Privacy Policy

Gateway SRS

THIS PRIVACY POLICY FORMS PART OF DNS’ GATEWAY STANDARD TERMS AND ALSO APPLIES TO ANY PERSONAL INFORMATION THAT DNS MIGHT COLLECT FROM THE CUSTOMER FOR ANY OF DNS’ SERVICES. IF THE CUSTOMER DOES NOT AGREE WITH ANY TERM OF THIS PRIVACY POLICY, IT MUST CEASE ITS USE OF DNS’ SERVICES IMMEDIATELY.

General

This Privacy Policy establishes the Parties’ respective responsibilities for the Processing of Personal Information. It is intended to ensure that Personal Information is Processed in a manner that is secure and in accordance with Applicable Laws and its defined Purpose(s). 

This Privacy Policy forms part of the Gateway Standard Terms (“Agreement”) entered into between the Parties for the provision of the Services to reflect the Parties’ agreement regarding the Processing of Personal Information.

The Parties are each responsible for complying with their respective obligations under Applicable Laws governing Personal Information.

The Customer remains solely responsible for obtaining Registrants’ consent to processing of Personal Information and for ensuring that DNS’ processing of Personal Information for purposes of the Services will not place DNS in breach of any laws, provided that DNS also remains liable to use Personal Information only for the purpose of providing the Services in accordance with Applicable Laws.

Definitions 

The terms defined in the Agreement will have the same meanings in this Privacy Policy unless stated to the contrary. 

The following words and phrases have these specific meanings in this document:

“Applicable Agreements” means this Privacy Policy, the Registrar Accreditation Agreement (“RAA”), the Registry Agreement (“RA”), and the Agreement.

“Applicable Laws” means the General Data Protection Regulation (2016/679) (“GDPR”), the Electronic Communications Data Protection Directive (2002/58/EC), the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2426/2003) (as amended) and all other applicable laws and regulations worldwide, including their successors or as modified, relating to the Processing of Personal Information.

“Customer” means a party which enters its name, contact and other required details in the DNS Portal, and has accepted the terms of the Gateway Standard Terms.

“Data Protection Authority” means the relevant and applicable supervisory data protection authority in the member state or other territory where a party to this Privacy Policy is established or has identified as its lead supervisory authority, or otherwise has jurisdiction over a Party to this Privacy Policy.

“Data Subject” means an identifiable natural person who can be identified, directly or indirectly, in particular by reference to Personal Information.

“DNS” refers to DNS Africa Ltd, a private company incorporated in accordance with the laws of the Republic of Mauritius with registration number 135786 C1/GBL.

“DNS Portal” means the Internet website operated by DNS at URL http://portal.dns.business (including subdomains) or such other URL as may be selected by DNS from time to time.

“ICANN” means the Internet Corporation for Assigned Names and Numbers.

“Personal Information” means any information such as a name, an identification number, location data, an online identifier or information pertaining to an individual’s physical, physiological, genetic, mental, economic, cultural or social identity relating to that natural person, that can be used to directly or indirectly identify a Data Subject.

“Process” means any operation or set of operations which is performed on or in relation to Personal Information, whether or not by automated means, and which includes the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, or otherwise as defined in Applicable Laws.

“Purpose(s)” means as provided in Section 5 below.

“Registration Data” means data collected by the Registrar under the RAA and that is required to be shared with the Registry under the RAA and the RA.

“Security Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Information.

“Temporary Specification” means the “Temporary Specification for gTLD Registration Data” adopted on 17 May 2018 by the ICANN Board of Directors, as may be amended or supplemented from time to time.

Status and Amendments

This Privacy Policy sets out our information gathering and dissemination practices in respect of DNS’ Services.

This Privacy Policy forms part of the Agreement. If the Customer does not agree with this Policy, then it may not use DNS’ Services and is required to cease doing so immediately.

To the extent that DNS has access to Personal Information in providing the Services to the Customer under the Agreement, DNS will Process Personal Information in accordance with this Privacy Policy. Solely in relation to the Processing of Personal Information, to the extent that the terms of this Privacy Policy conflict with the terms of the Agreement the terms of this Privacy Policy will take precedence over the terms of the Agreement. 

DNS reserves the right to amend the terms and conditions of this Privacy Policy at any time.

