Transfer of personal data to SWITCH regarding the registration of
.ch domain names under GDPR:
What is the legal situation?
Starting position: conflict GDPR and WHOIS database
ICANN requires registries to publicly publish various personal data of the domain name holder
in the WHOIS database. However, the EU General Data Protection Regulation (GDPR),
which will be directly applicable as from May 25th 2018, prohibits under the principle of data
minimisation an excessive collection of personal data and, in general, the processing of personal
data without justification. Most WHOIS databases in their current form are therefore not
compliant with the GDPR.
SWITCH as registry of the ccTLD “.ch“ would like to inform registrars with the present letter,
whether and why they may continue to transfer personal data to SWITCH regarding registration
of .ch domain names and whether or why SWITCH may continue to make this data publicly
accessible in the WHOIS database.
Justification for data processing by SWITCH
SWITCH as registry requires registrars to disclose various data in order to register a .ch domain
name. Many of these data are personal data, which is why a justification is required for
the processing of the data according to GDPR (Art. 6 GDPR). However, the GDPR does not
apply to SWITCH as registry in the absence of the conditions set out in Art. 3 (2) GDPR and
a justification for its processing is therefore not required. Nevertheless, SWITCH has a legal
basis for data processing, as listed below, which would also serve as a justification under the
As the registry of the .ch domain names, SWITCH is bound by the Ordinance on Internet
Domains (OID) of 5 November 2014 (SR 784.104.2). Art. 10 para. 1 lit. a OID obliges SWITCH
in its function as registry to ensure the installation, management and updating of a WHOIS
database, among other things. Art. 46 para. 1 OID specifically requires the publication of the
following information in the WHOIS database:
– designation of the allocated domain name and ACE string (lit. a);
– full name and postal adress of the holder of the domain name (lit. b);
– with an activated domain name: data of the assigned name servers (lit. c);
– name and postal address of the person with technical responsibility (lit. f);
– if a domain name is or is not protected by the DNSSEC system (lit. g);
– date of the first allocation of the domain name (lit. h);
– full name of the registrar acting on the behalf of the holder of the domain name concerned
Art. 24 para. 2 lit. b no. 2 OID then requires the disclosure of the holder’s e-mail address to
the registry for the processing of a registration application. SWITCH therefore also requires
the registrar to provide the e-mail address, but which is not published in the WHOIS database.
In this respect, SWITCH has a legal basis according to Art. 6 (c) GDPR respectively a legitimate
interest as a result of the implementation of Swiss law according to Art. 6 (b) GDPR for
storing and publishing the data in the WHOIS. Thus, there is a justification and the processing
of the personal data mentioned would be lawful even if the GDPR were applicable.
The legal basis for the lawful transfer of personal data by the registrars to SWITCH is
Art. 6 (1) (b) GDPR, as the disclosure of the data to SWITCH is required for the registration
of a domain and thus for the performance of the contract with the holder. Foreign registrars
may also transfer data to SWITCH from the point of view of transfer of personal data to third
countries, as Switzerland as a third country offers an adequate level of data protection pursuant
to the adequacy decision of the European Commission.
Conclusion: Legality of data transfer to SWITCH
In summary, SWITCH and the registrars have a justification for processing the following personal
– domain name
– name and postal adress of the holder
– name and postal adress of the person with technical responsibility
– the full name of the registrar
– e-mail address of the holder
Even after May 25th 2018, registrars will therefore continue to be able to transfer the personal
data mentioned to SWITCH for the registration of .ch domain names without infringing the
We will keep you informed about further developments in connection with data protection and
will be happy to answer any questions and concerns at any time.