Important update 1: Email Support is being transitioned to Webforms. Click here for more information.

General Data Protection Regulations (GDPR)

The European Union's General Data Protection Regulation (GDPR) sets out rules for how the personal data of people living within the European Union must be handled. Enom believes in the principles the GDPR embodies and extends these protections and rights to our customers, regardless of where they live. This article explains the purpose of the GDPR and how it affects your data, consent choices, and WHOIS information.

The purpose of the GDPR

The GDPR helps protect privacy in the digital age. The European Union views personal data protection as a fundamental human right. While other privacy laws are already in effect, the GDPR is different in its scope of applicability because significant fines may be levied for non-compliance.

The GDPR can be broken down into three main concepts:

Consent and controlYour personal information belongs to you, and only you can decide where it gets used. To work with any of your data, we must tell you what we need it for and ask for your consent to use it. We collect the minimum amount of information needed to complete the job, and we cannot use the information we have gathered for something else without asking you first.
TransparencyTransparency means you have the right to know if your personal data is being processed, along with why, how, and who is processing it. In the event of a security breach where your data may have been exposed, we must let you know as soon as possible what happened, what we are doing to fix it, and what you should do to protect yourself. This information empowers each person to respond in the way they think is best to protect their privacy.
The right to be forgottenThe right to be forgotten allows you to revoke your consent to access your personal information, after which Enom must erase all individual records. This requirement has limitations: some services cannot be provided without personal information, and sometimes personal information must be kept for public interest or legal claims. The right to erasure applies only to data used because we have consent, not to data required as part of a contract.

GDPR when not in the European Union

While the GDPR rules apply only to EU-local individuals, changes to how data is collected and handled are happening globally as companies modify their practices to comply. Enom believes in the principles the GDPR upholds and, along with other key players in our industry, feels that extending the benefits of the GDPR to registrants worldwide is the right thing to do.

We empower our clients to understand what information we hold and how it is used, to give consent for that use, and to request data erasure in cases where consent cannot be provided.

Effects of the GDPR

These data privacy protections touch almost every aspect of the domain onboarding process and lifecycle. We keep two things in mind: our need to operate within legal requirements, and our commitment to keeping domain purchase and management as straightforward, simple, and instantaneous as possible for the end user.

Enom does not share personal data beyond what is needed to provide your ordered service. We have never sold our clients' personal information, and we are not going to start now.

GDPR and your Enom registration agreement

One of the main ways we inform clients about how their data is used is through our contracts and end-user service agreements, which have been updated as part of our GDPR implementation efforts.

The right to erasure

Article 17 of the GDPR outlines the data subject's right to erasure, also known as the right to be forgotten. It gives each person the right to request that a controller like Enom erase their personal data, and requires us to comply as long as one of six specific legal grounds applies. In cases where the controller has made personal data public, it must inform any other controller processing the data about the erasure request so the appropriate steps can be taken. Finally, Article 17 lays out several exceptions where the right to erasure does not apply. Most importantly, if the data is required for the controller to fulfill legal obligations (for example, retaining tax records), it is not subject to the right to erasure. Exceptions also include instances where processing data is necessary for exercising the right of freedom of expression and information, or for the establishment, exercise, or defence of legal claims.

Personal data

Personal data is any information related to an identified or identifiable living individual. Different pieces of information collected together can identify a particular person and constitute personal data. Personal data that has been de-identified, encrypted, or pseudonymized but can be used to re-identify a person remains personal data and falls within the scope of the law.

  • Examples of personal data: name, surname, address, email address, IP address, personal ID, cookie ID, firstname.lastname@company.com.
  • Not considered personal data: info@company.com, company name, or legal entities.

Data processed as part of fulfilling our service contract is kept for the lifetime of the service, plus up to ten years after the service's termination.

Enom holds any data processed under the legal basis of consent for the same period as contract-based data, unless that consent is withdrawn. In that case, the erasure process begins at the time of withdrawal and may take up to 60 days to complete.

Note: Enom will direct you to cancel services. Upon canceling the service, your choice to withdraw consent will take effect.

Understanding consent for your personal data

Obtaining your consent

We send every domain owner a consent request as part of the domain registration, transfer, or owner update process, unless we already have consent on file for that consent group. In the consent request, we disclose all uses of your personal data required by a contract to provide the requested domain service. We also ask for your consent for data uses where our legal basis is your consent. Where we already have consent on file, we process the new registration based on those existing consent choices.

Once you have provided consent, you are given access to a consent management page where you can review, modify, or revoke your consent choices at any time.

Enom processing via contract

Any data that must be processed to register a domain or provide another service type is covered under a contract:

  • First name
  • Last name
  • Organization (if provided)
  • Email address
  • Country

Certain domain registries require additional information to complete registrations. In these cases, we include a point about processing those additional pieces of registrant data in our contract.

Enom processing via consent

We request consent from someone when:

  • We process any personal data that is not essential to provide the service. For example, we do not require the owner's phone number for most domain registrations, but collecting it provides a backup verification method.
  • The data is required by a third party with whom we do not yet have a GDPR-compliant contract. For example, a registry might require the domain owner's postal address to complete a registration. Without a GDPR-compliant contract with that registry, we must request consent to process and share this extra data before completing the registration.

Where you do not grant consent and the service can still be provided without using your personal data, we use a combination of contractual data and placeholders for any data elements that can only be processed with consent.

Data sharing preferences page

Each service or product offered through Enom falls into a particular consent group within our system. Once the consent preference is logged for a group, that choice applies to any future purchases of products within that same group.

