Privacy Policy

This is the Privacy Policy of PuntuEUS Fundazioa. Your privacy is very important for us, and through this policy we wish to make clear what personal data we process about you, why and for how long we process it, and how you can exercise your rights to manage it.

We invite you to read this privacy policy carefully so you have a good understanding about how we protect your personal data.

PuntuEUS Fundazioa

PuntuEUS Fundazioa is a non-profit entity registered with the Registry of Foundations of the Basque Country with the following details:

  • Name: PuntuEUS Fundazioa
  • Address: Arriola 2, Donostia, Gipuzkoa
  • ID number: G75060178
  • Email address (privacy matters): dba@domeinuak.eus

Does this privacy policy apply to you?

This privacy policy applies to you if you have come into contact with us, either as a contact associated with a domain name registered under the .eus Top Level Domain, as an individual who works for a party with whom we have a contractual relationship, as a subscriber to our newsletter, as a visitor to our websites, or through any other means of contact by which you  may have reached us (via email, telephone, events, etc).

Your personal data may be collected via the following methods: through the Domain Name registration processes via our network of accredited registrars, via e-mail, via telephone, via fax, by attendance at an event, by using cookies or other technologies to track visitors on our websites, through communication from suppliers or partners, or by completing a form on our websites, or via any other means.

What personal data do we process about you?

Personal data is any information relating to an identified or identifiable natural person (i) that you voluntarily provide to us (e.g. through our online forms on our website),

(ii) that has been provided to us by your registrar for the registration of your domain name

(iii) that we collect from your attendance at our events or visits to our website(s).

In the context of our business activities and in order to provide you with good service and to improve our services where possible, we may process the following personal data about you: your name, your email, the organization you work for, your job title, your personal address, your language preference, your gender, your age, your unique identification alias in our system, your Domain Name, financial data including data related to your bank account or credit card information, judicial data in relation to Domain Names, your IP address, pictures and video footage.

Since it is not possible to register a domain name directly with us, we collect your personal data from the company through which you registered your Domain Name. That company may be one of our accredited registrars or one of its resellers who collects your personal data on our behalf.

For which purposes do we process your personal data?

We process your personal data for various purposes:

In order to be able to offer the best possible services for your Domain Name, we must collect some personal data in relation to your Domain Name. This also allows us to identify you and get in touch with you directly in relation to your Domain Name registration, if and when needed.

We use your personal data to maintain and build long-term and sustainable relationships and to execute the contract we may have. We use your personal data to respond to your inquiries, to fulfill your requests, and/or to send you administrative information.

Your personal data may be used to comply with applicable regulations, to respond to requests or claims from public and government authorities, including public and government authorities outside your country of residence, or to protect our rights, privacy, safety or property, and/or our entities.

We may use your personal data to send you promotional messages, marketing, information about the .eus community, and other information that may be of interest to you.

Principles observed in the collection and processing of personal data

PuntuEUS Fundazioa will observe the following principles to govern its Processing of Personal Data, that will

  • only be Processed lawfully, fairly, and in a transparent manner in relation to the registered name holders and other data subjects (“lawfulness, fairness, and transparency”);
  • be obtained only for specified, explicit, and legitimate purposes, and will not be further processed in any manner incompatible with those purposes (“purpose limitation”);
  • be adequate, relevant, and not excessive in relation to the purposes for which they are processed (“data minimization”);
  • be accurate and, if necessary, kept current, as appropriate to the purposes for which they are Processed (“accuracy”);
  • not be kept in a form that permits identification of the registered Name Holder and other data subjects for longer than necessary for the permitted purposes(“storage limitation”); and
  • be processed in a manner that ensure appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical organizational measures (“integrity and confidentiality”).

Who has access to you Personal Data?

Only our qualified staff has unrestricted access to this data. No third parties – other than registrars in circumstances justifiable by needs of the performance of the registration of the domain name – may have direct access to the data that we keep.

We may process your personal data based on different legal grounds:

  • The processing may be necessary to comply with our legal obligations as a registry or as a data controller.
  • The processing may be necessary for the execution of your contract with us.
  • The processing is necessary for the protection of our legitimate interests, in particular: the economic, commercial and financial interests, business continuity, security and confidentiality of customer information and products and the security of digital and physical infrastructure.
  • The processing may be based on the consent you have provided in connection for activities of the PuntuEUS Fundazioa.

