Everything there is to know about how Afnic processes your personal data

As a user of this website (“user”), you are informed that, if you simply visit the website, the only personal data processed are those processed for cookies.

If you use the forms made available or avail yourself of services provided by Afnic through this website, Afnic collects and uses your personal data to respond to you and to provide you with these services.

Afnic is careful to protect your privacy in carrying out this processing of your personal data.

Afnic presents all the information relating to the processing of your personal data, your rights and how to exercise them.

Principles & Commitments

In the context of your use of this website, Afnic processes personal data in accordance with the provisions of the French Post and Electronic Communications Code (hereinafter referred to by its French abbreviation “CPCE”) and those applicable to the protection of personal data and, in particular, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 applicable from 25 May 2018 (hereinafter the “General Data Protection Regulation” or “GDPR”).

Always available in the website footer, Afnic publishes the pages “Your Data” and updates them as and when necessary, to provide information relating to the processing of data of users of the website www.afnic.fr so as to ensure information and transparency regarding this processing.

Your personal data are processed by Afnic in a manner that ensures appropriate security in compliance with the legal framework relating to the protection of personal data, which are collected lawfully, fairly and in a transparent manner for specified, explicit and legitimate purposes and are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. These accurate, complete and where necessary updated data are kept for as long as necessary for the said purposes. 

Afnic limits its processing of personal data to what is strictly necessary and clearly indicates for each processing operation:

  • Its purpose;
  • Its lawful basis;
  • Its duration;
  • The categories of data processed;
  • Whether the data are collected directly or indirectly;
  • Whether the data collected are mandatory or optional;
  • Their recipients;
  • Any transfers outside the European Union (EU) with measures to adequately protect your data.

Afnic does not process your data for purposes of automated decision-taking or profiling. Afnic does not subsequently process your data for any purpose other than those defined.

Exercise of your rights and freedoms

It’s simple! 

  1. Your rights
    As a data subject of at least one processing operation of the data of users of the website www.afnic.fr, you have rights and freedoms, namely the rights of access, objection, rectification and erasure of the data, the right to restrict processing, the right to withdraw your consent, if given, at any time, the right to lodge a complaint with a supervisory authority and the right to lay down guidelines for the retention, erasure and communication of personal data in the event of death.
  2. Exercise your rights – Contact the DPO (Data Protection Officer)

Any information and/or any other exercise of your rights and freedoms as regards the processing of personal data by Afnic can be carried out:

Association Française pour le Nommage Internet en Coopération
A l’attention de la Déléguée à la protection des données
Immeuble Stephenson
1 rue Stephenson
78180 Montigny-le-Bretonneux
France

List of processing operations

  1. The list

The personal data processing operations carried out by Afnic on the website www.afnic.fr are for managing:

  • The website and newsletters
  • Events
  • Social networks
  • Checks on eligibility or reachability
  • Establishing relations with the administrative contact
  • Lifting of anonymity
  • Alternative Dispute Resolution (ADR) procedures
  • Reports of domain names that are unlawful or contrary to public order
  • Applications for employment with Afnic
  • Personal rights and freedoms.

The description of each processing operation is available to you in the dedicated entries below or directly via the interactive table of contents.

For processing of personal data of holders of .fr, .re, .yt, .pm, .wf and .tf domain names, Afnic invites you to consult the information relating to the processing of holders’ data.

Find out more about the processing of holders’ data

  2. Understanding the description of a processing operation

In order to provide comprehensible and simple access, Afnic presents the information relating to each processing operation in the form of a fact sheet in accordance with the following model:

