ΕΝΑRΤΙΑ Single Member S.A., lawfully incorporated under the laws of Greece with registration number EUID: ELGEMI.077785727000 (“We, us, Enartia, Company“), provides, among others, domain name registration services. The Company is committed to protecting and respecting your privacy.
“You” refers to the Customer.
This document contains information on our policies regarding privacy, to give an understanding of how your Personal Data is processed in the scope of domain name registration and domain name management activities. Personal Data is a term used to describe data that allows you to be directly or indirectly identified as set out in the General Data Protection Regulation (hereinafter “GDPR”).
In accordance with the provisions of Regulation (EU) 2016/679 (the General Data Protection Regulation – “GDPR”), Law 4624/20219 and Law 3471/2006, as amended and currently applicable (the ”data protection and privacy legal framework”), the processing carried out by Enartia is based on the principles of lawfulness, fairness, transparency, limitation of purpose and retention, data minimization, accuracy, integrity and confidentiality.
Enartia has appointed a Data Protection Officer (“DPO”). The DPO is available to provide any information regarding the Processing of Personal Data carried out by Enartia and can be contacted by sending an email to the email address dpo@enartia.com.
Please read the following notice carefully to understand our views and practices regarding your Personal Data and how we will treat it.
1. Roles and responsibilities in the processing of domain name registration data
The domain name (often simply called a “domain”) is a name associated with an IP address on the Internet.
A domain is made up of several parts, one of which is the extension, also referred to as the top-level domain (“TLD”), which is the part of the domain that follows the dot.
There are two categories of TLDs:
– Generic TLDs (generic top-level domain or “gTLD”): for example .com, .org, .info, .biz etc., which have international diffusion;
– National TLDs (country code top-level domain or “ccTLD”): are the domains referring to a country. For example, the ccTLD for Greece is .gr.
Three different parties are involved in the process of registering a domain name: the Registry, the Registrar and the Registrant.
The term “Registry” refers to a national or international body responsible for establishing rules and procedures for the assignment of domain names, the management of registers and the primary nameservers of the various TLDs.
For example, in Greece, the ccTLD “.gr” is maintained by FOUNDATION FOR RESEARCH AND TECHNOLOGY – HELLAS (FO.R.T.H.).
The term “Registrar” refers to an organization authorized by the Registry to carry out operations on the domains of the TLD for which it has accreditation.
For example, Enartia operates as a Registrar for the ccTLD “.gr” and “.ελ”.
Lastly, the term “Registrant” refers to the natural or legal person who registers a domain name.
In practice, to register a domain name, the Registrant submits a request to the Registrar, who, in turn, forwards the request to the competent Registry, which determines whether the conditions for registration are met. If the assessment is successful, the domain name will be registered in the name of the Registrant, who will become the assignee and thus able to claim the rights in accordance with the applicable legislation, for the times indicated in the stipulated service contract.
After registration of a domain name with gTLD extension, the Personal Data relating to the assignee of the domain name in question will usually be published, and therefore disseminated, in the public WHOIS/RDAP database, and can be consulted using the Registration data lookup tool (https://lookup.icann.org/en) made available by ICANN (the “Internet Corporation for Assigned Names and Numbers” a worldwide organization responsible for coordinating the maintenance and the procedures of several databases related to domain names) with gTLD extension.
Domain names with the ccTLD extension may be published on the WHOIS databases managed by the corresponding Registries, according to the policies of each Registry.
Enartia, typically qualifies as Data Processor with respect to the processing of data for the registration and management of domain names via its brands Papaki and Top.Host. The Registry is also typically identified as a Data Controller.
Furthermore, if additional third-party Personal Data is required in order to register a domain name (such as, but not limited to, the contact details of the Administrator – or “Admin-C” – and Technical Manager – or “Tech-C” – of a given domain name), Enartia typically acts as Data Controller with respect to that Personal Data. In this case, you act as independent Data Controller, assuming all legal obligations and responsibilities for the provision of those data. In this way you grant the broadest possible indemnity against any objection, claim, request for compensation for damage due to processing, etc., which could affect Enartia from said third parties if their data has been processed in breach of the applicable Personal Data protection regulations. In any case, if you provide the Personal Data of third parties as part of the registration of a domain name, you must guarantee from thereon in – assuming all related responsibility – that this particular processing activity is based on an appropriate legal basis pursuant to art. 6 or 49(c) GDPR, which legitimises the processing of the data in question.
