Processing of holders’ data

Introduction

Afnic is the registry designated by the French State to attribute and manage domain names within the top level domains (TLDs) of the addressing system by Internet domains corresponding to the “.fr”.

To do so, Afnic processes personal data in accordance with the provisions of the French Electronic Communications and Telecommunications Act (CPCE) and with those applicable to the protection of personal data and, in particular, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 applicable from 25 May 2018 (hereinafter “the General Data Protection Regulation [GDPR]”).

General principles

When registering a domain name under the .fr, .pm, .re, .tf, .wf or .yt TLD, you are its holder or registrant (hereinafter “registrant”) and the processing of your personal data is then carried out in order to manage the operations on that domain name.

The processing of personal data carried out for domain name operations falls under two categories of processing according to their main respective purposes:

• The processing carried out by your registrar for the provision of registration services on your domain names;
• The processing carried out by Afnic for the administration of the naming zone in question.

PROCESSING CATEGORIES OF YOUR PERSONAL DATA

Afnic and your registrar are the data controllers for the processing operations they perform. Each is the recipient of personal data processed by the other for the purposes of its own processing operations.

It is up to both Afnic and your registrar to respect the provisions resulting from the regulations in force applicable to the processing of your data and, in particular, the GDPR.

The subject of this page is the processing of your personal data by Afnic, as the registry, for the administration of the domain zone for which it is responsible, namely the zone relating to all the domain names registered under the top level domains of the Internet corresponding to the country codes of French territory (see our Naming Policy).

Commitments - Information and transparency on data processing operations

To ensure the information and transparency about the processing of your personal data by Afnic, Afnic publishes and updates as necessary the information contained herein on this Afnic website for direct access or via accredited registrars who must, as part of their obligation to provide information on the processing of personal data, put a link to this information so that it is available to you at any time as soon as you have registered a domain name.

The processing of your personal data is carried out by Afnic in a secure manner in compliance with the legal framework relating to the protection of personal data with the fair, lawful and transparent collection for precise, explicit and legitimate purposes of your personal data which are adequate, relevant and not excessive in relation to these purposes. These exact, complete and, if necessary, updated data shall be kept for the time necessary for those purposes.

Afnic limits its processing of personal data to what is strictly necessary and Afnic clearly indicates for each processing operation:

• Its purpose;
• Its legal basis;
• Its duration;
• The categories of data processed
• The conditions for direct or indirect collection of data;
• Whether the data collected are mandatory or optional;
• The recipient(s)
• If applicable, transfers outside the EU with the appropriate protection measures for your data.

Afnic does not process your data for automated decision making, including profiling. Afnic does not further process your data for a purpose other than those defined in this page.

Exercise of your data subjects rights

It’s simple!

Your rights

As a registrant of a domain name, you have data subjects rights, namely the rights of access, objection, rectification and erasure of the data, the right to restrict processing, the right to withdraw your consent, if given, at any time, the right to lodge a complaint with a supervisory authority and the right to lay down guidelines for the retention, erasure and communication of personal data in the event of death.

Exercise your rights – Contact the DPO (Data Protection Officer)

Your rights are exercised directly with your registrar for:

• All the processing carried out by your registrar and pertaining to the provision of services on domain names;
• All the processing carried out by the Afnic through registrars such as the collection and updating of your personal data for the registration of your domain names.

To obtain any information and/or otherwise exercise your rights on the processing of personal data by Afnic (see List & Description of personal data processing operations below), please contact:

• By electronic means to juridique@afnic.fr
• By mail:

List of processing operations

The list

The processing of personal data’s of holders of .fr, .re, .yt, .pm, .wf and .tf domain names implemented by Afnic involves operations to manage:

• Management of the directory service for .FR and French overseas TLDs
• Management of DNS resolution in .fr and French overseas TLDs
• Provision of the Data Space service to registrars
• Management of requests for verification of eligibility or contactability of a domain name holder
• Management of introductions to administrative contacts
• Management of requests for disclosure of personal data (lifting of anonymity)
• Management of the mediation procedure
• Management of Alternative Dispute Resolution (ADR) procedures
• Management of reports of domain names that are unlawful or contrary to public order
• Management of Afnic’s Zonemaster web service
• Management of satisfaction surveys for the <.fr>
• Management of data subject’s personal rights
• Management of alerts under the French Data Protection Act and notifications of personal data breaches

The description of each processing operation is available to you in the dedicated entries below or directly via the interactive table of contents.

