The protection of your privacy is one of our main objectives.
Register S.p.A. (hereinafter (hereinafter “Controller” or “Data Controller” or “Company” or “Register”), with registered office in Viale della Giovine Italia 17, Florence, CAP 50122, undertakes to constantly protect the privacy of its users on-line. This document outlines our policy on privacy, explaining how your personal data are managed when using our services, and to enable you to give express consent to the processing of your personal data while being aware of the website sections requiring the entry of such data. Note that the various sections of the web sites of Register (hereinafter “Site”) requiring entry of your personal data may contain specific disclosure options in accordance with art. 13 of the Regulation (EU) 2016/679 (hereinafter “Regulation” or "GDPR"), which must be viewed by you before providing the requested data. The information and data supplied by you or otherwise acquired when registering for the various services of Register, (for example to register domain names, to supply an email account, to supply a certified email account (PEC), supply web space, supply hosting services, supply other accessory services, hereinafter referred to in general as “Services”), will be processed in observance of the provisions of the GDPR and the obligations for confidentiality that form the basis of the work of Register.
In accordance with the provisions of the GDPR and the Legislative Decree 196/2003 and its subsequent amendments (hereinafter “Italian Data Protection Code”), the processing operations carried out by Register will comply with the principles of lawfulness, fairness, transparency, purpose and retention limitation, data minimisation, accuracy, integrity and confidentiality.
1. Data Controller, Data Protection Officer and Representative in the United Kingdom
2. Personal data undergoing processing
a. Browsing data
b. Data processed during engagement with social media
c. Data provided voluntarily by the data subject
d. Domain name registration data
e. Traffic data
g. Data processed in the context of the PEC service
h. Data processed in the context of the SPID service
3. Purposes of the processing, legal basis and mandatory or optional nature of the processing
4. Recipients of personal data
5. Transfer of personal data
6. Retention of personal data
7. Data subjects’ rights
1. Data Controller, Data Protection Officer and representative in the United Kingdom
The controller of the processing operations carried out through the Site is Register. The Data Controller’s organisation comprises a Data Protection Officer (hereinafter “DPO”). The DPO is available for any information regarding the processing of the personal data carried out by Register. It is possible to contact the DPO by writing to dpo(at)register.it.
With specific regard to the activities carried out by Register through the services of Facebook Inc., as described in Section 3 (h) of this policy, Register acts as a joint controller of the processing together with Facebook Inc.: please refer to Section 3 (h) of this policy for more information.
Register has designated as its representative in the United Kingdom the company Namesco Limited, with registered office in Acton House, Perdiswell Park, Worcester, WR3 7GD. The representative may be contacted at the following e-mail address: dc(at)names.co.uk.
2. Personal data undergoing processing
Processing of personal data means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
We inform you that the personal data undergoing processing - depending also on how you intend to use the Services - may consist of an identifier such as the name, e-mail address, ID number, location data, online identifier, purchases made and other data enabling you to be identified or identifiable, depending on the type of Services requested (hereinafter "Personal Data").
In particular, the Personal Data processed through the Site are the following:
a. Browsing data
The computer systems and software procedures used for operation of the Register web site acquire, during routine operation, some personal data, the transmission of which is considered implicit in the use of the Internet communication protocols. This information is not collected to be associated with identified persons, but which in their nature may, through processing and associations with data retained by third parties, enable the identification of users. This category of data includes IP addresses or domain names of the computer used by the users to connect to the site, URI (Uniform Resource Identifier) addresses of the requested resources, the time of the request, the method used to submit the request to the server, the dimensions of the file obtained in the response, the numerical code indicating the status of the response sent by the server (successful, error, etc.) and other parameters regarding the operating system and IT environment of the user. These data are used exclusively to retrieve anonymous statistical information on use of the present site and the sites of our clients, and to ensure correct operation of the latter, identify faults and/or abuse, and are deleted immediately after processing. The same data may be used to ascertain responsibility in the hypothetical case of computer crime harmful to the site or third parties: with the exception of this case, the data on web contacts are not stored for more than fourteen days, unless specific requests are made by the user (e.g. access to the user's personal pages within Register summarising services used, information published etc.).
b. Data processed during engagement with social media
Besides filling out the appropriate registration form, you can register to the Services if you have a Facebook profile by just clicking on the "Login with Facebook" button. In this case, Facebook will automatically send Register some of your Personal Data, indicated in the pop-up window, which appears upon applying, and you will not need to fill out any other forms. If, instead, you are already a registered user of Register and also have a Facebook profile, you can choose to associate your Register account to your Facebook account by clicking on "Login with Facebook" and then on "Associate Account": this way, your Register identification code will be associated to your Facebook user code, and you can then directly authenticate yourself by just clicking on "Login with Facebook” to your Register control panel without entering any credentials.
