Information on Mandatory Data Transfers
Ascio is an ICANN (Internet Corporation for Assigned Names and Numbers) accredited registrar and offers domain name registrations for more than 800 TLDs. Whilst many of the most popular TLDs are based within the European Economic Area (“EEA”), such as the Registries for the United Kingdom (Nominet), France (Afnic) and Germany (Denic), there are a significant number of TLDs where the Registry is based outside the EEA. Even ICANN, the effective regulator for gTLDs (such as .com, .biz and info) is based in the United States of America. Only one Registry can operate a specific TLD so if customers wish to purchase a specific domain name within a TLD, the customer has to agree to the rules of the Registry operating that TLD.
Why does this matter?
Ascio is based in Denmark and is required to adhere to Danish law (and therefore EU law). Accordingly, Ascio must ensure that transfers of personal data outside the EEA are only performed subject to strict criteria. In order to register domain names in TLDs where Registries are based outside the EEA, Ascio is mandated, under the contractual terms set by the Registry, to collect and transfer data for the registration, renewal and general management of the domain name in the TLD. This data collection and transfer may include the collection and transfer of customer personal data to the Registry or other third parties acting on its behalf.
What data do we collect?
Generally, we collect three types of data in the domain name registration process:
- WHOIS data. This is the basic registration data that is required by the Registry to register a domain name so that it is legally held by a customer. Commonly, it includes registered name holder, administrative and technical contact information such as name, address, telephone number, email address and fax number.
- Transactional data. For the safe and efficient operation of verifying a registered name holder’s identity and authorisation, the Registries may require us to collect transactional data from a customer to prove certain matters relating to the management of the domain name. This may include email correspondence, written notices, IP addresses, authorisation confirmations and payment information.
- Additional Information. For unique TLDs, we may be required to collect additional information, such as memberships of trade associations and qualifications.
To whom do we send the data?
- WHOIS data. This data is transferred to the Registry during the registration process and any subsequent interaction, such as contact information changes and renewals.
- Transactional data. This is generally retained by Ascio until specifically requested by the Registry or ICANN. The Registry may request evidence of transactional data during a contractual compliance audit, following a compliance complaint or to verify a specific action requested by Ascio (for example, to prove that it was genuinely requested by the registered name holder).
- For gTLDS, a copy of the WHOIS data is escrowed to an escrow agent authorised by ICANN. At Ascio, we have contracted with Iron Mountain Intellectual Property LLC who provide the escrow services.
Where do we transfer the data?
- WHOIS data is sent directly to the Registry. For ccTLDs, the Registry is based in the relevant country (for example, .kr is the TLD for South Korea). For many Registries operating gTLDS (such as .com), these are based in the United States of America but operators of gTLD Registries can be based anywhere in the world.
- Transactional data is sent directly to the Registry.
- Escrowed WHOIS data is sent to Iron Mountain Intellectual Property LLC, a company based in the United States of America.
How often do we transfer the data?
- WHOIS data is sent to the Registry every time there is an order to the Registry. This could be registration of the domain name, renewal or any other action such as contact information changes. In practice, this means that we transfer WHOIS data to Registries on a daily basis.
- Transactional data is only sent on request. For most domain name registrations, transactional data may never be transferred.
- Escrowed WHOIS data is transferred daily at 0700UTC the day after any changes have been made by Ascio. Additionally, an export of all domain name information is transferred on a weekly basis.
How is the data transferred?
- WHOIS data is transferred to the Registry in a manner which is specified by the Registry.
- Escrowed WHOIS data is signed and encrypted before it is transferred via and SFTP connection.
- Transactional data is transferred according to the Registry requirements.
Contractual Framework for data transfers
For gTLDs, these are governed by ICANN. ICANN enters a Registry Agreement with the Registry responsible for the TLD. To become an ICANN accredited Registrar, Registrars have to enter the Registrar Accreditation Agreement with ICANN. Additionally, to then be able to offer domains in a specific TLD, Registrars must enter a Registry Registrar Agreement with the Registry. For ccTLDs, the Registrar has to enter a Registry Registrar Agreement with the Registry.
Agreements with the Registries are offered to all Registrars equally and each Registry is permitted to set its own contractual terms (for gTLDs these must meet the ICANN minimum requirements). If a customer wishes to buy a domain name for a specific TLD, it must agree and adhere to the Registry policies which will form part of the agreement with Ascio.
Where can I find more detailed Registry specific information?
In the Policies pages www.ascio.com/policies, we have set out, for each Registry, the mandatory data that is collected and transferred. Our aim is to be fully transparent about the operation of the internet and to fully describe to customers how data they provide will be both collected and used by the Registry to effectively manage domain name registrations.