On the 25th of May 2018, the General Data Protection Regulation or GDPR becomes effective. This regulation was created to protect personal data of private individuals within the European Union. What can you expect from Openprovider with respect to the GDPR?
Openprovider is working on a Processor Agreement and a Sub Processor Agreement which clearly define which data we collect for what purpose and which define your and our responsibilities with respect to personal data. Those agreements will be additional to the general Terms and Conditions and you will be able to accept the agreements from your control panel from the second half of April 2018. You will have sufficient time to review and accept the agreements.
A reference to the processor and sub processor agreement will be added to our Terms and Conditions. We will provide you with 30 days' notice of this change, in line with §14.2 of Openprovider’s Terms and Conditions.
Data collection will not change in the short term. Openprovider collects two types of data:
- Data that we use ourselves: the data that we collect about you, our customer, are required for the performance of the service: creating your account, sending invoices, newsletters, … Of course you can unsubscribe from our newsletters at any moment, but please know that this is our primary means of communication for important updates to our products, services, terms and prices.
- Data collected for product delivery: the data that we collect about your customers (the domain contacts and the contacts of other products and services) will not notably change. Almost all providers will keep requiring full contact data for operational and legal purposes, though these data are not shared publicly anymore.
We are investigating how we can fine-tune our data collection and retention: data elements that are not used at all may be removed; data elements that are used for specific extensions only will be removed as soon as no such domains are linked to that contact anymore. Unused contacts in Openprovider will be removed with a notification.
In all cases, our system (control panel and API) will be fully backwards compatible – we do not force changes from your side.
For our product domain registration, you will face the biggest changes in the whois. Most European registries already show a limited set of data in their whois registers because of current privacy laws, and we will see these data being minimized even further. In many cases no personal data will be shown at all.
For generic extensions (gTLDs), the registrar community is working together with ICANN and the European DPAs on a solution that meets both the requirements of GDPR and ICANN policies. By the end of March 2018, a proposed interim model has been published by ICANN that allows registries and registrars to hide all personal data from the whois, except for the organization name, the state and country (for legal purposes) and a replacement for the e-mail address (either an anonymized e-mail address or a web form). Access to full whois data is possible only for selected purposes and only through an accreditation process (for example, law enforcement organizations).
Discussions between the registrar community and ICANN on the topic of gTLD transfers are still ongoing. At this moment ICANN’s transfer policy requires the gaining registrar to send an e-mail to the owner and/or administrative contact (the so-called “Form of Authorization” or “FOA”), but that won’t be obvious anymore once the whois is limited. Details of such a change are not yet known, though the efforts of the registrar community aim at making this FOA no longer mandatory. If ICANN adopts that approach, an authorization code and removal of the transfer lock will be sufficient to transfer a gTLD domain name. This would make the process similar to that of many ccTLDs. As soon as any breakthroughs happen, we will inform you.
As you see, the efforts on the GDPR will be continuous. You can find any updates in our knowledge base.