In the same way, Register gives you the possibility of associating your Register account to any Google, Twitter and LinkedIn accounts. In such cases too, these social media sites will automatically send Register some of your Personal Data, indicated in the pop-up window, which appears upon applying.
c. Data provided voluntarily by the data subject
When using specific Services (such as Register promotions allowing the assignment of domain names to third parties, or as part of the exchange of e-mails or other messages with the operators of our Customer Care), the Personal Data of third parties that you submit to the Service Manager may undergo processing. In such case, you are considered an independent data controller, assuming all the obligations and responsibilities of law. To this effect, you fully indemnify in this regard Register against any complaints, claims and demands for compensation for damages arising from processing, etc., that may be received by Register from third parties whose Personal Data have been processed through the use of the Services, in violation of the applicable rules on personal data protection. In any case, if you provide or in other way process Personal Data of third parties in using the Service, you henceforth guarantee - assuming all related responsibilities - that this specific processing is grounded on an appropriate legal basis (for example, the data subject’s consent) in accordance with art. 6 of the GDPR, which legitimizes the processing of the information in question.
d. Domain names registration data
e. Traffic data
As part of the e-mail service, Register processes certain data for the transmission of communications on the electronic communications network. These data are listed in Legislative Decree no. 109 of 30 May 2008, and are specifically:
- IP address used, e-mail address and any further sender ID;
- IP address and fully qualified domain name of the mail exchanger host for SMTP technology, or any type of host for a different technology used in the transmission of communication;
- e-mail address and any further ID of the recipient of the communication;
- IP address and fully qualified domain name of the mail exchanger host (for SMTP technology), or any type of host (for a different technology used) that delivered the message;
- IP address used by the recipient for receiving and/or browsing e-mail messages, irrespective of the technology or protocol used;
- date and (GMT) time of the log-in and log-off of the user of an Internet-based e-mail service, along with the IP address used, irrespective of the technology and protocol applied;
- Internet service used.
These data are processed and retained by Register to provide the service and by legal obligation - specifically, for detecting and suppressing criminal offences - adopting stringent security measures that make them accessible only to specially authorized persons in writing, who access them exclusively prior to a request of the judicial authority, accompanied by a reasoned order issued by a public prosecutor and, in any case, with highly sophisticated authentication techniques provided for by law. As required by law, the personal data are retained by Register for the purpose of ascertaining and prosecuting crime for six years after their collection. Additionally, the data are processed by Register for the typical activities following from the provision of the service (for instance, for documentation purposes in the event of billing disputes or payment claims, for fraud detection, and to carry out analysis on behalf of the customers), in accordance with the law. In such case, the personal data are retained, meanwhile adopting stringent security measures as provided for by law, for six months from their collection, and subsequently deleted.
g. Data processed in the context of the PEC service.
For specific information on the data processing activities performed by Register as data controller in the context of the PEC services, please refer to the “Informativa privacy PEC”, available at the following link: https://www.register.it/company/legal/informativa-privacy-pec/. (information notice available only in Italian).
h. Data processed in the context of the SPID service.
For specific information on the data processing activities performed by Register as data controller in the context of the SPID services, please refer to the “Informativa privacy SpidItalia”, available at the following link: https://www.register.it/assistenza/manuali-spid/ (information notice available only in Italian).
