The entry into force of Regulation (EU) 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and the free movement of such data, the so-called GDPR, has had a very significant impact on the processing of personal data of persons residing in the European Union, including in the area of domain name registration services.
In Portugal, too, the GDPR therefore gave rise to changes in the Registration Rules of .pt domain names. These changes have been applied since May 25, 2018, which is also the date of entry into force of the GDPR.
The GDPR has reinforced the level of protection of the rights of personal data holders, raising concerns about the possibility that personal data may continue to be made available on the WHOIS service, such data being essential for contact or identification of those responsible for websites, and for the activation of dispute resolution procedures and enforcement of intellectual property rights, namely, in the case of conflicts between domain names and trademark rights.
The recommendations at international level of organizations such as CENTR (Council of European National Top-Level Domain Registries) and ICANN (Internet Corporation for Assigned Names and Numbers) were to maintain the availability of data in the WHOIS system, and the inherent principles of transparency and publicity, as far as possible, while reconciling them with the requirements of the GDPR. In any case, the availability of personal data in the WHOIS .PT service must be based on the free and informed consent of the respective holders. Thus the WHOIS policy rules in the .pt domain are as follows:
Regarding the domain name, the WHOIS publishes the following data:
- domain name,
- creation date,
- expiration date,
- server data (name server).
With regard to the registration holder, WHOIS discloses:
- if it is a legal person, the name, address and email of the holder,
- if it is a natural person, the name, address and email address of the holder only if the holder has given consent.
With respect to the managing entity or registrant, the WHOIS discloses:
- if it is a legal person, the name, address and email of the entity,
- if it is a natural person, the name, address and email, only if the latter has given consent.
In the case of natural persons who have not given consent to public disclosure, or who have withdrawn the consent initially provided, it will be possible to contact the holder by means of an "anonymized" email, that is, without the recipient address being displayed.
In addition, judicial authorities, ARBITRARE (arbitration center for intellectual property disputes), and entities to which the law assigns powers in criminal investigation, or whose mission is supervision and prevention with regard to compliance with the law, in particular in the areas of consumer rights protection, intellectual property, communications, security, public health and commercial practices in general, may request from DNS.PT access to personal data not publicly accessible via WHOIS.