Privacy Policy - Domain Name Registration
Last update: 08/07/2024
1. Roles and responsibilities in the processing of domain name registration data
The domain name (often referred to simply as a “domain”) is a name associated with an IP address on the internet.
A domain is made up of several parts, one of which is the extension, also called the top-level domain (“TLD”), which is the part of the domain that appears after the dot.
There are two categories of TLDs:
- Generic TLDs (generic top-level domains or “gTLDs”) such as .com, .org, .info, .biz, etc., which have international reach;
- National TLDs (country code top-level domain or “ccTLD”), i.e., domains that refer to a country. For example, the ccTLD for Spain is .es.
Three different parties are involved in the process of registering a domain name: Register, Registrar and Registrant.
The term “Register” refers to a national or international body responsible for establishing the rules and procedures for the allocation of domain names, registration management and primary name servers for the various TLDs.
For example, in Spain, the “.es” ccTLD is maintained by RED.es (https://www.red.es/es).
The full list of Registers and related policies can be found at this link: https://www.iana.org/domains/root/db, and on the UBILIBET website at this link: https://www.ubilibet.com/en/legal/tld-and-gtld-policies/
The term “Registrar” refers to an organisation authorised by UBILIBET to carry out operations on the TLD domains for which it is accredited. The Registrar of a gTLD domain name can be verified by accessing the ICANN service available on this page: https://lookup.icann.org/. To check the Registrar of a ccTLD domain, on the page https://www.iana.org/domains/root/db, you can find the web address of the relevant Register, which provides the whois/RDAP individual Register look-up service.
Lastly, the term “Registrant” or “Holder” refers to the natural or legal person who registers a domain name.
In practice, to register a domain name, the Registrant submits an application to the Registrar who, in turn, forwards the application to the competent Register, which determines whether the registration conditions are met. If the evaluation is satisfactory, the domain name will be registered in the name of the Holder, who will become the assignee and, therefore, can claim rights in accordance with the applicable legislation, for the periods specified in the relevant service contract.
Upon registration of a domain name with a gTLD extension, the Personal Data relating to the beneficiary and Registrant of the domain name in question will normally be published, and thus disseminated, in the public WHOIS/RDAP database, and will be searchable using the data search tool (https://lookup.icann.org/en) made available by ICANN for domain names with a gTLD extension.
Domain names with ccTLD extensions may be published in the WHOIS databases managed by the relevant Registers, in accordance with the policies of each Register.
UBILIBET normally acts as Data Controller in connection with the processing of data for the registration and management of domain names.
However, the privacy function of UBILIBET as Registrar is decided on a case-by-case basis by the Register competent for the gTLD or ccTLD for which registration is requested. In the event that UBILIBET is appointed as Data Processor by the competent Register, on the basis of non-negotiable provisions of the contract between UBILIBET and that Register, in relation to the processing activities associated with the management of these specific domain extensions, information about the processing and requests to exercise the Data Holder’s rights (see paragraph 8 hereof) shall be addressed to the competent Register for the domain extension to be registered.
In addition, if additional Personal Data of third parties is required to register a domain name (such as, among other things, the contact details of the Administrator – or “Admin-C” – and the Technical Manager – or “Tech-C” – of a given domain name), the Registrar usually acts as Processor with respect to such Personal Data. In this case, you, as a Client of UBILIBET , act as the sole Data Controller, assuming all legal obligations and responsibilities. In this way, you give the broadest possible indemnity against any objection, claim, request for compensation for damages due to the processing, etc., which may be brought against UBILIBET by such third parties if their data have been processed in breach of the applicable regulations on the protection of Personal Data. In any event, if you provide the Personal Data of third parties as part of the registration of a domain name, you must ensure from that point onwards – assuming all related liability – that this particular processing activity is based on an adequate legal basis in accordance with Articles 6 or 49 (c) GDPR, which gives legal grounds for the processing of the Data in question.