3. Purposes of processing, legal basis and mandatory or discretionary nature of processing
The purposes of the processing we intend to carry out, following your express consent where necessary, are the following:
a. to allow us to provide the Services you requested and the subsequent, independent management of your control panel, which you will access by registering and creating your user profile on providing the Services, including the collection, retention and processing of data for the establishment and subsequent operational, technical and administrative management of the relationship arising from the provision of the Services, and the exchange of messages during the course of the relationship;
b. to allow you to browse and explore Register websites;
d. to fulfil legal, accounting and tax obligations: this processing is legitimate under art. 6(1)(c) of the GDPR. Once the Personal Data has been provided, the processing may indeed be necessary to comply with legal obligations to which Register is subject; and in those cases, it is not possible for the users to object to this processing, since it is a processing operation deriving from legal obligations;
e. to carry out direct marketing activities via e-mail for services similar to those you have subscribed to, unless you objected to such processing initially or in subsequent communications, in order to pursue Register’s legitimate interests to promote products and services which you may be reasonably interested in; this processing is based on the assumption of lawfulness under art. 130, paragraph 4 of the Italian Data Protection Code: “if the owner of the processing uses, for the purpose of direct sale of its products or services, the e-mail address provided by the data subject in the context of the sale of a product or service, the consent of the data subject may not be required, provided that these services are similar to those being sold and the data subject, who is adequately informed, does neither at first nor in the occasion of subsequent communications refuse such uses. The Data Subject, at the time of collection and at the time of sending any communication made for the purposes referred to in this paragraph, is informed of the possibility to object at any time to the processing, in an easy manner and free of charge"; objections to this processing have no impact on the use of services;
f. to conduct studies, research, market statistics; to send you advertising and information material, commercial information, or surveys to improve the service (“customer satisfaction”) via e-mail or SMS, and/or over the telephone through operator and/or through the official pages of Register on social media as well as through your control panel, if you are a Register customer; furthermore, if you are a Facebook user, you may see Register advertising banners on your Facebook profile (hereinafter reference will be made to the activities listed herein as "Marketing"): the processing of your data for Marketing purposes is based on your consent pursuant to art. 6(1)(a) of the GDPR. You may object to the processing of your data for Marketing purposes through your control panel, or by sending a request from the Site or through the mechanism specified in the footer of commercial e-mails, or by writing to dpo(at)register.it. Objections to this processing have no impact on the use of services. From time to time, Register carries out specific joint Marketing activities, together with other companies of the team.blue Group, acting as joint controllers with Register. In particular:
i. sending personalized advertising material via e-mail, jointly with the company Iubenda S.r.l., with registered offices in via San Raffaele, 1 - 20121 Milan ("iubenda"). The sending of advertising material concerns services offered by iubenda. In particular, the activity consists of uploading a list of domains relating to Register's customers, associated with their e-mail address, on a platform managed by iubenda, on the basis of Register's legitimate interest in carrying out joint marketing activities with other companies of the team.blue Group. Subsequently, iubenda scans the domains in order to detect any non-compliance of the website with respect to the privacy legislation and, in case one or more non-compliances are detected, links the scan results with each e-mail address uploaded to the platform, based on iubenda's legitimate interest in carrying out joint marketing activities with other Group companies. This activity will be performed only where you have previously given your consent to Register in order to carry out Marketing activities; therefore, the legal basis of this processing activity is your consent, pursuant to art. 6 (1) (a) of the Regulation. Register has agreed with iubenda that Register will act as the main contact point for the exercise of your rights: therefore, you can object to this processing in the same ways indicated above in relation to Marketing activities and you can in any case exercise the rights indicated in paragraph 7 below by writing to dpo(at)register.it.
g. only with regard to certain services, the data may be processed for disclosing to third parties for their marketing purposes, namely to provide you with information and/or to propose offers on products, services or initiatives offered or promoted by other companies of the team.blue Group and/or its affiliates and/or subsidiaries and/or other business partners and outsourcers who act as independent data controllers: this processing is also based on your consent, pursuant to art. 6(1)(a) of the GDPR, which may be given specifically; any refusal to grant consent has no effect on the use of the services;
i. solely for purposes of security and prevention of fraudulent conduct, on the basis of a legitimate interest of Register in preventing fraud and deception to its own detriment or to the detriment of its customers, pursuant to art. 6(1)(f) of the GDPR and on the basis of Recital 47 of the GDPR, which expressly provides that the processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data subject, as well as on the basis of various balances of interests carried out by the Controller which do not show that the processing operations in question are detrimental to the Data Subject’s fundamental rights and freedoms. In particular, such activities shall include:
ii. anti-spam: Register reserves the right to refuse activation or to block email accounts or hosting of its customers from which spamming or phishing activities originate. Where possible, Register will proceed to verify the identity of the customer in order to carry out the necessary investigations and, only in the event of no response or where false documents are set, will put in place the block. This activity involves the processing of personal data such as e-mail addresses, copy of ID documents, photos and traffic data and finds its legal basis in article 6 (1) (f) and Recitals 47 and 49 of the GDPR, which refer to the legitimate interest of the Controller;
iii. checks on the usage of hosting: if there is an exceptional increase in the disk space used by the customer, the Company – limiting itself to external checks that neither have an impact on the Personal Data of the customer, nor include the identification of the content that has been uploaded – attempts to determine whether there are unlawful uses of the service (both in terms of contractual or regulatory provisions), in order to notify the customer, to protect its rights and to ensure the security of its systems.
