Whois

Personal data are published in the Whois online directory. Is this normal?

Home > Observatory and resources > Expert papers > Personal data are published in the Whois online directory. Is this normal?
04/22/2021

What is the Whois?

The directory service provided by Afnic for all the TLDs it manages: .fr (France) .re (Réunion Island), .yt (Mayotte), .pm (Saint-Pierre and Miquelon), .wf (Wallis and Futuna) and .tf (French Southern and Antarctic Lands).

The Whois database is designed to provide accurate administrative information on the holder of a domain name and the various contacts associated with it, as well as technical information relating to the domain name itself.

This information allows you to check the availability of a domain name, to contact its holder or to check your own registrations, etc.

Afnic defines and sets out the terms and conditions of this service in the Policy on publication and access to information and the domain name registration systems.

Yes, the Whois contains personal data

As a registry and in accordance with the provisions of the French Post and Electronic Communications Code, Afnic is tasked with collecting the information required to identify the natural or legal persons registering domain names from registrars, and consequently establishing the Whois database.

Principle of confidentiality of personal data

The principle is simple: the personal data of domain name holders who are natural persons are not published in the directory service available to the general public.

How does it work on a technical level?

When registering a domain name with a registrar, the holder selects “natural person” or “organisation”:

  • If they select “natural person”, the contact details of the holder are protected by confidentiality by default.
  • However, if they select “organisation”, the contact details are published in the directory service available online to the general public. This applies even in the specific cases where personal data are used to identify them where publication of this identifying information concerns legal persons and organisations is required to incur their professional legal liability for a trustworthy Internet.

Personal data are published in the Whois online directory. Is this normal? What should I do?

If the principle is so simple and clear, why are personal data found in the Whois online directory?

Personal contact data can be published in Whois in the cases described below.

For each case, information is given on the steps to take if this publication of personal data is not “normal”.

Scenarios of publication of personal dataCourses of action
Publication of personal data concerning the natural contact person for a domain name registered without their knowledgeProtect against identity theft:

The guide

The form

Publication of personal data concerning the contacts for a legal person

  • Best practices: when registering a domain name, the organisation enters the contact data using professional details only not connected to a natural person:
  • the name of the department instead of the first and last names of individuals;
  • the switchboard phone number, not that of an individual;
  • an alias for the email address.
Update the data with the domain name registrar, replacing personal data with company data (see the best practice reminder opposite)

 

 

Afnic encourages legal persons holding domain names to refrain from entering personal data when registering their domain name.

Publication of personal data for a domain name’s technical contactRequired for Internet resilience, technical information (technical contact – registrar contact details and DNS servers) are always published.

If possible, give the company data of the legal entity holder or those of the technical representative of the holder (its Internet provider, legal person).

Publication of personal data concerning the natural contact person with their prior consent obtained by the domain name registrarThe person concerned has requested publication of their data in order to be contacted. At any moment the person can retract this consent by contacting it’s registrar to benefit from the confidentiality of their personal data.
Publication of personal data concerning the natural contact person without their prior consent obtained by the domain name registrarThe holder concerned should contact their registrar to request application of restricted publication of their personal data associated with the holder contact and/or administrative contact for the domain name.

If the registrar fails to take action, contact Afnic.

Confidentiality and third party rights

The confidentiality of the personal registration data of natural holders of domain names is not absolute and ends where the rights of others begin in application of the French legal framework.

Afnic provides these personal data on legitimate request under the framework set out in the Naming Charter.