For processing of personal data of Afnic’s website users, Afnic invites you to consult the information relating to these processings on the page “Your data”.

2. Understanding the description of a processing operation

In order to provide comprehensible and simple access, Afnic presents the information relating to each processing operation in the form of a fact sheet in accordance with the following model:

Name of the processing operation

1. Purpose: Afnic processes your data for specified, explicit and legitimate purposes
2. Lawful basis: The processing is necessarily on one of the following lawful bases:

• Your consent (Article 6-1 (a) of the GDPR)
• In performance of a contract with the data subject or in preparation for such contract (Article 6-1 (b) of the GDPR)
• In compliance with our legal obligations (Article 6-1 (c) of the GDPR)
• To protect your vital interests or those of a third party (Article 6-1 (d) of the GDPR)
• In the performance of our public service role (Article 6-1 (e) of the GDPR)
• For the pursuit of our legitimate interests or those of a third party, while respecting your interests or fundamental rights and freedoms regarding the protection of your personal data (Article 6-1 (f) of the GDPR)

3. Duration not exceeding that necessary for the purposes defined; this total duration is the duration of active retention plus that of subsequent retention in the archives
4. Categories of data processed adequate, relevant and limited to what is necessary in relation to the purposes defined (data minimisation);
5. How the data are collected:

• Direct collection, the data are collected from you
• Indirect collection, the data are collected from a third party identified and authorised to communicate your data to us

6. Nature of the data: they may be required (pursuant to a legal requirement, for a contract, etc.) or optional, in many cases with consequences if they are not provided.
7. Recipients: the natural or legal person, public authority, department or any other body that receives communication of your data, whether or not from a third party
8. Transfers outside the EU: this refers to the possibility of your data being transmitted to a recipient in a third country or an international organisation subject to adequate protection measures. A copy of these measures can be sent to you upon request to juridique@afnic.fr

The description of each processing operation is available to you in the dedicated entries below or directly via the interactive table of contents.

Management of the directory service for .FR and French overseas TLDs

1. Purpose

The administrative processing of the directory service for .FR and French overseas TLDs allows Afnic to:

• Provide information on a .fr or French overseas domain name in real time via directory services (Whois port 43/web, RDAP and by access Interface to the directory service (API = Application Programming Interface) telling us whether a domain name is available for registration with or without prior examination
• Periodically publish certain information relating to a .fr or French overseas domain name (Open Data, SQUAW)
• Publish daily (rolling 7-day period) a list of the domain names registered the day before, freely available and free of charge from Afnic’s website
• Measure trends in the market for .fr and French overseas domain names (geographical sectors, breakdown between private individuals and legal entities, etc.) to fulfil the commitments under the State-Afnic Agreement (see Article 6)
• Manage the escrow of data to ensure the continuity of services on domain names
• Collect data on the use of directory services for purposes of: debugging, performance monitoring, use volume monitoring, statistics, customer service/support
• Collect data on the use of directory services for purposes of detecting security incidents

2. Lawful basis:

In performance of a public service role (Article 6-1 (e) of the GDPR): in application of Articles L45ff. of the French Postal and Electronic Communications Code (CPCE), R20-44-39ff of the CPCE and the State-Afnic Agreement

3. Duration:

Domain name data: indefinitely

Holder and contact data are kept in the NIC HANDLE (contact identifier) or until the domain names to which they relate are deleted or until they are deleted at the holder’s request or automatically by our information system due to their obsolescence

Operations transmitted by registrars and appearing in the registry database: indefinitely

Log files containing details of operations carried out by registrars, and log files of Whois/RDAP/API requests made are kept for ten years.

