Norid’s processing of customer data
Norid collects and processes various information about the domain registrations. This information is registered in Norid’s customer database. The database is continually updated by information being added about new domain names that are registered, or by registered information being changed. Historical data is stored separately from the customer database, for research and statistical analysis.
UNINETT Norid AS (Norid) runs the registry for Norwegian domain names. All domain names directly under the Norwegian top-level domain .no are registered with us. Norid processes domain applications and ensures that the rules for allocating domains are consistent with the needs of society. Norid is also responsible for the technical operation and development of the service.
A domain is created as soon as Norid registers it to an organisation1 or an individual. The domain holder is granted the right to use the domain name for as long as the registration is valid, normally until the organisation or individual terminates it. The holder may transfer the domain to others or request its deletion. After deletion, anyone can register the domain name anew.
Norwegian domain names are registered and maintained via registrars. Registrars are enterprises that have a contract with Norid to submit applications and updates on behalf of the domain holder, and generally acts as an intermediary between Norid and the holder. In order to register a domain, a holder must sign one contract with Norid and one with the provider.
1. The purpose of processing customer data
The purpose of Norid’s processing of customer data is:
- To ensure that private individuals and organisations can register Norwegian domain names and maintain and transfer the registration within the parameters set by the domain name policy for .no
- To manage the Norwegian top-level domain in a way that contributes to robust operation of the internet as an infrastructure
Some processes following from this purpose:
- Processing of domain applications and associated activities
- Inclusion of relevant data in the zone file
- Making select data available through the registration directory service
- Conveyance of domain complaints in the dispute resolution system for .no
- Sharing of data with the registrars so that they can act on behalf of the domain holder
- Development of the registry service so that it is suited to the needs of society
- Operation of the name service for .no in a way that secures stability and technical quality
- Research and statistical analysis
2. Types of information
2.1 Information about the registration
Information collected from the domain holder via the registrar includes:
- The domain name to which the registration applies
- Confirmation that the holder has submitted a applicant declaration2 (name, date, version)
- Transfer code3
- DNSSEC information4
In addition, the system creates information about the duration and status of the registration:
- When the registration was created, last changed, and when it expires
- Status of the registration (being deleted, blocked for changes, cannot be transferred, etc.)
Each registration has one domain holder, a minimum of one technical contact, a minimum of two name servers (which can have their own technical contacts), and one registrar. Norid records the time the data is registered in the database and when the information was last updated.
A holder may register several domains. Similarly, a technical contact may be responsible for several domains and name servers. All registrars are responsible for multiple domains on behalf of one or more domain holders.
2.2 Information about the domain holder
The holder can be a private individual or an organisation (legal person). Norid collects the following information about these:
|Unique identifier||Registered organisation number or personal identifier5|
|Organisation||Organisation name (if the subscriber is an organisation)|
|Contact person||Name of the holder (if the holder is a person) or name of the organisation’s contact person|
|E-mail address||Can be generic, e.g. firstname.lastname@example.org|
|Postal address||Street, postal code and postal area|
Use of unique identifier: The holder is identified to Norid by a unique identifier. For organisations, this is the organisation number registered in the Brønnøysund Register Centre, while private individuals are identified by their national identity number. The unique identifier shows who has the right to use the domain.
Private individuals state their national identity number and the name with which they are registered in the National Registry to Norid, and we check the information against the National Registry. To restrict access to the holder’s national identity number, Norid then creates a unique identifier that the holder uses in our systems and towards the registrar. The combination of name, national identity number and personal identifier is stored by Norid in a specially secured database to which only authorised employees have access.
2.3 Information about technical contacts
Each registration must have at least one technical contact that can be contacted if a technical error occurs with the domain, or if the domain is used in a way that threatens the functionality, security or stability of other domains or the internet as an infrastructure. The technical contacts are roles – for example an IT department or the internet service provider’s hostmaster.
Norid collects the following information about technical contacts:
|Role description||For example: hostmaster or technical department|
|E-mail address||Should be generic, of the type email@example.com|
|Postal address||Street, postal code and postal area|
2.4 Information about name servers
Each domain name must have a minimum of two name servers. These are machines that answer requests for addresses under the domain name. The name servers are essential for the domain functioning. Name servers may have a technical contact that can be contacted in the event of a fault with the service, but this is optional.
Norid collects the following information about name servers:
|Name||For example: nac.no|
|IP-address||For example: 126.96.36.199|
2.5 Information about registrars
All domain registrations are linked to a registrar. Norid collects the following information about registrars in the customer database:
|Postal address||Street, postal code, postal area, country|
Norid also registers information about the registrars in dedicated business systems separate from the database. This includes the organisation’s name and number, contact persons, status, breaches of contract, whether the registrar offers services to both private individuals and organisations, and whether they offer DNSSEC for the customer’s domains, etc.
3. More about processing of personal data
Some of the information that is collected is information related to private individuals, and which is regarded as personal data as defined in Article 4, 1 (“Definitions”) of the General Data Protection Regulation (GDPR).
Norid’s processing of this data is necessary for:
- the performance of a contract to which the domain holder is party or to take steps at the request of the holder prior to entering into a contract (GDPR Article 6, 1b)
- complying with a legal obligation to which Norid is subject (GDPR Article 6, 1c)
- the purposes of the legitimate interests pursued by Norid or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the holder (GDPR Article 6, 1f)
With the exception of the status of the domain registration, as well as date of creation, change, and termination, Norid’s customer data is collected in from the holder via a registrar.
The domain holder must enter into one agreement with Norid and one with the registrar, and Norid and the registrar must both process personal data in order to fulfil their agreement with the holder. Norid and the registrar are thus independent data controllers. The holder may exercise his right to access his own data by contacting his registrar or Norid.
4. Maintenance of customer data
The domain holder is responsible for ensuring that the contact information related to the domain is correct. In the event of an error, the holder must contact the relevant registrar so that the information can be updated. Norid processes notifications of change received via the registrars in a quick and efficient manner. This means that data is continually updated.
A domain holder may ask to be removed from the database by contacting his registrar. However, this means that all registrations held by the holder must be deleted, and the domains become available for others. Data that is not connected to an existing domain registration is automatically removed from the customer database after a certain period.
- Registered in Norway’s Central Coordinating Register for Legal Entities [Enhetsregisteret].
- The holder accepts the registration rules for .no using an applicant declaration form
- The transfer code ensures that the domain name cannot be transferred to a new provider without the holder’s consent
- Securing domains with DNSSEC is optional, but if the domain is secured, the holder has to submit DNSSEC keys and DS records
- Identifier generated by Norid’s systems and only used in connection with the domain registration
- All holders must have a Norwegian postal address