Tucows believes in the principles that the GDPR upholds, and we, along with other key players in our industry, feel that extending the benefits of the GDPR to registrants worldwide is simply the right thing to do.
- Applying GDPR platform-wide
- Tucows branding on Your Data Sharing Preferences pages
- The difference between consent and contract
- Personal data retention
- ICANN data policy compliance
Applying GDPR platform-wide
There are other privacy policies with similarly strict requirements for the GDPR in place today. It’s expected that more will be introduced as governments around the world are called on to create a policy that properly addresses our modern privacy concerns in, digital age. It is in our best interest, and that of our resellers and registrants, to prepare for a world of heightened data sharing and privacy standards.
Tucows branding on Your Data Sharing Preferences pages
Tucows remains committed to providing a white-labeled solution for our resellers. This commitment must be met in balance with the legal obligations we have as a data processor and controller.
Modern privacy laws and regulations require service providers to disclose what personal data they are processing, how this data is being held and processed, and by whom it is being processed. For us to obtain informed, affirmative consent from registrants to process their personal data, we must be transparent about the fact that Tucows is processing their data.
The difference between consent and contract
To an end-user, checking a consent box and accepting a contract may feel very similar, but legally these are two distinct concepts. Each one is a separate legal basis with unique applicabilities and limitations. Any data elements that Tucows or the registry/service provider requires to provide a TLD or other product is processed on a contract basis, meaning they are included in our contractual agreement with the registrant. We do not need to send a consent request to process these data.
Additional pieces of data such as those that are not contractually required but are helpful to have, or have been requested by the registry but not included in their contractual requirements, can only be processed with consent from the registrant. We are also obligated to provide registrants with an easy and accessible method to revoke this consent. Our Your Data Sharing Preferences page accomplishes both of these tasks: collecting registrant consent and providing a means to revoke it.
Asynchronous services are a special case. Tucows doesn’t require additional, consent-based data, yet the registry or service provider does, even if they have not provided a contractual legal basis for processing them.
Personal data retention
Data processed as part of fulfilling our service contract will be kept for the service's lifetime, plus up to ten years after the service’s termination.
Tucows will hold any data that we process under the legal basis of consent for the same period as the contract-based data unless that consent is withdrawn. If consent is removed, the erasure process begins at the time of withdrawal of consent and may take up to 60 days to complete. Please note that Tucows will log the registrant’s choice to revoke consent for asynchronous services and direct the end-user to their reseller to cancel services. Upon canceling the service, the registrant’s decision to withdraw consent will take effect.
Note: The domain service provider (reseller) may retain data for a shorter or longer period than Tucows.
ICANN data policy compliance
We continue to comply with ICANN policy to the greatest extent possible, as we have always done. Until ICANN policy is updated in response to the GDPR and other similar worldwide data privacy legislation, we may face many instances where ICANN's requirements layout for its registrars' conflict with our legal obligations. In these instances, we follow the law first and comply with ICANN as best we can.