4. Categories of data processed:

• The domain name (DN) and the technical information associated with it (name of registrar, domain status, name servers, DNSSEC keys, date of creation, date of expiry, date of last amendment) -> Indirect collection
• Information on private individual holders: type, surname, first name, address, telephone, fax, email, obsolete (associated with at least one domain name), whether restricted publication or not -> Indirect collection
• Information on legal entity holders: type, name of organisation, address, telephone, fax, email, obsolete (associated with at least one domain name), no restricted publication. Comment: no personal data unless (1) the holder has provided personal data or (2) his or her entity is linked to the legal representative (example: self-employed entrepreneur) -> Indirect collection
• Information on private individual administrative contact: type, surname, first name, address, telephone, fax, email, obsolete (associated with at least one domain name), whether restricted publication or not -> Indirect collection
• Information on legal entity administrative contact: type, name of organisation, address, telephone, fax, email, obsolete (associated with at least one domain name), no restricted publication. Comment: no personal data unless (1) the holder has provided personal data or (2) his or her entity is linked to the legal representative (example: self-employed entrepreneur) -> Indirect collection
• Information on private individual technical contact(s): type, surname, first name, address, telephone, fax, email, obsolete (associated with at least one domain name), whether restricted publication or not -> Indirect collection
• Information on legal entity technical contact(s): type, name of organisation, address, telephone, fax, email, obsolete (associated with at least one domain name), no restricted publication. Comment: no personal data unless (1) the holder has provided personal data or (2) his or her entity is linked to the legal representative (example: self-employed entrepreneur) -> Indirect collection
• Information on the registrar: name, type of contract (option 1/2), address, telephone, fax, email, date of last update of information linked to the registrar. -> Indirect collection
• Operations transmitted by registrars: log files (date, time, name of registrar, operation requested on domain name) and database of the registry (details of the operation linked to the domain name to know its history) -> Direct collection
• Log data of requests for the Whois directory service: time, date, IP address making the request, the domain name asked about -> Direct collection
• Log data of requests for the RDAP service: time, domain name asked about and information relating to its registration (whether or not subject to prior examination), IP address making the request, and possibly (in the event of prior authentication) name of user making the request -> Direct collection

5. How the data are collected:

Direct and indirect collection

6. Nature of the data:

Your data are a regulatory requirement and failure to provide them can prevent the administration of and operations on your domain name starting with the registration

7. Recipients:

Subcontractors providing hosting of Afnic’s infrastructures and escrow or digital safe.

Externally: 1) All Internet users have access to the data published by the directory services made available. 2) Open data & Publication of the daily list of domain names: selections of data accessible to all under free licence. 3) Licence Squaw: access to some providers subject to prior contractual commitments. 4) Third parties with a right of communication. 5) Third parties with a right of access in the cases defined by the Naming Policy. 6) Beneficiaries of operations requested on the domain name (example: assignee of the domain name) and their representatives

Internally: all Afnic employees access the data they need in the framework of their functions and powers granted.

8. Transfers outside the EU

Yes. Due to their being published on the Internet as required by the law and standards of the domain names sector, certain data (domain names and those of persons opting for publication) are accessible anywhere in the world. The “public” status of these data does not allow their protection by adequate safeguards as defined by the regulatory framework in force (contractual clauses, territorial limitation, etc.)

Management of DNS resolution in .fr and French overseas TLDs

1. Purpose

The administrative processing of DNS resolution in .fr and French overseas TLDs allows Afnic to:

• Resolve domain names of the .fr and French overseas zones
• Publish the .FR and French overseas zones
• Secure the domain names of the .fr and French overseas zones
• Ensure the resilience of the domain name resolution service
• Measure the migratory flows of DNS requests in .fr and French overseas TLDs (means of managing the resilience of the flow)

2. Lawful basis:

In performance of a public service role (Article 6-1 (e) of the GDPR): pursuant to Articles L45ff of the French Postal and Electronic Communications Code (CPCE), R20-44-39ff of the CPCE and the State-Afnic Agreement

3. Duration:

For the technical domain name data: for as long as the data are exploited. No data kept for DNS resolution

For DNS requests:

• Samplings of requests made on servers are kept for one month for purposes of post mortem incident analysis

Log files containing DNS requests made are kept for 10 years for archiving.

