General Data Protection Regulation (GDPR)

The European Union's General Data Protection Regulation (GDPR) lays out a new set of rules for how the personal data of people living within the European Union should be handled. Beyond that, it embodies some great principles and concepts that we believe in at Enom. We want to pass these protections and rights on to our customers, regardless of where they happen to live.

The purpose of the GDPR

The GDPR helps protect privacy in the digital age. The European Union views personal data protection as nothing less than a fundamental human right. Although other existing privacy laws are already in effect, the GDPR is different in its scope of applicability because significant fines may be levied for non-compliance.

The GDPR can be broken down into three main concepts:

Consent and control
  • Your personal information belongs to you.

  • Only you can decide where it gets used.

  • To work with any of your data, we have to let you know what we need your information for and ask you for your consent to use it. We must collect the minimum amount of information we need to complete the job.

  • We can't use the information we've gathered for something else without asking you if that's ok.

Transparency
  • Transparency means that you have the right to know if your personal data is being processed, along with why, how, and who is processing it.

  • It also means that in the event of a security breach where your data may have been exposed, we have to let you know as soon as possible that it's happened and tell you what happened, what we're doing to fix it, and what you should do to protect yourself.

  • This type of information empowers each person to respond in the way they think is best in each circumstance to protect their privacy.

The right to be forgotten
  • The right to be forgotten allows you to revoke your consent to access your personal information.

  • Enom will have to erase all of your individual records, giving you a fresh start.

  • This requirement is not without consequences or limitations. Some services can't be provided without personal information, and sometimes personal information must be kept in the public interest or in relation to legal claims.

  • This right to erasure applies only to data that's used because we have consent and does not apply to data that's used because it's required as part of a contract.


GDPR when not in the European Union

While the rules outlined in GDPR apply only to EU-local individuals, changes to how data is collected and handled will happen globally as companies modify their existing practices to ensure they comply with these new regulations. Enom believes in the principles that the GDPR upholds, and we, along with other key players in our industry, feel that extending the benefits of the GDPR to registrants worldwide is simply the right thing to do.

We'll be empowering our clients to understand what information we hold and how it's used, to give consent to us for that use, and to request data erasure in cases where consent cannot be provided.  


Effects of GDPR

These data privacy protections touch almost every domain onboarding process and lifecycle aspect. We're keeping two things in mind: our need to operate within the bounds of legal requirements and our commitment to keeping domain purchase and management as straightforward, simple, and instantaneous as possible for the end user.

Enom does not share personal data beyond what's needed to provide your ordered service. We've never sold our clients' personal information, and we certainly aren't going to start now.


GDPR and my Enom registration agreement

One of the main ways we inform our clients about how their data is being used is through our contracts and end-user service agreements, which have been updated as part of our GDPR implementation efforts.  


The right to erasure

Article 17 of the GDPR outlines the data subject's right to erasure, also known as the right to be forgotten. It gives each person the right to request that a controller like Enom erase their personal data. It also requires us to comply with any such request as long as one of six specific legal grounds applies. On top of this, it states that in cases where the controller has made personal data public, they must reach out to any other controller who is processing the data and inform them about the request for erasure so that the appropriate steps can be taken. Finally, Article 17 lays out several exceptions where the right to erasure does not apply. Most importantly, if the data is required in order for the Controller to fulfill legal obligations (e.g. retain for tax records), then it is not subject to the right to erasure. These also include instances when the processing of data is necessary for exercising the right of freedom of expression and information, or the establishment, exercise or defence of legal claims.


Personal data

Personal data is any information related to an identified or identifiable living individual. Different information collected together can identify a particular person and constitute personal data. Personal data that has been de-identified, encrypted, or pseudonymized but can be used to re-identify a person remains personal data and falls within the scope of the law.

  • Examples of personal data: name, surname, address, email address (such as firstname.lastname@company.com), IP address, personal ID, cookie ID.
  • These are not considered personal data: info@company.com, company name, or legal entities.

