Never has a domain owner had so much control over the disclosure of their personal data as they will after the introduction of the GDPR. But just because the GDPR’s directives apply uniformly throughout Europe does not mean that the necessary changes will be implemented uniformly across various registries.
Unfortunately, the approaches that European ccTLD registries are taking to regulate the processing of personal data vary widely.
Many European registries will no longer display personally identifying data for private persons in their Whois. However, if a domain is registered to an organization, it is possible that the registry may choose to publish the contact details of the organization in their public Whois. The GDPR applies specifically to personal data, meaning that this appraoch is likely legal under new GDPR guidelines. To prevent personal data in an organization contact from being displayed in a public Whois, we recommend taking the following measures, where allowed by the relevant registry:
- Use roles rather than personal names for Organization contact details. For example, instead of writing “John Doe” for the name in the organization field, use the role “Host Master”.
- Use role email addresses rather than personal email addresses. For example, instead of using “firstname.lastname@example.org” for the email address, use a generic company email address like “email@example.com”.
- Where possible, clean up existing contact data to remove personal data from any organization contacts.
- Remind domain registrants of their obligation to provide you with correct data and to keep that data up to date. This will ensure that the registrant is able to manage their consent preferences using the contact email provided with the domain order.
These tips give registrants the added advantage that their organization is not reliant on a particular person (for example during a transfer), should that person be out of the office or no longer employed by the company.