GDPR guidelines for resellers

The European Union's General Data Protection Regulation (GDPR) came into effect on May 25, 2018, and changed how companies collect and manage personal data. GDPR lays out a new set of rules for how people's personal data within the European Union should be handled. The implementation of GDPR results in some policy changes and common questions in the following areas.

How Enom processes data

Resellers can review Enom's data-sharing practices. It is in our best interest and that of our resellers and registrants to prepare for heightened data sharing and privacy standards. Enom believes in the principles that the GDPR upholds, and we, along with other key players in our industry, feel the benefits of the GDPR to registrants worldwide.

Consent and contract: Any data that Enom or the registry/service provider requires to provide a TLD or other product will be processed on a contract basis. It will be included in our contractual agreement with the registrant. We do not need to send a consent request to process this data. Any additional pieces of data requested by the registry but not included in the contract can only be processed with consent from the registrant.

Data controller and processor: The Data Controller determines what data will be processed and selects the means of processing it, while the Processor handles the data based on the requirements set by the Controller. Enom doesn't have a direct relationship with the domain owner. We have a contractual one, as required by ICANN and other TLD policies. To enter into our contract to sell a customer a domain name, we need certain pieces of personal data, such as the registrant’s first and last name, organization name (if provided), email address, and country. So, the legal basis for us to process those pieces of data is the performance of a contract, and we are a Controller for those data elements.

Data timeline: Data processed from our service contract is kept for the lifetime of the service, plus up to 10 years after the service’s termination. Enom will hold any data we process under the legal basis of consent for the same period as the contract-based data unless consent is withdrawn. In this case, the erasure process begins and can take 60 days to complete.

ICANN policy: ICANN policy has been updated in response to the GDPR and other worldwide data privacy legislation. When ICANN requirements for registrars conflict with our legal obligations, we will follow the law first and comply with ICANN as best we can.

GDPR and whois information

Resellers can access all the Whois contact data that we hold for their end-users within the reseller control panel. Data can only be shared when necessary to fulfill the intended purpose of the data collection. The public Whois system was incompatible with the principles of data privacy that the GDPR affirms. Registrant information is now redacted for privacy on whois lookups and can be made public by adding whois publicity to that domain. Public Whois output will still display domain dates, status, nameservers, and sponsoring registrar. 

Gated Whois information

The gated Whois is a portal where accredited third parties can access “full” Whois information, and the output available here includes personal data that is hidden from the public Whois. If the domain has ID protection, the privacy masking data will be displayed publicly and within the gated Whois. This means that contact privacy details, including a contact privacy email, will be displayed for domains with ID protection in the gated Whois. For a helpful visual snapshot of the Whois differences, check out our Whois changes blog post. The Whois output for privacy-protected domains will be the same in both the public and gated Whois. We will continue to require a court order or other legal documentation for access to this information, as we do today.

WHOIS contact ability service

When a person uses the form to send a message to the domain owner, we will send an email to the registrant and the sender.

Note: While the registrant may receive your message, they may not reply. Enom cannot control whether the registrant responds or not. Enom does not reach out to registrants on behalf of interested parties.

The registrant's email address will receive an email with the sender's message.

Consent management process

When a registrant visits their data sharing preferences, they will find an up-to-the-minute list of all the active products they have registered. The Enom data sharing preferences information page includes an exhaustive list of the TLDs and services offered through Enom and the data elements required under the contract or used only with consent.

Registry data sharing

For many TLDs, the registry provider requests data for which there is no contractual basis to process. In this case, we will ask the registrant for consent to share these additional pieces of data with the provider. In most cases, even if the registrant should withhold or fail to provide consent, Enom can immediately register the domain by sending the registry a combination of the contractual data and placeholders for any data elements that can only be processed with consent. These domains can be registered immediately without using additional personal data beyond what is covered in the contract. If the registrant withholds or revokes consent, any existing services will remain active, and any pending orders will be processed normally. Enom will simply substitute placeholder data for any consent-based personal data.

