Everything there is to know about how Afnic processes your personal data

Principles & Commitments

In the context of your use of this website, Afnic processes personal data in accordance with the provisions of the French Post and Electronic Communications Code (hereinafter referred to by its French abbreviation “CPCE”) and those applicable to the protection of personal data and, in particular, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 applicable from 25 May 2018 (hereinafter the “General Data Protection Regulation” or “GDPR”).

Always available in the website footer, Afnic publishes the pages “Your Data” and updates them as and when necessary, to provide information relating to the processing of data of users of the website www.afnic.fr so as to ensure information and transparency regarding this processing.

Your personal data are processed by Afnic in a manner that ensures appropriate security in compliance with the legal framework relating to the protection of personal data, which are collected lawfully, fairly and in a transparent manner for specified, explicit and legitimate purposes and are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. These accurate, complete and where necessary updated data are kept for as long as necessary for the said purposes. 

Afnic limits its processing of personal data to what is strictly necessary and clearly indicates for each processing operation:

• Its purpose;
• Its lawful basis;
• Its duration;
• The categories of data processed;
• Whether the data are collected directly or indirectly;
• Whether the data collected are mandatory or optional;
• Their recipients;
• Any transfers outside the European Union (EU) with measures to adequately protect your data.

Afnic does not process your data for purposes of automated decision-taking or profiling. Subject to its research and development activities relevant to its public service missions. Afnic does not subsequently process your data for any purpose other than those defined.

Exercise of your rights and freedoms

It’s simple! 

1. Your rights
   As a data subject of at least one processing operation of the data of users of the website www.afnic.fr, you have rights and freedoms, namely the rights of access, objection, rectification and erasure of the data, the right to restrict processing, the right to withdraw your consent, if given, at any time, the right to lodge a complaint with a supervisory authority and the right to lay down guidelines for the retention, erasure and communication of personal data in the event of death.
2. Exercise your rights – Contact the DPO (Data Protection Officer)

Any information and/or any other exercise of your rights and freedoms as regards the processing of personal data by Afnic can be carried out:

• By email to dpo@afnic.fr
• By post to:

Afnic
À l’attention de la Déléguée à la protection des données
7 avenue du 8 mai 1945
78280 Guyancourt
France

List of processing operations

1. The list

The personal data processing operations carried out by Afnic on the website www.afnic.fr are for managing:

• The website and newsletters.
• Events.
• Administration of training registrations and learning paths.
• Prospecting database management.
• Management of members.
• Social networks.
• Checks on eligibility or reachability.
• Handle injunctions and orders for domain name operations.
• Establishing relations with the administrative contact.
• Lifting of anonymity, certificates of ownership and domain names history.
• Mediation.
• Alternative Dispute Resolution (ADR) procedures.
• Reports of domain names that are unlawful or contrary to public order.
• Afnic Labs.
• Applications for employment with Afnic.
• Personal rights and freedoms.
• Information systems security management (ISS).
• Management of alerts under the French Data Protection Act and notifications of personal data breaches.
• Management of disputes involving Afnic.
• Monitoring of Afnic IP prefixes on the Internet.

The description of each processing operation is available to you in the dedicated entries below or directly via the interactive table of contents.

For processing of personal data of holders of .fr, .re, .yt, .pm, .wf and .tf domain names, Afnic invites you to consult the information relating to the processing of holders’ data.

2. Understanding the description of a processing operation

In order to provide comprehensible and simple access, Afnic presents the information relating to each processing operation in the form of a fact sheet in accordance with the following model:

Name of the processing operation

1. Purpose: Afnic processes your data for specified, explicit and legitimate purposes
2. Lawful basis: The processing is necessarily on one of the following lawful bases:

• Your consent (Article 6-1 (a) of the GDPR) 
• In performance of a contract with the data subject or in preparation for such contract (Article 6-1 (b) of the GDPR)
• In compliance with our legal obligations (Article 6-1 (c) of the GDPR)
• To protect your vital interests or those of a third party (Article 6-1 (d) of the GDPR)
• In the performance of our public service role (Article 6-1 (e) of the GDPR)
• For the pursuit of our legitimate interests or those of a third party, while respecting your interests or fundamental rights and freedoms regarding the protection of your personal data (Article 6-1 (f) of the GDPR)

3. Duration not exceeding that necessary for the purposes defined; this total duration is the duration of active retention plus that of subsequent retention in the archives
4. Categories of data processed adequate, relevant and limited to what is necessary in relation to the purposes defined (data minimisation);
5. How the data are collected:

• Direct collection, the data are collected from you 
• Indirect collection, the data are collected from a third party identified and authorised to communicate your data to us

6. Nature of the data: they may be required (pursuant to a legal requirement, for a contract, etc.) or optional, in many cases with consequences if they are not provided.
7. Recipients: the natural or legal person, public authority, department or any other body that receives communication of your data, whether or not from a third party
8. Transfers outside the EU: this refers to the possibility of your data being transmitted to a recipient in a third country or an international organisation subject to adequate protection measures. A copy of these measures can be sent to you upon request to juridique@afnic.fr

The description of each processing operation is available to you in the dedicated entries below or directly via the interactive table of contents.

Management of the website and newsletters

1. Purpose

Administrative processing of the website and newsletters allows Afnic to communicate about itself, its products, its services and items of topical interest. It comprises the following sub-purposes: 

– Presentation of Afnic news, events and figures 

– Administration of subscriptions to the newsletter and registrations for news bulletins

– Management of requests for contacts

– Presentation of the association, the technology watch, new members and invoicing

– Presentation of domain names, TLDs and information on how to register domain names and obtain accreditation

– Consultation of the Whois database, 

– Documentation (register interface, training, FAQ, lexicon, legal and technical references, useful links, other information)

– Subscription form for list of information for the press, press releases

– Public consultation space on Afnic projects 

– Exchange space (comments on blogs)

– Proposing diagnostics of online presence and action plan based on the results 

– Provision of advice, resources and content in various formats

– Relaying partner information and events

– Collecting personal data in return for download of content on the ‘.brand’ (white paper, study, issue paper) in order to (i) collect contact details of persons interested in the content, (ii) invite to events and offer services related to the management of a TLD registry, (iii) transmit the collected data to the partner only for the Internet user coming from the partner’s website and and (iv) gather leads and allow subsequent marketing in the context of ICANN’s next gTLD round.