2. Which Personal Data we process
The data collected by Enartia as part of a domain name registration request includes only the data strictly necessary for providing the service, which the Customer provides at the domain name registration stage, and is listed in the Service Order available at this address: https://web.papaki.com/legal/katoxirosi-domain/?lang=en
Typically, to register a domain name, you must provide certain personal information including:
- Contact Information: your name, address, phone number, and email address.
- Identity Verification: Some Registries may also require you to provide additional documentation to verify your identity, such as a government-issued ID or passport.
- Additional contact point: Some Registries may require you to provide one or more additional contact points, who will be responsible for e.g. administrative or technical aspects of the domain registration.
Regarding Personal Data processing carried out as part of the domain name registration service, it should be noted that Enartia will process data necessary for the billing and accounting management of the domain name, according to the Client Privacy Notice.
By purchasing services/products through our website, the Customer declares that they want the Company to undertake the completion of a task on their behalf or the mediation between the Customer and a third party for the completion of a task in the capacity of the Company as a digital service provider.
In certain specific cases, we may request a copy of an identity document for certain important operations, such as requests to erase a domain name or requests to change the assignee.
The provision of such data is in itself optional; however, in its absence, Enartia will not be able to provide the requested service.
The domain Registrar as the entity responsible for managing the registration of domain names, is responsible for collecting and storing your Personal Data in accordance with applicable laws and regulations. They may share the Personal Data with other Registrars in order to register a domain. The domain Registry, as the entity responsible for maintaining the database of registered domain names, will receive your Personal Data. The Registry uses this information to maintain accurate and up-to-date records of the registered domain names, and to ensure compliance with relevant laws and regulations. The Registrar and Registry may also be required to share your Personal Data with ICANN (Internet Corporation for Assigned Names and Numbers) as a part of the compliance process with ICANN’s policies.
3. Purpose of processing
We process the personal data as part of this process exclusively:
- for domain name registration and management purposes, which involves verifying the data provided for the registration, billing and accounting management of the domain name, assistance and support in its management, ancillary operations such as requests for erasure, transfer or change of owner, as well as the communication of important information on the renewal of the domain (“Provision of the Service”);
- for billing and invoicing for the domain registration
- for security purpose and the prevention of fraudulent conduct (“Abuse and Fraud Prevention”);
- to fulfil legal obligations, in particular those deriving from the legislation in force on the registration of domain names (“Compliance”);
- to communicate the data necessary for registration to independent third-party data controllers, such as the competent Registries, according to each case, for the extension to be registered (“Data communication to independent third-party data controllers”);
- to protect the intellectual and industrial property rights of third parties, or to verify reports of abuse allegedly committed by you to the detriment of third parties, for example, for the protection of industrial property rights (“Protection of legitimate third-party interests”).
4. Legal basis for the Processing of Personal Data
- Processing for the purpose of provision of the Service and Data communication to independent third-party controllers is necessary in order to execute the service contract between you and Enartia, pursuant to art. 6(1)(b) GDPR.
- Processing for the purpose of Abuse and Fraud Prevention is based on Enartia’s legitimate interest in preventing fraud and scams committed to its detriment or to the detriment of its customers, pursuant to art. 6(1)(f) GDPR and on the basis of Recital 47 GDPR.
- Processing for the purpose of protection of legitimate third-party interests is based on the legitimate interest of said third parties to protect their rights, such as intellectual and industrial property rights, or in the event of abuse allegedly committed by you to the detriment of said third parties. This processing activity is legitimate pursuant to art. 6(1)(f) GDPR.
- Processing for the purpose of Compliance with the applicable legislation (i.e. domain name legislation, tax legislation, etc.) is legitimate pursuant to art. 6(1)(c) GDPR. Once the Personal Data has been provided, further processing may be necessary to fulfil certain legal obligations to which Enartia is subject. This type of Processing may not be opposed, given that it is based on legal obligations.
5. Personal Data Recipients
For purposes strictly related to the provision of the service of domain registration, the Personal Data of the domain name holder (as well as of third parties like Admin-C and Tech-C, if required for registering the specific domain name with the competent Registry), may be communicated to third parties acting as independent Data Controllers.