Data sharing preferences page

Enom is legally obligated to collect consent from our registrants and to provide them with a straightforward, accessible means of revoking consent. The data-sharing preference page is our solution for fulfilling these obligations and is an essential part of our domain and service registration process. Enom is mentioned on the data sharing preference page to allow for a white-labelled solution for our resellers, but this commitment must be met in balance with the legal obligations we have as a data processor and controller. GDPR requires service providers to disclose what personal data they are processing, how this data is being held and processed, and by whom it is being processed. As such, we are transparent about the fact that Enom is processing their data.

Product consent order

The order in which services are presented to the registrant is prioritized so that any actionable or important items are seen first. This means services will be listed in the following order if they are available:

  1. New products that still require consent from asynchronous products
  2. New products that still require consent from synchronous products
  3. Older products where the consent choice has been made for asynchronous products
  4. Older products where the consent choice has been made for synchronous products

The data collected will depend on whether you have registered the service as an individual or an organization. Accordingly, some of the data described here may not actually be collected. Some registry and service providers will request different information if the registrant is listed as an organization than they do if the registrant is listed as an individual. Our data use information page outlines all the data we collect for each service, on both a contract and a consent basis, and clearly indicates any differences between data collected for individual and organization registrant types.

Product consent groups

Each service or product offered through Enom falls into a particular consent group within our system, and once the consent preference is logged for a group, that choice is applied to any future purchases of products within that same group.

In order for two products to fall within the same consent group, they must:

  • Be offered through the same service provider
  • Contractually require the same data elements
  • Request the same consent-based data elements

For example, a registry might operate multiple TLDs, each of which contractually requires the registrant's name, email, and country, but also requests consent to process the registrant’s phone number. These TLDs would fall into the same consent group, and once the registrant sets their consent preferences for one of these TLDs, the registrant’s choice would be applied to all future purchases of other TLDs within this group. This means that no future consent request emails would be sent to the registrant for purchases within this group. However, if this same registry offers another TLD for which they request consent to process the registrant’s postal address, in addition to their phone number, the registrant would receive a consent request upon purchasing this TLD, as it would fall into a distinct consent group.

Enom groups products this way so that we’re able to reduce the number of consent requests the registrant receives while ensuring the registrant has complete control over which elements of their personal data are shared and with whom.

Consent emails

Consent emails can be triggered by the registration, update, or transfer of a domain. When the registrant sets their consent preferences, their choices will be logged and applied to any future purchases of products within the same consent group. However, if they purchase a service for which the provider requests additional pieces of data, beyond those for which the registrant has already granted or withheld consent to process, they may receive another consent request. The Enom system waits one minute before sending a consent request email; if multiple services are purchased together, a single consent request email will be sent for all services. In cases where an end-user makes multiple purchases more than one minute apart, multiple emails will be sent. Consent emails can only be sent to the registrant's address; other emails are not considered secure and would violate the GDPR.

A link to the Data Sharing Preferences page can be resent to the registrant's email by initiating a request through your control panel or via the API.

Replying to consent emails

Our system assumes no consent until consent is granted; there is no time-out period. Enom will still send a consent request email to the registrant to ensure they have access to the data use information page even if no consent is required. We do this to fulfill our commitment to maintaining a high level of transparency. A link to the Data sharing preferences page can be resent to the registrant's email by initiating a request through your control panel or via the API.

Reseller controls and management  

Information and data management

Resellers should not alter registrant information. Certain pieces of information, such as the registrant's full name, organization, email address, and country, will always be required. We need this data for our contractual use and must be able to identify the owner of the domain, and our Domain Registrant Agreement requires the registrant to provide complete and accurate information. The list of contractually required data elements for a particular TLD or service may be longer, depending on Enom's contract with the registry or service provider.

Placeholder data

While it is not recommended, you can choose to substitute placeholder data for any data elements that we process using consent as the legal basis when placing orders, but you cannot leave these data fields empty. Although the consent-based data could be withheld and placeholders used instead, if the client decides to consent to the data being used, they may be confused to discover that even after they have consented, the data is not listed on their domain registration record.

Resellers and the consent page

There is no option to disable the consent page or bypass it as a reseller. Enom is legally obligated to collect consent from our registrants and to provide them with a straightforward, accessible means of revoking consent. This page cannot be edited. The majority of the text on the Data use consent settings page is legal information that we are obligated to disclose, so it cannot be modified. 