4. Categories of data processed:

Some of the technical domain name data. These data are personal only in the contexts in which they are processed in association with the account of a directly or indirectly identifiable natural person such as a private individual holder or contact. Except in these contexts, these data are not of a personal nature.

A negligible part of the data from DNS requests from which it is very difficult to deduce identities (extraordinary means) and from which in any case Afnic cannot and does not deduce identities.

5. How the data are collected:

Direct and indirect collection

6. Nature of the data:

Necessary for the provision of the services concerned

7. Recipients:

Subcontractors providing DNS resolution services

All Internet users have access to the data appearing in the zone file in response to a DNS service query (domain name, IP address)

8. Transfers outside the EU:

Yes, DNS resolution is international. Guarantees of adequate data protection are established by contracts with the providers of DNS resolution services

Provision of the Data Space service to registrars

1. Purpose

The processing of provision of the Data Space service to registrars allows Afnic to:

• Provide accredited registrars with dashboards for monitoring their activity from their portfolio of domain names and the activity of their customers in the context of the .fr market
• Provide accredited registrars with an analysis of the performance of their portfolio of domain names based on a technical and usage analysis of the domain names
• Provide accredited registrars with suggestions on how to secure the domain names in their portfolio

2. Lawful basis:

In the performance of a public service role (Article 6 -1 (e) of the GDPR): among Afnic’s responsibilities defined in the State-Afnic Agreement are ascertaining and measuring trends in the .fr and French overseas domain name market (geographical sectors, breakdown between private individuals and legal entities, etc.); promoting the .fr TLD

3. Duration:

One year.

4. Categories of data processed:

• Data from the SRS (Shared Registry System): “Date de fin de periode du rapport / End of period”, “Nom de domaine / Domain name”, “Date de creation / Creation date”, “Date de suppression / Delete date”, “Date de restauration / Restoration date”, “Date d’expiration / Expiration date”, “Titulaire Nic Handle / Holder Nic Handle”, “Titulaire type / Holder type”, “Code postal titulaire / Holder zipcode”, => Only ORG, “Pays titulaire / Holder country”, => Only ORG, “Admin Nic Handle”, “Tech 1 Nic Handle” and “Tech 2 Nic Handle”
• Data from the SRS: “SIREN”
• Data from the Siren database and NAF/NACE codes: “Categorie d’entreprise / Enterprise category” – “NAF rev2 – Label niveau 1 à 5 / Label lvl 1 to 5” – “Nace rev2 – Label niveau 1 à 4 / Label lvl 1 to 4”
• Domain name usage data: “Status HTTP / HTTP Status”, “Classification du domaine / Domain classification”, “redirection” and “Note d’usage / Usage notation”
• Domain name assessment data via Zonemaster :”Nb de messages ‘Warning’/ Nb of warning messages”, “Nb de messages ‘Error’ / Nb of error messages”, “Nb de messages ‘Critical’ / Nb of critical messages”, “Domaine ayant au moins un NS en IPv6 / domain with at least one NS with IPv6” and “Domaine avec DNSSEC / Domain with DNSSEC”
• Data relating to the FRLock service: “Domaine FRLocke / FRlocked domain” and “FR Lock suggestion”
• Data from the DNS (Traffic on Afnic’s servers): “Nb de requêtes a / Nb of a requests”, “Nb de requêtes mx / Nb of mx requests”, “Nb de requêtes whois / Nb of whois requests”

5. How the data are collected:

Indirect collection

6. Nature of the data:

Necessary for the provision of the services concerned

7. Recipients:

Registrars, for the data exclusively concerning holders of domain names appearing in their portfolios.

8. Transfers outside the EU:

Yes: only for holders electing to register their domain names with registrars outside the EU.

