Register SpA with registered office in viale della Giovine Italia 17, Florence, CAP 50122 (hereinafter the "Data Controller" or "Register”) is constantly committed to protecting the privacy of its users. This document contains information on our policies regarding privacy, to give an understanding of how your Personal Data is processed in the scope of domain name registration and management activities.
In accordance with the provisions of Regulation (EU) 2016/679 (the “GDPR”) and Legislative Decree 196/2003 and subsequent amendments (the Italian "Privacy Code"), the processing carried out by Register is based on the principles of lawfulness, fairness, transparency, limitation of purpose and retention, data minimization, accuracy, integrity and confidentiality.
The corporate structure of Register includes a Data Protection Officer or "DPO"). The DPO is available to provide any information regarding the Processing of Personal Data carried out by Register. The DPO can be contacted by writing to firstname.lastname@example.org.
1. 1. Roles and responsibilities in the processing of domain name registration data
The domain name (often simply called a "domain”) is a name associated with an IP address on the Internet.
A domain is made up of several parts, one of which is the extension, also referred to as the top-level domain (“TLD”), which is the part of the domain that follows the dot.
There are two categories of TLDs:
• generic TLDs (generic top-level domain or "gTLD”): for example .com, .org, .info, .biz etc., which have international diffusion;
• National TLDs (country code top-level domain or "ccTLD”): are the domains referring to a country. For example, the ccTLD for Italy is .it.
Three different subjects are involved in the process of registering a domain name: Registry, Registrar and Registrant.
The term "Registry” refers to a national or international body responsible for establishing rules and procedures for the assignment of domain names, the management of registers and the primary nameservers of the various TLDs.
For example, in Italy, the ccTLD “.it” is maintained by the NIC.it or Registro.it, which is the Registry for the “.it” extension and is part of the "Institute of Informatics and Telematics" division of the CNR in Pisa.
The complete list of Registries and related policies can be viewed at this link: https://www.iana.org/domains/root/db and on the Register website at this link https://www.register.it/company/legal/policy-tld-e-gtld/.
The term "Registrar” refers to an organization authorized by the Registry to carry out operations on the domains of the TLD for which it has accreditation. The Registrar of a gTLD domain name can be verified by accessing the ICANN service available on this page: https://lookup.icann.org/. To check the Registrar of a ccTLD domain, on the https://www.iana.org/domains/root/db page, you can find the web address of the corresponding Registry of interest, which provides the whois/RDAP individual Registry search service.
Lastly, the term "Registrant” refers to the natural or legal person who registers a domain name.
In practice, to register a domain name, the Registrant submits a request to the Registrar who, in turn, forwards the request to the competent Registry, which determines whether the conditions for registration are met. If the assessment is successful, the domain name will be registered in the name of the Registrant, who will become the assignee and thus able to claim the rights in accordance with the applicable legislation, for the times indicated in the stipulated service contract.
After registration of a domain name with gTLD extension, the Personal Data relating to the assignee of the domain name in question will usually be published, and therefore disseminated, in the public WHOIS/RDAP database, and can be consulted using the Registration data lookup tool (https://lookup.icann.org/en) made available by ICANN for domain names with gTLD extension.
Domain names with the ccTLD extension may be published on the WHOIS databases managed by the corresponding Registries, according to the policies of each Registry.
Register typically qualifies as Data Controller with respect to the processing of data for the registration and management of domain names. However, Register’s privacy role as Registrar is decided – according to case – by the competent Registry for the gTLD or ccTLD for which registration is requested. For example, for the “.it” ccTLD, the competent Registry (NIC.it/Registro.it) takes the role of independent Data Controller and qualifies Register as Data Processor, based on the non-negotiable provisions of the contract, freely available on-line here which Register is required to stipulate with the aforementioned Authority. This means that with regard to processing activities associated with management of “.it” extensions (and all the other extensions for which the competent Registry qualifies the Registrar as Data Processor), information on the processing and requests to exercise the Data Subject rights (see section 8 of this Information) must be addressed to the Registry competent for the extension to be registered.