2. The Personal Data processed
With regard to the processing of personal data carried out as part of the domain name registration service, it should be noted that UBILIBET will only carry out the processing strictly necessary to provide the service and to manage the billing and accounting of the domain name, unless additional processing is carried out in accordance with an appropriate legal basis pursuant to Article 6 of the GDPR (e.g., consent), which gives legal grounds for the processing of the data in question.
The data collected by UBILIBET as part of a domain name registration request includes only the data strictly necessary to provide the service that the Data Holder provides at the domain name registration stage, and which is listed in the Service Order available at this address:
https://www.ubilibet.com/en/legal/condiciones-generales-de-servicio/
TLD and gTLD policies
In some specific cases, UBILIBET may request a copy of an identity document for particularly sensitive operations, such as requests to delete a domain name or requests for a change of assignee.
Providing such data is in itself optional; however, in the absence of such data, UBILIBET will not be able to provide the requested service.
3. Purpose of processing
The processing carried out by UBILIBET is based on the principles of fairness, legality, transparency and protection of the privacy of the data subject.
The information and data you (the Client) provide is used exclusively:
- for the purposes of registration and management of the domain name, which involves verification of the data provided for registration, billing and accounting management of the domain name, assistance and support in its management, ancillary operations such as requests for deletion, transfer or change of holder, as well as communication of important information about the renewal of the domain (“Provision of the Service”);
- for security purposes and the prevention of fraudulent conduct (“Prevention of abuse and fraud”);
- to comply with legal obligations, in particular those arising from the current legislation on domain name registration (“Compliance”)
- to disclose the data necessary for registration to independent third party data controllers, such as the competent Registers, as the case may be, for the domain extension to be registered (“Disclosure of data to independent third party data controllers”);
- to protect the industrial property rights of third parties, or to verify reports of abuses allegedly committed by you to the detriment of third parties, e.g., for the protection of industrial property rights (“Protection of the legitimate interests of third parties”).
4. Legal basis for the processing and provision of personal data
The processing for the purpose of providing the service and disclosing data to independent third party controllers is necessary for the performance of the service contract between you and UBILIBET, in accordance with Article 6(1)(b) GDPR. The provision of such data is in itself optional; however, in the absence of such data, UBILIBET will not be able to provide the requested service.
Processing for the purposes of preventing abuse and fraud is based on UBILIBET’s legitimate interest in preventing fraud and fraudulent acts committed to its detriment or to the detriment of its clients or third parties, in accordance with Article 6(1)(f) GDPR and on the basis of Recital 47 GDPR.
Processing for the purposes of protecting the legitimate interests of third parties is based on the legitimate interest of such third parties to protect their rights, such as industrial property rights, or in case of alleged abuse by you to the detriment of such third parties. This processing activity is legitimate in accordance with Article 6(1)(f) GDPR.
Processing for the purposes of compliance is legitimate in accordance with Article 6(1)(c) GDPR. Once Personal Data has been provided, further processing may be necessary in order to comply with certain legal obligations applicable to the Register. This type of processing may not be subject to objection, as it is based on legal obligations.
5. Recipients of personal data
For purposes strictly related to the provision of the service, the Personal Data of the domain name holder (as well as of third parties such as Admin-C and Tech-C, if necessary to register the specific domain name with the competent Register) may be disclosed to third parties acting as independent Data Controllers.
Specifically, this data shall be disclosed to the national and foreign Registers to which UBILIBET must send the technical and administrative documentation required by sectoral legislation, as well as to any other parties accredited for the registration of domain names with extensions for which the Register is not accredited. The latter generally act as Data Processors on behalf of UBILIBET.
The exchange of data with independent third party Data Controllers is necessary for the provision of the Service and has its legal basis in Article 6(1)(b) GDPR.
Registers shall process Registrants’ data to keep the domain name register up to date and to ensure compliance with relevant applicable laws and policies. We invite you to consult the privacy notices published by the relevant Register from time to time.