For two or more products to fall within the same consent group, they must:

  • Be offered through the same service provider
  • Contractually require the same data elements
  • Request the same consent-based data elements

For example, a registry might operate multiple TLDs that each contractually require the owner's name, email, and country but also request consent to process the owner's phone number. These TLDs fall into the same consent group, so once you set your consent preferences for one, your choice applies to all future purchases of other TLDs in the group, and no further consent request emails are sent for those purchases. However, if the same registry offers another TLD requesting consent to process the owner's postal address in addition to their phone number, you would receive a consent request upon purchasing it, as it falls into a distinct consent group.

Consent request triggers

The initial consent request can be triggered by domain registration, update, or transfer. When you, the registrant, set your consent preferences, your choices are logged and applied to any future purchases of products within the same consent group. However, if you purchase a service for which the provider requests additional data beyond what you have already granted or withheld consent for, you may receive another consent request.

The consent request is sent to Enom's registered email address for the domain or service.

Consent and verification emails

Consent requests are sent only to the registrant's email address; sending a consent request to any other address would not be GDPR compliant. Enom no longer processes admin, billing, or technical contact information for legal reasons, except where the registry requires these contact points. Whenever possible, we replace these fields with placeholder data.

At this time, the consent request and WHOIS verification emails are sent as two separate requests.

WHOIS information

WHOIS change

Enom implemented a gated WHOIS system. Under this system, the registered domain registrant, admin, and technical contact information is no longer visible in the public WHOIS database.

WHOIS data for registered domains is only accessible to legitimate and accredited third parties, such as law enforcement, members of the security community, and intellectual property lawyers, through the gated WHOIS. This data is limited to the personal data elements we have obtained permission to process, either via contract or via consent of the data subject.

Registrant information—name, organization, address, phone number, and email—is considered personal data that can no longer be published in the public WHOIS. We feel authenticated access to this information, in a specific and limited manner, must be provided to those with legitimate reasons to request it. A gated WHOIS system allows for this while ensuring private information remains guarded against the general public.

You can view a snapshot of what these changes look like, or read our full WHOIS changes post for more context. We have also curated a list of resources that provide context and insight into how other key players are thinking about the future of WHOIS.

Public WHOIS details

Under the GDPR, personal data may be collected and processed only when there is a legal reason to do so. This means the public WHOIS system as it exists today is incompatible with the data privacy principles the GDPR affirms. The technical data (the top section of the current WHOIS output) appears in the public-facing lookup.

Gated WHOIS vs. ID Protect (WHOIS Privacy)

The gated WHOIS is a portal where accredited third parties can access WHOIS information, including personal data hidden from the public WHOIS. However, the WHOIS output for domains with ID Protect (WHOIS Privacy) remains the same as before May 2018, in both the public and gated WHOIS. This means contact privacy details, including a contact privacy email, are displayed for domains with ID Protect in the gated WHOIS. See our WHOIS changes blog post for a visual snapshot of the difference.

Displayed data in gated WHOIS

Registrant contact data held based on contract, and data for which we have consent, is displayed in the gated WHOIS—unless the domain is privacy-protected. If the domain has ID Protect, the privacy masking data is displayed publicly and within the gated WHOIS.

Non-EU domain registrants

We apply all WHOIS-related changes platform-wide, meaning all registrants receive the same data protection regardless of citizenship or location.

Gated WHOIS for privacy-protected domains

Access to the gated WHOIS only reveals information that was public before May 25, 2018. It does not disclose the WHOIS information for privacy-protected domains, whose output is the same in public and gated WHOIS. As we do today, we will continue to require a court order or other legal documentation to access this information.

WHOIS information for privacy-protected domains

WHOIS privacy continues to be a valuable service to registrants worldwide. Even when the public WHOIS "goes dark," a gated WHOIS still makes registrant data available to parties with a legitimate interest. While the audience for registrant data is no longer the entire public, it remains sizable. This is where WHOIS privacy comes in—if privacy is active on a domain, the personal data in the registration record remains protected from those with access to the gated WHOIS. The service also provides a way for third parties to contact the domain owner via the privacy service email address displayed in the WHOIS output. The personal data associated with a domain protected by WHOIS privacy is not shared with registries.

Here is a visual guide that illustrates these differences in WHOIS output. Our WHOIS impacts blog post also provides a more in-depth answer.

ICANN policy

We continue to comply with ICANN policy to the greatest extent possible. However, until ICANN policy is updated in response to the GDPR and similar worldwide data privacy legislation, we face instances where ICANN requirements for registrars conflict with our legal obligations. In those instances, we follow the law first and comply with ICANN as best we can.

Effects on incoming transfers

We have made minor updates to our inbound transfer process. We now rely on the EPP code (also known as the transfer authorization code) provided by the owner as the form of authorization for inbound transfers, rather than requiring an additional transfer approval step. For each completed transfer, a registrant verification email is sent to the owner's email address to verify the accuracy of domain contact information. Our outbound transfer process does not change.

Tiered access directory (gated WHOIS)

The tiered access directory is Enom's gated version of the WHOIS directory. It allows accredited third parties, such as members of law enforcement, to view the contact data of domain registrants who use our platform.

WHOIS contactability service

When a person uses the form to send a message to the domain owner, we send an email to both the registrant and the sender.

Note: While the registrant may receive your message, they may not reply. Enom cannot control whether the registrant responds and does not reach out to registrants on behalf of interested parties.

The sender also receives an email.

The registrant's email address receives an email with the sender's message.

Next steps

Questions? Contact Enom Support.

How helpful was this article?

Thanks for your feedback!

Do you still need help? If so please submit a request here.