With whom do we share your personal data?

We never sell your personal data to anyone. To the extent permitted by applicable law, and for, among others, he performance of the domain name registration agreement, your personal data may be disclosed to the following parties:

Escrow, back-end, and storage providers: In order to guarantee the activities of the Registry Operator that enable the registration of your domain name, we need to store and back-up all registration data, including your personal data.

Third parties: Your personal data may be disclosed to third parties including governmental authorities for legitimate reasons.

ICANN: The Internet Corporation for Assigned Names and Numbers may be provided with your data in connection with your .eus domain name registration, as required in our Registry Agreement with ICANN.

Auditors: To ensure our business operations are correctly assessed, auditors may have access to your personal data.

When we share your personal data, we seek to instruct the recipients where possible to process your personal data in accordance with our instructions.

What are your rights in relation to your personal data?

Unless your request is deemed excessive or unfounded, you may exercise the following rights in relation to your personal data:

  • You have the right to request information concerning your personal data.
  • You have the right to request a copy of all your data in a standard format.
  • You have the right to modify or correct your personal data if it is wrong.
  • You have the right to request the restriction of certain processing activities in certain circumstances.
  • You have the right to object against certain processing activities.
  • You have the right to withdraw your consent.
  • You have the right to have your personal data erased in certain circumstances.
  • You can easily exercise any of your rights by completing and submitting our online form.

The exercise of some of these rights in connection with the registration of domain names may have to be conducted through the registrar of record of the domain name in question.

Additionally, you have the right to file a complaint with your local supervisory authority, when you are of the opinion that our processing of your personal data is not in compliance with applicable legislation.

Where and how long do we keep your personal data?

Your personal data is stored both electronically and manually, in-house and by third parties. We store your personal data in a form that permits identification for no longer than is necessary for the purposes for which your personal data is processed. This retention period differs based on the type of personal data processed, the purpose of processing and other factors.

As a holder of a Domain Name, we keep your personal data for one (1) years after the domain name is deleted.

The personal data of individuals that we collect outside the scope of a contract in the context of our business activities is kept until one (1) year after it becomes irrelevant.

What security measures are taken to safeguard your personal data?

We are continuously implementing and updating our security measures to help protect your personal data and other information against unauthorized access, loss, destruction, or alteration. We do our utmost to ensure that all information is stored in a safe manner and we request our service providers to apply adequate security measures.

Cookies and other tracking technologies

When you visit our websites, we may store certain information on your devices in the form of a cookie. We invite you to carefully read our cookies policy so you have a good understanding about how we apply or use cookies.

.EUS domain names’ Registration Data

This Section informs You about our processing of  Your Registation Data in accordance with ICANN mandated policies, European Union’s General Data Protection Regulation (GDPR) and other applicable data protection legislation.

Controllers

ICANN, We as Registry Operator and Your Registrar, and eventually Your reseller, are joint controllers (or Data Processors were specified) for Your data processing that is required to carry out Your Domain Name registration, as described in this Section. The main for such processing includes, among others, domain name transfers and trades, making Your domain name resolve and making available information via the Whois service.

The role of ICANN, a California based US non-for-profit corporation, is establishing the policies on aspects including the collection and publication of data as well as to ensure that the system is secure, stable and resilient.

You can find more information about ICANN here: http://icann.org

ICANN contractually requires Us and Your Registrar to process personal data and enforce these contractual obligations, which – in part – are policies established by ICANN’s multistakeholder community. ICANN also requires the contracted parties to submit reports regularly.

It is the Registrar’s, and/or the resellers’, role to offer domain name registrations and potentially other services to the Registrants. According to ICANN’s requirements, the Degistration Data is collected by the Registrar and then transferred to the Registry.

The Registry’s role is to maintain a central repository of all domain name registrations and to make domain names resolve via the Domain Name System (DNS). The Registry does not offer domain name registrations directly to registrants.

You may contact us here:

PuntuEUS Fundazioa

Arriola pasealekua 2

20018 Donostia (Gipuzkoa)

Phone: +34 943085051

E-Mail: dba@domeinuak.eus

The data we collect

As a community based TLD we have specific Registration Data requirements. The Registration Data is the full set of data referred to in this Section, including the data of all contacts and the intended use.