– Organizing webinars

2. Lawful basis: Consent (Article 6-1 (a) of the GDPR): by completing the forms available on the website (registration, subscription, etc.) or by participating in or contacting or questioning Afnic by electronic means, by registering for a webinar offered by Afnic. In execution of a contract (art. 6 – 1. b/ of the RGPD) i.e. the general and special conditions of the website relating to the service used.
3. Duration: Deletion (i) unless appealed against, one year after the end of the processing of the request expressed in the form, (ii) one year after the last contact, (iii) for data processed in exchange for the content on the .brand, after the launch of ICANN’s next gTLD round, or (iii) upon withdrawal of your consent. 

There is no limit of duration for data contributed to public consultations once they have been anonymised.

Data processed in the event of registration for an Afnic webinar: deletion with the webinar. If retained, comments are anonymized.

4. Categories of data processed: Your identifying data. Any data from exchanges (correspondence) and those needed to provide our communication services. In the context of downloading the content on .brand, the data processed includes: the date of downloading the content and, for Internet users coming from a partner website, the partner website.Data processed in the event of registration for an Afnic webinar: registration, participation and, where applicable, notes and comments.
5. How the data are collected: Direct collection.

6. Nature of the data: Necessary for the provision of the communication services concerned.

7. Recipients:

The Afnic internal departments concerned. Our service providers access only such data as fall within the scope of the purposes that are subcontracted: 

For the hosting of the website: Ecritel, 84 Rue Villeneuve, 92110 Clichy, registered with the Nanterre Trade & Companies Register under No 332 484 021 https://www.ecritel.fr/fr/.

For the management, maintenance of the website and Afnic’social networking: SPINTANK, 32 Rue Alexandre Dumas, 75011 Paris – SIRET 490 067022 00049 – https://spintank.fr/.

For the routing of newsletters/e-mails: Sarbacane Software, 3 avenue Antoine Pinay, Parc d’activités des 4 vents, 59510 Hem, France registered with the Lille Métropole Trade & Companies Register under No. 509 568 598 – https://www.sarbacane.com.

For Internet user coming from a partner website, the partner is the recipient of this Internet user’s data collected in return for downloading the white paper on the .brand.

Provider for video hosting on YouTube (service provided by Google LLC via Google Ireland Limited, company under the Irish laws 368047/ AVT N°: IE6388047V) Gordon House, Barrow Street Dublin 4 Irlande): autonomous data controller whose Privacy Policy is published at this address: https://policies.google.com/privacy?hl=fr.

For webinars, Afnic can use the webikeo solution from webikeo SAS, registered in the Aix-en-Provence Trade and Companies Register since November 14, 2008 under number B 508 973 161 and whose registered office is located at 1940 ROUTE DE LOQUI 13100 AIX-EN-PROVENCE FRANCE.

8. Transfers outside the EU

No, apart from what is published on the website which is by its nature accessible without territorial limit.

Management of events

1. Purpose

The administrative processing of events allows Afnic to:

• Organise and manage internal or external communication events in France or abroad 
• Send invitations 
• Produce communication material and disseminate it in all media and formats
• Assess participants’ satisfaction after the events

2. Lawful basis: The consent (Article 6-1 (a) of the GDPR) given by those invited to attend the event. In performance of the contract entered into (Article 6-1 (b) of the GDPR) by persons in the context of the event in the case of exploitation of image, voice, interview.

3. Duration: Three years from the last event in which the data subject took part. In the case of exploitation of image, voice, interview: the duration provided in the contract authorising exploitation.

4. Categories of data processed: Your identifying data. The data of any exchanges (correspondence) and any data authorised for exploitation for the event.

5. How the data are collected: Direct collection.

6. Nature of the data: Necessary for the provision of the services concerned.

7. Recipients: Afnic internal departments.

Provider of the « Eventmaker » event management software application (sending of invitations, personalised website, logistical management of participants): EVENTMAKER (registered with the Paris Trade & Companies Register under No. 512 747 676; address: 38, rue Laffitte, 75009 Paris, France).

Provider of the solution for assessing participant’s satisfaction with events: SurveyMonkey Europe UC (CRO Ireland No.: 532327; address: 2nd Floor, 2 Shelbourne Buildings, Shelbourne Road, Ballsbridge, Dublin 4, Ireland).

8. Transfers outside the EU: No, apart from what is published on the website which is by its nature accessible without territorial limit.

Administration of training registrations and learning paths

1. Purpose

The computerised processing of the administration of training registrations and learning paths allows Afnic to:

• provide participants with all the documents they need to follow their chosen learning path (registration, notification, attendance records, satisfaction questionnaire);
• manage participant testimonials
• manage trainers and speakers;
• obtain some of the documents needed for Qualiopi certification; and
• present the auditor with a learning path for purposes of Qualiopi certification.

2. Lawful basis: Fulfilment of legal obligations (Article 6-1 (c) of the GDPR) namely those resulting from the professional training delivered by Afnic, a Qualiopi-certified training institution.

   On the basis of consent (Article 6(1)(a) of the GDPR) for the publication of non-anonymized participant testimonials: prior consent collected from the participant via a dedicated form

3. Duration: Four years, of which one year active retention and three years retention in the archives (duration of the Qualiopi certification cycle). Testimonial data: as long as the training is offered by AFNIC or within a maximum of 15 business days from the withdrawal of consent by the data subject.
4. Categories of data processed:

Identifying and contact data: first name, surname, email address;

Data for managing the training programme: status (student/ speaker), occupation, professional needs and plans relating to the training, course (title, date, place, modalities, certification, etc.), presence or absence, evaluation, satisfaction;

Data for managing the questionnaires and attendance:

Email address, Surname, First name, IP address, Organisation, Password, Device model, Browser, Signature, Professional title, Telephone number, Training sessions (Title, dates, room).

Data specific to trainers/speakers: CV, trainer’s/speaker’s contract, planning, evaluation.

Testimonial data: first name, last name, company name, training attended, and testimonial.

5. How the data are collected: directly, or indirectly via the employer.
6. Nature of the data: Those necessary for the training programme.
7. Recipients:

For the attainment of strategic and operational objectives, the employer ordering training services from Afnic.

For the management of the questionnaires and of attendance, Edusign and its sub-contractors for the digital attendance solution:

SIRET No.: 88206416500013 – 1 Rue du Prieure 78100 Saint-Germain-en-Laye, Website: www.edusign.com

8. Transfers outside the EU: Transfer to the USA in the context of the operations sub-contracted to EDUSIGN for the following purposes as regards user data: Support and data processing, Emailing, Analytics. Data protection for these transfers is put in place by EDUSIGN with its sub-contractors.

Prospecting database management

1. Purpose

Prospect management processing enables Afnic to:

– Management and prospecting of future business partners and/or legal entities who may be interested in Afnic’s products and services, and in particular in the acquisition of domain names in the TLDs managed or operated by Afnic.

