WHOIS, TMCH & SSL Guidance

WHOIS, TMCH & SSL Guidance

Introduction

Welcome to Lexsynergy’s guidance on how personal data is handled when you apply to register a domain name, apply to register with the Trademark Clearinghouse or apply for an SSL certificate.

This guidance supplements our privacy notice (which explains how we use personal data that we collect and where we decide the purposes and means for which it that data is processed).

1. Applying to register, transfer or update a domain name

When you apply to register, transfer or update a domain name, in most cases, it is necessary to supply ownership, administrative and/or technical details (often called WHOIS) to certain bodies.  It is normally possible for you to choose whether or not to use personal information or more generic information (e.g. ‘Domain Administrator’ and [email protected]) or whether to use our privacy service or (where applicable) our local presence service but – in some cases – you will need to provide personal information and in further cases you may have to supply particular personal information (e.g. ID documents or an ID number).  If you supply personal information, what will happen to that information will depend on the type of domain name:

  1. country code top-level domains (ccTLDs).  These are country-specific domains like ‘.co.uk’, ‘.co.za’ and ‘.ca’  In this case, the personal information will be sent to the registry that operates the relevant ccTLD.  They are the controller.  We act as a processor for the registries.
  2. generic top-level domains (gTLDs).  These are non-country-specific domains like ‘.com’, ‘.net’, ‘.info’, ‘.biz’, ‘.sucks’ and ‘.global’.  In this case, the personal information will handled in one of two ways:
    1. sent to the registry that operates the relevant gTLD.  (The registry will also provide this information to the Internet Corporation for Assigned Names and Numbers, incorporated and registered in California, USA (ICANN) on request.)  This is what happens for most gTLDs (e.g. ‘.info’, ‘.biz’, ‘.sucks’ and ‘.global’).  ICANN and the relevant registry are the controllers.  We act as a processor for ICANN and the registries.
    2. sent to:
      • ICANN’s nominated escrow provider for storage.  This is presently Iron Mountain Inc.  (The personal information held by Iron Mountain Inc. will be disclosed to ICANN in the event of (for example) our bankruptcy.); and
      • on request, ICANN and/or the registry (registrar, if it is a domain name transfer) that operates the relevant gTLD. 

This is what happens for ‘.com’ and ‘.net’.  ICANN and the relevant registry are the controllers.  Iron Mountain Inc. is a processor for ICANN.  We act as a processor for ICANN and the registries.

The above will also occur where:

  • you amend the information for a domain (for example, changing the owner’s details);
  • we choose (or are required to) cease the use of our privacy service.

2. International transfers

ICANN and Iron Mountain, Inc. are located outside of the EEA.  The registries may – depending on the domain – be located outside of the EEA.

Where you provide us with personal information to be transmitted outside of the EEA, one or more of the following will apply:

  • the transfer will be to a country that has been deemed to provide an adequate level of protection for personal data by the European Commission.  For further details, see European Commission: Adequacy of the protection of personal data in non-EU countries
  • the transfer will be to a recipient that is based in the US and is part of the Privacy Shield (which requires them to provide similar protection to personal data shared between the Europe and the US). For further details, see European Commission: EU-US Privacy Shield; and/or
  • you will have either:
    1. given your explicit consent by agreeing to our terms and conditions (where you are an individual and are registering the domain for yourself) which explain these transfers in more depth; or
    2. obtained the explicit consent from the relevant individual (where you are registering the domain on behalf, or in the name of, someone else), as required by our terms and conditions which explain these transfers in more depth.

This also applies where:

  • you amend the information for a domain (for example, changing the owner’s details);
  • we choose (or are required to) cease the use of our privacy service.

3. Applying to register with the ‘Trademark Clearinghouse’ (Chip S.A., incorporated and registered in Luxembourg with number B62506, whose registered office is at 21, rue Léon Laval, 3372 Leudelange)

When you apply to register with the Trademark Clearinghouse (TMCH), it is necessary to supply details of registered trade marks, their owner (and, where applicable, contact details for a representative of the owner) to the TMCH.  The owner or their representative will be an individual so this will be personal information.  The TMCH is the controller.  We act as a processor for the TMCH.

The TMCH’s privacy notice is available here.

4. Applying for an SSL Certificate with Our Chosen SSL Certificate Provider from Time to Time

When you apply for an SSL certificate, it is necessary to supply details of the applicant to the SSL certificate provider (who will be located in the EEA).  In some cases, the applicant will be an individual so this will be personal information.  The SSL certificate provider is the controller.  We act as a processor for the SSL certificate provider.

If you would like details of the SSL certificate provider that we are using (or intend to use) in a specific case, please contact us.