Name of the processing operation

  1. Purpose: Afnic processes your data for specified, explicit and legitimate purposes
  2. Lawful basis: The processing is necessarily based on one of the following lawful bases:
    • Your consent (Article 6-1 (a) of the GDPR)
    • In performance of a contract with the data subject or in preparation for such contract (Article 6-1 (b) of the GDPR)
    • In compliance with our legal obligations (Article 6-1 (c) of the GDPR)
    • To protect your vital interests or those of a third party (Article 6-1 (d) of the GDPR)
    • In the performance of our public service role (Article 6-1 (e) of the GDPR)
    • For the pursuit of our legitimate interests or those of a third party, while respecting your interests or fundamental rights and freedoms regarding the protection of your personal data (Article 6-1 (f) of the GDPR)
  3. Duration: not exceeding that necessary for the purposes defined; this total duration is the duration of active retention plus that of subsequent retention in the archives
  4. Categories of data processed: adequate, relevant and limited to what is necessary in relation to the purposes defined (data minimisation)
  5. How the data are collected:
    • Direct collection, the data are collected from you
    • Indirect collection, the data are collected from a third party identified and authorised to communicate your data to us
  6. Nature of the data: they may be required (pursuant to a legal requirement, for a contract, etc.) or optional, in many cases with consequences if they are not provided.
  7. Recipients: the natural or legal person, public authority, department or any other body that receives communication of your data, whether or not from a third party
  8. Transfers outside the EU: this refers to the possibility of your data being transmitted to a recipient in a third country or an international organisation subject to adequate protection measures. A copy of these measures can be sent to you upon request to juridique@afnic.fr

The description of each processing operation is available to you in the dedicated entries below or directly via the interactive table of contents.

Management of the website and newsletters

  1. Purpose

Administrative processing of the website and newsletters allows Afnic to communicate about itself, its products, its services and items of topical interest. It comprises the following sub-purposes: 

– Presentation of Afnic news, events and figures 

– Administration of subscriptions to the newsletter and registrations for news bulletins

– Management of requests for contacts

– Presentation of the association, the technology watch, new members and invoicing

– Presentation of domain names, TLDs and information on how to register domain names and obtain accreditation

– Consultation of the Whois database

– Documentation (register interface, training, FAQ, lexicon, legal and technical references, useful links, other information)

– Subscription form for list of information for the press, press releases

– Public consultation space on Afnic projects 

– Exchange space (comments on blogs)

– Proposing diagnostics of online presence and action plan based on the results 

– Provision of advice, resources and content in various formats

– Relaying partner information and events

– Collecting personal data in return for download of a white paper on the ‘.brand’ in order to (i) collect contact details of persons interested in the white paper and (ii) gather leads and allow subsequent marketing in the context of ICANN’s next gTLD round. 

  2. Lawful basis: Consent (Article 6-1 (a) of the GDPR): by completing the forms available on the website (registration, subscription, etc.) or by participating in or contacting or questioning Afnic by electronic means
  3. Duration: Deletion (i) unless appealed against, one year after the end of the processing of the request expressed in the form, (ii) one year after the last contact, (iii) for data processed in exchange for the white paper on the .brand, after the launch of ICANN’s next gTLD round, currently expected for 2022 or (iv) upon withdrawal of your consent.

There is no limit of duration for data contributed to public consultations once they have been anonymised.

  4. Categories of data processed: Your identifying data. Any data from exchanges (correspondence) and those needed to provide our communication services
  5. How the data are collected: Direct collection
  6. Nature of the data: Necessary for the provision of the communication services concerned
  7. Recipients:

The Afnic internal departments concerned. Our service providers access only such data as fall within the scope of the purposes that are subcontracted: 

For the hosting of the website: Ecritel, 84 Rue Villeneuve, 92110 Clichy, France, registered with the Nanterre Trade & Companies Register under No. 332 484 021 – https://www.ecritel.fr/fr/

For the maintenance and development of the website: Makheia Group, 125 rue de Saussure, 75017 Paris, France registered with the Paris Trade & Companies Register under No. 399 364 751 – https://makheia.com/

For the routing of newsletters: Sarbacane Software, 3 avenue Antoine Pinay, Parc d’activités des 4 vents, 59510 Hem, France registered with the Lille Métropole Trade & Companies Register under No. 509 568 598 – https://www.sarbacane.com

For the hosting and downloading from the website on which the white paper on the .brand is published as well as for the hosting of the space for comments on the blog: Jimdo GmbH, Stresemannstraße 375, 22761 Hamburg, Germany, registered with: Amtsgericht Hamburg under No. HRB 101417, VAT ID: DE814864138 – https://www.jimdo.com/

