog post.
6. What is considered personal data?
Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data. Personal data that has been de-identified, encrypted or pseudonymized but can be used to re-identify a person remains personal data and falls within the scope of the law.
- Examples of personal data: Name, surname, address, email address, IP, personal ID, cookie ID; firstname.lastname@example.org
- These are not considered personal data: email@example.com, company name, or legal entities
7. How long do you keep personal data?
Data processed as part of fulfilling our service contract will be kept for the lifetime of the service, plus up to ten years after the service’s termination.
Any data that we process under the legal basis of consent will be held by Enom for the same period as the contract-based data unless that consent is withdrawn, in which case the erasure process begins at the time of withdrawal of consent, and may take up to 60 days to complete. Please note that for asynchronous services, Enom will direct you to cancel services. Upon canceling the service, your choice to withdraw consent will take effect.
Please note: Your Domain service provider (reseller) may retain data for a shorter or longer period than Enom.
Understanding consent for your personal data
1. How will Enom obtain my consent?
We plan on launching two new consent-related processes:
- An initial consent request
We will send every domain owner a consent request as part of the domain registration, transfer, or owner update process unless we already have consent on file for that consent group. In the consent request, we will disclose all the uses of your personal data that are required by a contract in order for us to provide the requested domain service. We will also request consent from you for those data uses where our legal basis is your consent. In cases where we do already have consent on file, we will process the new registration based on those existing consent choices.
- A method for you to update consent preferences and revoke consent
Once you’ve provided consent, you will be given access to a consent management page where you can review and modify your consent choices on an ongoing basis, or revoke your consent at any time.
2. What sort of personal data will Enom process via contract?
Any data that must be processed in order to register a domain, or provide any other type of service, will be covered under a contract. We will be updating our Registration Agreement and Reseller Agreement to include mention of all these essential pieces of data:
- First name
- Last name
- Organization (if provided)
- Email address
Certain domain registries require additional information in order to complete domain registrations, and in these cases, we will include in our contract a point about processing those additional pieces of registrant data.
3. What sort of personal data will Enom process via consent?
We will request consent from someone when:
- We give the option of processing any piece of personal data that isn’t essential or necessary to provide the service. For example, for most domain registrations, we don’t require the owner to provide their phone number, but by collecting this piece of data we are able to provide a backup verification method.
- The data is required by a third party, with whom we do not yet have a GDPR-compliant contract. For example, a registry might require that the domain owner’s postal address be on file in order to complete a domain registration. If we don’t have a GDPR-compliant contract with this particular registry, we would have to request consent from you to process and share this extra piece of personal data before completing the registration.
4. Why is consent sometimes required and sometimes optional? Why are some TLDs and services asynchronous while others are synchronous?
The data elements that Enom or the GDPR-compliant provider requires are collected and processed under the legal basis of a contract. However, for some TLDs and services, the provider requests additional pieces of data for which there is no legal contractual basis to process. When this is the case, we will ask you for consent to share these additional pieces of data with the provider.
In most cases, even if you, the registrant, should withhold or fail to provide consent, Enom is still able to immediately register the domain by sending the registry a combination of the contractual data and placeholders for any data elements that can only be processed with consent. We refer to such services as “synchronous”—they can be registered right away, without the use of additional personal data beyond that which is covered in the contract.
For some TLDs, however, placeholder data will not be accepted by the registry, and because we don’t have assurance from the registry that the data will only be used in ways that conform with modern data privacy regulations such as the GDPR, Enom cannot in good conscience provide the actual data to the registry without your consent. We refer to these types of services as “asynchronous” — because the service cannot be provided without sharing certain pieces of the registrant’s personal data with the service provider, and there is no GDPR-compliant contract to protect the data, we need the registrant’s permission to share it before we proceed. This permission must be provided in the form of affirmative consent.
5. How are products grouped together on the Data use consent settings page?
Each service or product offered through Enom falls into a particular consent group within our system, and once the consent preference is logged for a group, that choice is applied to any future purchases of products within that same group.
In order for two (or more) products to fall within the same consent group, they must be:
- Offered through the same service provider
- Contractually require the same data elements
- And must request the same consent-based data elements
For example, a registry might operate multiple TLDs and for each of them contractually require the owner’s name, email, and country, but also request consent to process the owner’s phone number. These TLDs would fall into the same consent group, and once you set your consent preferences for one of these TLDs, your choice would be applied to all future purchases of other TLDs within this group. This means that no future consent request emails would be sent to you for purchases within this group. However, if this same registry offers another TLD for which they request consent to process the owner’s postal address, in addition to their phone number, you would receive a consent request upon purchasing this TLD, as it would fall into a distinct consent group.