Roles and Responsibilities

The Customer acknowledges and agrees that, with respect to Processing of Personal Information for the Purposes as set out herein:

Either of the Parties and ICANN may act as either a Controller or Processor of Personal Information; and

Although ICANN, the Registry and Registrar may each take on the role, or additional role, of Controller or Processor in the lifecycle of processing Registration Data under Applicable Agreements, for the purposes of this Privacy Policy, only the roles of the Registry and the Registrar are applicable.

The Parties must, subject to the instructions of the Data Subject, ensure that Personal Information is accurate. Where any Party becomes aware of inaccuracies in Personal Information, they must, where necessary, notify the other Parties, to enable the timely rectification of such information.

The Customer undertakes to inform Data Subjects of the Purposes for which their Personal Information will be Processed and provide all of the information that it must provide in accordance with Applicable Laws, to ensure that the Data Subjects understand how their Personal Data will be Processed.

Purpose of Collection and Processing of Personal Information of Data Subjects

This Privacy Policy sets out the framework for the protection of Personal Information for the Purposes noted in this section and defines the principles and procedures that the Parties must adhere to and the responsibilities the Parties owe to each other. 

Processing of Personal Information by the Parties is for the limited purpose of provisioning, servicing, managing and maintaining domain names, as required of Registries and Registrars under the Applicable Agreements with ICANN, including to the extent those purposes serve to ensure the stability and security of the Domain Name System and to support the lawful, proper and legitimate use of the services offered by you and us. 

The Parties must fully cooperate with each other to the extent necessary to effectuate corrections, amendments, restrictions or deletions of Personal Data as required by Applicable Laws and/or at the request of any Data Subject. The Registry Operator will describe in the Published Policies the purposes for which any Personal Information that is submitted to the Registry Operator by either Party is collected or used, as well as the intended recipients of such Personal Information.

The Customer must inform each Registrant of the purposes for which Personal Information is collected and used and of other relevant information as set out in the Published Policies, and obtain the consent of each Registrant for collection and use for such purposes, and in particular obtain consent for:

use by the Registry Operator in providing the registry services and in particular providing a public WHOIS facility which may include the Personal Information;

inclusion of Personal Information in escrow deposits by the Registry Operator held by third parties located anywhere in the world;

transfer of Personal Information to the Registry Operator’s service provider or the Registry Operator’s affiliates for the purposes of providing registry services; and

transfer of Personal Information to a third party replacing the Registry Operator in providing the Registry Operator function in terms of the Registry Operator’s agreement with ICANN, wherever in the world such third party may be located.

Each Party must ensure that it Processes Personal Information on the basis of one of the following legal grounds:

where the Data Subject has consented to Processing the Personal Information for one or more specific Purposes (which consent can be revoked at any time);

where Processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;

as necessary to provide the Services and pursuant to the Agreement;

where necessary to comply with any legal obligation; 

Processing is necessary for the purposes of the legitimate interests pursued by the Customer or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of Personal Data; 

Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Customer; or

where the information is made public by the Data Subject.

Use and Processing of Personal Information of Data Subjects

The Parties must fully cooperate with each other to the extent necessary to effectuate corrections, amendments, restrictions or deletions of Personal Data as required by Applicable Laws and/or at the request of any Data Subject. 

The Parties collectively acknowledge and agree that Processing necessitated by the Purpose(s) is to be performed at different stages, or at times even simultaneously by the Parties. Thus, this Privacy Policy is required to ensure that where Personal Information may be Processed, it is done so at all times in compliance with the requirements of Applicable Laws.

Both Parties undertake that Personal Information will be processed in accordance with Applicable Laws and requirements directly applicable to the provision of the Services, and that they will only process the information in a manner consistent with allowing use of the Services and will process it to the minimum extent necessary.

Neither Party may use or authorise the use of Personal Information in any way that is incompatible with the purpose set out in the Published Policies or which is contrary to the Agreement or Applicable Laws.

Both Parties may Process Personal Information during the term of the underlying Agreement to which this Privacy Policy is applicable and must abide by the terms of this Privacy Policy for the duration of the Processing if in excess of that term, unless otherwise agreed upon in writing.

The Parties must immediately notify each other and ICANN and/or the Registry Operator (whichever is applicable) if, in their opinion, any instructions or requirements under Applicable Agreements infringe any Applicable Laws.