In specific terms, this data will be communicated to the national and foreign Registries to which Enartia is required to send the technical and administrative documentation required by sector legislation, as well as to any other organizations accredited for the registration of domain names with extensions for which Enartia is not accredited. The latter typically act as Data Processors on behalf of Enartia.
The Registries will process the Registrants’ data to keep the register of domain names updated and to ensure compliance with the relevant applicable laws and policies. We invite you to consult the privacy notices issued by the relevant Registry from time to time.
Enartia may be required to communicate your personal data to ICANN, in order to comply with ICANN policies and procedures. ICANN also requires Enartia, as Registrar, to deposit a copy of the data necessary for domain name management as escrow with an accredited Escrow Agent. For this service, Enartia uses the company DENIC Services GmbH & Co. KG (hereinafter, “DENIC”), located in Germany and designated by ICANN.
It should be noted that for gTLD extensions, and in some cases also for ccTLD extensions, if permitted or required by the competent Registry, Enartia may be required to communicate your data to third parties for the purpose of Abuse and Fraud Prevention, on the basis of art. 4 of the ICANN Temporary Specification for gTLD Registration Data, available at this link https://www.icann.org/resources/pages/gtld-registration-data-specs-en/#4 or for ccTLDs, on the basis of the policies issued from time to time by the competent Registry.
Upon explicit, detailed request, Enartia may also communicate the Personal Data of a domain name to third parties, based on its own legitimate interest, for the purpose of protecting its rights (including intellectual and industrial property rights), and the protection of legitimate third-party interests.
6. Personal Data Transfers
As part of the domain name registration services, the data is communicated to the recipients listed in section 5 of this privacy notice, which may be located outside the EU or the European Economic Area (the “EU/EEA”), such as ICANN and DENIC, or the Registry of the country of interest where the ccTLD or gTLD is to be registered.
Enartia ensures that the processing of your Personal Data by these Recipients takes place in compliance with the GDPR.
The legal basis of the aforementioned transfers to the Registries competent according to each case is found in art. 49(1)(b) GDPR and art. 49(1)(c) GDPR, where transfer outside the EU/EEA is necessary for the execution of the contract between Customer and Data Controller, or between Data Controller and a third party on behalf of the Customer.
With regard to data transfer to DENIC in the scope of gTLDs registrations, or in the event Enartia uses third party Registrars for the registration of certain gTLD extensions, the transfers are conducted on the basis of the EU Commission’s Standard Contractual Clauses, pursuant to art. 46 GDPR.
7. Data Retention
Personal Data processed for the purposes of provision of the Service and Data communication to independent third-party controllers will be kept for the time strictly necessary to achieve the indicated purposes.
Enartia will retain only the necessary personal data that refer to the provision of our Services, for 5 years after the end of service, which in general corresponds to the statutory limitation period for breach of contract proceedings, so as to protect its interests and be able to demonstrate that it has correctly fulfilled its contractual obligations.
For the purposes of Abuse and Fraud Prevention and Protection of legitimate third-party interests Personal Data will be kept for the period required by Enartia to prevent and combat fraudulent conduct and to protect the legitimate interests of third parties, i.e. for 5 years.
Additionally, we will keep payment records for 20 years to comply with our tax and accounting obligations and based on our legitimate interest to protect against any lawsuits for wrongdoing.
8. Customer Rights
Without prejudice to the obligations or powers to retain Personal Data set forth in paragraph 7, you have the right to ask Enartia, at any time, 1) for access to your Personal Data, 2) its correction, 3) erasure or 4) limitation of processing in the cases contemplated by art. 18 GDPR, as well as to 5) obtain the data concerning you in a structured, commonly used and machine-readable format (portability), in the cases contemplated by art. 20 GDPR, for the purpose of provision of the Service.
You have also the right to 6) object to the processing of your personal data for the purpose of Abuse and Fraud Prevention, in the cases contemplated by art. 21 GDPR.
Such requests can be made by contacting the Enartia Data Protection Officer (DPO) as mentioned above.
If you feel that the protection of your personal data has been violated, you may file a complaint with the Hellenic Data Protection Authority (www.dpa.gr).
9. Amendments
We may change this document at any time in order to reflect changes in the law or our practices. Keep an eye on our website for any updates. If we change anything major in this document, we will inform you.
In case of discrepancies between translations, the Greek version shall prevail.