1 The processing of personal data by registrars. The processing of personal. registrars

Transcription

1 1 The processing of personal data by registrars The processing of personal data by registrars

2 1 The processing of personal data by registrars Introduction DNS.be registrars collect and process personal data from their customers/registrants as part of the process for registering domain names, either directly via their website or via third parties (e.g. resellers, etc.). In 1992, a legal framework was created in Belgium for data through the Personal Data Protection Act of 8th December 1992 relative to details (referred to below as the Personal Data Processing Act). This Act was amended in 1998 in response to European Directive 95/46/EC issued by the European Parliament and the Council of Europe on 24th October 1995, relative to the protection of natural persons in connection with the processing of their personal data and regarding the unrestricted traffic of that data. However, it is not the aim of this document to analyse the legislation mentioned above in any detail, but rather to familiarise registrars in this area and to provide them with a number of practical guidelines for complying with the obligations imposed by this legislation.

3 2 The processing of personal data by registrars When does the Personal Data Processing Act apply? The Act applies to any fully or partly automated processing of personal data, as well as to any non-automated processing of personal data entered in a file or that is intended to be entered in it What is personal data? The Personal Data Processing Act describes personal data as any information that relates to an identified or identifiable natural person. 1 Article 3 1 of the Personal 2 European Court of Justice, Ruling of 6th November 2003, Bodil Linqvist (prejudicial questions), Case C-101/01. 3 Florence de Villenfagne, Protection of personal data, In X., Electronic Commerce, legal and practical aspects, UGA, 2004, p L.F. Asscher and S.A. Hoogcarspel, Regulating Spam: A European Perspective after the Adoption of the e-privacy Directive, in Information Technology and Law, Cambridge University Press, 2006, p Patrick Van Eecke (ed.), Law This is understood to include: the contact details of a person, such as their name, postal address, address, telephone number, etc. However, the principle is not limited to data relating to the privacy of individuals. Data that relates to the professional or public life of a person is also considered to be personal data.2 Less obvious information also comes under this definition, such as cookies 3, IP addresses 4, the click-through behaviour of an individual 5, etc. However, data about legal entities or associations does not come under the protection of the Act. & Electronic Commerce, Larcier, 2011, p. 236.

4 3 The processing of personal data by registrars 6 Article 1 4 of the Personal 7 Florence de Villenfagne, Protection of personal data, In X., Electronic Commerce, legal and practical aspects, UGA, 2004, p European Court of Justice, Ruling of 6th November 2003, Bodil Linqvist (prejudicial questions), Case C-101/01. 9 Patrick Van Eecke (ed.), Law & Electronic Commerce, Larcier, 2011, p What is understood by the processing of data? Processing means any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by means of transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction of personal data 6 Examples of processing: collecting personal data via a contact form at a website; 7 posting personal data on a webpage; 8 collecting data in order to process orders; collecting data for creating marketing profiles; collecting data for sending out electronic advertising; collecting data to send out a newsletter; etc. In an online context, most operations performed upon personal data are effective processing in the sense of Personal Data Processing Act. 9

5 4 The processing of personal data by registrars Under what conditions may personal data be processed? A. Quality requirements Article 4 of the Personal Data Processing Act gives a summary of the requirements that processing personal data must comply with. 1 Honesty requirement The processing must be transparent for the persons involved and these persons must be informed about the processing of their data. 2 Legality requirement The processing must take account of all the terms set out in the Personal Data Processing Act and may not be in breach of any other regulations (e.g. regarding spam, cookies, etc.). 3 Purpose requirement Personal data may only be obtained for one or more clearly defined, specifically described and justified purposes. It is therefore important to think carefully in advance about the various purposes for which the data will be used: customer management, sending out information about products and services, announcing events, complaints management, etc. The purposes established will determine what kind of data may be collected, what may be done with the data, whom that data may be passed on to, how long it may be kept, etc. Indeed, only actions that comply and are compatible with the established purposes may be carried out. The term compatible is deemed to be what is defined by law and what the person concerned might reasonably expect. Notification of the purposes is best dealt with in a privacy policy, but it is also advisable to reiterate at relevant locations on the website why certain items of data are retrieved Patrick Van Eecke (ed.), Law & Electronic Commerce, Larcier, 2011, p These purposes must be established from the outset and notified to the parties involved.