  8. Transfers outside the EU

No, apart from what is published on the website which is by its nature accessible without territorial limit

Management of events

  1. Purpose

The administrative processing of events allows Afnic to:

  • Organise and manage internal or external communication events in France or abroad 
  • Send invitations 
  • Produce communication material and disseminate it in all media and formats
  • Assess participants’ satisfaction after the events
  2. Lawful basis: The consent (Article 6-1 (a) of the GDPR) given by those invited to attend the event. In performance of the contract entered into (Article 6-1 (b) of the GDPR) by persons in the context of the event in the case of exploitation of image, voice, interview
  3. Duration: Three years from the last event in which the data subject took part. In the case of exploitation of image, voice, interview: the duration provided in the contract authorising exploitation.
  4. Categories of data processed: Your identifying data. The data of any exchanges (correspondence) and any data authorised for exploitation for the event.
  5. How the data are collected: Direct collection
  6. Nature of the data: Necessary for the provision of the services concerned
  7. Recipients: Afnic internal departments

Provider of the “AgoraEvent” event management software application (sending of invitations, personalised website, logistical management of participants): Avanti Technologies (registered with the Paris Trade & Companies Register under No. 421 975 293; address: Immeuble des Lumières, 44 av. des Terroirs de France, 75012 Paris, France)

Provider of the solution for assessing participants’ satisfaction with events: SurveyMonkey Europe UC (CRO Ireland No.: 532327; address: 2nd Floor, 2 Shelbourne Buildings, Shelbourne Road, Ballsbridge, Dublin 4, Ireland)

  8. Transfers outside the EU: No, apart from what is published on the website which is by its nature accessible without territorial limit

Management of Afnic’s social network accounts

  1. Purpose

The administrative processing of its social network accounts allows Afnic to:

  • Administer the accounts technically (creation, publications) 
  • Use social networks to access our content published on these networks 
  • Interact (publicly or through private messaging) with subscribers and other users of the platforms 
  • Increase Afnic’s visibility and that of its activity and its websites
  • Prepare usage statistics
  2. Lawful basis: The pursuit of Afnic’s legitimate interests, while respecting the fundamental rights and freedoms regarding the protection of personal data (Article 6-1 (f) of the GDPR)
  3. Duration: The data are stored for as long as the social network concerned exists, unless the user exercises the right of erasure or objection.

Afnic does not configure and does not have data concerning you from the accounts and cookies operated by social networks. Consequently, only those responsible for these networks can respond to technical requests concerning the cookies used and the exercise of your personal rights.

  4. Categories of data processed: Data visible by default on social networks. Data made public by the user in the context of the configuration of his or her account on each of the social networks. Data on use of the social network for the production of anonymous statistics
  5. How the data are collected: Direct and indirect collection
  6. Nature of the data: Necessary in the case of voluntary access by the user to our available content and interaction with the user
  7. Recipients: For information publicised by the user, the public at large; otherwise only authorised persons in Afnic
  8. Transfers outside the EU: No, apart from what is published on social networks which is accessible without territorial limit. The data needed to prepare statistics may be processed outside the European Union, depending on the data management policy put in place by the person responsible for each social network.

Management of requests for verification of eligibility or contactability of a domain name holder

  1. Purpose

Administrative processing of requests for verification of eligibility or contactability of a domain name holder allows Afnic to: 

– Manage the checks initiated by Afnic in the context of its public service responsibilities 

– Allow a third party to ask the registry to verify the eligibility and/or contactability criteria

– Manage and process Notifications/Report Forms relating to requests for verification of eligibility and/or reachability

