As a user of this website (“user”), you are informed that, for a simple visit of the website, the only personal data processed is the one processed for Cookies.
If you use the forms made available or avail yourself of services provided by Afnic through this website, Afnic collects and uses your personal data to respond to you and to provide you with these services.
Afnic is careful to protect your privacy in carrying out this processing of your personal data.
Afnic presents all the information relating to the processing of your personal data, your rights and how to exercise them.
Principles & Commitments
In the context of your use of this website, Afnic processes personal data in accordance with the provisions of the French Post and Electronic Communications Code (hereinafter referred to by its French abbreviation “CPCE”) and those applicable to the protection of personal data and, in particular, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 applicable from 25 May 2018 (hereinafter the “General Data Protection Regulation” or “GDPR”).
Always available in the website footer, Afnic publishes the pages “Your Data” and updates them as and when necessary, to provide information relating to the processing of data of users of the website www.afnic.fr so as to ensure information and transparency regarding this processing.
Your personal data are processed by Afnic in a manner that ensures appropriate security in compliance with the legal framework relating to the protection of personal data, which are collected lawfully, fairly and in a transparent manner for specified, explicit and legitimate purposes and are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. These accurate, complete and where necessary updated data are kept for as long as necessary for the said purposes.
Afnic limits its processing of personal data to what is strictly necessary and clearly indicates for each processing operation:
- Its purpose;
- Its lawful basis;
- Its duration;
- The categories of data processed;
- Whether the data are collected directly or indirectly;
- Whether the data collected are mandatory or optional;
- Their recipients;
- Any transfers outside the European Union (EU) with measures to adequately protect your data.
Afnic does not process your data for purposes of automated decision-taking or profiling. Afnic does not subsequently process your data for any purpose other than those defined.
Exercise of your rights and freedoms
It’s simple!
- Your rights
As a data subject of at least one processing operation of the data of users of the website www.afnic.fr, you have rights and freedoms, namely the rights of access, objection, rectification and erasure of the data, the right to restrict processing, the right to withdraw your consent, if given, at any time, the right to lodge a complaint with a supervisory authority and the right to lay down guidelines for the retention, erasure and communication of personal data in the event of death. - Exercise your rights – Contact the DPO (Data Protection Officer)
Any information and/or any other exercise of your rights and freedoms as regards the processing of personal data by Afnic can be carried out:
- By email to dpo@afnic.fr
- By post to:
Association Française pour le Nommage Internet en Coopération
A l’attention de la Déléguée à la protection des données
Immeuble Stephenson
1 rue Stephenson
78180 Montigny-le-Bretonneux
France
List of processing operations
- The list
The personal data processing operations carried out by Afnic on the website www.afnic.fr are for managing:
- The website and newsletters
- Events
- Social networks
- Checks on eligibility or reachability
- Establishing relations with the administrative contact
- Lifting of anonymity
- Mediation
- Alternative Dispute Resolution (ADR) procedures
- Reports of domain names that are unlawful or contrary to public order
- Applications for employment with Afnic
- Personal rights and freedoms
- Management of alerts under the French Data Protection Act and notifications of personal data breaches.
The description of each processing operation is available to you in the dedicated entries below or directly via the interactive table of contents.
For processing of personal data of holders of .fr, .re, .yt, .pm, .wf and .tf domain names, Afnic invites you to consult the information relating to the processing of holders’ data.
Find out more about the processing of holders’ data- Understanding the description of a processing operation
In order to provide comprehensible and simple access, Afnic presents the information relating to each processing operation in the form of a fact sheet in accordance with the following model:
Name of the processing operation
- Purpose: Afnic processes your data for specified, explicit and legitimate purposes
- Lawful basis: The processing is necessarily on one of the following lawful bases:
- Your consent (Article 6-1 (a) of the GDPR)
- In performance of a contract with the data subject or in preparation for such contract (Article 6-1 (b) of the GDPR)
- In compliance with our legal obligations (Article 6-1 (c) of the GDPR)
- To protect your vital interests or those of a third party (Article 6-1 (d) of the GDPR)
- In the performance of our public service role (Article 6-1 (e) of the GDPR)
- For the pursuit of our legitimate interests or those of a third party, while respecting your interests or fundamental rights and freedoms regarding the protection of your personal data (Article 6-1 (f) of the GDPR)
- Duration not exceeding that necessary for the purposes defined; this total duration is the duration of active retention plus that of subsequent retention in the archives
- Categories of data processed adequate, relevant and limited to what is necessary in relation to the purposes defined (data minimisation);
- How the data are collected:
- Direct collection, the data are collected from you
- Indirect collection, the data are collected from a third party identified and authorised to communicate your data to us
- Nature of the data: they may be required (pursuant to a legal requirement, for a contract, etc.) or optional, in many cases with consequences if they are not provided.