– Communication, sending newsletters, invitations to various events organized by Afnic

2. Lawful basis: On consent of the B2B contact (art. 6 – 1. a/ of the RGPD)
3. Duration: Retention for the duration of the prospecting operation or until consent is withdrawn. Deletion no more than one year after the last contact or when a prospect has not responded to two successive solicitations, and failing that, deletion no more than three years after the last contact.
4. Categories of data processed: First and last name, e-mail address, telephone number, company/employer, city of residence, photographs of contacts (if applicable)

Contact information for users of Webikeo’s online videoconferencing services reserved for professionals participating in Afnic’s webinars live or via replay

Contact information for professionals who may be interested in Afnic’s services via the INFOTRADE service provider: last name, first name, title, position in the company, professional email address and telephone number.

5. How the data are collected: Direct or indirectly (database purchase or via third-party solutions)
6. Nature of the data: Necessary
7. Recipients:

– Indirect prospecting providers

* AMLAUDIT&SOLUTIONS, publisher of the “D-ANA” B2B commercial prospecting solution: customer targeting, export of B2B prospecting files, referencing of prospecting actions (absent prospect, hot prospect, etc.).

*INFOTRADE, owner of the Sparklane database and publisher of the PREDICT software solution.

* Webikeo (part of the Infopro Digital group), a simplified joint-stock company with capital of 1,286 euros, registered in the Aix-en-Provence Trade and Companies Register since November 14, 2008 under number B 508 973 161, with its head office at 1940 ROUTE DE LOQUI 13100 AIX-EN-PROVENCE, France.

– Where applicable, technical service providers.

8. Transfers outside the EU: No

Management of members

1. Purpose

The administrative processing of members allows Afnic to:

– receive and administer membership applications and requests for other information in particular via the extranet member’s area https://membres.afnic.fr/;

– register and update the individual information needed for the administration of members, in particular the management of subscriptions, in accordance with the statutory provisions governing the data subjects;

– establish statistical statements or lists of members or contacts to respond to management needs, specifically with a view to sending bulletins, invitations, preparatory documents for meetings of association governance bodies and newsletters. Where these lists are selective, the criteria used are objective and based exclusively on characteristics corresponding to Afnic’s corporate object;

– to establish directories of members, including directories made available to the public on the Internet;

– to carry out prospecting actions with members and potential members by any means of communication. For online communication, processing of connection data may be carried out for purely statistical purposes.

– provide and manage the collaborative platform https://asso.afnic.fr/

– to organise the remote participation in meetings of association governance bodies and the implementation of online voting in this context (functioning of the election and issue of anonymised statistics);

– to grant remuneration to elected trustees who request it (means of remuneration, payment and transparency in General Meeting);

• to communicate the complete list of domain names subject to prior review.

2. Lawful basis:

Performance of the contract (Article 6-1 (b) of the GDPR) namely the membership contract established by online subscription which includes acceptance of Afnic’s Articles of Association and Internal Association Regulations as well as the terms and conditions of use of the online areas dedicated to members.

Fulfilment of Afnic’s legal obligations as an association (Article 6-1 (c) of the GDPR)

Performance of a public service (Article 6-1 (e) of the GDPR) vested in Afnic under Article L211-4, 2) of the Heritage Code (public archives) and the legal framework of access to administrative documents (Code of relations between the public and the administration)

3. Duration:

– Civil status, Identity, Identification data: For members, data are retained for three years from the end of membership or longer (i) with the express consent of the data subject, (ii) in the event of dispute or (iii) in fulfilment of legal obligations and/or public service missions. For trustees, data are retained for six years from the end of the term of office or longer (i) with the express consent of the data subject, (ii) in the event of dispute or (iii) in fulfilment of legal obligations and/or public service missions. For membership applications or requests for information that are not followed up, the data are eliminated one year after the last exchange.

The membership account on the Extranet is purged one year after its closure.

– Data on the administrative life of the association: For members, data are retained for three years from the end of membership or longer (i) with the express consent of the data subject, (ii) in the event of dispute or (iii) in fulfilment of legal obligations and/or public service missions. For trustees, data are retained for six years from the end of the term of office or longer (i) with the express consent of the data subject, (ii) in the event of dispute or (iii) in fulfilment of legal obligations and/or public service missions.

– Data on the collaborative life of the association via asso.afnic.fr : At the end of membership or of access to the platform for other users, deactivation of the account with anonymization for the conservation of contributions for an unlimited period.

– Data relating to electronic voting (Belenios solution installed on Afnic server):

Voting cookies: Once the elector has finished voting, all identifying information is eliminated.

Public data, data on trustees and server data: (i) data are retained on the Afnic server before, during and for one week after the end of the election (vote counting) except for the general server connection logs and the security.log file, which are deleted two weeks after the votes are counted. (ii) They are retained in the archives for the duration of the term of office – four years from the vote counting (iii) They are then purged.

Unlimited duration: statistical election data (non-identifying data)

4. Categories of data processed: Civil status, Identity, Identification data; Data on the administrative life of the association; Data on the collaborative life of the association via asso.afnic.fr; Data needed for electronic voting (Belenios solution installed on Afnic server)
5. How the data are collected: Directly
6. Nature of the data: Only such data as are necessary for the stated purposes.
7. Recipients:

– Civil status, Identity, Identification data: The persons statutorily responsible for managing the association. The departments responsible for administering and managing members. Members, for a detailed version of their directory. The public for the publication in the directory of members showing only first name, surname and organisation. The public for the publication of reports of governing bodies showing only first name, surname and organisation. The public in the case of application of the Patrimony Code and the framework of access to administrative documents. The data subject in the case of application of the framework of access to administrative documents.

– Data on the administrative life of the association: The persons statutorily responsible for managing the association. The departments responsible for administering and managing members. The public in the case of application of the Patrimony Code and the framework of access to administrative documents. The data subject in the case of application of the framework of access to administrative documents.

– Data on the collaborative life of the association via asso.afnic.fr : Area reserved for members and authorized afnicians employees committed to the confidentiality of data appearing on the platform The provider of the Jamespot.Pro web platform, a corporate social network and intranet published and maintained by JAMESPOT, a SAS registered with the Bobigny Trade and Companies Register on July 20, 2005 – Number: 483321378 and whose registered office is located at 66, rue Marceau – Bâtiment C’ 93100 Montreuil Telephone: 01 48 58 18 01 Email: info@jamespot.com. The public in the event of application of the heritage code and the framework for access to administrative documents. The person concerned in the event of application of the framework for access to administrative documents

– Data relating to electronic voting (Belenios solution installed on Afnic server): Election manager: Data on the manager and public data. Managers of the Afnic election server: Data on the manager, server data and public data. Accessible to electors: public data. Access to archived data: electors on request to allow them to check the result and verify its consistency with the election bulletin figures and the election manager.