Data processed as part of fulfilling our service contract will be kept for the lifetime of the service, plus up to ten years after the service's termination.

Enom will hold any data that we process under the legal basis of consent for the same period as the contract-based data unless that consent is withdrawn, in which case the erasure process begins at the time of withdrawal of consent and may take up to 60 days to complete.

Note: Enom will direct you to cancel services. Upon canceling the service, your choice to withdraw consent will take effect.


Understanding consent for your personal data

Obtaining your consent

We will send every domain owner a consent request as part of the domain registration, transfer, or owner update process unless we already have consent on file for that consent group. In the consent request, we will be sure to disclose all the uses of your personal data required by a contract for us to provide the requested domain service. We will also ask for your consent for those data uses where our legal basis is your consent. In cases where we already have consent on file, we will process the new registration based on those existing consent choices.

Once you've provided consent, you will be given access to a consent management page where you can review and modify your consent choices on an ongoing basis or revoke your consent at any time.


Enom process via contract

Any data that must be processed to register a domain or provide any other service type will be covered under a contract. 

  • First name
  • Last name
  • Organization (if provided)
  • Email address
  • Country

Certain domain registries require additional information to complete domain registrations, and in these cases, we will include a point about processing those additional pieces of registrant data in our contract.


Enom process via consent

We will request consent from someone when:

  • We allow the processing of any personal data that isn't essential to provide the service. For example, we don't require the owner to provide their phone number for most domain registrations. Still, by collecting this piece of data, we can provide a backup verification method.
  • The data is required by a third party with whom we do not yet have a GDPR-compliant contract. For example, a registry might require that the domain owner's postal address be on file to complete a domain registration. If we don't have a GDPR-compliant contract with this particular registry, we would have to request consent from you to process and share this extra piece of personal data before completing the registration.

In cases where you do not grant your consent and the service can still be provided without using your personal data, we will instead use a combination of the contractual data and placeholders for any data elements that can only be processed with consent.


Data sharing preferences page

Each service or product offered through Enom falls into a particular consent group within our system. Once the consent preference is logged for a group, that choice is applied to any future purchases of products within that same group.

For two (or more) products to fall within the same consent group, they must:

  • Be offered through the same service provider
  • Contractually require the same data elements
  • Request the same consent-based data elements

For example, a registry might operate multiple TLDs, each of which contractually requires the owner's name, email, and country but also requests consent to process the owner's phone number. These TLDs would fall into the same consent group, and once you set your consent preferences for one of these TLDs, your choice would be applied to all future purchases of other TLDs within this group. This means that no future consent request emails will be sent to you for purchases within this group. However, if this same registry offers another TLD for which they request consent to process the owner's postal address, in addition to their phone number, you would receive a consent request upon purchasing this TLD, as it would fall into a distinct consent group.


Consent request triggers

A domain registration, update, or transfer can trigger the initial consent request. When you, the registrant, set your consent preferences, your choices will be logged and applied to any future purchases of products within the same consent group. However, if you purchase a service for which the provider requests additional pieces of data beyond those for which you have already granted or withheld consent to process, you may receive another consent request.

The consent request will be sent to the email address registered with Enom for the domain or service.


Consent and verification emails

The consent requests will only be sent to the registrant's email address. Sending a consent request to an email address other than the owner would not be considered GDPR compliant. Enom will no longer process admin, billing, or technical contact information for legal reasons, except in cases where the registry requires these contact points. Whenever possible, we will replace these fields with placeholder data.

At this time, the consent request and Whois verification emails will be sent to you as two separate requests.


Whois Information

Whois change

Enom implemented a gated Whois system. Under this system, the registrant, admin, and technical contact information for registered domains will no longer be visible in the public Whois database.

Whois data for registered domains will only be accessible to legitimate and accredited third parties, such as law enforcement, members of the security community, and intellectual property lawyers, through the gated Whois. This Whois data will be limited to those personal data elements that we have obtained permission to process, either via contract or via consent of the data subject.

