GDPR and Whois

05.23.2018 - written by  in Domain names

10 Comments

The General Data Protection Regulation (GDPR), goes into effect this Friday, May 25, 2018. This new European regulation grants new rights to individuals related to the processing of their personal data and involves changes in the manner with which we collect, save, and share your data, notably your personal data as displayed in the Whois.

As a consequence of this new regulation, we have modified our “Whois” tool (the Gandi Whois is available here: https://www.gandi.net/whois) in order to obfuscate all personal data, especially the first and last name of the owner (aka the “registrant”) of a domain name.

  • When you have our (free) private Whois service activated:
    • For the owner (also called the “registrant”) of a domain name: we will hide the first and last name and instead we will display “REDACTED FOR PRIVACY”. We will continue to display the name of the organization (company, association, etc.) and an anonymized alias email address (produced by our free “anti-spam protection” service) however. We will also replace the postal address and telephone number with Gandi’s “private Whois” information.
    • For other domain contacts (admin, technical, billing): from here on out, we will replace all personal information (first name, last name, company name, postal address, telephone number, and fax) with “REDACTED FOR PRIVACY” except for the anonymized alias email address our free “anti-spam protection” service produces.
  • When you do not have the “protected Whois” option activated:
    • For the owner (also called the “registrant”) of a domain name: we will hide the first and last name and instead we will display “REDACTED FOR PRIVACY”. We will continue to display the name of the organization (company, association, etc.) and an anonymized alias email address (produced by our free “anti-spam protection” service) however. We will also replace the postal address and telephone number with “REDACTED FOR PRIVACY.”
    • For other domain contacts (admin, technical, billing): from here on out, we will replace all personal information (first name, last name, company name, postal address, telephone number, and fax) with “REDACTED FOR PRIVACY” except for the anonymized alias email address our free “anti-spam protection” service produces.

For geographic TLDs (i.e. ccTLDs that correspond to individual country codes, like .fr and .uk), we will display the data provided by the registry when they conform to the GDPR requirements. Otherwise, we’ll use the same information (see above) we’ll be using for generic TLDs like .com and .net, until the registry in question makes the necessary changes.

In any case, the most important thing to remember is this: you don’t need to take any action. The following information will always be hidden:

  • first and last name,
  • street address (only the country and state of the owner will remain public),
  • telephone and fax number,
  • email address (only the encrypted email address alias will be displayed)

We will soon be adding a feature on our website to let you display your information if you desire.

At Gandi we have always taken data privacy very seriously. GDPR represents a major reform in that area. The updates that this reform will entail, especially those related to the Whois, bring us further down the path of improving the collection of personal data and its subsequent processing in relation to domain name registration.

We will continue to keep you up to date on all the actions we take to conform with this new regulation and we are of course available to answer your questions, whatever they may be, on this subject.

Leave a Reply

    bran

    So either way, you will mark information REDACTED FOR PRIVACY? both paragraphs are the same if I am reading correctly.

      Andrew

      For the owner/registrant, no matter what, personal names will be replaced with “REDACTED FOR PRIVACY.” If whois protection is activated, the address, etc. will show the whois protection address. If it’s not activated, it will just say “REDACTED FOR PRIVACY” for the address and phone number, etc. For other domain contacts (admin, technical, billing), all of the information will be replaced with “REDACTED FOR PRIVACY”.

      Whether we show an obfuscated address or just “REDACTED FOR PRIVACY” probably doesn’t make too much difference to you, at least for now, but that difference will become more relevant again when we add the option to turn off that “REDACTED FOR PRIVACY” bit and display your info. At that point, if you have whois protection activated, it will only show the owner’s name, and then will also show our whois privacy info. If you don’t, it will show your name, address, phone number, etc.

    Wouter R.

    I was wondering if there will be any difference in the way Gandi handles requests for whois information.

    If I remember correctly Gandi used to provide full whois information to anyone who asked, as the service was meant as a protection against regular attacks (such as spammers). While the GDPR will only allow you to provide information to people with a legitimate interest, which at first glance seems to exclude people with a commercial interest.

    Is Gandi also going to change its line in this? That requesters for example have to identify themselves and provide a legitimate interest?

      Absolutely, although Gandi’s commitment to personal data protection has always been strong, there will be a difference with GDRP in that it will be now necessary to demonstrate a legitimate interest in order to obtain the information associated to a domain name holder or one of its contacts.

      Commercial purposes won’t be considered as legitimate but a request from a third party holding Intellectual Property rights will be in most cases legitimate.

      Each request will undergo a thorough review.

      Wouter R.

      @Sophie
      That’s good to hear. 🙂

    D.K.

    I gotta say this is good change, I tried to retrieve whois information of my domain from other registrar and ICANN which is already been protected by gandi for over 2 years now, and it came back with absolutely nothing, except email for three contacts of abuse@support.gandi.net, paris for registrant State/province, FR for registrant country, if someone wants to see the obfuscated email of my domain,. they have to see it on gandi’s whois service, which really added another layer of protection, good work gandi folks!
    PS: when is the v5 going to be really completely finish?

      Hi D.K., thanks for your kind comment.
      Actually, we wish V5 to never be ‘finished’, as our main objective is to deliver new features and optimisations to give our customers the best experience possible when managing their domains.
      However, V5 should be ready to welcome all our customers, wether they are resellers or have a huge quantity of domains to manage, before the end of this summer.
      Thanks for your support!

    unamico

    after the introduction of the GDPR, whois data is “blacked out” in most cases. Part of my professional activity is Open Source Intelligence (OSINT) as a court-appointed digital criminalist and I would like to know if there is a procedure for obtaining contact details for a domain registered with you or if this activity is subject to court authorization or judicial authority.
    Thanks and best regards

      Hi unamico,
      with GDPR it will be now necessary to demonstrate a legitimate interest in order to obtain the information associated to a domain name holder or one of its contacts.
      Requests from competent authorities for the purpose of investigation should be deemed legitimate, and there should not be any need for a special procedure such as a court order.
      In any case, each request will undergo a thorough review.

    Erik

    Hi,

    What about services beyond WHOIS? Such as using mail.gandi.net for email, serving content through your cloud hosting (IP logging), etc.

    Is a Data processing agreement required in those instances?