Furthermore, if additional third party Personal Data is required in order to register a domain name (such as, but not limited to, the contact details of the Administrator - or “Admin-C” – and Technical Manager – or “Tech-C” – of a given domain name), Register typically acts as Data Processor with respect to that Personal Data. In this case, you act as independent Data Controller, assuming all legal obligations and responsibilities. In this way you grant the broadest possible indemnity against any objection, claim, request for compensation for damage due to processing, etc., which could reach Register from said third parties if their data has been processed in breach of the applicable Personal Data protection regulations. In any case, if you provide the Personal Data of third parties as part of the registration of a domain name, you must guarantee from thereon in - assuming all related responsibility - that this particular processing activity is based on an appropriate legal basis pursuant to art. 6 or 49(c) GDPR, which legitimises the processing of the data in question.
2. The Personal Data subject to processing
As regards Personal Data processing carried out as part of the domain name registration service, it should be noted that Register will only carry out the processing strictly necessary for providing the service and for the billing and accounting management of the domain name, unless further processing carried out on the basis of an appropriate legal basis pursuant to art. 6 GDPR (consent, for example).
The data collected by Register as part of a domain name registration request includes only the data strictly necessary for providing the service, which the Data Subject provides at the domain name registration stage, and is listed in the Service Order available at this address: https://www.register.it/company/legal/ods-registrazione-nomi-dominio.html.
In certain specific cases, we may request copy of an identity document for particularly sensitive operations, such as requests to erase a domain name or requests to change the assignee.
The provision of such data is in itself optional; however, in its absence, Register will not be able to provide the requested service.
3. Purpose of processing
The processing carried out by Register is based on the principles of fairness, lawfulness, transparency and the protection of Data Subject privacy.
The information and data you provide are used exclusively:
• for domain name registration and management purposes, which involves verifying the data provided for the registration, billing and accounting management of the domain name, assistance and support in its management, ancillary operations such as requests for erasure, transfer or change of owner, as well as the communication of important information on the renewal of the domain ("Provision of the Service”);
• for security purpose and the prevention of fraudulent conduct ("Abuse and Fraud Prevention”);
• to fulfil legal obligations, in particular those deriving from the legislation in force on the registration of domain names ("Compliance”);
• to communicate the data necessary for registration to independent third-party data controllers, such as the Registries competent, according to case, for the extension to be registered ("Data communication to independent third party controllers”);
• to protect the industrial property rights of third parties, or to verify reports of abuse allegedly committed by you to the detriment of third parties, for example, for the protection of industrial property rights ("Protection of legitimate third party interests").
4. Lawful basis of Processing and Provision of Personal Data
Processing for the purpose of Provision of the Service and Data communication to independent third-party controllers is necessary in order to execute the service contract between you and Register, pursuant to art. 6(1)(b) GDPR. The provision of such data is in itself optional; however, in its absence, Register will not be able to provide the requested service.
Processing for the purpose of Abuse and Fraud Prevention is based on Register's legitimate interest in preventing fraud and scams committed to its detriment or to the detriment of its customers, pursuant to art. 6(1)(f) GDPR and on the basis of Recital 47 GDPR.
Processing for purpose of Protection of legitimate third party interests is based on the legitimate interest of said third parties to protect their rights, such as industrial property rights, or in the event of abuse allegedly committed by you to the detriment of said third parties. This processing activity is legitimate pursuant to art. 6(1)(f) GDPR.
Processing for the purpose of Compliance is legitimate pursuant to art. 6(1)(c) GDPR. Once the Personal Data has been provided, further processing may be necessary to fulfil certain legal obligations to which Register is subject. This type of Processing may not be opposed, given that it is based on legal obligations.
5. Personal Data Recipients
For purposes strictly related to the provision of the service, the Personal Data of the domain name holder (as well as of third parties like Admin-C and Tech-C, if required for registering the specific domain name with the competent Registry), may be communicated to third parties acting as independent Data Controllers.
In specific terms, this data will be communicated to the national and foreign Registries to which Register is required to send the technical and administrative documentation required by sector legislation, as well as to any other subjects accredited for the registration of domain names with extensions for which Register is not accredited. The latter subjects typically act as Data Processors on behalf of Register.
The sharing of data with independent third-party Data Controllers is necessary for the Provision of the Service, and finds its lawful basis in art. 6(1)(b) GDPR.
The Registries will process the Registrants’ data to keep the register of domain names updated and to ensure compliance with the relevant applicable laws and policies. We invite you to consult the privacy notices issued by the relevant Registry from time to time.
Register may be required to communicate your personal data to the Internet Corporation for Assigned Names and Numbers (hereinafter, "ICANN"), in order to comply with ICANN policies and procedures.
