GDPR and Contract Changes

By Ashley La Bolle 12 March 2018 Announcements, Industry News, Product Updates

If you’re reading this, chances are you have questions about the GDPR and how EPAG is preparing. We’ve got answers!

The GDPR can be approached in terms of three fundamental concepts:

1. Consent and Control

2. The Right to Erasure

3. Transparency

We have talked about one of these concepts in past blog posts, and today we’ll look at the third: Transparency.

Transparency is one of the core principles in the GDPR, emphasized in Article 5 of the policy, which states that personal data must be “processed lawfully, fairly and in a transparent manner in relation to the data subject,” and must be collected for “specified, explicit and legitimate purposes.” In short, the data subject has to be kept informed as to what data is being collected and how that data is being used.

One of the main ways that we inform our clients about how their data is being used is through our contracts, and we are now ready to share more information about the upcoming changes to our reseller and end-user agreements, which are being made as part of our GDPR implementation efforts.

Before we dive into the specifics, I want to emphasize again how important it is to read the GDPR for yourself, and to engage legal counsel who is competent to support your business through the process of coming into compliance with the GDPR.

As we work in partnership with our clients to ensure that we accept, collect, process, and share personal data in a GDPR-compliant manner, there will be changes to our contracts, in the form of either a stand-alone Data Processing Agreement or an Addendum to the Reseller Agreement and Domain Registration Agreement. Regardless of whether we take the stand-alone-agreement or addendum route, there are a few things that you need to be aware of as a reseller.

Changes to Our Contracts with Registries

As a registrar, we have a Registry/Registrar Agreement in place with every registry with which we are accredited. We expect that many of these Agreements will be updated by the affected registries to be compliant with the GDPR. To this point, however, we have seen inconsistent approaches from the European ccTLD registries, and no GDPR-related contract updates from gTLD registries. We are working together with other industry groups to standardize a model for what these contractual changes will look like; without a standardized approach, we would have to negotiate individual amendments with each registry, a difficult undertaking to complete by May 25, 2018, given the number of registries with which we partner.

Working Toward an Industry-Standard Approach to Contracts

Given the changes we expect to see from registries, changes we expect registrars will make, and changes that we believe will be recommended by ICANN, we are hopeful that industry-standards will develop in the coming weeks which we can incorporate in our changes to our own agreements. These efforts are ongoing, but once a final decision about exact language has been made, we will update you. While we appreciate that uncertainty around these changes is difficult, we hope that an industry-standard amendment will make things easier for both our resellers and the industry as a whole. At the same time, we know that we cannot wait too long before sharing those changes with you. If the industry-wide amendment is not ready for distribution by the end of March, then in early April we will send our own contract changes out to our partners.

Changes to Our Contract with Reseller Partners

Our amendments to our reseller agreement will outline the obligations for both ourselves and our clients that are necessary to ensure that every user on our platform is fully protected in a way that aligns with the GDPR. We expect that contract changes will track certain standardized language that has been approved by the European Commission in years past, such as this European Commission decision, which provides some standardized contract language for data sharing.

Here are some of the changes that you can expect to see in our Reseller Agreement, which governs the services we provide to resellers. These updated requirements will apply both to us and to our resellers:

Data Storage

  • All personal data must be stored securely and handled with appropriate protections.
  • Any subcontractors who are allowed to access data must also have adequate security in place.

Data Sharing

  • Any data sharing must be done in accordance with the GDPR.
  • Data that is shared must be maintained securely by both the sending and the receiving parties.
  • Any data exporter will be liable for damages suffered by the data subject for any violations of the GDPR.

Disclosure

  • The data subject will be informed about the collection and sharing of their personal data in a GDPR-compliant manner.
  • All contracted parties (including EPAG, Tucows, and the reseller partner) agree to work cooperatively with Data Protection Authorities if questions arise about the use and sharing of personal data.

Changes to Our Contract with Registrants (End-Users)

For our Domain Registration Agreement, which governs our relationship with the domain registrant, changes will include:

  • Clear explanation of which data elements are required by contract — we require the registrant’s first and last name, organization name (if provided), email address, and country; Registry agreements may extend this contractual data set.
  • Confirmation that, if a third-party’s contact information is used as the domain’s administrative, billing, or technical contact, the registrant will have the appropriate contract and/or consent with that third-party to satisfy the GDPR’s requirements around data use.

Moving forward

Rest assured, there will be no major surprises found in the changes to the Reseller Contract or Domain Registration Agreement, provided your business is GDPR compliant. As always, we are taking care of the heavy lifting to minimize the effort required on your end. We hope this allows you to remain focused on your day-to-day business and whatever internal changes you may need to make to come into compliance with the GDPR. Take a look at the European Commission’s standard contract text, and keep an eye on our Blog for our future updates.