Annex
ANNEX
.PT WHOIS POLICYWHOIS is a widely used search and response Transmission Control Protocol – TCP – that provides name registration data for Internet domains.
ccTLD.PT has used the WHOIS service since 2000, in strict compliance with relevant legislation. In broad terms, WHOIS is a free, public directory that can be accessed to identify data associated with domain name registration and maintenance.
Although not entirely new, harmonization of State Member personal data protection rules within the European Union, in accordance with European Council and Parliament Regulation 2016/679 which sets out the treatment and protection of personal data and how it may be transmitted, dated 27 April 2016, and that will replace Directive 95/46/CE (General Data Protection Regulation) as from 25 May 2018, reinforces the protection of personal data rights and brings numerous challenges to organizations regarding its implementation and control.
One of GDPR’s main challenges is the need to ensure that WHOIS is compliant with the new legal framework whilst upholding Top Level Domain – TLD - management best practices. Based on principles of transparency and publicity, TLDs promote online trust for all stakeholders, by providing namely:
• Access to accurate, trustworthy and up to date registry data;
• Contact details for owners and domain managers;
• Access to personal data which has not been made public through ARBITRARE – an Industrial
property, Domain and Company Name Arbitrage Centre. ARBITRARE is an entity that is empowered by law to pursue criminal investigation procedures, namely as regards protection of consumer, industrial property, communications, security, public health and general commercial rights.
The balance between the need to safeguard WHOIS’ guiding principles, namely those of proportionality, transparency, quality and minimal treatment of personal data, and the defense of an individual’s basic rights as regards personal data protection, is one of the major concerns of member states, organizations and in particular of those responsible for managing top level domains like .PT.
As from 25 May and based on the rules set out in the General Data Protection Regulation, and on public recommendations from CENTR – Council European National Top-Level Domain Registries, ICANN – Internet Corporation for Assigned Names and Numbers and RIPE – Network Coordination Center, and from other relevant peers, all data made public over WHOIS will have to have received informed, willing and express consent from its respective owners, according to the following guidelines:
I. After registration of a .pt domain, the data listed in appendix will be included on WHOIS;
II. As regards the data collected, personal contact data associated with the domain name will only
made public through the WHOIS protocol, on whois.pt.pt and online over dns.pt, if informed, willing, and express consent is given;
III. When a domain name is registered, owners of personal data must fill in a consent form according to the instructions provided upon registration of the respective domain;
IV. Owners of personal data may withdraw their consent at any time by accessing their reserved area online. Equally, authorization of public disclosure may be given at any time following the same procedure;
V. In the case of domains registered and managed by accredited registrars, and in accordance with the terms of the protocol established with .PT, it is the latter’s responsibility to make available, upon request, statements of consent from the owners of personal data;
V. In the case of domains registered and managed by accredited registrars, and in accordance with the terms of the protocol established with .PT, it is the latter’s responsibility to make available, upon request, statements of consent from the owners of personal data;
VI. If consent to share personal data has not been given, the online version available at www.pt.pt, will only provide anonymous details for the purpose of general contact or to relate violations or abuse;
VII. Only valid domain name registration data will be provided;
VIII. For domains registered prior to 25 May 2018, .PT will strive to obtain consent for disclosure of
personal data over WHOIS, however disclosure will not be made of the entities for whom consent has not been obtained;
IX. ARBITRARE, the legal authorities empowered to pursue criminal investigation procedures, and whose mission is to control and prevent violation of the law regarding protection of consumer, industrial property, communications, security, public health and general commercial rights, may approach .PT to request personal data that has not been made public over WHOIS.
These principles may be revised in accordance with relevant legislation at the time, as is also the case for recommendations from national and international entities specialized in these matters, as regards namely the creation of an accreditation system for individuals or companies to be given privileged access to data not provided over WHOIS. Codes of conduct may also be created whose principles might impact the principles listed above and as such lead to additional changes.
Lisbon, 10 April, 2018