– Generate statistics

  2. Lawful basis: In the performance of our public service role (Article 6-1 (e) of the GDPR): Articles L45-3 and 45-5 of the CPCE. Naming policy and other applicable policies
  3. Duration: Destruction of requests for verification and of their processing two years after the closing of verification operations classed as not pursued. For those pursued (judicially, extra-judicially or by Afnic), destruction once the procedures instigated have been completed and their legal prescription period has come to an end
  4. Categories of data processed: Data identifying the person requesting verification and his or her representative if any. Data on the request for verification and its processing. Data on the processing of the verification of eligibility and the holder’s reachability
  5. How the data are collected: Direct collection
  6. Nature of the data: The requirement of the data is regulatory. For the applicant, failure to provide the data prevents the request from being processed. For the holder, failure to provide data may lead to the deletion of his or her portfolio of domain names in application of the CPCE and of the Naming Charter
  7. Recipients: The internal Afnic departments concerned. The registrar of the domain name concerned. The applicant and his or her representative receive the result of the procedure. The public consulting the Whois online directory of domain names sees the result of the procedure

Management of introductions to administrative contacts

  1. Purpose

The processing of introductions to administrative contacts allows Afnic to: 

– Put a third party in touch with the administrative contact of a domain name when the holder’s data are subject to restricted publication

– Enable third parties to send a message to the administrative contact via an interface on the website www.afnic.fr

– Generate statistics

  2. Lawful basis: For the sender of the message, his/her consent (Article 6-1 (a) of the GDPR). For the administrative contact: In the performance of our public service role (Article 6-1 (e) of the GDPR): Arrangements for meeting the requirements of permanence, quality, availability and security of the registration service. Articles L45-1 §1 and R20-44-39 of the CPCE
  3. Duration: One year
  4. Categories of data processed: Data identifying the third party, sender of the message. Connection data of the third party, sender of the message. Message’s sender. Email address of the administrative contact of the domain name.
  5. How the data are collected: Direct collection
  6. Nature of the data: For the third party, sender of the message, his or her identification data are necessary for the use of the contact interface.
  7. Recipients: Afnic forwarding the message. The administrative contact, holder is the sole recipient of the message sent by the third party

Management of requests for disclosure of personal data (lifting of anonymity)

  1. Purpose

The administrative processing of requests for disclosure of personal data or lifting of anonymity allows Afnic to: 

– Reveal the identity and contact details of a private individual domain name holder subject to restricted publication upon well-grounded request of a third party or a judicial, police or similar body. 

– Manage requests for lifting of anonymity and generate statistics

  2. Lawful basis: In performance of its public service role (Article 6-1 (e) of the GDPR) in application of Article L45-2 of the CPCE and of the registry policies
  3. Duration: Six months, then deleted
  4. Categories of data processed: The data identifying the applicants and their representatives. The data contained in the form and in documents attached thereto. The processing of the form. The data identifying the domain name holder in respect of whom the request is made. The administrative and operational data on the domain name concerned for the public authorities in application of the law or for third parties in application of a court ruling.
  5. How the data are collected: Direct collection
  6. Nature of the data: For applicants: obligatory, since without the data the request cannot be processed. For holders: erroneous identification data can lead to procedures calling their portfolio of domain names into question in application of the CPCE and of the Naming Charter
  7. Recipients: The internal Afnic departments concerned.

Management of Alternative Dispute Resolution (ADR) procedures

  1. Purpose

The administrative processing of ADR procedures allows Afnic to: 

– Enable a third party to call upon Afnic to demand the transfer or deletion of a domain name

– Enable a domain name holder subject to an ADR procedure to respond

– Manage the service alone (Afnic for SYRELI) or with the Centre (WIPO for EXPERT ADR): administration, security, information and statistics

– Access the platforms (experts and those involved in the procedure)

