GDPR Retail, Hexonet Services Inc.

GDPR Policy for Direct Customers

Last Updated: May 29, 2018 - © HEXONET. All Rights Reserved.

The General Data Protection Regulation (GDPR) is European legislation that protects the privacy and personal information of individuals living in the European Union.

The purpose of the Regulation is to regulate data protection in a uniform manner throughout the EU, to give EU citizens better control over their personal data and to regulate how controllers may use personal data. At the same time, it is intended to ensure the free flow of personal data within the EU and to regulate the export of personal data outside the EU.

Even though GDPR is European legislation, HEXONET is extending the privacy and personal information protections for all our customers. Whether or not you live in the European Union, the rules and application of GDPR will serve to protect your personal data when purchasing or using any product or service with HEXONET - registration of a domain name, obtaining an SSL certificate, ordering a website, etc. HEXONET is fully compliant with the GDPR for all our direct customers.

HEXONET's GDPR Process and Schedule

As a German-based company, HEXONET has for years been required to comply with strict European privacy laws, many of which form the basis of GDPR. Therefore, HEXONET's existing policies, processes, operations, and infrastructure are already GDPR compliant. The single main focus for HEXONET now is working with the registries, third party service providers, and industry governing bodies (our partners), who are working towards becoming GDPR compliant themselves or, in the worst case, do not care about GDPR at all. Here is the GDPR schedule of actions and updates.

At the time of publishing this information (mid May 2018), many partners and registries in the domain industry are still in the process of reviewing their own policies. Thus, HEXONET will update our policies, contracts and information to you once these third parties have finalized their own.

HEXONET GDPR Compliance

For many years HEXONET has been compliant with German privacy regulation (many of these laws form the basis for GDPR) and as such HEXONET respects the privacy of our customers and visitors and is committed to protecting their personal information. We have further updated our policies and operations to be compliant with GDPR and will continue to work with our customers and partners to ensure ongoing compliance. Below you will find an overview of some of the principles enshrined in the GDPR, which we adhere to:

  1. Lawfulness, fairness and transparency. All personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.

  2. Purpose Limitation. Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. We only process personal data to the extent required to achieve the original purpose. There is no further processing or sharing of personal data outside of the original purpose.

  3. Data Minimisation. Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. Collecting as little personal data as possible is our default way of operating, and doing so makes protecting data and complying with privacy regulation easier.

  4. Data Accuracy. Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay. We require our customers and resellers to keep their personal data up to date as an integral part of our Terms of Service. We regularly purge and permanently delete accounts, together with the respective personal data, if customers cannot be contacted or do not respond to account inquiries.

  5. Storage Limitation. Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

  6. Integrity and Confidentiality. Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. Security of data and systems is one of HEXONET's top priorities. Our core architecture is multi-tiered with encryption and access credentials between tiers to ensure the highest level of protection. Organizationally, only authorized personnel that need access to personal data in the procurement or support of a service or product have access rights. We are also committed to providing notice within 24 hours if a data breach were to ever occur, which will include an explanation of the breach, resolution activities, and advice to customers on how to protect themselves.

  7. Data Subject Rights. The following rights can be claimed against the controller:

    • Right of access by the data subject, Art. 15 GDPR
    • Right to rectification, Art. 16 GDPR
    • Right to erasure (‘right to be forgotten’), Art. 17 GDPR
    • Right to restriction of processing, Art. 18 GDPR
    • Right to data portability, Art. 20 GDPR
    • Right to object, Art. 21 GDPR

    You also have the right to lodge a complaint with a supervisory authority about the processing of your personal data by the controller.

  8. Accountability. To demonstrate compliance in tangible ways, HEXONET has implemented a number of key activities to regularly review and improve our policies, organisational procedures, and technical service infrastructure to ensure we stay compliant to the highest degree.

    • Data Protection Officer (DPO): Our DPO is Andreas Konrad of law firm Rickert Rechtsanwaltsgesellschaft m.b.H (Kaiserplatz 7 - 9 53113 Bonn, Germany / Phone: +49.228748980).
    • Privacy Notices: HEXONET's Privacy Policy informs the public of what personal information we collect, how we use it, and how individuals can gain access to it to update or delete their data.
    • Audits and Privacy Impact Assessments: These reviews and checks ensure that HEXONET is continually compliant with prevailing privacy laws.
    • Special Third Party Assessment for GDPR: Specifically for compliance with GDPR, HEXONET has also contracted with legal experts to assist reworking all our service agreements, reviewing operational processes, and adjusting our systems infrastructure.

When registering a domain name, there are multiple parties involved and they all have distinct roles and responsibilities. Below, we offer a rough overview of the processing activities occurring when domain names are registered. However, you must read the policies issued by the registries operating the extension or Top Level Domain that you are interested in or have already registered as these policies vary a lot. The domain policies are found here:

Parties / Responsibilities / Controller / Processor

There are different concepts with respect to who is a controller and processor, which can be seen from the documentation by the registry.