8. Transfers outside the EU: No

Management of Afnic’s social network accounts

1. Purpose

The administrative processing of its social network accounts allows Afnic to:

• Administer the accounts technically (creation, publications) 
• Use social networks to access our content published on these networks 
• Interact (publicly or through private messaging) with subscribers and other users of the platforms 
• Increase Afnic’s visibility and that of its activity and its websites
• Prepare usage statistics

2. Lawful basis: The pursuit of Afnic’s legitimate interests, while respecting the fundamental rights and freedoms regarding the protection of personal data (Article 6-1 (f) of the GDPR)
3. Duration: The data are stored for as long as the social network concerned exists, unless the user exercises the right of erasure or objection. 

Afnic does not configure and does not have data concerning you from the accounts and cookies operated by social networks. Consequently, only those responsible for these networks can respond to technical requests concerning the cookies used and the exercise of your personal rights.

4. Categories of data processed: Data visible by default on social networks. Data made public by the user in the context of the configuration of his or her account on each of the social networks. Data on use of the social network for the production of anonymous statistics
5. How the data are collected: Direct and indirect collection
6. Nature of the data: Necessary in the case of voluntary access by the user to our available content and interaction with the user
7. Recipients: For information publicised by the user, the public at large; otherwise only authorised persons in Afnic
8. Transfers outside the EU: No, apart from what is published on social networks which is accessible without territorial limit. The data needed to prepare statistics may be processed outside the European Union, depending on the data management policy put in place by the person responsible for each social network.

Management of verifications regarding eligibility or contactability of a domain name holder

1. Purpose

Administrative processing of requests for verification of eligibility or contactability of a domain name holder allows Afnic to: 

– Manage the checks initiated by Afnic in the context of its public service responsibilities.

– Allow a third party to ask the registry to verify the eligibility and/or contactability criteria.

– Manage and process Notifications/Report Forms relating to requests for verification of eligibility and/or reachability.

– Assess the reliability of documents provided as proof of domain name registration data.

– Generate statistics.

2. Lawful basis: In the performance of our public service role (Article 6-1 (e) of the GDPR): Articles L45-3 and 45-5 of the CPCE. Naming policy and other applicable policies.

3. Duration: Data relating to a verification is destroyed by Afnic: (i) within two (2) months of the closure of the verification operations when the alert is not followed by the deletion of domain name(s), judicial or extra-judicial proceedings or any action taken by Afnic OR (ii) within six (6) months of the closure of the verification operations that led to the deletion of domain name(s) when the alert is not followed by judicial or extra-judicial proceedings or any action taken by Afnic. For those pursued (judicially, extra-judicially or by Afnic), destruction once the procedures instigated have been completed and their legal prescription period has come to an end.

4. Categories of data processed: For the applicant: Last name, first name, email address, company name, phone number, postal address. Verification-related exchanges.

   For the domain name holder:

   • Registration data, and in particular:
     • The country: it must be eligible under the naming charter
     • The phone number: it must have a syntactically correct format
     • The email address: it must have a properly configured mail server
     • The composition of the domain name: it must not include the term “gouv”, strictly reserved for the French government
     • The re-registration of the domain name within the month following its deletion for lack of eligibility or reachability
   • Proof of eligibility and/or reachability
   • If applicable, reliability assessment report of the document
   • Verification-related exchanges

   
   

5. How the data are collected: Direct collection.

6. Nature of the data: The requirement of the data is regulatory. For the applicant, failure to provide the data prevents the request from being processed.
   For domain name holders, the failure to provide correct data may result in (i) the automatic suspension of the domain name’s publication in the DNS at the time of registration and (ii) the deletion of their domain name portfolio as part of the justification procedure provided for in the naming charter (cf. Article 3.2).

   
   

7. Recipients: The internal Afnic departments concerned. The registrar of the domain name concerned. The applicant and his or her representative receive the result of the procedure. The public consulting the Whois online directory of domain names sees the result of the procedure.
   Afnic’s subcontractor for the instant assessment of supporting documents provided to Afnic as part of the justification procedure, namely FINOVOX (SIREN: 878 381 961), 92 bd de la république, Saint-Cloud 92210, finovox.com.

Handle injunctions and orders for domain name operations

1. Purpose

Administrative processing to handle injunctions/requests and orders for domain name operations allows Afnic to:

• Receiving and managing injunctions from authorized public authorities (e.g., legal basis)
• Receiving and managing court orders
• Taking action on domain names in accordance with injunctions and orders
• Exchanges relating to the implementation of injunctions and orders
• Compiling anonymized statistics

2. Lawful basis:

In accordance with our legal obligations (Art. 6 – 1. c/ of the GDPR), namely (i) for orders issued by the DGCCRF (French Directorate General for Competition, Consumer Affairs and Fraud Control), Article L45-2 of the French Postal and Electronic Communications Code and §C of 2° of Article L.521-3-1 of the French Consumer Code, (ii) for requests from the ANSSI, Article L. 2321-2-3 of the Defense Code, and (iii) for orders, the applicable code of procedure.

3. Duration:

Retention in active database for the entire duration of the required measures. Transfer to archive database at the end of processing for a period of 5 years.

For exchanges, retention in active database for the entire duration of the required measures + 2 months, then purging.

Domain name operations: indefinite duration in the registry database.

4. Categories of data processed:

For injunctions and requests: the identifying details of the person making the request, the domain name subject to the injunction/request, the context of the injunction/request, the signature and identity of the representative of the public authority

For orders: the identifying details of the judicial officer and representatives of the judiciary, the domain name subject to the order, details of the applicant and their representative, the context of the order

For operations on the domain name following an injunction/request: blocking and/or deletion and/or transfer of the domain name to the competent authority; dates of operations carried out

For the enforcement of orders: freezing of the domain name, blocking of the domain name, deletion of the domain name, transmission to the applicant of the identifying data of the domain name holder; dates of operations carried out

Exchanges relating to the implementation of injunctions/requests and orders

5. How the data are collected:

Direct collection for representatives of public authorities and judicial bodies. Indirect collection for data relating to the holder and parties to disputes

6. Nature of the data:

The data requirement is mandatory and necessary for Afnic to implement injunctions/requests and orders.

7. Recipients:

The relevant internal departments of Afnic. The registrar of the domain name concerned. The beneficiary specified in the order requesting Afnic to transmit the identifying data of the domain name holder.

