Privacy, Data Protection and the GDPR as it relates to the .AS Domain Registry (V 1.0)

Introduction

The European General Protection Regulation comes into effect for most of Europe from 25 May 2018.

Historically, the .AS Domain Registry has maintained a strong privacy-oriented policy since we began operation in June 1997. We have never shared our zone file with third parties, including ICANN or the IANA. We have never sold Registrant, Administrative, Technical, nor Billing contact information to third parties.

Additionally, we have limited sharing of our data to the maximum extent possible. Generally, when asked for such information, the Registry’s response has almost always been “No.” There are exceptions to this of course, both in the past and continuing forward subsequent to the implementation of the GDPR, as, for example, when executing a transfer of a domain from one Registrar to another, or in response to a request from law enforcement back-stopped by a subpoena.

We will continue this policy of minimal data sharing to third parties when the GDPR comes into effect.

Changes to “whois”

The Port 43 “whois” will further limit what little information that we have always provided, blocking the Registrant’s name if the Registrant is a person rather than a Corporate entity.

The web based “whois”, available at https://www.nic.as, will also block the Registrant’s name in the case that the registrant is an individual, rather than a Corporate entity.

Use of your Data

In the course of registering domain names, we do store or process personal information. Personal data is defined as information that relates to an identified or identifiable individual.

So how do we treat and process your personal data?

Here are a couple of examples.

If you make a payment to us using a credit or debit card, you have to provide us with your name, the billing postal address of your credit or debit card, as well as some additional information that is required for us to successfully have our bank process your payment. In this case, your credit or debit card details are passed from us to our bank so that they can process your payment.

If you are associated with a Registration (either as the Registrant, or any of the Administrative, Technical, or Billing Contacts), we need to collect some personal information about you, such as your name, address, telephone number and email address so that we can contact you about the domain name if we have to, and also to be able to verify your identity if you contact us.

Your Rights

You can ask us at any time to let you know:

(a) What personal information we possess

(b) How we specifically process this information

and we will provide you this explanation. This information will be provided via registered postal mail for security purposes once we have verified your identity and recipient postal address.

You also have the right to request an explanation from us regarding:

(a) The purpose of the processing of your personal data

(b) The categories of personal data that we hold

(d) The time period for which we expect to store your data and whether or not we take any decisions automatically on the basis of your personal data

You also have the right to request that we correct, erase, or restrict processing of the data about you in our possession, subject to the requirements regarding the minimum amount of data we must hold in order to maintain a valid domain registration.

You may also ask us to inform you about the source of the data, which will usually be from you yourself, your agent ("registrar") or your company (if listed as a contact person for them).

Lastly, if you remain dissatisfied with anything related to how we are holding or processing your personal data, you may lodge a complaint with the appropriate Data Protection Authority.

If you have questions or concerns regarding our data privacy policy, please email the Registry at registration-staff@nic.as with the subject line beginning “GDPR Question”.