- Recipients: the natural or legal person, public authority, department or any other body that receives communication of your data, whether or not from a third party
- Transfers outside the EU: this refers to the possibility of your data being transmitted to a recipient in a third country or an international organisation subject to adequate protection measures. A copy of these measures can be sent to you upon request to juridique@afnic.fr
The description of each processing operation is available to you in the dedicated entries below or directly via the interactive table of contents.
Management of the website and newsletters
- Purpose
Administrative processing of the website and newsletters allows Afnic to communicate about itself, its products, its services and items of topical interest. It comprises the following sub-purposes:
– Presentation of Afnic news, events and figures
– Administration of subscriptions to the newsletter and registrations for news bulletins
– Management of requests for contacts
– Presentation of the association, the technology watch, new members and invoicing
– Presentation of domain names, TLDs and information on how to register domain names and obtain accreditation
– Consultation of the Whois database,
– Documentation (register interface, training, FAQ, lexicon, legal and technical references, useful links, other information)
– Subscription form for list of information for the press, press releases
– Public consultation space on Afnic projects
– Exchange space (comments on blogs)
– Proposing diagnostics of online presence and action plan based on the results
– Provision of advice, resources and content in various formats
– Relaying partner information and events
– Collecting personal data in return for download of a white paper on the ‘.brand’ in order to (i) collect contact details of persons interested in the white paper, (ii) invite to events and offer services related to the management of a TLD registry, (iii) transmit the collected data to the partner only for the Internet user coming from the partner’s website and and (iv) gather leads and allow subsequent marketing in the context of ICANN’s next gTLD round.
- Lawful basis: Consent (Article 6-1 (a) of the GDPR): by completing the forms available on the website (registration, subscription, etc.) or by participating in or contacting or questioning Afnic by electronic means
- Duration: Deletion (i) unless appealed against, one year after the end of the processing of the request expressed in the form, (ii) one year after the last contact, (iii) for data processed in exchange for the white paper on the .brand, after the launch of ICANN’s next gTLD round, or (iii) upon withdrawal of your consent.
There is no limit of duration for data contributed to public consultations once they have been anonymised.
- Categories of data processed: Your identifying data. Any data from exchanges (correspondence) and those needed to provide our communication services. In the context of downloading the white paper on .brand, the data processed includes: the date of downloading the white paper and, for Internet users coming from a partner website, the partner website.
- How the data are collected: Direct collection
- Nature of the data: Necessary for the provision of the communication services concerned
- Recipients:
The Afnic internal departments concerned. Our service providers access only such data as fall within the scope of the purposes that are subcontracted:
For the hosting of the website: Ecritel, 84 Rue Villeneuve, 92110 Clichy, Enregistrée au registre du commerce de Nanterre sous le N° 332 484 021 https://www.ecritel.fr/fr/
For the maintenance and development of the website: Makheia Group, 125 rue de Saussure, 75017 Paris, France registered with the Paris Trade & Companies Register under No. 399 364 751 – https://makheia.com/
For the routing of newsletters: Sarbacane Software, 3 avenue Antoine Pinay, Parc d’activités des 4 vents, 59510 Hem, France registered with the Lille Métropole Trade & Companies Register under No. 509 568 598 – https://www.sarbacane.com
For the hosting and downloading from the website on which the white paper on the .brand is published as well as for the hosting of the space for comments on the blog: Jimdo GmbH, Stresemannstraße 375, 22761 Hamburg, Germany, registered with: Amtsgericht Hamburg under No. HRB 101417, VAT ID: DE814864138 – https://www.jimdo.com/
For Internet user coming from a partner website, the partner is the recipient of this Internet user’s data collected in return for downloading the white paper on the .brand.
- Transfers outside the EU
No, apart from what is published on the website which is by its nature accessible without territorial limit
Management of events
- Purpose
The administrative processing of events allows Afnic to:
- Organise and manage internal or external communication events in France or abroad
- Send invitations
- Produce communication material and disseminate it in all media and formats
- Assess participants’ satisfaction after the events
- Lawful basis: The consent (Article 6-1 (a) of the GDPR) given by those invited to attend the event. In performance of the contract entered into (Article 6-1 (b) of the GDPR) by persons in the context of the event in the case of exploitation of image, voice, interview
- Duration: Three years from the last event in which the data subject took part. In the case of exploitation of image, voice, interview: the duration provided in the contract authorising exploitation.