All Personal Information must be treated as strictly confidential and the Parties must inform all their employees or approved agents engaged in processing the Personal Information of the confidential nature of the Personal Information, and ensure that all such persons or parties have signed an appropriate confidentiality agreement to maintain the confidence of the Personal Information.

Personal Information of Customer

DNS collects Personal Information about the Customer, including information that directly or indirectly identifies it if the Customer chooses to share it with DNS. 

The Customer hereby expressly agrees that DNS may collect, Process and share its Personal Information that it entered on the DNS Portal for the purposes of providing the Services or in line with this Privacy Policy. 

DNS uses the information it collects on the Customer to provide its Services, to improve its Services and as otherwise described in this Privacy Policy. 

DNS may use the Customer’s Personal Information collected to compile profiles for statistical purposes. No information contained in the profiles or statistics will be able to be linked to any specific person or entity. 

Data Subject Rights

The Parties have certain obligations to respond to requests of a Data Subject whose Personal Information is being Processed under this Privacy Policy, and who wishes to exercise any of their rights under Applicable Laws, including, but not limited to: 

right of access and update; 

right to data portability; 

right to erasure;

right to rectification;

right to object to automated decision-making; or

right to object to processing.

Data Subjects have the right to obtain certain information about the Processing of their Personal Information through a subject access request (“Subject Access Request”). The Parties must maintain a record of Subject Access Requests, the decisions made and any information that was exchanged. Records must include copies of the request for information, details of the data accessed and shared and where relevant, notes of any meeting, correspondence or phone calls relating to the request.

The Parties agree that the responsibility for complying with a Subject Access Request falls to the Customer and any final decisions made by it will govern the actions taken.

The Parties agree to provide reasonable and prompt assistance (within 5 (five) Business Days of such a request for assistance) as is necessary to each other to enable them to comply with Subject Access Requests and to respond to any other queries or complaints from Data Subjects. 

Destruction of Personal Information

DNS will delete all Personal Information, upon receipt of a written instruction from the Customer or a Data Subject to do so. 

DNS will destroy or delete any Personal Information that is no longer needed by it for the Purpose it was initially collected, or subsequently Processed.

DNS may retain information from deleted accounts to comply with Applicable Laws, prevent fraud, resolve disputes, troubleshoot problems and enforce any of its terms. Any information DNS retains will be handled in accordance with this Privacy Policy.

Security

The Customer will be responsible for the security of any Personal Information in transmission to DNS by employing appropriate safeguards and technical information security controls.

The Parties must both take appropriate, reasonable technical and organisational measures as required by Applicable Laws to protect the Personal Information from loss, misuse, unauthorized disclosure, alteration or destruction.

Both Parties will take reasonable measures to:

ensure that only authorised individuals for the Purposes of this Privacy Policy can access the Personal Information;

encrypt the Personal Information, where necessary or appropriate;

ensure continued confidentiality, integrity, availability and resilience of our processing systems and services;

restore the availability and access to Personal Information in a timely manner;

establish and maintain appropriate safeguards against the risks identified;

conduct regular threat assessment or penetration testing on systems as deemed necessary, considering the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, with due regard to the nature of the data held, the cost of implementation, and the state of the art;

identify all reasonably foreseeable internal and external risks or vulnerabilities to the Processing of Personal Information; and

ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.

The Parties agree to implement appropriate technical and organisational measures to protect the Personal Information in their possession against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure, including but not limited to:

ensuring IT equipment, including portable equipment is kept in lockable areas when unattended;

not leaving portable equipment containing the Personal Information unattended;

ensuring use of appropriate secure passwords for logging into systems or databases containing Personal Information;

ensuring that all IT equipment is protected by antivirus software, firewalls, passwords and suitable encryption devices;

using industry standard 256-bit AES encryption or suitable equivalent where necessary or appropriate;

limiting access to relevant databases and systems to those of its officers, staff, agents, vendors and sub-contractors who need to have access to the Personal Information, and ensuring that password security mechanisms are in place to prevent inappropriate access when individuals are no longer engaged by the Party;

conducting regular threat assessment or penetration testing on systems as deemed necessary, considering the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, with due regard to the nature of the data held, the cost of implementation, and the state of the art; and

allowing for inspections and assessments as to the security measures taken, or producing evidence of those measures, if requested.

