The Parties are each responsible for complying with their respective obligations under Applicable Laws governing Personal Information.
The Customer remains solely responsible for obtaining Registrants’ consent to processing of Personal Information and for ensuring that DNS’ processing of Personal Information for purposes of the Services will not place DNS in breach of any laws, provided that DNS also remains liable to use Personal Information only for the purpose of providing the Services in accordance with Applicable Laws.
The following words and phrases have these specific meanings in this document:
“Applicable Laws” means the General Data Protection Regulation (2016/679) (“GDPR”), the Electronic Communications Data Protection Directive (2002/58/EC), the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2426/2003) (as amended) and all other applicable laws and regulations worldwide, including their successors or as modified, relating to the Processing of Personal Information.
“Customer” means a party which enters its name, contact and other required details in the DNS Portal, and has accepted the terms of the Gateway Standard Terms.
“Data Subject” means an identifiable natural person who can be identified, directly or indirectly, in particular by reference to Personal Information.
“DNS” refers to DNS Africa Ltd, a private company incorporated in accordance with the laws of the Republic of Mauritius with registration number 135786 C1/GBL.
“DNS Portal” means the Internet website operated by DNS at URL http://portal.dns.business (including subdomains) or such other URL as may be selected by DNS from time to time.
“ICANN” means the Internet Corporation for Assigned Names and Numbers.
“Personal Information” means any information such as a name, an identification number, location data, an online identifier or information pertaining to an individual’s physical, physiological, genetic, mental, economic, cultural or social identity relating to that natural person, that can be used to directly or indirectly identify a Data Subject.
“Process” means any operation or set of operations which is performed on or in relation to Personal Information, whether or not by automated means, and which includes the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, or otherwise as defined in Applicable Laws.
“Purpose(s)” means as provided in Section 5 below.
“Registration Data” means data collected by the Registrar under the RAA and that is required to be shared with the Registry under the RAA and the RA.
“Security Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Information.
“Temporary Specification” means the “Temporary Specification for gTLD Registration Data” adopted on 17 May 2018 by the ICANN Board of Directors, as may be amended or supplemented from time to time.
Status and Amendments
Roles and Responsibilities
The Customer acknowledges and agrees that, with respect to Processing of Personal Information for the Purposes as set out herein:
Either of the Parties and ICANN may act as either a Controller or Processor of Personal Information; and
The Parties must, subject to the instructions of the Data Subject, ensure that Personal Information is accurate. Where any Party becomes aware of inaccuracies in Personal Information, they must, where necessary, notify the other Parties, to enable the timely rectification of such information.
The Customer undertakes to inform Data Subjects of the Purposes for which their Personal Information will be Processed and provide all of the information that it must provide in accordance with Applicable Laws, to ensure that the Data Subjects understand how their Personal Data will be Processed.
Purpose of Collection and Processing of Personal Information of Data Subjects
Processing of Personal Information by the Parties is for the limited purpose of provisioning, servicing, managing and maintaining domain names, as required of Registries and Registrars under the Applicable Agreements with ICANN, including to the extent those purposes serve to ensure the stability and security of the Domain Name System and to support the lawful, proper and legitimate use of the services offered by you and us.
The Parties must fully cooperate with each other to the extent necessary to effectuate corrections, amendments, restrictions or deletions of Personal Data as required by Applicable Laws and/or at the request of any Data Subject. The Registry Operator will describe in the Published Policies the purposes for which any Personal Information that is submitted to the Registry Operator by either Party is collected or used, as well as the intended recipients of such Personal Information.
The Customer must inform each Registrant of the purposes for which Personal Information is collected and used and of other relevant information as set out in the Published Policies, and obtain the consent of each Registrant for collection and use for such purposes, and in particular obtain consent for:
use by the Registry Operator in providing the registry services and in particular providing a public WHOIS facility which may include the Personal Information;
inclusion of Personal Information in escrow deposits by the Registry Operator held by third parties located anywhere in the world;
transfer of Personal Information to the Registry Operator’s service provider or the Registry Operator’s affiliates for the purposes of providing registry services; and
transfer of Personal Information to a third party replacing the Registry Operator in providing the Registry Operator function in terms of the Registry Operator’s agreement with ICANN, wherever in the world such third party may be located.
Each Party must ensure that it Processes Personal Information on the basis of one of the following legal grounds:
where the Data Subject has consented to Processing the Personal Information for one or more specific Purposes (which consent can be revoked at any time);
where Processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;
as necessary to provide the Services and pursuant to the Agreement;
where necessary to comply with any legal obligation;
Processing is necessary for the purposes of the legitimate interests pursued by the Customer or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of Personal Data;
Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Customer; or
where the information is made public by the Data Subject.
Use and Processing of Personal Information of Data Subjects
The Parties must fully cooperate with each other to the extent necessary to effectuate corrections, amendments, restrictions or deletions of Personal Data as required by Applicable Laws and/or at the request of any Data Subject.
Both Parties undertake that Personal Information will be processed in accordance with Applicable Laws and requirements directly applicable to the provision of the Services, and that they will only process the information in a manner consistent with allowing use of the Services and will process it to the minimum extent necessary.
Neither Party may use or authorise the use of Personal Information in any way that is incompatible with the purpose set out in the Published Policies or which is contrary to the Agreement or Applicable Laws.
