This article contains Frequently Asked Questions about GDPR:

  • What is GDPR?
  • Who is impacted by GDPR?
  • Is Web.com the Controller or Processor of data?
  • When does GDPR go into effect?
  • What do I need to do in order to comply with GDPR?
  • What is Web.com doing to achieve compliance?
  • Whom should I contact for privacy-related issues?
  • Does Web.com maintain a data retention policy?
  • When personal data is no longer needed by Web.com for processing, accounting, or other legal reasons, will it systematically be deleted?
  • How will Web.com manage DSARs (Data Subject Access Requests) from its EU customers?
  • How will Web.com manage DSARs (Data Subject Access Requests) from Resellers, Affiliates, and Private Label Partners?
  • How long will it take Web.com to process a DSAR?
  • Are there circumstances where requests to be “forgotten” cannot be processed?
  • How will Web.com manage WHOIS masking for EU residents?
  • Will Web.com be implementing tiered access for its WHOIS database?
  • How will domain transfers work in a post-GDPR environment?

For general information on GDPR, visit: https://www.eugdpr.org. Please click here for a list of definitions that apply to the GDPR regulation.

What is GDPR?

GDPR stands for General Data Protection Regulation. This is a new regulation which will govern the data privacy of EU residents by:

  • Harmonizing data protection across EU member states
  • Requiring clear and conspicuous Consent
  • Providing Data Subjects with more powerful rights to their data and imposing tighter limits on the use of personal data
  • Placing more responsibility on companies Processing those individuals’ Personal Data

Who is impacted by GDPR?

The GDPR aims to protect all residents of the EU. The GDPR is applicable to nearly all EU organizations and non-EU organizations if they:

  • Offer goods or services to EU residents, and/or
  • Monitor the behavior of EU residents

Is Web.com the Controller or Processor of data?

That depends on the service that Web.com is offering to its customers. Please click here to see Article 4 of the GDPR, which defines the different roles and responsibilities for both Data Controllers and Data Processors.

As part of our compliance efforts, Web.com has established a GDPR task force. If you are a business which resells Web.com services, you may determine it is beneficial to establish your own internal team to review and ensure compliance with the GDPR obligations.  

When does GDPR go into effect?

The GDPR will be effective May 25, 2018.

What do I need to do in order to comply with GDPR?

Please click here to read the full text of the regulation. We recommend you review the regulation and any responsibilities you may have, which will differ depending on your business or organization's activities and practices. As Web.com progresses its compliance efforts, we may reach out to you with more information relevant to our relationship with you.

What is Web.com doing to achieve compliance?

  • We are taking a global approach to compliance and driving a centralized data privacy program with privacy by design at its core. 
  • We have established an internal GDPR task force made up of key members from all major departments throughout the company.
  • We are engaging top of the line privacy management software and consulting with international firms and privacy experts. 
  • Additionally, Web.com is already one of only approximately 2,600 companies to be Privacy Shield certified.  
  • We are continuously educating, supporting and guiding our stakeholders with training, FAQs, and online resources.

Whom should I contact for privacy-related issues?

Please email privacy@web.com.

Common Terms Associated with the GDPR Regulation

Here is a list of terms and their corresponding definitions, common to the GDPR regulation, as referenced in this article: 

Personal Data

Personal Data means any information relating to an identified or identifiable natural person ('Data Subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Personal Data can include but is not limited to name, email address, posts on social networking websites, medical information, and computer IP address.

Data Processor

Data Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Data Controller.

Consent

Consent of the Data Subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the Processing of Personal Data relating to him or her.

Processing

Processing means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Data Controller

Data Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Data Subject

Data Subject means an identified or identifiable natural person.

Does Web.com maintain a data retention policy?

Yes.  In addition to GDPR, Web.com, as a publicly traded company, complies with a number of regulations that include financial and data retention obligations. These include, but are not limited to, Securities and Exchange Commission (SEC) regulations, Sarbanes-Oxley Act (SOX), Health Insurance Portability & Accountability Act (HIPAA), and The Payment Card Industry Data Security Standard (PCI DSS).     

When personal data is no longer needed by Web.com for processing, accounting, or other legal reasons, will it systematically be deleted?

Yes, in accordance with our data retention policy, personal data will systematically be deleted when it is no longer needed for processing, accounting, or other legal reasons.     

How will Web.com manage DSARs (Data Subject Access Requests) from its EU customers?

Web.com has created a DSAR portal located here which can be utilized by its EU customers to submit DSAR requests. This portal is reserved for Web.com EU customers only.  

How will Web.com manage DSARs (Data Subject Access Requests) from Resellers, Affiliates, and Private Label Partners?

Web.com has created a DSAR portal located here which can be utilized by resellers, affiliates, and private label partners to submit DSAR requests on behalf of their EU customers. This portal is reserved for partner use only.  We will only process requests submitted by a partner on behalf of their EU customers. Direct customer requests will not be processed through this portal.

Please note that under GDPR, Resellers, Affiliates, and Private Label partners serve as the Data Controller. As such, they are responsible for implementing their own customer-facing solutions and policies in order to comply with GDPR.

How long will it take Web.com to process a DSAR?

As per the GDPR, a DSAR will typically be handled within thirty (30) days but under extenuating circumstances may be processed within sixty (60) days.

Are there circumstances where requests to be forgotten cannot be processed? 

Yes.  Data subjects have the right to request the erasure of personal data under specific conditions. However, a number of our services, including but not limited to domain registration services, will be assessed to determine if we still need to retain the data for processing purposes.  For example, we cannot remove data we retain for an active domain name holder because the data is still relevant for registration purposes. In addition, as an accredited ICANN registrar we are contractually obligated to keep certain data regarding registered name holders for the life of the domain name plus two (2) years.  

How will Web.com manage WHOIS masking for EU residents? 

In order to comply with GDPR, and protect personally identifiable information (PII), Web.com will mask certain fields in the WHOIS output for EU residents. A sample of this output is detailed below:

Domain Name: sampledomain.com
Registry Domain ID: 142700135_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.register.com
Registrar URL: http://www.register.com
Updated Date: 2017-12-04T08:00:03Z
Creation Date: 2005-02-16T23:28:11Z
Registrar Registration Expiration Date: 2019-02-16T23:28:11Z
Registrar: Register.com, Inc.
Registrar IANA ID: 9
Reseller: 
Domain Status: clientTransferProhibited http://icann.org/epp#clientTransferProhibited
Registry Registrant ID: Statutory Masking Enabled
Registrant Name: Statutory Masking Enabled
Registrant Organization: Statutory Masking Enabled
Registrant Street: Statutory Masking Enabled
Registrant City: Statutory Masking Enabled
Registrant State/Province: 
Registrant Postal Code: Statutory Masking Enabled
Registrant Country: BE
Registrant Phone: Statutory Masking Enabled
Registrant Phone Ext.: Statutory Masking Enabled
Registrant Fax: Statutory Masking Enabled
Registrant Fax Ext.: Statutory Masking Enabled
Registrant Email: abuse@web.com
Registry Admin ID: 
Admin Name: Statutory Masking Enabled
Admin Organization: Statutory Masking Enabled
Admin Street: Statutory Masking Enabled
Admin City: Statutory Masking Enabled
Admin State/Province: Statutory Masking Enabled
Admin Postal Code: Statutory Masking Enabled
Admin Country: Statutory Masking Enabled
Admin Phone: Statutory Masking Enabled
Admin Phone Ext.: Statutory Masking Enabled
Admin Fax: Statutory Masking Enabled
Admin Fax Ext.: Statutory Masking Enabled
Admin Email: Statutory Masking Enabled
Registry Tech ID: 
Tech Name: Statutory Masking Enabled
Tech Organization: Statutory Masking Enabled
Tech Street: Statutory Masking Enabled
Tech City: Statutory Masking Enabled
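
For anyone consuming this output in an enrichment or monitoring pipeline, the following added example (not Web.com's code) sorts the contact fields of a record into masked, empty and still-disclosed, and flags any disclosed field outside an allowlist. The function names and the allowlist are assumptions made for illustration; the allowlist simply mirrors the two registrant fields that carry values in the sample above.

```python
MASK = "Statutory Masking Enabled"      # mask string shown in the sample output
ROLES = ("Registrant", "Admin", "Tech")
# Assumption: fields expected to stay populated, taken from the sample above.
ALLOWED = {"Registrant Country", "Registrant Email"}

# Constructed input: a subset of the lines from the sample output above.
SAMPLE = """\
Domain Name: sampledomain.com
Registrar: Register.com, Inc.
Registry Registrant ID: Statutory Masking Enabled
Registrant Name: Statutory Masking Enabled
Registrant State/Province:
Registrant Country: BE
Registrant Email: abuse@web.com
Registry Admin ID:
Admin Name: Statutory Masking Enabled
Admin Email: Statutory Masking Enabled
Tech Name: Statutory Masking Enabled
"""

def parse_whois(text):
    """Return ordered (key, value) pairs; split on the first colon only."""
    pairs = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            pairs.append((key.strip(), value.strip()))
    return pairs

def is_contact_field(key):
    """True for Registrant/Admin/Tech fields, including 'Registry <role> ID'."""
    name = key[len("Registry "):] if key.startswith("Registry ") else key
    return any(name.startswith(role + " ") for role in ROLES)

def classify(text):
    """Bucket every contact field as masked, empty or disclosed."""
    report = {"masked": [], "empty": [], "disclosed": []}
    for key, value in parse_whois(text):
        if not is_contact_field(key):
            continue  # registrar and domain metadata is not contact data
        if value == MASK:
            report["masked"].append(key)
        elif not value:
            report["empty"].append(key)
        else:
            report["disclosed"].append((key, value))
    return report

def unexpected_disclosures(text, allowed=ALLOWED):
    """Disclosed contact fields that are not on the allowlist."""
    return [(k, v) for k, v in classify(text)["disclosed"] if k not in allowed]
```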

Will Web.com be implementing tiered access for its WHOIS database?

At this time, Web.com does not plan to implement tiered access for its WHOIS database. However, ICANN and its Stakeholders are actively working toward a uniform solution which will help meet the needs of the broader global community.   

How will domain transfers work in a post-GDPR environment?

Web.com will comply with its obligations under the ICANN 2013 RAA (Registrar Accreditation Agreement) with regard to intra-registrar transfers as well as the Temporary Specification for gTLD Registration Data which can be found at this page.  

The information contained herein in no way constitutes legal advice. Any person who intends to rely upon or use this information in any way is solely responsible for independently verifying the information and obtaining independent expert advice if required.