ICANN also requires Register, as Registrar, to deposit copy of the data necessary for domain name management as escrow with an accredited Escrow Agent. For this service, Register uses the company NCC Group Software Resilience (NA) LLC (hereinafter, "NCC”), located in the United States and designated by ICANN.
It should be noted that for gTLD extensions, and in some cases also for ccTLD extensions if permitted or required by the competent Registry, Register may be required to communicate your data to third parties for the purpose of Abuse and Fraud Prevention, on the basis of art. 4 of the ICANN Temporary Specification for gTLD Registration Data, available at this link https://www.icann.org/resources/pages/gtld-registration-data-specs-en/#4 or for ccTLDs, on the basis of the policies issued from time to time by the competent Registry.
Upon explicit, detailed request, Register may also communicate the Personal Data of a domain name to third parties, based on its own legitimate interest, for the purpose of protecting its rights (including industrial property rights), and the Protection of legitimate third-party interests.
6. Personal Data Transfer
As part of the domain name registration services, the data is communicated to the subjects listed in section 4 of this privacy notice, which may be located outside the European Economic Area (the "EEA”), such as ICANN and NCC, or the Registry of the country of interest where the ccTLD or gTLD is to be registered.
Register ensures that the processing of your Personal Data by these Recipients takes place in compliance with the GDPR.
The lawful basis of the aforementioned transfers to the Registries competent according to case is found in art. 49(1)(b) GDPR and art. 49(1)(c) GDPR, where transfer outside the EEA is necessary for the execution of the contract between Data Subject and Data Controller, or between Data Controller and a third party on behalf of the Data Subject.
With regard to data transfer to NCC in the scope of gTLDs registrations, or in the event Register uses third party Registrars for the registration of certain gTLD extensions, the transfers are conducted on the basis of the EU Commission's Standard Contractual Clauses, pursuant to art. 46 GDPR. In such an even, copy of the Clauses is available on request, subject to redaction of the parts containing personal data.
For more information, write to dpo(at)register.it.
7. Data Retention
Personal Data processed for the purposes of Provision of the Service and Data communication to independent third-party controllers will be kept for the time strictly necessary to achieve the indicated purposes. Furthermore, given that this Processing is carried out for provision of the domain name registration and management service, Register will process the Personal Data for the time permitted by Italian law to protect its interests (Article 2946 of the Italian Civil Code and subsequent amendments). In specific terms, it will keep the data necessary to provide evidence of its correct fulfilment of its contractual obligations for the period required by the legislation, which in general corresponds to the statutory limitation period for breach of contract proceedings.
For the purposes of Compliance, Personal Data will instead be kept for the period required by the specific obligation or applicable law.
For the purposes of Abuse and Fraud Prevention and Protection of legitimate third-party interests Personal Data will be kept for period required by Register to prevent and combat fraudulent conduct and to protect the legitimate interests of third parties, i.e. for 10 years.
Further information on Personal Data retention periods and the criteria used to determine these periods can be obtained by writing to the Data Controller or the DPO.
8. Data Subject Rights
Without prejudice to the obligations or powers to retain Personal Data set forth in paragraph 6, you have the right to ask Register, at any time, for access to your Personal Data, its correction, erasure or limitation of processing in the cases contemplated by art. 18 GDPR, as well as to obtain the data concerning you in a structured, commonly used and machine-readable format (portability), in the cases contemplated by art. 20 GDPR, for the purpose of Provision of the Service.
You have the right to object to the processing of your personal data for the purpose of Abuse and Fraud Prevention, in the cases contemplated by art. 21 GDPR.
Such requests can be made by filling in this form or by writing to dpo(at)register.it.
To exercise the right to portability and obtain more information on its content, go to: https://www.register.it/portabilita-dei-dati/
In ogni caso lei ha sempre diritto di proporre reclamo all'autorità di controllo competente (Garante per la Protezione dei Dati Personali), ai sensi dell'art. 77 del Regolamento, qualora ritenga che il trattamento dei suoi dati sia contrario alla normativa in vigore, o di adire le opportune sedi giudiziarie (art. 79 del Regolamento).
In all cases, you always have the right to lodge complaint with the competent Supervisory Authority (Personal Data Protection Authority), under art. 77 GDPR, if you believe that the processing of your data is in conflict with the legislation in force, or exercise the right to an effective judicial remedy (art. 79 GDPR).