The Parties must immediately notify each other and ICANN and/or the Registry Operator (whichever is applicable) if, in their opinion, any instructions or requirements under Applicable Agreements infringe any Applicable Laws.
All Personal Information must be treated as strictly confidential and the Parties must inform all their employees or approved agents engaged in processing the Personal Information of the confidential nature of the Personal Information, and ensure that all such persons or parties have signed an appropriate confidentiality agreement to maintain the confidence of the Personal Information.
Personal Information of Customer
DNS collects Personal Information about the Customer, including information that directly or indirectly identifies it if the Customer chooses to share it with DNS.
DNS may use the Customer’s Personal Information collected to compile profiles for statistical purposes. No information contained in the profiles or statistics will be able to be linked to any specific person or entity.
Data Subject Rights
right of access and update;
right to data portability;
right to erasure;
right to rectification;
right to object to automated decision-making; or
right to object to processing.
Data Subjects have the right to obtain certain information about the Processing of their Personal Information through a subject access request (“Subject Access Request”). The Parties must maintain a record of Subject Access Requests, the decisions made and any information that was exchanged. Records must include copies of the request for information, details of the data accessed and shared and where relevant, notes of any meeting, correspondence or phone calls relating to the request.
The Parties agree that the responsibility for complying with a Subject Access Request falls to the Customer and any final decisions made by it will govern the actions taken.
The Parties agree to provide reasonable and prompt assistance (within 5 (five) Business Days of such a request for assistance) as is necessary to each other to enable them to comply with Subject Access Requests and to respond to any other queries or complaints from Data Subjects.
Destruction of Personal Information
DNS will delete all Personal Information, upon receipt of a written instruction from the Customer or a Data Subject to do so.
DNS will destroy or delete any Personal Information that is no longer needed by it for the Purpose it was initially collected, or subsequently Processed.
The Customer will be responsible for the security of transmission of any Personal Information in transmission to DNS by employing appropriate safeguards and technical information security controls.
The Parties must both take appropriate, reasonable technical and organisational measures as required by Applicable Laws to protect the Personal Information from loss, misuse, unauthorized disclosure, alteration or destruction.
Both Parties will take reasonable measures to:
encrypt the Personal Information, where necessary or appropriate;
ensure continued confidentiality, integrity, availability and resilience of our processing systems and services;
restore the availability and access to Personal Information in a timely manner;
establish and maintain appropriate safeguards against the risks identified;
conduct regular threat assessment or penetration testing on systems as deemed necessary, considering the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, with due regard to the nature of the data held, the cost of implementation, and the state of the art;
identify all reasonably foreseeable internal and external risks or vulnerabilities to the Processing of Personal Information; and
ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.
The Parties agree to implement appropriate technical and organisational measures to protect the Personal Information in their possession against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure, including but not limited to:
ensuring IT equipment, including portable equipment is kept in lockable areas when unattended;
not leaving portable equipment containing the Personal Information unattended;
ensuring use of appropriate secure passwords for logging into systems or databases containing Personal Information;
ensuring that all IT equipment is protected by antivirus software, firewalls, passwords and suitable encryption devices;
using industry standard 256-bit AES encryption or suitable equivalent where necessary or appropriate;
limiting access to relevant databases and systems to those of its officers, staff, agents, vendors and sub-contractors who need to have access to the Personal Information, and ensuring that password security mechanisms are in place to prevent inappropriate access when individuals are no longer engaged by the Party;
conducting regular threat assessment or penetration testing on systems as deemed necessary, considering the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, with due regard to the nature of the data held, the cost of implementation, and the state of the art; and
allowing for inspections and assessments as to the security measures taken, or producing evidence of those measures, if requested.
Security Breach Notification
The Party being notified of a Security Breach must be provided the following information, to the greatest extent possible, with further updates as additional information comes to light:
A description of the nature of the incident and likely consequences of the incident;
Expected resolution time (if known);
A description of the measures taken or proposed to address the incident, including measures to mitigate its possible adverse effects; and
The categories and approximate volume of Personal Information and individuals potentially affected by the incident, and the likely consequences of the incident on that Personal Information and associated individuals.
The Parties may, upon mutual agreement, provide resources from their security groups to assist with an identified Security Breach for the purpose of meeting their obligations in relation to the notification of a Security Breach under Applicable Laws or other notification obligations or requirements.
For the purpose of this section, both Parties are also required to provide notification in accordance with this section in response to:
A complaint or objection to Processing or request with respect to the exercise of a Data Subject’s rights under Applicable Laws; and
An investigation into or seizure of Personal Information by government officials, regulatory or law enforcement agency, or indications that such investigation or seizure is contemplated.
Each Party will, at its own expense, defend, indemnify and hold the other harmless from and against all claims, liabilities, costs and expenses arising from or relating to:
a Security Breach,
breach of Applicable Laws, and
Transfer of Personal Information
Disclosure of the Personal Information with any other third party with a valid legal basis for the provisioning of the Purposes;
Publication of the Personal Information via any medium, including, but not limited to, in public registration data directory services;
The transfer and storage by the Parties of any Personal Information from within the European Economic Area (“EEA”) to servers outside the EEA; and
Otherwise granting any third party located outside the EEA access rights to the Personal Information.
If provision of the Services requires transfer of any Personal Information to a third party located in another jurisdiction, DNS will procure the Customer’s prior written consent to such transfer.
Impact of Changes