Guarantees of appropriate processing: ad hoc clauses in the registration contract between Afnic and the registrar, see Annex 3 “Appropriate safeguards for transfers outside EU”

Management of requests for verification of eligibility or contactability of a domain name holder

1. Purpose

Administrative processing of requests for verification of eligibility or contactability of a domain name holder allows Afnic to:

• Manage the checks initiated by Afnic in the context of its public service responsibilities
• Allow a third party to ask the registry to verify the eligibility and/or contactability criteria
• Manage and process Notifications/Report Forms relating to requests for verification of eligibility and/or reachability
• Generate statistics

2. Lawful basis:

In the performance of our public service role (Article 6-1 (e) of the GDPR): Articles L45-3 and 45-5 of the CPCE. Naming policy and other applicable policies

3. Duration:

Destruction of requests for verification and of their processing two years after the closing of verification operations classed as not pursued. For those pursued (judicially, extra-judicially or by Afnic), destruction once the procedures instigated have been completed and their legal prescription period has come to an end

4. Categories of data processed:

Data identifying the person requesting verification and his or her representative if any. Data on the request for verification and its processing. Data on the processing of the verification of eligibility and the holder’s reachability

5. How the data are collected:

Direct collection

6. Nature of the data:

The requirement of the data is regulatory. For the applicant, failure to provide the data prevents the request from being processed. For the holder, failure to provide data may lead to the deletion of his or her portfolio of domain names in application of the CPCE and of the Naming Charter

7. Recipients:

The internal Afnic departments concerned. The registrar of the domain name concerned. The applicant and his or her representative receive the result of the procedure. The public consulting the Whois online directory of domain names sees the result of the procedure

Management of introductions to administrative contacts

1. Purpose

The processing of introductions to administrative contacts allows Afnic to:

• Put a third party in touch with the administrative contact of a domain name when the holder’s data are subject to restricted publication
• Enable third parties to send a message to the administrative contact via an interface on the website www.afnic.fr
• Generate statistics

2. Lawful basis:

For the sender of the message, is/her consent (Article 6-1 (a) of the GDPR). For the administrative contact:  In the performance of our public service role (Article 6-1 (e) of the GDPR): Arrangements for meeting the requirements of permanence, quality, availability and security of the registration service. Articles L45-1 §1 and R20-44-39 of the CPCE

3. Duration:

One year

4. Categories of data processed:

Data identifying the third party, sender of the message. Connection data of the third party, sender of the message. Email address of the administrative contact of the domain name.

5. How the data are collected:

Direct collection except for the administrative contact’s email address collected from the registrar

6. Nature of the data:

For the third party, sender of the message, its identification data are a contractual requirement for the use of the connecting interface.

Note: for the registrant of the domain name, an incorrect electronic address of the administrative contact can lead to an eligibility verification procedure concerning the domain name

7. Recipients:

Afnic forwarding the message. The holder is the sole recipient of the message sent by the third party

Management of requests for disclosure of personal data (lifting of anonymity)

1. Purpose

The administrative processing of requests for disclosure of personal data or lifting of anonymity allows Afnic to:

• Reveal the identity and contact details of a private individual domain name holder subject to restricted publication upon well-grounded request of a third party.
  • For the pursuit of the applicant’s legitimate interests, while respecting the holder’s interests or fundamental rights and freedoms regarding the protection of his/her personal data (Article 6-1 (f) of the GDPR) ; Afnic recognizes such interest when the domain name is an identical or nearly identical reproduction of: (i) a previously registered trademark protected in France, (ii) a previously registered distinctive sign (company name, business name, trading name or logo protected in France, domain name), (iii) a previously registered title protected by French copyright law, (iv) a family name or pseudonym. Afnic’s examination focuses particularly on the similarity of the signs and does not extend to the content of websites.
• Reveal the identity and contact details provided by the domain name holder and subject to restricted publication (holder’s data and administrative contact’s data) in response to the exercise of a communication right ->
• • In compliance with legal obligations and/or public service role (Article 6-1 (c) & Article 6-1 (e) of the GDPR) authorizing investigative powers of public authorities
• Manage user accounts of individuals who represent public authorities
• Manage requests for lifting of anonymity and generate statistics

2. Lawful basis:

In performance of its public service role (Article 6-1 (e) of the GDPR) in application of Article L45-2 of the CPCE and of the registry policies

3. Duration:

Six months, then deleted. Data for the management and connection generated by access via RDAP: 1/ In active records, for the duration of the user account ; in archive database, 5 years upon the end of the contract with the public authority ; 2/ The data present in the logs:: sliding six months  then deleted.