- Categories of data processed: Your identifying data. The data of any exchanges (correspondence) and any data authorised for exploitation for the event.
- How the data are collected: Direct collection
- Nature of the data: Necessary for the provision of the services concerned
- Recipients: Afnic internal departments
Provider of the « Eventmaker » event management software application (sending of invitations, personalised website, logistical management of participants): EVENTMAKER (registered with the Paris Trade & Companies Register under No. 512 747 676; address: 38, rue Laffitte, 75009 Paris, France)
Provider of the solution for assessing participant’s satisfaction with events: SurveyMonkey Europe UC (CRO Ireland No.: 532327; address: 2nd Floor, 2 Shelbourne Buildings, Shelbourne Road, Ballsbridge, Dublin 4, Ireland)
- Transfers outside the EU: No, apart from what is published on the website which is by its nature accessible without territorial limit
Management of Afnic’s social network accounts
- Purpose
The administrative processing of its social network accounts allows Afnic to:
- Administer the accounts technically (creation, publications)
- Use social networks to access our content published on these networks
- Interact (publicly or through private messaging) with subscribers and other users of the platforms
- Increase Afnic’s visibility and that of its activity and its websites
- Prepare usage statistics
- Lawful basis: The pursuit of Afnic’s legitimate interests, while respecting the fundamental rights and freedoms regarding the protection of personal data (Article 6-1 (f) of the GDPR)
- Duration: The data are stored for as long as the social network concerned exists, unless the user exercises the right of erasure or objection.
Afnic does not configure and does not have data concerning you from the accounts and cookies operated by social networks. Consequently, only those responsible for these networks can respond to technical requests concerning the cookies used and the exercise of your personal rights.
- Categories of data processed: Data visible by default on social networks. Data made public by the user in the context of the configuration of his or her account on each of the social networks. Data on use of the social network for the production of anonymous statistics
- How the data are collected: Direct and indirect collection
- Nature of the data: Necessary in the case of voluntary access by the user to our available content and interaction with the user
- Recipients: For information publicised by the user, the public at large; otherwise only authorised persons in Afnic
- Transfers outside the EU: No, apart from what is published on social networks which is accessible without territorial limit. The data needed to prepare statistics may be processed outside the European Union, depending on the data management policy put in place by the person responsible for each social network.
Management of requests for verification of eligibility or contactability of a domain name holder
- Purpose
Administrative processing of requests for verification of eligibility or contactability of a domain name holder allows Afnic to:
– Manage the checks initiated by Afnic in the context of its public service responsibilities
– Allow a third party to ask the registry to verify the eligibility and/or contactability criteria
– Manage and process Notifications/Report Forms relating to requests for verification of eligibility and/or reachability
– Generate statistics
- Lawful basis: In the performance of our public service role (Article 6-1 (e) of the GDPR): Articles L45-3 and 45-5 of the CPCE. Naming policy and other applicable policies
- Duration: Destruction of requests for verification and of their processing two years after the closing of verification operations classed as not pursued. For those pursued (judicially, extra-judicially or by Afnic), destruction once the procedures instigated have been completed and their legal prescription period has come to an end
- Categories of data processed: Data identifying the person requesting verification and his or her representative if any. Data on the request for verification and its processing. Data on the processing of the verification of eligibility and the holder’s reachability
- How the data are collected: Direct collection
- Nature of the data: The requirement of the data is regulatory. For the applicant, failure to provide the data prevents the request from being processed. For the holder, failure to provide data may lead to the deletion of his or her portfolio of domain names in application of the CPCE and of the Naming Charter
- Recipients: The internal Afnic departments concerned. The registrar of the domain name concerned. The applicant and his or her representative receive the result of the procedure. The public consulting the Whois online directory of domain names sees the result of the procedure
Management of introductions to administrative contacts
- Purpose
The processing of introductions to administrative contacts allows Afnic to:
– Put a third party in touch with the administrative contact of a domain name when the holder’s data are subject to restricted publication
– Enable third parties to send a message to the administrative contact via an interface on the website www.afnic.fr
– Generate statistics
- Lawful basis: For the sender of the message, is/her consent (Article 6-1 (a) of the GDPR). For the administrative contact: In the performance of our public service role (Article 6-1 (e) of the GDPR): Arrangements for meeting the requirements of permanence, quality, availability and security of the registration service. Articles L45-1 §1 and R20-44-39 of the CPCE
- Duration: One year
- Categories of data processed: Data identifying the third party, sender of the message. Connection data of the third party, sender of the message.