– Manage the experts and persons involved

  2. Lawful basis: In the performance of our public service role (Article 6-1 (e) of the GDPR): Article L45-6 of the CPCE. Naming Charter and ADR Regulations
  3. Duration: Active records deleted two months after publication of the ruling. For cases pursued further (judicially, extra-judicially or by Afnic), destruction once the procedures instigated have been completed and their legal prescription period has come to an end. Followed by a further five years of retention in archive database. Rulings publicised after anonymisation.
  4. Categories of data processed: Identifying data. Data from ADR files (pleas, exhibits, exchanges, etc.) and their processing (report, ruling, etc.).
  5. How the data are collected: Direct collection
  6. Nature of the data: Necessary. Erroneous identification or contact data will prevent receipt of the entire proceedings online. The domain name holder is free to respond to an ADR file. In any case the ADR ruling will be enforceable vis-à-vis the holder (see ADR Regulations)
  7. Recipients: The internal Afnic departments concerned. The plaintiff, the holder and the representatives if any. The registrar in charge of the domain name forming the object of the ADR proceedings. If the plaintiff lodges the application with EXPERT ADR: The designated expert and the relevant departments of the WIPO Arbitration and Mediation Centre. The public as regards the ADR ruling
  8. Transfers outside the EU: In the case of an EXPERT ADR file, the recipient is the WIPO Arbitration and Mediation Centre, established in Switzerland as co-administrator of the EXPERT ADR procedure with Afnic. Means of ensuring adequate protection: Switzerland is a country recognised by the European Commission as offering a sufficient level of protection for personal data

Management of reports of domain names that are unlawful or contrary to public order

  1. Purpose: The administrative processing of reports of domain names that are unlawful or contrary to public order allows Afnic to:

– Enable anyone, through a form available on www.afnic.fr, to report to Afnic a domain name of an unlawful nature or contrary to public order

– Generate statistics

  2. Lawful basis: In the performance of our public service role (Article 6-1 (e) of the GDPR): Arrangements to meet the requirement of a mechanism allowing anyone to bring to Afnic’s attention a domain name likely to be unlawful or contrary to public order. Articles L45-1 §1 and R20-44-39 of the CPCE
  3. Duration: Destruction of requests for verification and of their processing two months after the closing of verification operations classed as not pursued. For those pursued (judicially, extra-judicially or by Afnic), destruction once the procedures instigated have been completed and their legal prescription period has come to an end
  4. Categories of data processed: Data identifying the sender of the report. Data on the report and its processing. Data identifying the domain name holder. Data on the processing of the verification of eligibility and contactability
  5. How the data are collected: Direct collection
  6. Nature of the data: The requirement of the data is regulatory, and without them the requests cannot be dealt with
  7. Recipients: The Afnic internal departments concerned. The competent public authorities

Management of applications to and recruitment by Afnic

  1. Purpose

The administrative processing of applications to and recruitment by Afnic allows Afnic to manage spontaneous applications and applications in response to advertised job vacancies

  2. Lawful basis: The consent (Article 6-1 (a) of the GDPR) given by the data subject’s sending an application to Afnic, spontaneously or in response to an advertised vacancy
  3. Duration: Deleted one year after the last contact or earlier in the event of withdrawal of consent
  4. Categories of data processed: Your identifying data. Such data as are necessary and pertinent to respond to the requirements of the offer of employment. Our exchanges. Data on processing of applications. Outcome of applications.
  5. How the data are collected: Direct collection in principle. Indirect collection for gathering references from the candidate’s work environment (hierarchical superiors, colleagues, internship supervisors, clients, service providers, etc.). No other indirect collection without the candidate’s prior agreement
  6. Nature of the data: Necessary to allow processing of and response to the application
  7. Recipients: Afnic’s HR department. Afnic managers issuing the job offer for information relating to the performance of the functions. The recruitment agency commissioned by Afnic, if any.

Management of personal rights and freedoms

  1. Purpose

The administrative processing of personal rights and freedoms allows Afnic to:

– Manage requests to exercise the rights of access, objection, rectification and erasure of data, restriction of processing, the right to withdraw consent, to lodge a complaint with a supervisory authority and to lay down guidelines regarding the retention, erasure and communication of personal data in the event of death 

– Manage requests for access to and erasure of personal data in the event of identity theft in registering a domain name

  2. Lawful basis: In compliance with our legal obligations (Article 6-1 (c) of the GDPR): Chapter 3 of the GDPR
  3. Duration: One year in current files followed by three years in intermediate files in the event of the exercise of the right of objection
  4. Categories of data processed: Your identification data. Your request and its processing
  5. How the data are collected: Direct collection
  6. Nature of the data: The requirement for your data is regulatory and failure to provide them may prevent the processing of your request
  7. Recipients: The Afnic internal departments concerned. The registrars responsible for the domain names concerned by the request, if any