4. Categories of data processed:

In the case of applicant’s legitimate interests: the data identifying the applicants and their representatives. The data contained in the form and in documents attached thereto. The processing of the form. The data identifying the domain name holder in respect of whom the request is made.

In response to the exercise of a communication right: The data contained in the request and in documents attached thereto. The identifying data provided by the domain name holder in respect of whom the request is made: data identifying the holder and data identifying the administrative contact. Data for the management and connection generated by access via RDAP to the Whois database by authorised representatives of public authorities which have a communication right. The administrative and operational data on the domain name concerned for the public authorities in application of the law or for third parties in application of a court ruling.

5. How the data are collected:

Direct collection except for the registrant’s data which is an Indirect collection of data collected from the registrar

6. Nature of the data:

For applicants: obligatory, since without the data the request cannot be processed. For holders: erroneous identification data can lead to procedures calling their portfolio of domain names into question in application of the CPCE and of the Naming Charter

7. Recipients:

Regarding applicant’s personal data: The internal Afnic departments concerned.

Regarding personal data, object of the Request for disclosure of personal data: the applicant and, if any, his/her representative on the legal basis they invoke such as:

• For the pursuit of the applicant’s legitimate interests, while respecting the holder’s interests or fundamental rights and freedoms regarding the protection of his/her personal data (Article 6-1 (f) of the GDPR) ;
• In compliance with legal obligations and/or public service role authorizing investigative powers of public authorities (Article 6-1 (c) & Article 6-1 (e) of the GDPR)

The legal basis invoked by the applicant is in its sole responsibility; the applicant (or public authority) commits itself to receive and use the personal data received only for the purposes defined in its request on the legal basis invoked.

Regarding personal data of the applicant and, if any, his/her representative, exclusively in the case of applicant’s legitimate interests: the domain name holder as soon as he or she exercises his or her right to information data subjects right) received by Afnic before the data purge.

Management of Alternative Dispute Resolution (ADR) procedures

1. Purpose

Managing the mediation procedure enables Afnic to:

• allow claimants to instigate mediation by the registry to seek a negotiated solution to a dispute in application of the mediation regulations
• allow exchanges between the mediator, the parties and, where applicable, their representatives, and Afnic
• implement the negotiated solution: delete or transfer the domain name forming the object of the mediation
• manage the service: administration, security, information and statistics
• manage mediators: verification of skills and experience, handling of cases, appointment and end of assignment

2. Lawful basisIn performance of its public service role (Article 6-1 (e) of the GDPR) in application of the Agreement between the State/Afnic for the management of the .fr signed on 18 March 2022, Article L45-2 of the CPCE, the Naming Charter and the mediation procedure rules.
3. Duration:

Personal data processed for mediation cases: deletion of all data two months after date of implementation of the negotiated solution

Personal data of mediators in the context of the management of their assignments: deletion of all data one month after the end of the assignment, or later (i) with the express consent of the data subject, (ii) in the event of dispute or (iii) in application of legal obligations.

4. Categories of data processed:

For the parties to the mediation and their representatives if any:

• surname, first name, postal and email addresses, telephone number
• the exchanges
• the negotiated solution: written report and its implementation (deletion/transfer of the domain name forming the object of the mediation)

For the mediator:

• surname, first name, postal and email addresses, telephone number
• qualifications: skills and experience for acting as mediator
• information on impartiality and independence: verifications and declarations
• cases handled and exchanges for mediation procedures

For third parties: the information sent by the parties in the context of the exchanges under the mediation.

5. How the data are collected:

For the parties to the mediation and their representatives if any: direct collection

For the mediator: direct collection

For third-party data transmitted by the parties: indirect collection

6. Nature of the data:

For the parties to the mediation and their representatives if any: mandatory collection

For the mediator: mandatory collection

For third-party data transmitted by the parties: optional collection

7. Recipients:

The mediator for the exchanges aimed at finding the negotiated solution

The relevant internal departments of Afnic for management of the mediation procedure

The service provider in charge of hosting the afnic.fr website for sending request forms for mediation via the afnic.fr website: ECRITEL, registered with the Nanterre Trade & Companies Register under number 332 484 021, having its registered office at 84 Rue Villeneuve, 92110 Clichy, FRANCE

The registrar(s) affected by the implementation of the negotiated solution

8. Transfers outside the EU:

No, subject to the party’s or parties’ choice of service provider (representatives and/or registrars) established outside the EU. The appropriate guarantees for any such transfers are those taken out by said parties, the data controllers, with their service providers.