Registrant information—name, organization, address, phone number, and email—will be considered personal data that can no longer be published in the public Whois. However, we feel authenticated access to this information, in a specific and limited manner, must be provided to those with legitimate reasons to request it. A gated Whois system will allow for this while also ensuring that private information remains guarded against the general public.

You can view a snapshot of what these changes will look like, or, for more context, you can read our full Whois Changes post. We've also curated a list of resources that provide helpful context and insight into how other key players are thinking about the future of Whois.


Public WHOIS details

Under the GDPR, personal data may be collected and processed only when there is a legal reason to do so. This means that the public Whois system as it exists today is incompatible with the data privacy principles that the GDPR affirms.

The technical data (the top section of the current Whois output) will appear in the public-facing lookup.


Gated Whois vs. ID Protect (Whois privacy)

The gated Whois is a portal where accredited third parties can access Whois information, and the output available here includes personal data hidden from the public Whois. However, the Whois output for domains with ID Protect (Whois privacy) will remain the same as it was before May 2018, both in the public Whois and in the gated Whois. This means that contact privacy details, including a contact privacy email, will be displayed for domains with ID Protect (Whois privacy) in the gated Whois. Check out our Whois changes blog post for a helpful visual snapshot of the difference.


Displayed data in gated WHOIS

Registrant contact data which is held based on contract, and data for which we have consent, will be displayed in the gated Whois — unless the domain is privacy-protected. If the domain has ID protection, the privacy masking data will be displayed publicly and within the gated Whois.


Non-EU domain registrants

We are applying all Whois-related changes platform-wide, meaning all registrants will receive the same data protection regardless of citizenship or location.


Gated Whois for privacy-protected domains

Access to the gated Whois will only reveal information that was public before May 25, 2018. It will not disclose the Whois information for privacy-protected domains. The Whois output for privacy-protected domains will be the same in public and gated Whois. As we do today, we will continue to require a court order or other legal documentation to access this information.


Whois information for privacy-protected domains

Whois privacy will continue to remain a valuable service to registrants worldwide. Even when the public Whois "goes dark," there will still be a gated Whois, where registrant data will be made available to parties with a legitimate interest. So, while the audience for registrant data will no longer be the entire public, it will still be sizable. This is where Whois privacy comes in—if privacy is active on a domain, the personal data in the registration record will remain protected from those with access to the gated Whois. The service also provides a way for third parties to contact the domain owner via the privacy service email address displayed in the Whois output. In addition, the personal data associated with a domain protected by Whois privacy will not be shared with registries.

Here's a visual guide that illustrates these differences in WHOIS output. Our Whois impacts blog post also provides a more in-depth answer to this question.


ICANN policy

We will continue to comply with ICANN policy to the greatest extent possible, as we have always done. However, until ICANN policy has been updated in response to the GDPR and other similar worldwide data privacy legislation, we will be faced with many instances where the requirements that ICANN lays out for its registrars conflict with our legal obligations. In these instances, we will follow the law first and comply with ICANN as best we can.


Effects on incoming transfers

We have made some minor updates to our inbound transfer process. We will now rely on the EPP code (also known as the transfer authorization code) provided by the owner as the form of authorization for inbound transfers rather than requiring an additional transfer approval step. Additionally, for each completed transfer, a registrant verification email will be sent to the owner's email address to verify the accuracy of domain contact information. Our outbound transfer process will not change.


Tiered access directory (gated Whois)

The Tiered access directory is Enom's gated version of the Whois directory. It allows accredited third parties, such as members of law enforcement, to view the contact data of domain registrants who use our platform.

WHOIS contactability service

When a person uses the form to send a message to the domain owner, we will send an email to the registrant and the sender.

Note: While the registrant may receive your message, they may not reply. Enom cannot control whether the registrant responds or not. Enom does not reach out to registrants on behalf of interested parties.

The sender will also receive an email.

The registrant's email address will receive an email with the sender's message.