Enom groups products this way so we’re able to reduce the number of consent requests you receive while ensuring you have complete control over which elements of your personal data are shared and with whom.
6. Why is my domain pre-consented? I haven’t yet provided consent.
For asynchronous domains and services which were active prior to the GDPR coming into full effect on May 25, 2018, the consent status is set to “yes-consent” by default. This is because you were considered to have consented to the data processing by purchasing the service, as the GDPR’s enhanced data protection requirements were not in effect at the time of purchase.
If you wish to revoke consent for a product which currently reflects a “yes-consent” status, you must uncheck the box and submit, at which point you will be prompted to cancel the service. We explain more about this process in the I don’t want to consent question.
7. I don’t want to consent, what are my options?
It depends on the product. If it is a synchronous service, where we are able to substitute placeholder data for any consent-based personal data, we will gladly do so, and you won’t experience any change to your product or service.
There are some products where this substitution is not an option; these are what we call asynchronous, as the placeholder data would end up being rejected by the registry. In these cases, we will inform you of this and explain that the only way to withdraw consent is to cancel that service. This is because, while Enom doesn’t require this consent-based data, it is required by the registry or service provider, and that registry or provider has not offered a GDPR-compliant data erasure request process. While ideally, we would replace this consent-based data with placeholder data, we are not permitted to do so by the registry or provider, and so the service would need to be canceled in order for the withdrawal of consent to have any real effect.
To see how this would affect you, we’ve created a listing of all of our services to show if they are synchronous or asynchronous.
8. If my service is canceled because I withdrew consent, will I receive a refund?
Enom does not provide a refund in the cases where you decide to cancel an active service because you wish to revoke consent.
Enom will refund any pending orders that are canceled if you choose to withhold consent. Consent requests remain pending for ten days, after which the order will default to a non-consented status, and the pending order is canceled.
9. Why does the order that my services are listed on the Data use consent settings page change?
The order in which services are presented on the Data use consent settings page is prioritized so that any actionable or important items are seen first. This means services will be listed in the following order, as they apply to you:
- New, asynchronous products still requiring consent.
- New, synchronous products still requiring consent.
- Older, asynchronous products where the consent choice has been made.
- Older, synchronous products where the consent choice has been made.
10. Does the consent request timeout?
Yes, though this only poses an issue for registrants of asynchronous services. Ten days following the initial consent request, your consent status will default to “non-consent” if we haven’t received a response and the order will be placed on hold and ultimately canceled.
Synchronous services will be unaffected by this, as Enom will continue to use placeholders for any data elements that we process until consent is given. Pending orders for asynchronous services, however, will be canceled at this 10-day mark if we haven’t yet received a response from the registrant.
11. What triggers the consent request to be sent?
The initial consent request can be triggered by the registration, update, or transfer of a domain. When you, the registrant, set your consent preferences, your choices will be logged and applied to any future purchases of products within the same consent group. However, if you purchase a service for which the provider requests additional pieces of data, beyond those for which you have already granted or withheld consent to process, you may receive another consent request.
12. Who receives the consent request?
The consent request will be sent to the registrant email address that Enom has on file for the domain or service.
13. Can the consent request be sent to any other email on my account, like the domain admin, billing, or tech contacts?
No, these requests will only be sent to the registrant’s email address. Sending a consent request to an email address other than the owner would not be considered GDPR compliant. For legal reasons, Enom will no longer process admin, billing, or technical contact information, except in cases where the registry specifically requires these contact points, and whenever possible, we will replace these fields with placeholder data.
14. Can the consent request emails and Whois verification emails be combined?
At this time, the consent request email and Whois verification email will be sent to you as two separate requests.
1. How will Whois change?
Enom will implement a new “gated Whois” system. Under this new system, the registrant, admin, and technical contact information for registered domains will no longer be visible in the public Whois database.
"Full" Whois data for registered domains will only be accessible to legitimate and accredited third-parties, such as law enforcement, members of the security community, and intellectual property lawyers, through the gated Whois. This "full" Whois data will be limited to those personal data elements that we have obtained permission to process, either via contract or via consent of the data subject.
This switch to a gated Whois is being made in an effort to reconcile our GDPR-imposed restrictions with our ongoing obligations as an accredited registrar. As of May 25, 2018, registrant information—name, organization, address, phone number, and email—will be considered personal data that can no longer be published in the public Whois. However, we feel authenticated access to this information, in a specific and limited manner, must be provided to those with legitimate reasons to request it. A gated Whois system will allow for this, while also ensuring that private information remains guarded from the general public.