Management of reports of domain names that are unlawful or contrary to public order

1. Purpose:

The administrative processing of reports of domain names that are unlawful or contrary to public order allows Afnic to:

• Enable anyone, through a form available on www.afnic.fr, to report to Afnic a domain name of an unlawful nature or contrary to public order
• Generate statistics

2. Lawful basis:

In the performance of our public service role (Article 6-1 (e) of the GDPR): Arrangements to meet the requirement of a mechanism allowing anyone to bring to Afnic’s attention a domain name likely to be unlawful or contrary to public order. Articles L45-1 §1 and R20-44-39 of the CPCE

3. Duration:

Destruction of requests for reports of domain names and of their processing two months after the closing of verification operations classed as not pursued. For those pursued (judicially, extra-judicially or by Afnic), destruction once the procedures instigated have been completed and their legal prescription period has come to an end

4. Categories of data processed:

Data identifying the sender of sender of the report. Data on the report and its processing. Registrant : domain name reported.

5. How the data are collected:

Direct collection

6. Nature of the data:

The requirement of the data is regulatory, and without them the requests cannot be dealt with

7. Recipients:

The Afnic internal departments concerned. The competent public authorities

Management of Afnic’s Zonemaster web service

1. Purpose

The administrative processing of Afnic’s Zonemaster web service allows Afnic to:

• Manage the Zonemaster website offering the service of technical diagnostics of domain names
• Generate statistics on visits to the website
• Use the application error codes received by users to manage and improve the service
• Produce statistics on the domain names tested by users of Zonemaster
• Use the contents of requests (anonymised version) to manage and improve the service
• Receive and manage requests for contact and support via the website (messaging)
• Manage and coordinate all the developments of Zonemaster in collaborative mode
• Manage and propose historical records of all the tests carried out from the site on the domain name requested by the user

2. Lawful basis:

• Subject to consent (Article 6 – 1 (a) of the GDPR): by sending an email or using the services, the user consents to the processing of his or her personal data necessary to respond to his or her requests
• For holders of domain names: In performance of a public service role (Article 6-1 (e) of the GDPR): pursuant to Articles L45ff of the French Postal and Electronic Communications Code (CPCE), R20-44-39ff of the CPCE and the State-Afnic Agreement

3. Duration:

Destruction one year after the last contact or withdrawal of consent. Cookies are not kept beyond 13 months and are not renewed in the event of any new visits

4. Categories of data processed:

• Categories of data processed of users of the Zonemaster website: IP – Country – Browser – OS – Code and error message of the web server’s HTML response – Date and time of visit – Domain name tested – Results of the tests on the domain name (= analysis by Zonemaster engine of the public content of the domain name zone) – Test number – Date and time of the test – Diagnostic of the technical domain name test
• Categories of data processed of visitors to the Zonemaster website (test engine not used): IP – Country – Browser – OS – Code and error message of the web server HTML response – Date and time of visit
• Categories of data processed of persons contacting Afnic by email: Email address – Content of the message – Exchanges
• Categories of data processed of members of the Zonemaster project for its collaborative development: Information on the user’s public profile if he or she has an account with GitHub, Inc. (San Francisco): surname, first name, company, location, email, website – Exchanges with Afnic on the project space dedicated to Zonemaster and coordinated by Afnic

Categories of data processed of holders (natural persons) of the domain names tested IF identified: Domain name tested and all technical information relating to this domain name in the Zonemaster service

1. How the data are collected:

• For all categories of data except those of holders: Direct collection
• Categories of data processed of holders (natural persons) of the domain names tested IF identified: Indirect collection (DNS zone files)

2. Nature of the data:

Mandatory

3. Recipients:

Internal Afnic departments.  .

