Procedure for Disclosure of Domain Contact Data

The following page describes the procedure Gandi will follow before disclosing domain contact data.



This document is intended for:

  • The individuals or legal entities designated as the owner, administrative, technical, and billing contacts for domain names (the “Domain Contacts”) whose data provided when registering a domain name may be communicated

  • Third parties requesting Domain Contact data

  • Gandi Group employees who may be required to transmit Domain Contact information


Except for Domain Contacts who “opt-in”, personal data are masked in Gandi’s responses to “Whois” queries, in accordance with the rules set forth by ICANN or the Registries and the laws relative to the protection of personal data.

However, third parties (as defined below in II) may request that Domain Contact information be disclosed to them.

This procedure defines the terms and conditions according to which Gandi may or may not disclose this information.

Scope of application:

This procedure is aimed solely at the disclosure of Domain Contact data (owner, administrative, technical, billing, reseller if applicable) hidden in responses to “Whois” queries.

This procedure is not intended for:

  • Disclosure of contact data of hosting service owners.

  • Disclosure of other data collected or processed (correspondence, IP address logs, etc.).

This information is protected by professional secrecy.


Data disclosure requests must be addressed to Gandi’s legal department:

For any access requests to nonpublic registration data related to generic top-level domains (gTLDs) you can also submit your request via the ICANN Registration Data Request Service (RDRS):

In accordance with the principle of minimization, only specifically requested data fields may be disclosed.

II. The contact to whom the request relates is an individual

Gandi distinguishes between two categories of applicants:

  • Trusted third parties: the authorities of the countries of the European Economic Area (EEA) or of a country recognized as ensuring an adequate level of protection of personal data by the European Commission being authenticated as such;

  • Mere third parties: authorities of non-EEA or non-adequate countries, trademark rights holders, law firms, party to a dispute, etc.

A. The applicant is a trusted third party

Gandi verifies the authenticity of the applicant (via attached documents, SPF, IP address, e-mail address, etc.). In case of doubt or refusal to provide additional information, the applicant is considered as a mere third party.

Trusted third parties can send disclosure requests to Gandi without referring to a specific legal text. The legitimate interest of their application is presumed here.

However, the trusted third party will have to justify that its request is not abusive. For example, the applicant should mention the context of the investigation or case (fraud, identity theft, etc.).

B. The applicant is a mere third party

1. Need for identification

Any third party requesting the disclosure of Domain Contact data must justify its own identity and the capacity in which it is making the request. In addition, any person acting on behalf of a third party will have to prove formal authorization from the third party. Gandi may request any additional supporting documents, at its discretion.

Only lawyers registered with a bar association are exempt from the requirement to provide proof of such authorization, which is then presumed on the basis of their rules of professional conduct.

3. Assessment of the relevance of the application

In order to assess the relevance of the request, Gandi takes into account, in a non-exhaustive way: the domain name itself, the use that may be made of it, the content to which it could point, or the number of requests for data disclosure.

Gandi evaluates the relevance of the request at its sole discretion.