GDPR for HEXONET Resellers
The General Data Protection Regulation, GDPR, is European legislation to protect the privacy and personal information of individuals living in the European Union. The purpose of the Regulation is to regulate data protection in a uniform manner throughout the EU, to give EU citizens better control over their personal data and to regulate how controllers (companies and organizations) may use personal data.
Even if you are not a European reseller or you don't even have a single customer who lives in Europe, you will be affected since the changes that HEXONET must make are universal and system wide. Moreover, resellers too are subject to the GDPR and its punitive fines. The good news is that HEXONET is trying to do as much of the heavy lifting for you as possible. The bad news is that some aspects of GDPR can only be handled by you, the reseller. We are here to help.
Understand the GDPR Regulation
Though HEXONET is minimizing the effects of GDPR on our resellers, you are still required to read up on the GDPR and understand its impact on your operations, systems, processes, and service agreements. Ignorance is not an excuse. To help, here are some places to start on getting familiar with GDPR:
Read how HEXONET is compliant with GDPR and read our Reseller GDPR policy
As a reseller of HEXONET you can be assured we are GDPR compliant. Information on HEXONET GDPR compliance and our Reseller GDPR policies are on our website here.
Confirm the Reseller Data Processing Agreement Addendum
The GDPR places different responsibilities on protecting personal data depending on whether a company or organization is a "Controller" or a "Processor" of that data. As a reseller, you are acting as a processor to collect and transfer registration data on our behalf. The Data Processing Agreement Addendum outlines how you are to process personal data on our behalf in a GDPR compliant way. Resellers must have agreed to, signed and submitted our Reseller Data Processing Agreement to become or maintain their reseller status.
More Service Agreement changes pending
Every service agreement from HEXONET will be adjusted to be compliant with GDPR. It is the reseller's responsibility to read all the updates and changes to our policies as they are announced. The underlying registries and ICANN are in a state of flux right now and as a result multiple changes to the following agreements may ensue:
- Terms of Service
- Website Use
- Registrant Agreement
- Reseller Agreement
- SSL Agreement
- DNS Agreement
- Aftermarket Agreement
- gTLD Domain Registration Policies
- ccTLD Domain Registration Policies
Domain Registration Changes under GDPR for Resellers
HEXONET is working to save our resellers time and work. For the most part, most domain extensions (for now) have minimal changes. However, since GDPR is new for the domain name industry and also for most registries, there is a potential for changes with larger impacts in the near future.
A. WHOIS Output - Privacy of Personal Data
The WHOIS output is changing, but the results depend on the type of underlying registry.
- ccTLD registries in the European Union (respective registry controls its own WHOIS). Most EU based registries, even now, either completely or partially do not publish registrant data for individuals. Please be aware that WHOIS output is not consistent across countries. For instance, local Danish law requires that .DK domain names show registrant information regardless of GDPR.
- ccTLD registries in the rest of the world (respective registry controls its own WHOIS). Most registries outside of the EU are not changing their WHOIS and many do not hide the registrant data. If your customers register one of these domain names, their personal data may be exposed through the respective registry's WHOIS.
- gTLD registries (registrar is joint controller of the WHOIS). HEXONET will be redacting all personal data elements in the WHOIS output. For the registrant email, though, a link will be provided to a web form where third parties can contact the registrant, administrative or technical contact without knowing the underlying email address. Resellers wishing to reuse a non-branded version of the web form can point to https://send-message.ispapi.net.
For TLDs that you resell, provide in your own registrant/registration agreement links to the domain policies of the respective registries. By providing these legal links, your customer/registrant has to agree to the WHOIS policy of the domain extension they are purchasing. Moreover, since the WHOIS is changing the most for gTLDs (personal data is completely disappearing), you may wish to inform your customers and support staff of the redaction.
B. WHOIS Output - Opt-In to Make Public Personal Data
Some of your customers may wish (consent) to have part or all of their personal data publicly displayed in the WHOIS for gTLDs. Registrants can turn on this feature in the Control Panel by consenting and agreeing to the terms of publication. This feature will also be available via the API, which we recommend resellers implement with a consent flag to record the registrant's agreement to disclosure.
C. WHOIS Output - Disclosure Exceptions for Legal and Abuse
Though personal information for a domain registration may now generally be hidden (protected), some entities like law enforcement, consumer protection, quasi-governmental or other similar authorities have the right to disclosure. Additionally, commercial law firms and attorneys may require contact information for issues of trademark, copyright and the like. Resellers may want to inform their customers/registrants that these agencies can still gain access to their personal information upon a valid request.
D. Form of Authorization Not Required for Incoming Transfers for gTLDs
Incoming domain name transfers used to require express authorization from either the Registered Name Holder or the Administrative Contact through the Standardized Form of Authorization (FOA). Now, only a valid authorization code is needed to process the transfer.
Once the domain transfer has completed, the registrant, administrative, technical and billing contacts will be empty. Resellers must notify their customers to re-enter all the proper and true contact data again. Failure to re-enter the contact data will increase the risk of losing the domain name. Moreover, HEXONET will be notifying resellers of domain names in their accounts with prolonged empty contacts, which is against both HEXONET and registry policies.
E. Expect More Changes to Specific TLDs
As stated before, with the industry still making changes for GDPR, resellers should expect more changes and updates for the next several months. HEXONET will always try to minimize the impact to resellers where possible, and we will do our best to provide all the information and advance notice available to us.