Management of satisfaction surveys for the .fr

1. Purpose

The administrative processing of <.fr> satisfaction surveys allows Afnic to:

• Manage satisfaction surveys of actual and potential holders of <.fr> domain names (or applications for online presence)
• Produce a study and statistics on the results of surveys once anonymised
• Draw up profiles of <.fr> holders
• Ascertain the reasons for registering a <.fr> domain name
• Ascertain the use made of <.fr> domain names
• Improve the quality of Afnic’s service in its public service role
• Identify causes of dissatisfaction so as to act on improvement levers
• Monitor Afnic’s progress in its commitments regarding the <.fr> TLD

2. Lawful basis:

In the performance of a public service role (Article 6 -1 (e) of the GDPR): in application of Article L45 of the CPCE and of the State-Afnic Agreement for the preparatory processing of the list of persons concerned contacted for the survey

Consent of the data subject on the occasion of first contact, with the immediate power to object to it (Article 6 – 1. (a) of the GDPR)

3. Duration:

• Database of the survey: destruction at the end of the survey
• Raw results: destruction upon receipt by the provider of confirmation of end of assignment
• Provider’s subcontractor: immediate destruction once the provision of the service has been completed
• No limit for anonymised results

4. Categories of data processed:

• Representatives of legal entity holders of <.fr> domain names: Name of the body, Surname and first name, Title, Position, Work email, Work telephone, Work postal address, Responses to the survey questionnaire
• Representatives of individual entity holders of <.fr> domain names: Surname and first name, Title, Occupation if possible, Email, Telephone, Responses to the survey questionnaire
• For non-holders of .fr domain names: Email, Responses to the survey questionnaire

5. How the data are collected:

Indirect collection: for data of holders via their registrars and for non holders, via a survey provider

6. Nature of the data:

Necessary for the conduct of the optional survey

7. Recipients:

Internal. Externally, the providers in charge of the survey. Any addressee for anonymised results

Management of personal rights and freedoms

1. Purpose

The administrative processing of personal rights and freedoms allows Afnic to:

• Manage requests to exercise the rights of access, objection, rectification and erasure of data, restriction of processing, the right to withdraw consent, to lodge a complaint with a supervisory authority and to lay down guidelines regarding the retention, erasure and communication of personal data in the event of death
• Manage requests for access to and erasure of personal data in the event of identity theft in registering a domain name

2. Lawful basis:

In compliance with legal obligations (Article 6-1 (c) of the GDPR): Chapter 3 of the GDPR

3. Duration:

One year in current files followed by three years in intermediate files in the event of the exercise of the right of objection

4. Categories of data processed:

Identification data. The request and its processing

5. How the data are collected:

Direct collection

6. Nature of the data:

The requirement for data is regulatory and failure to provide them may prevent the processing of the request

7. Recipients:

The Afnic internal departments concerned. The registrars responsible for the domain names concerned by the request, if any

Management of alerts under the French Data Protection Act and notifications of personal data breaches

1. Purpose

The administrative processing of alerts under the French Data Protection Act and notifications of personal data breaches allows Afnic to:

• Receive and act on the alerts received
• Analyse the alerts received, undertake any investigations that may be necessary of all pertinent persons and entities and produce reports/summaries
• Keep journals and monitor measures and actions
• Manage any notifications (CNIL (French Data Protection Agency) and data subjects)
• Manage any follow-ups decided on by Afnic
• Produce statistics on activity

2. Lawful basis:

In compliance with our legal obligations (Article 6-1 (c) of the GDPR) namely those resulting from Articles 32ff of the GDPR

3. Duration:

The data relating to a notification of a personal data breach are kept for ten years from the closing of the case.

4. Categories of data processed:

Identification data, work contact details, working life

Data concerned by alert or even data breach

In the event of a breach, the risk analyses, exchanges and follow-ups with data subjects

5. How the data are collected:

Direct and indirect collection depending on the data

6. Nature of the data:

The requirement of the data is necessary for the purposes

7. Recipients:

Departments charged with investigating and managing alerts and breaches. Depending on their respective needs, the following may receive all or part of the data:

• authorised members and agents of the CNIL;
• in the event of a notification concerning cross-border processing for which the CNIL is the leading authority, the data may be sent to the other data protection authorities concerned.
• Afnic’s partners concerned by the alerts or indeed data breaches