6 5 The processing of personal data by registrars 4 Proportionality requirement The personal data that is processed must be relevant, taking account of the purposes for which it was obtained or for which it will be processed further. When, for example, personal data is processed for the purpose of customer management, no more data than is strictly necessary may be processed, e.g. the name of the person or the organisation, the address, the address, the company number. For example, it is not relevant to ask for, store and process details regarding the profession of your customers. 5 Accuracy requirement Data that is processed must be accurate and updated if necessary; all reasonable measures must be taken to delete or amend data that is inaccurate or incomplete. 6 Restriction requirement Personal data may not be stored for longer than is necessary to carry out the purposes for which it was obtained or further processed. If the personal data is collected and processed for the purpose of customer management, this data must be deleted/destroyed as soon as the person in question is no longer a customer. DNS.be also advises registrars to delete the contact handles of ex-customers/registrants. Consequently it is very important for a registrar to ensure that the data of its customers/registrants is up-to-date at all times. This requirement of accuracy is explicitly reiterated in the agreement that DNS.be enters into with registrars.

7 6 The processing of personal data by registrars B. Justification grounds 11 Article 5 of the Personal 12 Patrick Van Eecke (ed.), Law & Electronic Commerce, Larcier, 2011, p Privacy Commission, Recommendation nº 04/2009 dated 14th October 2009, p. 13. The Personal Data Processing Act 11 lists 6 circumstances in which personal data may be processed. These are the grounds that the controller may invoke for processing certain personal details. If the controller is unable to invoke any of these grounds, then the processing is unlawful. Personal data that is collected in an online context usually comes under the first two grounds or the last ground, i.e. 1. The person involved has given his/ her unequivocal consent for the processing. This consent is only valid if it is given freely and specifically and is based on information. However, the Act does not stipulate that this consent must be given explicitly and in writing. 12 However, in practice it is advisable to draw up a privacy policy and to request the express acceptance of this policy via a tick-box that it is mandatory to tick. 2. The processing is necessary for the execution of the agreement to which the person involved is a party, or for the implementation of precontractual measures that the person involved has requested. On the basis of this and in the context of the registration of a domain name, a registrar may collect and process the name of the person or the organisation, the address details and the company number of the registrant in order to be able to supply the service ordered and to draft the invoice associated with it. 3. The processing is necessary in order to serve the justified interest of the controller or of a third party, on condition that the interests or rights of the person involved are not impaired. However, this legal ground must be strictly interpreted and may not be seen as a means of circumventing other legal grounds. However, the Commission for the protection of privacy (referred to below as the Privacy Commission ) does accept that this legal ground is used in the case of customer relationship management with regard to one s own customers, such as conducting a satisfaction survey among one s own customers about the services they purchase, an invitation to one s own customers to extend or renew their contract, etc. 13

8 7 The processing of personal data by registrars Obligations of the controller 1. Obligations of the controller The controller is charged with virtually all of the obligations imposed by the Personal Data Processing Act to ensure the protection of the data processed. Under the Act, the controller is any natural or legal person, un-associated organization or public authority which alone or jointly with others determines the purposes and means of the processing of personal data 14 As a result, the controller is the company/person which/who has the authority to take decisions in relation to the data processed (which/who defines what data is processed, the purpose for which the data is used, to whom it is passed on etc.). 14 Article 1 4 of the Personal

9 8 The processing of personal data by registrars 15 Article 9 of the Personal 16 If the data is not obtained from the person in question. 17 Article 9 1 of the Personal 2. Statutory information The controller is obliged to notify the person involved of the following information 15 : the name and address of the controller; the purposes of the processing; the existence of the person s right, on request and without charge, to object to processing intended for direct marketing; other additional information, in particular - the recipients or categories of recipients of the data, - the categories of data involved 16, - whether or not the answer is required and any consequences arising from not answering, - the existence of the person s right to access and amend the data relating to him/her. If the controller collects the personal data itself, it is obliged to provide that information at the latest at the time the data is obtained. 17 A registrar that collects personal data itself via its website can notify registrants of this information in a clause mentioned during the registration procedure. A registrar can also comply with the duty of information by using a link to the privacy policy at its website.