v. profiling aimed at obscuring some Register’s offers to customers who connect from and / or pay from non-EU countries, in particular from countries included in a "Black List" drafted by Register on the basis of anti-fraud analyses. If you cannot access the offers for these reasons, you can always contact Register's support in order to overcome this block.
vi. verification of the identity of Register’s customers by requesting photos or other documents suitable for this assessment. This activity is carried out in the following cases: i) where you purchase one or more servers (dedicated or virtual) for the first time, ii) in the event that the Company receives reports relating to violation of industrial or intellectual property rights by third parties, or where such violations are independently detected by Register, iii) the customer is identified as fraudulent by the automatic control system referred to in section 3 (i) (i) above.
4. Recipients of personal data
For the purposes referred to in Section 3 above, your Personal Data may be shared with the following recipients (“Recipients”):
a. persons, companies or professional firms which typically acts as data processors on behalf of Register, such as: i) individuals, companies, or professional firms providing Register with advice and consulting in accounting, administrative, legal, tax, financial and debt collection matters related to the provision of the Services; ii) subjects to engage with in order to provide the Services and which typically act as autonomous data controllers (for instance, the national and international Registration Authorities to send the technical and administrative documentation and Maintainer forms to, the authorities that manage the WHOIS database containing the personal data of the domain name assignees or the company Iron Mountain Intellectual Property Management Inc., designated by Icann as escrow agent, credit card payment service providers (Mercury Payments and Banca Sella), etc.) iii) persons or companies authorised to perform technical maintenance (including maintenance of network equipment and electronic communications networks) and which typically act as data processors;; iv) MaxMind Inc., a company specialized in anti-fraud services that acts both as data controller and as data processor on behalf of the Company;
b. subjects, bodies or authorities, which typically act as autonomous data controllers, to disclose your Personal Data to in accordance with the provisions of law or under the orders of the authorities (for example, during the course of criminal investigations, Register may receive requests from the judicial authority to provide traffic logs);
c. persons authorized by Register to process the Personal Data required for carrying out activities strictly related to the provision of the Services, who have committed themselves to confidentiality or have an appropriate legal obligation of confidentiality, for example Register's employees;
d. business partners, which typically act as autonomous data controllers, for their own autonomous and separate purposes, only if you have given your specific consent;
e. auditing firms, which typically act as autonomous data controllers;
f. other companies of the team.blue Group, of which Register is a part. The team.blue Group, consisting of several brands and subsidiaries, can improve coordination and resource allocation by sharing data internally. This enables more efficient collaboration on product, campaign, and customer service improvements. Personal Data may be shared between companies belonging to the team.blue Group for the production of marketing statistics, internal administrative purposes, and reporting purposes, but only in the amount necessary for the intended purpose and based on appropriate security measures to prevent unauthorized access or disclosure.
The full list of Recipients is available by sending a written request to dpo(at)register.it.
5. Transfer of personal data
Some of your Personal Data are shared with Recipients who may be located outside the European Economic Area. Register ensures that your Personal Data are processed by these Recipients in accordance with the GDPR. Indeed, transfers can be based on an adequacy decision or on the Standard Contractual Clauses approved by the European Commission.
For further information please send a written request to dpo(at)register.it.