- How the data are collected: Direct collection
- Nature of the data: For the third party, sender of the message, his or her identification data are necessary for the use of the contact interface.
- Recipients: Afnic forwarding the message. The administrative contact, holder is the sole recipient of the message sent by the third party
Management of requests for disclosure of personal data (lifting of anonymity)
- Purpose
The administrative processing of requests for disclosure of personal data or lifting of anonymity allows Afnic to:
- Reveal the identity and contact details of a private individual domain name holder subject to restricted publication upon well-grounded request of a third party.
- For the pursuit of the applicant’s legitimate interests, while respecting the holder’s interests or fundamental rights and freedoms regarding the protection of his/her personal data (Article 6-1 (f) of the GDPR) ; Afnic recognizes such interest when the domain name is an identical or nearly identical reproduction of: (i) a previously registered trademark protected in France, (ii) a previously registered distinctive sign (company name, business name, trading name or logo protected in France, domain name), (iii) a previously registered title protected by French copyright law, (iv) a family name or pseudonym. Afnic’s examination focuses particularly on the similarity of the signs and does not extend to the content of websites.
- Reveal the identity and contact details provided by the domain name holder and subject to restricted publication (holder’s data and administrative contact’s data) in response to the exercise of a communication right.
- In compliance with legal obligations and/or public service role (Article 6-1 (c) & Article 6-1 (e) of the GDPR) authorizing investigative powers of public authorities
– Manage user accounts of individuals who represent public authorities
– Manage requests for lifting of anonymity and generate statistics
- Lawful basis: In performance of its public service role (Article 6-1 (e) of the GDPR) in application of Article L45-2 of the CPCE and of the registry policies
- Duration: Six months, then deleted. Data for the management and connection generated by access via RDAP: 1/ In active records, for the duration of the user account ; in archive database, 5 years upon the end of the contract with the public authority ; 2/ The data present in the logs:: sliding six months then deleted.
- Categories of data processed: The data identifying the applicants and their representatives. In the case of applicant’s legitimate interests: the data contained in the form and in documents attached thereto. The processing of the form. The data identifying the domain name holder in respect of whom the request is made. In response to the exercise of a communication right: The data contained in the request and in documents attached thereto. The identifying data provided by the domain name holder in respect of whom the request is made: data identifying the holder and data identifying the administrative contact. Data for the management and connection generated by access via RDAP to the Whois database by authorised representatives of public authorities which have a communication right. The administrative and operational data on the domain name concerned for the public authorities in application of the law or for third parties in application of a court ruling.
- How the data are collected: Direct collection
- Nature of the data: For applicants: obligatory, since without the data the request cannot be processed. For holders: erroneous identification data can lead to procedures calling their portfolio of domain names into question in application of the CPCE and of the Naming Charter
- Recipients: Regarding applicant’s personal data: The internal Afnic departments concerned. Regarding personal data, object of the Request for disclosure of personal data: the applicant and, if any, his/her representative on the legal basis they invoke such as:* For the pursuit of the applicant’s legitimate interests, while respecting the holder’s interests or fundamental rights and freedoms regarding the protection of his/her personal data (Article 6-1 (f) of the GDPR) ;* In compliance with legal obligations and/or public service role authorizing investigative powers of public authorities (Article 6-1 (c) & Article 6-1 (e) of the GDPR)
=> The legal basis invoked by the applicant is in its sole responsibility; the applicant (or public authority) commits itself to receive and use the personal data received only for the purposes defined in its request on the legal basis invoked.
Regarding personal data of the applicant and, if any, his/her representative exclusively in the case of applicant’s legitimate interests: the domain name holder as soon as he or she exercises his or her right to information data subjects right) received by Afnic before the data purge.