Management of introductions to administrative contacts

1. Purpose

The processing of introductions to administrative contacts allows Afnic to: 

– Put a third party in touch with the administrative contact of a domain name when the holder’s data are subject to restricted publication

– Enable third parties to send a message to the administrative contact via an interface on the website www.afnic.fr

– Generate statistics

2. Lawful basis: For the sender of the message, is/her consent (Article 6-1 (a) of the GDPR). For the administrative contact:  In the performance of our public service role (Article 6-1 (e) of the GDPR): Arrangements for meeting the requirements of permanence, quality, availability and security of the registration service. Articles L45-1 §1 and R20-44-39 of the CPCE
3. Duration: One year
4. Categories of data processed: Data identifying the third party, sender of the message. Connection data of the third party, sender of the message.
5. How the data are collected: Direct collection
6. Nature of the data: For the third party, sender of the message, his or her identification data are necessary for the use of the contact interface.
7. Recipients: Afnic forwarding the message. The administrative contact, holder is the sole recipient of the message sent by the third party

Management of requests for disclosure of personal data (lifting of anonymity), for certificates of ownership and for domain names history

1. Purpose

The administrative processing of requests for disclosure of personal data or lifting of anonymity allows Afnic to: 

• Reveal the identity and contact details of a private individual domain name holder subject to restricted publication upon well-grounded request of a third party. 
  • For the pursuit of the applicant’s legitimate interests, while respecting the holder’s interests or fundamental rights and freedoms regarding the protection of his/her personal data (Article 6-1 (f) of the GDPR) ; Afnic recognizes such interest when the domain name is an identical or nearly identical reproduction of: (i) a previously registered trademark protected in France, (ii) a previously registered distinctive sign (company name, business name, trading name or logo protected in France, domain name), (iii) a previously registered title protected by French copyright law, (iv) a family name or pseudonym. Afnic’s examination focuses particularly on the similarity of the signs and does not extend to the content of websites.
• Reveal the identity and contact details provided by the domain name holder and subject to restricted publication (holder’s data and administrative contact’s data) in response to the exercise of a communication right.
  • In compliance with legal obligations and/or public service role (Article 6-1 (c) & Article 6-1 (e) of the GDPR) authorizing investigative powers of public authorities

– Manage user accounts of individuals who represent public authorities

– Attest the identity of the registrant and communicate the history of his/her/its domain name portfolio during his/her/its period(s) of ownership (certificate of ownership and domain names history)

– Manage requests and generate statistics

2. Lawful basis: In performance of its public service role (Article 6-1 (e) of the GDPR) in application of Article L45-2 of the CPCE and of the registry policies
3. Duration: Six months, then deleted. Data for the management and connection generated by access via RDAP: 1/ In active records, for the duration of the user account ; in archive database, 5 years upon the end of the contract with the public authority ; 2/ The data present in the logs:: sliding six months  then deleted.
4. Categories of data processed: The data identifying the applicants and their representatives. In the case of applicant’s legitimate interests: the data contained in the form and in documents attached thereto. The processing of the form. The data identifying the domain name holder in respect of whom the request is made. In response to the exercise of a communication right: The data contained in the request and in documents attached thereto. The identifying data provided by the domain name holder in respect of whom the request is made: data identifying the holder and data identifying the administrative contact. Data for the management and connection generated by access via RDAP to the Whois database by authorised representatives of public authorities which have a communication right. The administrative and operational data on the domain name concerned for the public authorities in application of the law or for third parties in application of a court ruling. For certificate of ownership and domain names history: ownership data and domain names portfolio history during the period of ownership
5. How the data are collected: Direct collection except for the registrant’s data which is an Indirect collection of data collected from the registrar
   
6. Nature of the data: For applicants: obligatory, since without the data the request cannot be processed. For holders: erroneous identification data can lead to procedures calling their portfolio of domain names into question in application of the CPCE and of the Naming Charter
7. Recipients: Regarding applicant’s personal data: The internal Afnic departments concerned. Regarding personal data, object of the Request for disclosure of personal data: the applicant and, if any, his/her representative on the legal basis they invoke such as:* For the pursuit of the applicant’s legitimate interests, while respecting the holder’s interests or fundamental rights and freedoms regarding the protection of his/her personal data (Article 6-1 (f) of the GDPR) ;* In compliance with legal obligations and/or public service role authorizing investigative powers of public authorities (Article 6-1 (c) & Article 6-1 (e) of the GDPR)=> The legal basis invoked by the applicant is in its sole responsibility; the applicant (or public authority) commits itself to receive and use the personal data received only for the purposes defined in its request on the legal basis invoked.Regarding personal data of the applicant and, if any, his/her representative exclusively in the case of applicant’s legitimate interests: the domain name holder as soon as he or she exercises his or her right to information data subjects right) received by Afnic before the data purge.

Management of the mediation procedure

1. Purpose

Managing the mediation procedure enables Afnic to:

• allow claimants to instigate mediation by the registry to seek a negotiated solution to a dispute in application of the mediation regulations
• allow exchanges between the mediator, the parties and, where applicable, their representatives, and Afnic
• implement the negotiated solution: delete or transfer the domain name forming the object of the mediation
• manage the service: administration, security, information and statistics
• manage the satisfaction surveys:
  • Prepare survey to improve mediation service
  • Send out survey invitations
  • Collect anonymized responses
  • Generate statistics on anonymized survey results
  • Publish anonymized survey results
• manage mediators: verification of skills and experience, handling of cases, appointment and end of assignment

2. Lawful basis: In performance of its public service role (Article 6-1 (e) of the GDPR) in application of the Agreement between the State/Afnic for the management of the .fr signed on 18 March 2022, Article L45-2 of the CPCE, the Naming Charter and the mediation procedure rules.Participation in the satisfaction survey: Consent of the data subject, who may optionally complete the satisfaction questionnaire after the mediation has ended (art. 6 -1. a/ of the RGPD).
3. Duration:

Personal data processed for mediation cases: retention in active database for up to two months from the date of implementation of the negotiated solution or administrative closure, then retention of the request, the consent form and the recor in archive database for 5 years before purge.

Personal data of mediators in the context of the management of their assignments: deletion of all data one month after the end of the assignment, or later (i) with the express consent of the data subject, (ii) in the event of dispute or (iii) in application of legal obligations.

Personal data of satisfaction survey participants:

• Survey invitation data: purged two months after the last exchange.
• Survey results and statistics: by their very nature, these do not contain any personal data. Anonymized if necessary.
• FRAMASOFT Matomo tracker: 13 months for the unique identifier, data collected is anonymized and kept for 6 months.