6. Data retention
The Personal Data processed for the purposes referred to in Section 3 (a-b-c) will be retained for the period deemed strictly necessary to fulfil the stated purposes. In any case, since the Personal Data are processed for the provision of the Services, Register will retain the Personal Data for the period allowed by Italian law to protect its interests (art. 2946 et seq. of the Italian Civil Code). In particular, in order for the Company to be able to demonstrate that it has correctly fulfilled its contractual obligations, Register will retain the data necessary for this purpose for the period of time pursuant to Italian law establishing limitations for bringing actions for breaches of contract.
Personal Data processed for the purposes referred to in Section 3 (d) will be retained for the period required by the specific obligation or by applicable law. By way of example, as already specified traffic data will be retained for judicial purposes for six years from their generation; otherwise, they will be retained for six months; invoices will be kept for ten years.
For the purposes referred to in Section 3 (f) (Marketing), your Personal Data may, instead, be processed until you withdraw your consent or until three years after you have ceased to be a Register customer, or if you have only registered to the Site and have not purchased any products or services. Register has, in any case, the possibility to retain your Personal Data for the period allowed by Italian law to protect its interests (art. 2947 (1) (3) of the Italian Civil Code). With specific regard to the Marketing activity indicated in section 3 (f)(i), your data will be deleted from the platform once the e-mail sending activity has taken place. For the purposes referred to in section 3 (h) (Profiling), the retention criteria of your Personal Data are those that govern the processing of data for Marketing purposes. For the purposes referred to in section 3(i)(i) (anti-fraud), the data are kept for the time necessary for the Company to be able to prevent and combat fraudulent conduct carried out through the Site, such as, for example, benefiting from the same promotion several times without being entitled to it. For the purposes referred to in section 3(i)(ii) (anti-spam), the data will be retained for the entire duration of your contractual relationship with the Company.
With regard to traffic data, as already mentioned, such data are retained for six months after its generation for the purpose of providing the service and for six years for the purpose of ascertaining and prosecuting crimes; for the purposes referred to in section 3(i)(iii) (audits on hosting usage), the data will be retained for the period of time that the customer uses the service. For the purposes referred to in section 3 (i) (vi) (identity verification), Register will process Personal Data up to the time allowed by Italian law to protect its interests (Article 2946 et seq. of the Italian Civil Code).
For the purposes referred to in section 3 (l) (Marketing Automation), your Personal Data will be processed until your consent is withdrawn or, in any case, if you are a user not registered on the Site, for 14 days or, if you is a registered user, for 2 months.
For the purposes referred to in section 3(m), your Personal Data will be processed for 25 months from the gathering.
Further information on the data retention periods and the criteria adopted in determining these periods may be requested in writing from the Data Controller or from the DPO.
7. Data subjects’ rights
Notwithstanding the obligations or faculties to retain the Data described in paragraph 6 above, you are entitled at any time to request access your Personal Data, to correct, erase or object, under the conditions provided for by Art. 21 of the GDPR, to their processing; you are entitled to request the restriction of their processing in the cases provided for by art. 18 of the GDPR, and to obtain, in a structured and commonly used and machine-readable format, the data regarding you (data portability), in the cases under art. 20 of the GDPR.
Requests are sent in writing from here or by sending a written request to dpo(at)register.it. To exercise the right to portability and obtain further information on its content, please open the following link: https://www.register.it/portabilita-dei-dati/?lang=en.
It should be noted that, if you request erasure of your Personal Data but you have not withdrawn the previously given your consent for the purposes set out in paragraph 3(g), you may continue to receive any promotional e-mails previously scheduled for the time frame between the deletion of your Data and the technical time of a few hours necessary to update the systems for sending promotional e-mails.
Furthermore, in the case of requests from data subjects regarding the reporting of abuse in the use of the Services or of spamming - activities already prohibited by contract as set out in par. 8 of the General Conditions of Service - carried out by a Register Customer (it should be noted that such customer typically acts as a data controller pursuant to the GDPR), and in the case of any further requests for the exercise of the rights under art. 15 and ensuing articles of the GDPR, Register, without going into the details of the request, will, on the one hand, promptly inform the customer/data controller and, on the other, provide the data subjects with the details of the customer/data controller.
In any case, you will always be entitled to file a complaint with the competent supervisory authority (the Italian Data Protection Authority), pursuant to art. 77 of the GDPR, if you believe that the processing of your data violates applicable law, as well as to seek judicial redress through the courts (art. 79 of the GDPR).
Previous version valid till 09/07/2023 available here