Procedure for Disclosure of Domain Contact Data¶
The following page describes the procedure Gandi will follow before disclosing domain contact data.
PREAMBLE:¶
Recipients:¶
This document is intended for:
The individuals or legal entities designated as the owner, administrative, technical, and billing contacts for domain names (the “Domain Contacts”) whose data provided when registering a domain name may be communicated
Third parties requesting Domain Contact data
Gandi Group employees who may be required to transmit Domain Contact information
Background:¶
Except for Domain Contacts who “opt-in”, personal data are masked in Gandi’s responses to “Whois” queries, in accordance with the rules set forth by ICANN or the Registries and the laws relative to the protection of personal data.
However, third parties (as defined below in II) may request that Domain Contact information be disclosed to them.
This procedure defines the terms and conditions according to which Gandi may or may not disclose this information.
Scope of application:¶
This procedure is aimed solely at the disclosure of Domain Contact data (owner, administrative, technical, billing, reseller if applicable) hidden in responses to “Whois” queries.
This procedure is not intended for:
Disclosure of contact data of hosting service owners.
Disclosure of other data collected or processed (correspondence, IP address logs, etc.).
This information is protected by professional secrecy.
Legal framework:¶
Since the Registrar Gandi SAS is a French company, it is subject to French laws, and in particular Law No. 78-17 of January 6, 1978 relative to Data Processing, Data Files, and Individual Liberties, as amended, as well as Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, applicable as of May 25, 2018 (the “GDPR”).
As an ICANN-accredited Registrar, Gandi SAS is also subject to the 2013 “Registrar Accreditation Agreement”, to which is added the “Temporary gTLD Registration Data Specification” adopted on May 17, 2018 via ICANN Board Resolutions 2018.05.17.01 and 2018.05.17.09.
Other rules specific to certain TLDs (in particular ccTLDs) are likely to apply depending on the TLDs concerned, in particular concerning the disclosure of Domain Contact data.
This procedure is adopted in accordance with the aforementioned rules to which Gandi SAS is subject, as well as with its Contracts and notably its Privacy Policy. The Domain Contacts are thus informed that their data may be disclosed. However, they will not be notified of a disclosure.
As the “Whois” service will eventually be replaced by the so-called “RDAP” (Registration Data Access Protocol) service, which implements differentiated access according to the quality of the requesters, this procedure is intended to be forward-looking.
PROCEDURE:¶
Data disclosure requests must be addressed to Gandi’s legal department: legal@support.gandi.net.
For any access requests to nonpublic registration data related to generic top-level domains (gTLDs) you can also submit your request via the ICANN Registration Data Request Service (RDRS): https://www.icann.org/rdrs-en
In accordance with the principle of minimization, only specifically requested data fields may be disclosed.
I. The contact referred to in the request is a legal entity¶
Contact data relating to legal entities may be freely disclosed to any person upon request, except for the “Name” and “Email” fields insofar as they may contain personal data.
Example for a request for contact data disclosure of “[Company name]”’s owner:
Non-public contact data: |
Data subject to disclosure: |
|---|---|
Registrant Name: [Firstname Lastname]
Registrant Organization: [Company name]
Registrant Street: [Number/Street name]
Registrant City: [city name]
Registrant State/Province:
Registrant Postal Code: [postal code]
Registrant Country: [country code]
Registrant Phone: [phone number]
Registrant Phone Ext:
Registrant Fax: [fax number]
Registrant Fax Ext:
Registrant Email: [email address]
|
Registrant Organization: [Company name]
Registrant Street: [Number/Street name]
Registrant City: [city name]
Registrant State/Province:
Registrant Postal Code: [postal code]
Registrant Country: [country code]
Registrant Phone: [phone number]
Registrant Phone Ext:
Registrant Fax: [fax number]
Registrant Fax Ext:
Registrant Email: [email address]
|
Here, the “Registrant Name” field is not disclosed as it contains personal data.
If the “Registrant Name” and “Registrant Email” fields are generic, they may also be disclosed.
Example for a contact data disclosure request of “[Company name]” ‘s “Admin”: |
|---|
Admin Name: NOC [Company name]
Admin Organization: [Company name]
Admin Street: [Number/Street name]
Admin City: [city name]
Admin State/Province:
Admin Postal Code: [postal code]
Admin Country: [country code]
Admin Phone: [phone number]
Admin Phone Ext:
Admin Fax: [fax number]
Admin Fax Ext:
Admin Email: [generic email address]
|
In case of ambiguity as to whether the requested data is personal or not, it will be considered as being that of a natural person, and therefore Gandi will apply the procedure relating to the data disclosure of an individual.
II. The contact to whom the request relates is an individual¶
Gandi distinguishes between two categories of applicants:
Trusted third parties: the authorities of the countries of the European Economic Area (EEA) or of a country recognized as ensuring an adequate level of protection of personal data by the European Commission being authenticated as such;
Mere third parties: authorities of non-EEA or non-adequate countries, trademark rights holders, law firms, party to a dispute, etc.
A. The applicant is a trusted third party¶
Gandi verifies the authenticity of the applicant (via attached documents, SPF, IP address, e-mail address, etc.). In case of doubt or refusal to provide additional information, the applicant is considered as a mere third party.
Trusted third parties can send disclosure requests to Gandi without referring to a specific legal text. The legitimate interest of their application is presumed here.
However, the trusted third party will have to justify that its request is not abusive. For example, the applicant should mention the context of the investigation or case (fraud, identity theft, etc.).
B. The applicant is a mere third party¶
1. Need for identification¶
Any third party requesting the disclosure of Domain Contact data must justify its own identity and the capacity in which it is making the request. In addition, any person acting on behalf of a third party will have to prove formal authorization from the third party. Gandi may request any additional supporting documents, at its discretion.
Only lawyers registered with a bar association are exempt from the requirement to provide proof of such authorization, which is then presumed on the basis of their rules of professional conduct.
2. Legal criteria¶
Where the applicant is a mere third party, it is essential that he or she should refer to:
Applicable law, including the relevant points of the GDPR.
In the case of a gTLD, the Temporary Specification;
In the case of a ccTLD, the rules of the Registry in question authorizing the disclosure of data, if they exist.
In any event, the applicant must give reasons for his or her request in law and in fact to allow Gandi to assess the legitimate interest of the applicant.
3. Assessment of the relevance of the application¶
In order to assess the relevance of the request, Gandi takes into account, in a non-exhaustive way: the domain name itself, the use that may be made of it, the content to which it could point, or the number of requests for data disclosure.
Gandi evaluates the relevance of the request at its sole discretion.