For ccTLD registrations, typically the registry is the controller and we act as the processor on behalf of the registry for registering the domain name and maintaining the registration as well as making the domain name technically available via the Domain Name System (DNS).

For gTLD registrations, the registry, ICANN and the registrars are widely considered joint controllers for registration data. ICANN’s role is establishing the policies on aspects including the collection and publication of data as well as to ensure that the system is secure, stable and resilient. ICANN contractually requires the registrars to process personal data and enforces these contractual obligations, which - in part - are policies established by ICANN’s multistakeholder community.

The registry’s role is to maintain a central repository of all domain name registrations and to make these resolve via the Domain Name System (DNS). The registry does not offer domain name registrations directly to registrants. The registry is required to report on its activities to ICANN on a regular basis and ICANN may request registration data for contractual compliance purposes.

It is the registrar’s role to offer domain name registrations and potentially other services to the registrants. According to ICANN’s requirements, the registration data is collected by the registrar and then transferred to the registry.

Additionally, HEXONET is acting as controller for the purpose of managing your account, invoicing and customer support.

Where we are the controller according to Art. 4 VII GDPR, you may contact us here:

HEXONET GmbH, Talstraße 27, 66424 Homburg, Germany

If and where data is transferred to our Canadian entity HEXONET SERVICES INC., #2235 - 6900 Graybar Road, Richmond, B.C., Canada V6W 0A5, this is legally based on the EU Standard Contractual Clauses.

What data do we collect?

The data elements we need to collect depend on the registry’s requirements. As a minimum, these data elements are:

The same data elements might be required for additional contacts, such as Admin-C, Tech-C or Billing-C.

Additionally, we will collect the following data elements to create your customer account.

Registration of Domain Names

Registries have diverging policies on what data they request to be collected and transferred to the registry. Our collection of account holder data and registration data is based on Art. 6 I b GDPR to perform the contract. A registry may have policies that require the transfer of data to them based on that same clause or, where the transfer is not based on Art. 6 I b GDPR, it may be based on Art. 6 I f GDPR to enable the registry to run a central repository of registration data to help with the confirmation of ownership or with transfer disputes or to allow for the registry to conduct security checks or mitigate DNS abuse.

Data Escrow

ICANN requires data to be escrowed by registries and registrars so that it can be requested by ICANN for the purpose of handing the data over to a registrar that takes over in case of registrar failure, or to a succeeding registry or the so-called Emergency Backend Operator (EBERO) in case of registry failure. The legal basis for that is Art. 6 I f GDPR.

Domain Name Disputes

ICANN also requires all gTLD registrations to be subject to UDRP and URS to facilitate the resolution of disputes. These policies are part of all gTLD domain name registration contracts. Your personal data might be transferred to the dispute resolution providers and the complainant during these procedures (Art. 6 I b GDPR).

There might be additional or other dispute resolution policies where data might be disclosed in a comparable fashion.

Disclosure of Registration Data

Disclosure of registration data depends on registry policies and applicable legal requirements. Please check the registry’s policies for details and in case of uncertainty, please use privacy or proxy services if you want to limit the distribution and publication of your data. Please note we are offering domain names from countries all over the world and not all of the operators need to be compliant with GDPR. Hence, there might be no limitations for the publication of registration data via Whois, so please be advised about the risk that your personal data might be widely shared where unfettered access to Whois data is given.

For gTLDs, personal data of the registrant or other contacts will not be published except for province and country for the registrant.

We will make available a web form for contacting the Registrant, the Admin-C and Tech-C.

More data will only be published based on an opt-in, i.e. consent by the registrant that can be withdrawn at any time.

The registry might need to disclose data to requesting third parties if there is a legal obligation to disclose, e.g. to law enforcement authorities (Art. 6 I c GDPR), in connection with UDRP and URS (Art. 6 I b GDPR), or where a legitimate third party interest exists (Art. 6 I f GDPR). Details on the parameters on the basis of which data can be revealed may vary from registry to registry. ICANN will likely work on a globally applicable scheme for that, including the accreditation of certain Whois requestor groups, in due course.

If you want to file a disclosure request, please contact legal@hexonet.net.

Retention of Data

Your data is deleted without undue delay if and to the extent that the purpose of data collection has been achieved or ceases to exist. The data processed by us will be deleted at the latest after expiry of statutory retention periods. We adhere to the requirements of Art. 17, 18 GDPR. If you have given your consent to the data collection, the data will be deleted immediately after receipt of an appropriate revocation.

Please note that there might be retention periods required by ICANN. Your data might need to be stored for a period of 2 years after the end of the domain name registration by the parties involved.