4. Categories of data processed:

For the parties to the mediation and their representatives if any:

– surname, first name, postal and email addresses, telephone number

– the exchanges

– the negotiated solution: written report and its implementation (deletion/transfer of the domain name forming the object of the mediation)

Satisfaction survey participant data :

– E-mail address

– Survey answers

– FRAMASOFT Matomo trackers: Matomo generates a cookie with a unique identifier. The data collected (IP address, User-Agent…) is anonymized.

For the mediator:

– surname, first name, postal and email addresses, telephone number

– qualifications: skills and experience for acting as mediator

– information on impartiality and independence: verifications and declarations

– cases handled and exchanges for mediation procedures

For third parties: the information sent by the parties in the context of the exchanges under the mediation.

5. How the data are collected:

For the parties to the mediation and their representatives if any: direct collection

For satisfaction survey participant data: Direct collection

For the mediator: direct collection

For third-party data transmitted by the parties: indirect collection

6. Nature of the data:

For the parties to the mediation and their representatives if any: mandatory collection

For satisfaction survey participant data: optional subject to * survey requirements

For the mediator: mandatory collection

For third-party data transmitted by the parties: optional collection

7. Recipients:

The mediator for the exchanges aimed at finding the negotiated solution

The relevant internal departments of Afnic for management of the mediation procedure

The service provider in charge of hosting the afnic.fr website for sending request forms for mediation via the afnic.fr website: ECRITEL, registered with the Nanterre Trade & Companies Register under number 332 484 021, having its registered office at 84 Rue Villeneuve, 92110 Clichy, FRANCE

The registrar(s) affected by the implementation of the negotiated solution

To manage the satisfaction survey:

– In-house: people in charge of processing

– FRAMAFORMS survey tool published by the service provider FRAMASOFT – Association loi 1901 declared at the Arles sub-prefecture on December 2, 2003 under n° 0132007842 – Siret n°: 500 715 776 00026 – c/o Locaux Motiv at 10 bis rue Jangot, 69007 Lyon.

– FRAMASOFT data hosting subcontractor: Hetzner Online GmbH Industriestr. 25, 91710 Gunzenhausen, Germany

– Public: All recipients of anonymized survey results and statistics

8. Transfers outside the EU:

No, subject to the party’s or parties’ choice of service provider (representatives and/or registrars) established outside the EU. The appropriate guarantees for any such transfers are those taken out by said parties, the data controllers, with their service providers.

Management of Alternative Dispute Resolution (ADR) procedures

1. Purpose

The administrative processing of ADR procedures allows Afnic to:

– Enable a third party to call upon Afnic to demand the transfer or deletion of a domain name

– Enable a domain name holder subject to an ADR procedure to respond

– Manage the service alone (Afnic for SYRELI) or with the Centre (WIPO for EXPERT ADR EXPERT): administration, security, information and statistics

– Access the platforms (experts and those involved in the procedure)

– Manage the experts and persons involved

2. Lawful basis: In the performance of our public service role (Article 6-1 (e) of the GDPR): Article L45-6 of the CPCE. Naming Charter and ADR Regulations
3. Duration:

– Data relating to user accounts: Destroyed two months after their creation if no case file is opened OR destroyed after one year of inactivity from the last case file transferred to “CLOSED” status OR destroyed on demand

– Data relating to Support/College, Admin (Admin Afnic, Admin WIPO, Admin Accounting and Superadmin) and Expert accounts: Destruction upon resignation, removal or departure or later (i) with the express consent of the data subject, (ii) in the event of dispute or (iii) in fulfilment of legal obligations

– Data relating to case files of Claimants, Holders, their representatives and, if applicable, the personal data of third parties: Data relating to a procedure are retained on a current basis by Afnic for a period of two months from the closure of the procedure when this is not followed by a judicial or extra-judicial procedure or any action instigated by or against Afnic. In the case of a judicial or extra-judicial procedure or a procedure instigated by Afnic against a respondent, the data relating to the procedure are retained by Afnic for the duration of the procedure and until the means of appeal are exhausted. Following the end of the processing on a current basis, data are retained, in archives, for ten years before being destroyed. Data are not retained by the Experts or by the WIPO Centre.

– Personal data of the Experts and other Participants in the procedure: Apart from the data published in the context of the publication of decisions handed down and advertising of the activity of the ADR: upon resignation, removal or departure or longer (i) with the express consent of the data subject, (ii) in the event of dispute or (iii) in fulfilment of legal obligations.

Rulings publicised after anonymisation.

4. Categories of data processed: Identifying data. Data from ADR files (pleas, exhibits, exchanges, etc.) and their processing (report, ruling, etc.).
5. How the data are collected: Direct collection
6. Nature of the data: Necessary. Erroneous identification or contact data will prevent receipt of the entire proceedings online. The domain name holder is free to respond to an ADR file. In any case the ADR ruling will be enforceable vis-à-vis the holder (see ADR Regulations)
7. 7. Recipients: The internal Afnic departments concerned. The plaintiff, the holder and the representatives if any. The registrar in charge of the domain name forming the object of the ADR proceedings. If the plaintiff lodges the application with EXPERT ADR: The designated expert and the relevant departments of the WIPO Arbitration and Mediation Centre. The public as regards the ADR ruling
8. Transfers outside the EU: In the case of a EXPERT ADR file, the recipient is the WIPO Arbitration and Mediation Centre, established in Switzerland as co-administrator of the EXPERT ADR procedure with Afnic. Means of ensuring adequate protection: Switzerland is a country recognised by the European Commission as offering a sufficient level of protection for personal data

Management of reports of domain names that are unlawful or contrary to public order

1. Purpose: The administrative processing of reports of domain names that are unlawful or contrary to public order allows Afnic to:

– Enable anyone, through a form available on www.afnic.fr, to report to Afnic a domain name of an unlawful nature or contrary to public order

– Generate statistics

2. Lawful basis: In the performance of our public service role (Article 6-1 (e) of the GDPR): Arrangements to meet the requirement of a mechanism allowing anyone to bring to Afnic’s attention a domain name likely to be unlawful or contrary to public order. Articles L45-1 §1 and R20-44-39 of the CPCE
3. Duration: Destruction of requests for verification and of their processing two months after the end of the processing or the closing of verification operations classed as not pursued. For those pursued (judicially, extra-judicially or by Afnic), destruction once the procedures instigated have been completed and their legal prescription period has come to an end
4. Categories of data processed: Data identifying the sender of sender of the report. Data on the report and its processing. Data identifying the domain name holder. Data on the processing of the verification of eligibility and contactability
5. How the data are collected: Direct collection
6. Nature of the data: The requirement of the data is regulatory, and without them the requests cannot be dealt with
7. Recipients: The Afnic internal departments concerned. The competent public authorities