You can view a snapshot of what these changes will look like or, for more context, you can read our full Whois Changes post. We've also curated a list of resources that provide helpful context and insight into how other key players are thinking about the future of Whois.
2. Why can’t I see real contact information in the public Whois anymore?
Under the GDPR, personal data may be collected and processed only when there is a legal reason to do so. This means that the public Whois system as it exists today is incompatible with the principles of data privacy that the GDPR affirms.
3. Is it possible to opt-in to the display of real data in the public Whois?
At this time, it is not possible to choose to have real registrant data displayed in the public Whois record. We are working on making this option available in the near future while remaining compliant with data privacy regulations.
4. Will the public Whois output still display domain dates, status, nameservers, and sponsoring registrar?
Yes. The technical data (the top section of current the Whois output) will show up in the public-facing lookup.
5. What is the difference between the gated Whois and the ID Protect (Whois privacy) Whois?
The gated Whois is a portal where accredited third-parties can access “full” Whois information, and the output available here includes personal data that is hidden from the public Whois. However, the Whois output for domains with ID Protect (Whois Privacy) will remain the same as it is prior to May 2018, both in the public Whois and in the gated Whois. This means that contact privacy details, including a contact privacy email, will be displayed for domains with ID Protect (Whois Privacy) in the gated Whois. For a helpful visual snapshot of the difference, check out our Whois changes blog post.
6. In the gated Whois, what data will be displayed?
Registrant contact data which is held based on contract, and data for which we have consent, will be displayed in the gated Whois — unless the domain is privacy-protected. If the domain has ID Protect, the Privacy masking data will be displayed both publicly and within the gated Whois.
7. Will the changes to the Whois affect non-EU domain registrants?
Yes. We are applying all Whois-related changes platform-wide, meaning all registrants will receive the same level of data protection regardless of citizenship or location.
8. Will the gated Whois show information for privacy-protected domains?
Access to the gated Whois will only reveal information which was public prior to May 25, 2018. It will not reveal the Whois information for privacy-protected domains. In fact, the Whois output for privacy-protected domains will be the same in both the public and gated Whois, and we will continue to require a court order or other legal documentation for access to this information, as we do today.
9. Is ID Protect (Whois privacy) still recommended?
Whois privacy will continue to remain a valuable service to registrants worldwide. Even when the public Whois “goes dark”, there will still be a gated Whois, where registrant data will be made available to parties with a legitimate interest. So, while the audience for registrant data will no longer be the entire public, it will still be sizable. This is where Whois privacy comes in—if privacy is active on a domain, the personal data in the registration record will remain protected from those with access to the gated Whois. The service also provides a way for third parties to contact the domain owner via the privacy service email address displayed in the Whois output, an option that will not be provided as a part of GDPR data protection. In addition, the personal data associated with a domain that is protected by Whois privacy will not be shared with registries.
10. Doesn’t ICANN policy require something different?
We will continue to comply with ICANN policy to the greatest extent possible, as we have always done. However, until ICANN policy has been updated in response to the GDPR and other similar worldwide data privacy legislation, we will be faced with many instances where the requirements that ICANN lays out for its registrars conflict with our legal obligations. In these instances, we will follow the law first and comply with ICANN as best we can.
11. How do these changes affect incoming transfer processes?
We have made some minor updates to our inbound transfer process. We will now simply rely on the EPP code (also known as the transfer authorization code) provided by the owner as the form of authorization for inbound transfers, rather than requiring an additional transfer approval step. Additionally, for each completed transfer a registrant verification email will be sent to the owner’s email address to verify the accuracy of domain contact information. Our outbound transfer process will not change.
12. What is the Tiered Access Directory (gated Whois)?
The Tiered Access Directory is Enom’s “gated” version of the Whois directory. It allows accredited third parties, such as members of law enforcement, to view the contact data of domain registrants who use our platform.
Up until May 25, 2018, the registration data for all domain names was by default published in the public Whois directory, where it was visible to any party who performed a “Whois lookup” on a domain.
With the advent of the GDPR and other similar privacy laws, the public display of this personal data has become problematic. This lead Enom to the decision to redact real contact data from the public Whois. Alongside this change, we implemented our gated Tiered Access Directory as a means for parties with a legitimate legal interest to access this personal data, while ensuring it is not unnecessarily exposed through display in the public directory.