SWITCH regarding the new General Data Protection Regulation GDPR

Transfer of personal data to SWITCH regarding the registration of
.ch domain names under GDPR:

What is the legal situation?

  • Starting position: conflict between GDPR and WHOIS database

    ICANN requires registries to publish various personal data of the domain name holder
    in the WHOIS database. However, the EU General Data Protection Regulation (GDPR),
    which will be directly applicable as of May 25th 2018, prohibits under the principle of data
    minimisation an excessive collection of personal data and, in general, the processing of personal
    data without justification. Most WHOIS databases in their current form are therefore not
    compliant with the GDPR.
    SWITCH as registry of the ccTLD “.ch” would like to inform registrars with the present letter
    whether and why they may continue to transfer personal data to SWITCH regarding registration
    of .ch domain names and whether and why SWITCH may continue to make this data publicly
    accessible in the WHOIS database.

  • Justification for data processing by SWITCH

    SWITCH as registry requires registrars to disclose various data in order to register a .ch domain
    name. Many of these data are personal data, which is why a justification is required for
    the processing of the data according to GDPR (Art. 6 GDPR). However, the GDPR does not
    apply to SWITCH as registry in the absence of the conditions set out in Art. 3 (2) GDPR and
    a justification for its processing is therefore not required. Nevertheless, SWITCH has a legal
    basis for data processing, as listed below, which would also serve as a justification under the
    GDPR.
    As the registry of the .ch domain names, SWITCH is bound by the Ordinance on Internet
    Domains (OID) of 5 November 2014 (SR 784.104.2). Art. 10 para. 1 lit. a OID obliges SWITCH
    in its function as registry to ensure the installation, management and updating of a WHOIS
    database, among other things. Art. 46 para. 1 OID specifically requires the publication of the
    following information in the WHOIS database:
    – designation of the allocated domain name and ACE string (lit. a);
    – full name and postal address of the holder of the domain name (lit. b);
    – with an activated domain name: data of the assigned name servers (lit. c);
    – name and postal address of the person with technical responsibility (lit. f);
    – whether or not a domain name is protected by the DNSSEC system (lit. g);
    – date of the first allocation of the domain name (lit. h);
    – full name of the registrar acting on behalf of the holder of the domain name concerned
    (lit. i).

    Art. 24 para. 2 lit. b no. 2 OID then requires the disclosure of the holder’s e-mail address to
    the registry for the processing of a registration application. SWITCH therefore also requires
    the registrar to provide the e-mail address, which, however, is not published in the WHOIS database.
    In this respect, SWITCH has a legal basis according to Art. 6 (c) GDPR respectively a legitimate
    interest as a result of the implementation of Swiss law according to Art. 6 (b) GDPR for
    storing and publishing the data in the WHOIS. Thus, there is a justification and the processing
    of the personal data mentioned would be lawful even if the GDPR were applicable.
    The legal basis for the lawful transfer of personal data by the registrars to SWITCH is
    Art. 6 (1) (b) GDPR, as the disclosure of the data to SWITCH is required for the registration
    of a domain and thus for the performance of the contract with the holder. Foreign registrars
    may also transfer data to SWITCH from the point of view of transfer of personal data to third
    countries, as Switzerland as a third country offers an adequate level of data protection pursuant
    to the adequacy decision of the European Commission.

  • Conclusion: Legality of data transfer to SWITCH

    In summary, SWITCH and the registrars have a justification for processing the following personal
    data:
    – domain name
    – name and postal address of the holder
    – name and postal address of the person with technical responsibility
    – the full name of the registrar
    – e-mail address of the holder
    Even after May 25th 2018, registrars will therefore continue to be able to transfer the personal
    data mentioned to SWITCH for the registration of .ch domain names without infringing the
    GDPR.
    We will keep you informed about further developments in connection with data protection and
    will be happy to answer any questions and concerns at any time.