Afnic Labs

1. Purpose

The administrative processing of Afnic Labs concerns Afnic’s scientific research activities on DNS technologies and developments in Internet architectures ; il allows Afnic to:

• Contribute to fundamental and collaborative applied research and develop new tools for processing and analyzing data on DNS technologies and developments in Internet architectures.
• Develop and maintain the Labs technical platform offering data acquisition (pipeline data), storage, and processing services (machine learning, deep learning).
• Develop applications (APIs, user interfaces, etc.) to bring concepts from research topics/products to fruition.
• Define, prototype, test, and implement new applications and services for internal needs or those of partners in the fields of DNS, web architectures, cybersecurity, and the Internet of Things.
• Organize demonstrations and publications for internal or external audiences, such as:
  • Demonstrations of how installed devices or software work.
  • Presentations of work conducted on new technologies, provision of data analyses.
  • Publishing Afnic resources related to its R&D work.
  • Making the sources of Labs projects publicly available independently.
  • Proposing external contributions to Afnic.
• Ensuring the maintenance and security of IT services.
• Assisting in the management of the activity.
• Producing statistics and activity reports.

2. Lawful basis:

In fulfilment of a public service mission (Art. 6-1.e/ of the GDPR): pursuant to Articles L45 et seq. of the French Postal and Electronic Communications Code (CPCE), R20-44-39 et seq. of the CPCE & Article 12 of the State-Afnic Agreement designating Afnic’s R&D activities as a Registry, and in particular projects relating to the following priority areas:

• Carbon neutrality of the DNS,
• DNS security,
• Development of digital identities based on the DNS,
• Combating abuse.

3. Duration:

3.1- The retention period is defined according to the research purpose and prior to the implementation of any personal data processing. Data retention period principles:

– 3 years from the end of data collection to allow for analysis and production of research results, OR.

– 3 years from the date of the last scientific publication, OR.

– until the occurrence of a specific and certain event depending on the research project (e.g., retention until the survey is repeated when a second wave is already planned).

– indefinitely once anonymized.

Retention periods for traffic data (Example 1): deletion over a rolling 6-month period from the date of collection.

Periods applied to aggregated traffic data (Example 2): deletion over 2 rolling years from the date of aggregation.

Periods applied to data processed for the classification of abusive domain names (Example 3): until classification.

3.2- Data on https://gitlab.rd.nic.fr.

– Account profiles: As long as the account exists or until the person concerned objects + 6 months (backup time).

–    Connection data: 6 rolling months.

–    Content: 6 rolling months in backups.

–    Indefinite for contributions.

3.3- Logs for maintenance and security of IS Labs: (i) Service logs: 30 rolling days (II) HTTP logs: 10 rolling days.

4. Categories of data processed:

4.1-    Data processed by Afnic as the registry for .fr domain names, whether it be data relating to domain names, contacts, or the technical resolution of domain names.

Example 1: Traffic data => “date of request (millisecond)”, “DNS site (anycast cloud server)”, “client IP address”, “port used by the client”, “number of packet hops”, “client ASN”, “server IP address”, “transport label (flags)”, “protocols used (IPv4/IPv6 and UDP/TCP)”, “DNS query header”, “DNS query length”, “query ID”, “domain requested”, “query type”, “query content”, “response content (without records)”, response length (without records)“, ”return code”.

Example 2: Aggregated traffic data => “date (second)”, “domain name”, “IP protocol”, “UDP/TCP protocol”, “client ASN”, “client country”, “number of requests”, “query type”, “return code”, “query length”, “response length”.

Example 3 (R&D classification of abuse in domain names): Information on domain names created: Domain name,  Date and time of creation, Registrar reference + Contact details: owner, administrative and technical details of domain names created.

4.2-    Data that is publicly accessible in accordance with open data rules and the rights of the individuals concerned.

4.3-    Data provided by research partners under specific contracts.

4.4-    Member and contributor data: first name, last name, username, role in the project, contribution, contribution statistics, professional contact details, online resource user account on https://gitlab.rd.nic.fr.

4.5-      Labs IT service maintenance and security data: (i) Service logs: Date and time,     User name, Client IP address, Request, Log message,    User’s LDAP groups (II) HTTP logs: Date and time,  Web client IP address, HTTP request, User Agent.

5. How the data are collected:

Direct and indirect collection depending on the data.

6. Nature of the data:

Mandatory.

7. Recipients:

Internal: Afnic. Restricted internal circle for research purposes.

External: No, except:

–    Exception 1:

Subject to a confidentiality agreement if the recipient is justified based on the purpose of the research and their role in the research.

–    Exception 2: service providers.

For the publication and sharing platform https://gitlab.rd.nic.fr, the service provider GitLab B.V. and GitLab Inc: see https://about.gitlab.com/privacy/ and for the exercise of rights: DPO@gitlab.com.

Management of applications to and recruitment by Afnic

1. Purpose

The administrative processing of applications to and recruitment by Afnic allows Afnic to manage spontaneous applications and applications in response to advertised job vacancies

2. Lawful basis: The consent (Article 6-1 (a) of the GDPR) given by the data subject’s sending an application to Afnic, spontaneously or in response to an advertised vacancy
3. Duration: Deleted one year after the last contact or earlier in the event of withdrawal of consent
4. Categories of data processed: Your identifying data. Such data as are necessary and pertinent to respond to the requirements of the offer of employment. Our exchanges. Data on processing of applications. Outcome of applications.
5. How the data are collected: Direct collection in principle. Indirect collection for gathering references from the candidate’s work environment (hierarchical superiors, colleagues, internship supervisors, clients, service providers, etc.). No other indirect collection without the candidate’s prior agreement
6. Nature of the data: Necessary to allow processing of and response to the application
7. Recipients: Afnic’s HR department. Afnic managers issuing the job offer for information relating to the performance of the functions. The recruitment agency commissioned by Afnic, if any.