10 9 The processing of personal data by registrars 3. The rights of the person involved A. Right to access and notification 18 Each person involved has the right to obtain the following information from the controller: 18 Article 10 of the Personal whether or not data about that person is being processed; the purpose for which this data is being processed; the nature of the data; the origin of the data; the categories of recipients to whom this data is provided; the data itself that is processed in an understandable form; the information available about the origin of the processed data. The controller may itself determine the way in which the processed data is provided to the person involved. It is therefore not mandatory, for example, to supply a copy of a printout of the processed data or to allow the person involved to look at the computer screen. Providing that person with the data will suffice. It must be possible for the person involved to exercise their right to access and notification free of charge. To exercise that right, the person involved must send a signed and dated request to the controller, accompanied by proof of his or her identity. The controller must provide the information mentioned above at the latest 45 days after receiving the request.

11 10 The processing of personal data by registrars B. Right to rectification 19 Any person involved can also, at no charge, ask the controller to rectify any inaccurate data relating to him or her, as well as to delete incomplete, irrelevant or forbidden data, or to forbid the use of this data. To exercise that right, the person involved must send a signed and dated request to the controller. The controller must, at the latest within one month of the request being submitted, give notification of what amendments or deletions have been carried out. The controller must also pass on this information to any third parties to which the incomplete, irrelevant or forbidden data has been supplied, unless this is impossible or would appear to be extremely difficult. C. Right to object 20 Any person involved has the right to object to the processing of data relating to him or her. However, this right is not absolute. In this case, the person involved must have significant and justified reasons for objecting. This means that he or she must give a reason for the objecting, in the sense that the processing may have detrimental consequences. He or she may also not object to the processing of his or her data if such processing is necessary for the execution of an agreement or to comply with a statutory obligation. 19 Article 12 of the Personal 20 Article 12 of the Personal If the data is collected for the purposes of direct marketing, the person involved may object to the processing of his or her data at no cost and without having to divulge the reason. The right to object must also be exercised via a signed and dated request to the controller. The controller must provide notification of what it has done in response to the request within one month of the request being submitted. If the controller agrees to the request, processing of the data must cease.

12 11 The processing of personal data by registrars 4. General obligation of security Article 16 4 of the Personal Data Processing Act states that the controller, in order to guarantee the security of personal data, must take the appropriate technical and organisational measures required to protect that personal data against accidental or unlawful destruction, against accidental loss, and against the alteration of or access to personal data and any other unauthorised processing of personal data. These measures must ensure an appropriate level of security, taking account on the one hand of current technology in the matter and the cost of applying the measures and, on the other, the nature of the data to be protected and the potential risks involved. The Act therefore provides no concrete measures as such, but leaves interpretation of the obligation to protect data to the controller itself. However, a number of general obligations are imposed on the controller in articles 16 2 and 3. These are: 1. ensure with due care that the data is kept up-to-date, and that incorrect, incomplete and irrelevant data, as well as data that was obtained or further processed in violation of articles 4 to 8, is rectified or erased; 2. ensure that the number of individuals acting under his authority, as well as access to the data and the possible operations carried out on it, are limited to what is necessary for these individuals to fulfill their obligations or to whatever is necessary for the requirements of the service; 3. inform all individuals acting under his authority of the provisions of this Act and its implementing decrees, and of all relevant provisions in respect to the protection of privacy in relation to data; 4. ensure that the programs used for the automatic processing of personal data correspond to the information provided in the notification and that they are not used unlawfully. 5. ensure that the persons acting under the authority of the controller and who have access to the personal data only process this data on his behalf. The Privacy Commission has also drawn up a set of Reference measures for the security of any processing of personal data. This document is a tool that can be used by the controllers assignment in the implementation of a security policy.

13 12 The processing of personal data by registrars 21 Article 15b of the Personal In practical terms, this means that the controller must implement firewalls, virus scanners, logging and tracking mechanisms, etc. but must also ensure that the individuals involved in the processing of personal data are informed sufficiently about the applicable legislation and requirements, that there are documented procedures, that there is a management plan for security incidents, etc. If the processing is entrusted to a processor, the controller must sign a contract with the processor stating what guarantees the processor offers with regard to the technical and organisational security measures that are applied to the processing, what the accountability of the processor is and that the processor and anyone acting under the processor s authority, may only act under the instructions of the controller. Under the Personal Data Processing Act, the controller bears all liability for breaches of the security obligation. 21 Only contractual arrangements with the processor may transfer this liability to the processor.