Management of the mediation procedure
- Purpose
Managing the mediation procedure enables Afnic to:
- allow claimants to instigate mediation by the registry to seek a negotiated solution to a dispute in application of the mediation regulations
- allow exchanges between the mediator, the parties and, where applicable, their representatives, and Afnic
- implement the negotiated solution: delete or transfer the domain name forming the object of the mediation
- manage the service: administration, security, information and statistics
- manage mediators: verification of skills and experience, handling of cases, appointment and end of assignment
- Lawful basis: In performance of its public service role (Article 6-1 (e) of the GDPR) in application of the Agreement between the State/Afnic for the management of the .fr signed on 18 March 2022, Article L45-2 of the CPCE, the Naming Charter and the mediation procedure rules.
- Duration:
Personal data processed for mediation cases: deletion of all data two months after date of implementation of the negotiated solution
Personal data of mediators in the context of the management of their assignments: deletion of all data one month after the end of the assignment, or later (i) with the express consent of the data subject, (ii) in the event of dispute or (iii) in application of legal obligations.
- Categories of data processed:
For the parties to the mediation and their representatives if any:
– surname, first name, postal and email addresses, telephone number
– the exchanges
– the negotiated solution: written report and its implementation (deletion/transfer of the domain name forming the object of the mediation)
For the mediator:
– surname, first name, postal and email addresses, telephone number
– qualifications: skills and experience for acting as mediator
– information on impartiality and independence: verifications and declarations
– cases handled and exchanges for mediation procedures
For third parties: the information sent by the parties in the context of the exchanges under the mediation.
- How the data are collected:
For the parties to the mediation and their representatives if any: direct collection
For the mediator: direct collection
For third-party data transmitted by the parties: indirect collection
- Nature of the data:
For the parties to the mediation and their representatives if any: mandatory collection
For the mediator: mandatory collection
For third-party data transmitted by the parties: optional collection
- Recipients:
The mediator for the exchanges aimed at finding the negotiated solution
The relevant internal departments of Afnic for management of the mediation procedure
The service provider in charge of hosting the afnic.fr website for sending request forms for mediation via the afnic.fr website: ECRITEL, registered with the Nanterre Trade & Companies Register under number 332 484 021, having its registered office at 84 Rue Villeneuve, 92110 Clichy, FRANCE
The registrar(s) affected by the implementation of the negotiated solution
- Transfers outside the EU:
No, subject to the party’s or parties’ choice of service provider (representatives and/or registrars) established outside the EU. The appropriate guarantees for any such transfers are those taken out by said parties, the data controllers, with their service providers.
Management of Alternative Dispute Resolution (ADR) procedures
- Purpose
The administrative processing of ADR procedures allows Afnic to:
– Enable a third party to call upon Afnic to demand the transfer or deletion of a domain name
– Enable a domain name holder subject to an ADR procedure to respond
– Manage the service alone (Afnic for SYRELI) or with the Centre (WIPO for EXPERT ADR EXPERT): administration, security, information and statistics
– Access the platforms (experts and those involved in the procedure)
– Manage the experts and persons involved
- Lawful basis: In the performance of our public service role (Article 6-1 (e) of the GDPR): Article L45-6 of the CPCE. Naming Charter and ADR Regulations
- Duration: Active records deleted two months after publication of the ruling. For cases pursued further (judicially, extra-judicially or by Afnic), destruction once the procedures instigated have been completed and their legal prescription period has come to an end. Followed by a further five years of retention in archive database. Rulings publicised after anonymisation.
- Categories of data processed: Identifying data. Data from ADR files (pleas, exhibits, exchanges, etc.) and their processing (report, ruling, etc.).