Management of personal rights and freedoms

1. Purpose

The administrative processing of personal rights and freedoms allows Afnic to:

– Manage requests to exercise the rights of access, objection, rectification and erasure of data, restriction of processing, the right to withdraw consent, to lodge a complaint with a supervisory authority and to lay down guidelines regarding the retention, erasure and communication of personal data in the event of death

– Manage requests for access to and erasure of personal data in the event of identity theft in registering a domain name

2. Lawful basis: In compliance with our legal obligations (Article 6-1 (c) of the GDPR): Chapter 3 of the GDPR
3. Duration: One year in current files followed by three years in intermediate files in the event of the exercise of the right of objection
4. Categories of data processed: Your identification data. Your request and its processing
5. How the data are collected: Direct collection
6. Nature of the data: The requirement for your data is regulatory and failure to provide them may prevent the processing of your request
7. Recipients: The Afnic internal departments concerned. The registrars responsible for the domain names concerned by the request, if any

Information systems security management (ISS)

Information systems security management (ISS)

1. Purpose

The processing of Information systems security management (ISS) allows Afnic to:

• Supervision of the access authorization policy for users and administrators to the information systems used by Afnic.
• Regular processing of security logs from various information systems (applications, servers, equipment, metrology/supervision systems, intrusion detection).
• Management of vulnerabilities and security incidents (collection of incident data, exploitation, management of corrective measures and actions).
• Management of requests addressed to the Information Systems Security Manager and monitoring of IS projects.
• Management of individual authentication certificates (electronic signature).
• Where applicable, management of notifications (ANSSI).
• Management of follow-up actions by Afnic.
• Management of awareness-raising, training, and communication within Afnic on security issues:
  • Manage actions.
  • Compile statistics, indicators, reports, summaries, and accounts.
  • Evaluate awareness and training sessions.
  • Document action plans on relevant topics.
• Production of activity statistics.

2. Lawful basis:

In compliance with our legal obligations (Article 6-1 (c) of the GDPR) namely those resulting from Articles L45 et seq. of the French Postal and Electronic Communications Code (CPCE), R20-44-39 et seq. of the CPCE and the State-Afnic Agreement + Law No. 2018-133 of 26 February 2018 on various provisions adapting to European Union law in the field of security – Directive (EU) 2016/1148 of 6 July 2016 concerning measures to ensure a high common level of security of network and information systems across the Union.

3. Duration:

– Data required to supervise access authorizations to information systems: Purge when user account is deleted or not used for one year.

– Data in logs: Six months, then purge.

– Data required to monitor vulnerabilities and security incidents: purged after five years, except in the case of legal proceedings (retained for the duration of the proceedings).

– Data processed for awareness-raising, training, and communication within Afnic: 4 years on a rolling basis, then purged.

4. Categories of data processed:

Identification data, rights by user profile, history of user actions according to rights, statistical reports.

For awareness-raising, training, and communication within Afnic: Identification data, Professional life, and Data on actions taken and follow-up.

5. How the data are collected:

Direct collection.

6. Nature of the data:

The requirement of the data is necessary for the purposes.

7. Recipients:

Afnic and, where applicable, its technical service providers, as well as law enforcement agencies and the competent courts.

Where applicable for safety awareness/training and communication data: Audit firms / Supervisory authorities.

Management of alerts under the French Data Protection Act and notifications of personal data breaches

1. Purpose

The administrative processing of alerts under the French Data Protection Act and notifications of personal data breaches allows Afnic to:

• Receive and act on the alerts received
• Analyse the alerts received, undertake any investigations that may be necessary of all pertinent persons and entities and produce reports/summaries
• Keep journals and monitor measures and actions
• Manage any notifications (CNIL (French Data Protection Agency) and data subjects)
• Manage any follow-ups decided on by Afnic
• Produce statistics on activity

2. Lawful basis:

In compliance with our legal obligations (Article 6-1 (c) of the GDPR) namely those resulting from Articles 32ff of the GDPR

3. Duration:

The data relating to a notification of a personal data breach are kept for ten years from the closing of the case.

4. Categories of data processed:

Identification data, work contact details, working life.

Data concerned by alert or even data breach

In the event of a breach, the risk analyses, exchanges and follow-ups with data subjects

5. How the data are collected:

Direct and indirect collection depending on the data

6. Nature of the data:

The requirement of the data is necessary for the purposes

7. Recipients:

Departments charged with investigating and managing alerts and breaches. Depending on their respective needs, the following may receive all or part of the data:

• authorised members and agents of the CNIL;
• in the event of a notification concerning cross-border processing for which the CNIL is the leading authority, the data may be sent to the other data protection authorities concerned.
• Afnic’s partners concerned by the alerts or indeed data breaches

Management of disputes involving Afnic

1. Purpose

The administrative processing of disputes involving Afnic allows Afnic to:

• Defend the interests of Afnic and its employees in transactions, conciliation, arbitration, mediation, alternative dispute resolution procedures, and judicial and/or administrative proceedings before national and/or European and/or international bodies.
• Manage any disputes brought by third parties against Afnic and its employees.
• Take any action to defend the rights and seek compensation for damage suffered by Afnic and its employees.

2. Lawful basis:

For the pursuit of our legitimate interests or those of a third party, with due regard for the interests or fundamental rights and freedoms relating to the protection of personal data (Art. 6 – 1. f/ of the GDPR).

3. Duration:

Active database: for the entire duration of the dispute; for disputes that have been the subject of a court decision, until the end of the proceedings, taking into account the applicable limitation periods. Archive database: indefinite (legal archives & Afnic archives).

4. Categories of data processed:

Identifying and contact details. Documents relating to the dispute, regardless of their format: arguments, exhibits, evidence, procedural documents, exchanges/communications, etc.

5. How the data are collected:

Direct and indirect collection depending on the data.

6. Nature of the data:

The requirement of the data is necessary for the purposes.

7. Recipients:

Internal personnel responsible for the procedure.

Afnic representatives and advisors for dispute management.

Organizations called upon to manage disputes (mediators, arbitrators, court members, etc.).

The State for legal archiving.

Monitoring of Afnic IP prefixes on the Internet

1. Purpose

The administrative processing of monitoring of Afnic IP prefixes on the Internet  allows Afnic to:

• Monitor the status of Afnic IP prefixes on the Internet.
• Ensure that third parties do not attempt to spoof Afnic IP prefixes.

2. Lawful basis:

For the pursuit of our legitimate interests or those of a third party, with due regard for the interests or fundamental rights and freedoms relating to the protection of personal data (Art. 6 – 1. f/ of the GDPR).

3. Duration:

BGP announcements (source from the RIPE RIS service): no retention (real-time analysis). Alerts (only concerning Afnic prefixes): 6 months.

4. Categories of data processed:

BGP announcements (source from the RIPE RIS service): Timestamp, Source router, IP prefix(es), AS number(s) (neighbor and path), Announcement type, BGP community(ies). This data is personal only if and when the IP or AS is linked to a directly or indirectly identifiable natural person. This is a very rare occurrence.

Alerts (concerning Afnic prefixes only): Timestamp, IP prefix, AS numbers, Alert type. This data is only personal if and when the IP or AS is linked to a directly or indirectly identifiable natural person. This is a very rare occurrence.

5. How the data are collected:

Indirect collection.

6. Nature of the data:

The requirement of the data is necessary for the purposes.

7. Recipients:

Internal personnel responsible for the procedure.