UBILIBET may be required to disclose your personal information to the Internet Corporation for Assigned Names and Numbers (“ICANN”) in order to comply with ICANN’s policies and procedures.
ICANN also requires UBILIBET, as Registrar, to deposit a copy of the data necessary for the management of escrowed domain names with an accredited “Escrow Agent”. For this service, UBILIBET uses the company DENIC Services GmbH & Co. KG (hereinafter referred to as “DENIC”), located in Germany (Heinrich-Hertz-Str. 6, 64295 Darmstadt, Germany, info@denic-services.de) and designated by ICANN.
It should be noted that for gTLD extensions, and in some cases also for ccTLD extensions if permitted or required by the competent Register, UBILIBET may be required to disclose your data to third parties for the purposes of Preventing Abuse and Fraud, on the basis of Article 4 of the ICANN Temporary Specification for gTLD Registration Data, available at this link:
https://www.icann.org/en/system/files/files/gtld-registration-data-temp-spec-17may18-es.pdf;
or for ccTLDs, on the basis of the policies published from time to time by the competent Register.
Upon explicit and detailed request, UBILIBET may also disclose the Personal Data of a domain name to third parties, on the basis of its own legitimate interest, in order to protect its rights (including industrial property rights), and for the protection of the legitimate interests of third parties.
6. Transfer of personal data
7. Data retention
The Personal Data processed for the purposes of the Provision of the Service and Disclosure of Data to independent third party Data Controllers will be kept for as long as strictly necessary to achieve the aforementioned purposes. In addition, as this processing is carried out for the provision of the domain name registration and management service, UBILIBET will process the Personal Data for as long as permitted by Spanish law to protect its interests. In particular, it will retain the data necessary to provide evidence of the proper performance of its contractual obligations for the period required by law, which generally corresponds to the general statutory limitation period for proceedings (Article 1964.2 of the Civil Code).
For Compliance purposes, Personal Data will instead be retained for the period required by the specific obligation or applicable law.
For the purposes of Prevention of Abuse and Fraud and Protection of the legitimate interests of third parties, Personal Data will be kept for the period required by the Register to prevent and combat fraudulent conduct and to protect the legitimate interests of third parties, i.e., for 10 years.
You can obtain more information about the retention periods for Personal Data and the criteria used to determine such periods by writing to the Data Controller or the DPO.
8. Rights of the Holder/Data Subject
Without prejudice to the obligations or powers of retention of Personal Data set out in section 6, you have the right to request from UBILIBET , at any time, access to your Personal Data, their rectification, erasure or restriction of processing in the cases referred to in Article 18 GDPR, as well as to obtain the data concerning you in a structured, commonly used and machine-readable format (portability), in the cases referred to in Article 20 GDPR, for the purposes of the provision of the Service.
You have the right to object to the processing of your personal data for the purposes of abuse and fraud prevention, in the cases referred to in Article 21 of the GDPR.
Such requests can be made by writing to dpo@ubilibet.legal.
To exercise your right to portability and to obtain further information on the content, please also contact dpo@ubilibet.legal. You can also find information on this matter in our Privacy Policy, which is available at:
https://www.ubilibet.com/en/legal/cookies-policy/
In all cases, you always have the right to file a complaint with the competent Supervisory Authority (Personal Data Protection Authority) under Article 77 GDPR if you consider that the processing of your data is in contravention of the legislation in force, or to bring the matter before a court of law (Article 79 GDPR).
9. Amendments
This privacy policy is effective as of the date indicated below. UBILIBET reserves the right to amend or update the content of this Policy, in whole or in part, including in the event of changes in applicable law. If amendments to this Policy involve substantial changes to the processing of data or have a significant impact on Holders / Subjects, NOMINALIA will take appropriate care to notify them.
© NOMINALIA INTERNET S.L.U.
July 2024