- How the data are collected: Direct collection
- Nature of the data: Necessary. Erroneous identification or contact data will prevent receipt of the entire proceedings online. The domain name holder is free to respond to an ADR file. In any case the ADR ruling will be enforceable vis-à-vis the holder (see ADR Regulations)
- Recipients: The internal Afnic departments concerned. The plaintiff, the holder and the representatives if any. The registrar in charge of the domain name forming the object of the ADR proceedings. If the plaintiff lodges the application with EXPERT ADR: The designated expert and the relevant departments of the WIPO Arbitration and Mediation Centre. The public as regards the ADR ruling
- Transfers outside the EU: In the case of a EXPERT ADR file, the recipient is the WIPO Arbitration and Mediation Centre, established in Switzerland as co-administrator of the EXPERT ADR procedure with Afnic. Means of ensuring adequate protection: Switzerland is a country recognised by the European Commission as offering a sufficient level of protection for personal data
Management of reports of domain names that are unlawful or contrary to public order
- Purpose: The administrative processing of reports of domain names that are unlawful or contrary to public order allows Afnic to:
– Enable anyone, through a form available on www.afnic.fr, to report to Afnic a domain name of an unlawful nature or contrary to public order
– Generate statistics
- Lawful basis: In the performance of our public service role (Article 6-1 (e) of the GDPR): Arrangements to meet the requirement of a mechanism allowing anyone to bring to Afnic’s attention a domain name likely to be unlawful or contrary to public order. Articles L45-1 §1 and R20-44-39 of the CPCE
- Duration: Destruction of requests for verification and of their processing two months after the closing of verification operations classed as not pursued. For those pursued (judicially, extra-judicially or by Afnic), destruction once the procedures instigated have been completed and their legal prescription period has come to an end
- Categories of data processed: Data identifying the sender of sender of the report. Data on the report and its processing. Data identifying the domain name holder. Data on the processing of the verification of eligibility and contactability
- How the data are collected: Direct collection
- Nature of the data: The requirement of the data is regulatory, and without them the requests cannot be dealt with
- Recipients: The Afnic internal departments concerned. The competent public authorities
Management of applications to and recruitment by Afnic
- Purpose
The administrative processing of applications to and recruitment by Afnic allows Afnic to manage spontaneous applications and applications in response to advertised job vacancies
- Lawful basis: The consent (Article 6-1 (a) of the GDPR) given by the data subject’s sending an application to Afnic, spontaneously or in response to an advertised vacancy
- Duration: Deleted one year after the last contact or earlier in the event of withdrawal of consent
- Categories of data processed: Your identifying data. Such data as are necessary and pertinent to respond to the requirements of the offer of employment. Our exchanges. Data on processing of applications. Outcome of applications.
- How the data are collected: Direct collection in principle. Indirect collection for gathering references from the candidate’s work environment (hierarchical superiors, colleagues, internship supervisors, clients, service providers, etc.). No other indirect collection without the candidate’s prior agreement
- Nature of the data: Necessary to allow processing of and response to the application
- Recipients: Afnic’s HR department. Afnic managers issuing the job offer for information relating to the performance of the functions. The recruitment agency commissioned by Afnic, if any.
Management of personal rights and freedoms
- Purpose
The administrative processing of personal rights and freedoms allows Afnic to:
– Manage requests to exercise the rights of access, objection, rectification and erasure of data, restriction of processing, the right to withdraw consent, to lodge a complaint with a supervisory authority and to lay down guidelines regarding the retention, erasure and communication of personal data in the event of death
– Manage requests for access to and erasure of personal data in the event of identity theft in registering a domain name
- Lawful basis: In compliance with our legal obligations (Article 6-1 (c) of the GDPR): Chapter 3 of the GDPR
- Duration: One year in current files followed by three years in intermediate files in the event of the exercise of the right of objection
- Categories of data processed: Your identification data. Your request and its processing
- How the data are collected: Direct collection
- Nature of the data: The requirement for your data is regulatory and failure to provide them may prevent the processing of your request
- Recipients: The Afnic internal departments concerned. The registrars responsible for the domain names concerned by the request, if any
Management of alerts under the French Data Protection Act and notifications of personal data breaches
- Purpose
The administrative processing of alerts under the French Data Protection Act and notifications of personal data breaches allows Afnic to:
- Receive and act on the alerts received
- Analyse the alerts received, undertake any investigations that may be necessary of all pertinent persons and entities and produce reports/summaries
- Keep journals and monitor measures and actions
- Manage any notifications (CNIL (French Data Protection Agency) and data subjects)
- Manage any follow-ups decided on by Afnic
- Produce statistics on activity
- Lawful basis:
In compliance with our legal obligations (Article 6-1 (c) of the GDPR) namely those resulting from Articles 32ff of the GDPR
- Duration:
The data relating to a notification of a personal data breach are kept for ten years from the closing of the case.
- Categories of data processed:
Identification data, work contact details, working life.
Data concerned by alert or even data breach
In the event of a breach, the risk analyses, exchanges and follow-ups with data subjects
- How the data are collected:
Direct and indirect collection depending on the data
- Nature of the data:
The requirement of the data is necessary for the purposes
- Recipients:
Departments charged with investigating and managing alerts and breaches. Depending on their respective needs, the following may receive all or part of the data:
- authorised members and agents of the CNIL;
- in the event of a notification concerning cross-border processing for which the CNIL is the leading authority, the data may be sent to the other data protection authorities concerned.
- Afnic’s partners concerned by the alerts or indeed data breaches