Registrars are required to collect data on the following contacts and transfer this Registration Data to us:

  • Domain Name
  • Nameservers
  • Registrant Name
  • Registrant Organization
  • Registrant Street
  • Registrant City
  • Registrant Postal Code
  • Registrant Province
  • Registrant Country
  • Registrant Phone
  • Registrant Phone Ext
  • Registrant Fax
  • Registrant Fax Ext

The same data elements as for the Registrant apply to the Admin contact and Tech contact. The same data elements apply also for the Billing contact, being this one optional.

Intended use: additionally, You must provide the intended use for your domain name.

Legal Basis for the collection

The legal basis for the collection of personal information on these contacts is Art. 6.1.b) GDPR. For the Registrant and the intended use it is to perform the domain name registration in accordance with specific eligibility requirements and for post-registration validation for the contract performance purpose; for the Administrative Contact it is to be able to perform domain name management operations such as transfers, compliance and other; and for the Technical Contact it is contactability in case of technical issues.

When data of third parties is collected, e.g. where the Registrant, Admin Contact or Tech Contact is different from the person(s) the Registrar collects the data from, the Registrar is responsible for informing those third parties about the terms of this Registration policy, including all privacy related provisions.

ICANN, Registry and Registrar and, eventually, the Registrar’s reseller are Data Controllers.

Transfer of data to the Registry

We also require the Registrar to transfer the data mentioned above to us. The legal basis for that is Art. 6.1.f) GDPR since we have a legitimate interest in identifying and investigating patterns of illegal behavior, help with ownership disputes and to operate a central repository of owner data.

For this processing activity, ICANN and the Registry are the Data Controllers and the Registrar is the Data Processor.

Processing of data by third parties

We are using a third party Back-end Registry Service Provider (CORE Association) based in Switzerland, that is a Data Processor of Your Registration Data.

We, as Data Processors, will also pass on the data to an escrow agent as required by ICANN (Data Controller) and the data might be transferred to an Emergency Backend Operator (EBERO) appointed by ICANN in case of Registry failure.

Disclosure of data

We will not publish personal data on the whois or otherwise disclose your Registration Data to third party apart from the domain name as such except in the cases referred in the following paragraph.

Disclosure of personal data will only occur if there is an established legal basis for such disclosure based on a case-by-case assessment. The legal basis for such disclosure might be Art. 6.1.b) (in case of URDP and URS), Art. 6.1.c) (in case of requests by competent authorities) or Art. 6.1.f) (based on a legitimate third party interest).

In the absence of an accreditation model adopted by ICANN, all disclosure requests will be assessed individually.

En ausencia de un modelo de acreditación adoptado por la ICANN, todas las solicitudes de divulgación se evaluarán individualmente.

Retention of data

Registration data is deleted without undue delay if and to the extent that the purpose of data collection has been reached or ceases to exist. The data processed by us will be deleted at the latest after expiry of statutory retention periods. We adhere to the requirements of Articles 17 and 18 GDPR.

Please note that there might be retention periods required by ICANN. The registration data might need to be stored for a period of one (1) year after the end of the domain name registration by the parties involved.

The following rights can be claimed against the controller:

  • Right of access by the data subject. Art. 15 GDPR
  • Right to rectification. Art. 16 GDPR. Modifications shall be requested to your Registrar of record or Your reseller as the Registry can not perform such modification on its own.
  • Right to erasure (‘right to be forgotten’). Art. 17 GDPR Be aware that the request to erase your Data may cause the deletion of your Domain Name.
  • Right to restriction of processing. Art. 18 GDPR
  • Right to data portability. Art. 20 GDPR
  • Right to object. Art. 21 GDPR.

You have the right to lodge a complaint with a supervisory authority about the processing of personal data by the controller.

Data accuracy

You shall immediately correct and update any incorrect or inaccurate Registration Data during the term of the domain name registration.

Registration Data processing

We will only process Your Registration Data according to applicable data protection legislation and will take all technical and organizational measures to protect Your Registration Data from loss, misuse, unauthorized access or disclosure, alteration or destruction, as well as undertaking any other security measure required by applicable Law.

Contacting us

If you have any questions about this privacy policy, or if you want to exercise any of your rights here above, please contact us via dba@domeinuak.eus or https://www.domeinuak.eus/en/contact/