14 13 The processing of personal data by registrars 22 Article 17 5 of the Personal 5. Reporting to the Privacy Commission Pursuant to article 17 1 of the Personal Data Processing Act, the controller must report the processing prior to proceeding to process the data. A report is not required for requesting permission or an authorisation, but is merely intended to inform the Privacy Commission of the fact that the controller will be processing personal data. A separate report is required for each processing purpose or group of cohesive purposes. 22 Processing for the purposes of customer management and the collection of data for marketing purposes must be reported in different reports to the Privacy Commission. A report of data may be lodged in hardcopy form or electronically via the Privacy Commission website ( A fee must be paid for each report: if the report is lodged electronically, if the report is lodged in hard-copy form. Each report must contain the following details: the identity of the controller; the purposes; the categories of processed data; any statutory or regulatory basis for being able to process the data; the possible recipients to whom the data may be distributed; the guarantees associated with a notification to third parties; the way in which the individuals involve will be notified if their data is passed on to third parties; the person to be contacted for individuals to exercise their rights; the measures taken to make it easier for the individuals involved to exercise their rights; the length of time the data will be kept; the security measures; any sending of the data to other countries.

15 14 The processing of personal data by registrars the data has been collected directly from the person involved (no database enrichment or viral marketing, etc.); There are, however, a number of exceptions to this principle of mandatory reporting in the Royal Decree for implementing the Personal Data Processing Act 23. These exceptions apply only to standard processing and are subject to strict restrictions. For example, customer and supplier management is not subject to a prior report to the Privacy Commission if the following conditions are met: only data of potential, existing and past customers and suppliers; the data is not passed on to third parties. DNS.be has lodged 2 reports with the Privacy Commission: one for the data that is processed in our registration system, and one for the data that is processed for handling complaints relating to.be domain names. 23 Article 17 5 of the Personal no sensitive, medical or judicial data is included; the data is not kept for longer than required for normal business operations;

16 15 The processing of personal data by registrars Conclusion the (technical and organisational) measures taken to guarantee the security of the data; the use of cookies and the procedure for switching them off. The Personal Data Processing Act states as a general rule that personal data may be processed on condition that a justified reason applies and provided all of the conditions laid down by law are complied with in the processing. 24 To comply with the conditions set by the Personal Data Processing Act, DNS.be advises its registrars as follows: 1 draw up and apply a privacy policy. This privacy policy can be made known to third parties by way of a privacy statement or declaration. This privacy policy should include the following provisions: name and address of the controller; The best place to put this privacy policy is somewhere where the individuals involved can easily find it, e.g. a link on the homepage and/or (all) other webpages or a pop-up on the first visit to the website. It is also recommended to include a direct link to the full or summarised text of the privacy policy, a clause or a popup with the full or summarised text of the privacy policy with a tick-box that must be filled in with forms to be completed online. DNS.be s privacy policy is at our website: indicate that the Personal Data Processing Act will be complied with; purpose(s) of the processing; what sort of data is being collected; who the data will be passed on to; mention the existence of a right of access, notification and amendment and the procedure for of exercising these rights; 24 Privacy Commission, Recommendation nº 04/2009 of 14th October 2009, p. 2 the option to explain the right to object if the data is being collected for direct marketing purposes;

17 16 The processing of personal data by registrars The privacy policy should also be known internally. This can only be done if your own staff who deals with personal data and answer s, letters or phone calls from customers are themselves informed about the Personal Data Processing Act and the way it is applied within the organisation. Clear internal communication of the privacy policy must therefore precede communicating that policy externally. 2 implement technical security measures (firewalls, virus scanners, logging and tracking mechanisms, etc.) to protect the personal data. 3 submit a report to the Privacy Commission about the data being processed in the context of their business as a registrar. Registrars in fact pass this personal data on to the competent registration authorities and in many cases they also do not receive personal data directly from the registrant, but via a third party (e.g. a reseller, etc.).

18 17 The processing of personal data by registrars Executive Editor: DNS.be vzw/asbl Concept: ABSOLUUT Photo.be: Jesse Willems

19 18 The processing of personal data by registrars DNS Belgium vzw/asbl Ubicenter Philipssite 5 bus Leuven info@dns.be