Security Breach Notification 

Should either Party become aware of any Security Breach in relation to Personal Information, and where such a Breach is of a material impact to this Privacy Policy, or is likely to have a material impact on either Party, the Party should immediately notify the other, and provide immediate feedback about any impact this incident may/will have on such Party, including the anticipated impacts to the rights and freedoms of Data Subjects, if applicable. Such notification will be provided as promptly as possible, but in any event no later than 24 hours after detection of the Security Breach. 

The Party being notified of a Security Breach must be provided the following information, to the greatest extent possible, with further updates as additional information comes to light: 

A description of the nature of the incident and likely consequences of the incident; 

Expected resolution time (if known); 

A description of the measures taken or proposed to address the incident, including measures to mitigate its possible adverse effects; and

The categories and approximate volume of Personal Information and individuals potentially affected by the incident, and the likely consequences of the incident on that Personal Information and associated individuals.

The Parties may, upon mutual agreement, provide resources from their security groups to assist with an identified Security Breach for the purpose of meeting their obligations in relation to the notification of a Security Breach under Applicable Laws or other notification obligations or requirements.

For the purpose of this section, both Parties are also required to provide notification in accordance with this section in response to: 

A complaint or objection to Processing or request with respect to the exercise of a Data Subject’s rights under Applicable Laws; and 

An investigation into or seizure of Personal Information by government officials, regulatory or law enforcement agency, or indications that such investigation or seizure is contemplated. 

Sub-Contractors

To the extent that either Party contracts with any subcontractor, vendor or other third-party to facilitate performance under the Applicable Agreements, such Party must enter into a written agreement with this third party to ensure it also complies with the terms of this Privacy Policy.

The Party which employs a sub-processor, vendor or other third-party is, and will remain, fully liable for any such third party’s acts where such party fails to fulfil its obligations under this Privacy Policy (or similar contractual arrangement put in place to impose equivalent obligations on the third party to those incumbent under this Privacy Policy or under Applicable Laws).

Indemnity

Each Party will, at its own expense, defend, indemnify and hold the other harmless from and against all claims, liabilities, costs and expenses arising from or relating to:

a Security Breach,

breach of Applicable Laws, and

breach of this Privacy Policy, to the extent caused by the breaching Party’s negligent, wilful or intentional acts or omissions.

Transfer of Personal Information

For the purposes of this Privacy Policy, transfers of Personal Information include any sharing of Personal Information, and shall include, but are not limited to, the following:

Transfers amongst the Parties for the Purposes contemplated in this Privacy Policy or under any of the Applicable Agreements;

Disclosure of the Personal Information with any other third party with a valid legal basis for the provisioning of the Purposes;

Publication of the Personal Information via any medium, including, but not limited to, in public registration data directory services;

The transfer and storage by the Parties of any Personal Information from within the European Economic Area (“EEA”) to servers outside the EEA; and

Otherwise granting any third party located outside the EEA access rights to the Personal Information.

Personal Information relating to EU individuals may only be transferred to outside of the EEA (or if such Personal Information is already outside of the EEA, to any third party also outside the EEA), in compliance with the terms of this Privacy Policy and the requirements of Applicable Laws, the latter including any relevant Adequacy Decision of the European Commission or the use of EU ‘Standard Contractual Clauses’. Where Standard Contractual Clauses for data transfers between EU and non-EU countries are required to be executed between parties, they may be found and downloaded, to be incorporated herein as part of this Privacy Policy upon execution, at https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32010D0087 (or such link location as may be updated from time to time). 

If provision of the Services requires transfer of any Personal Information to a third party located in another jurisdiction, DNS will procure the Customer’s prior written consent to such transfer.

Impact of Changes

In the event the ICANN Board adopts changes to the Temporary Specification (a “Triggering Event”), then Registry may notify Registrar of the changes, and upon ICANN publication of the updated Temporary Specification to its website, the changes will also be adopted and incorporated automatically herein to this Privacy Policy.

Registrar will be given thirty (30) days to accept or reject the proposed changes; rejection may result in termination of the Agreement. If Registrar does not respond within thirty (30) days following notice, it is deemed to have accepted the changes to the Privacy Policy, as applicable.

In the event Applicable Laws change in a way that the Privacy Policy is no longer adequate for the purpose of governing lawful processing of Personal Information and there was no Triggering Event, both of us agree that we will negotiate in good faith to review and update this Privacy Policy in light of the new laws.

DNS Gateway