Valid from 25 May 2018
(Extract pertaining to .ie domain registration and domain management retention)
2. Policy Statement
The Data Protection Acts 1988 and 2003 (as amended) (the DPA) and, from the 25 May 2018, the General Data Protection Regulation (the GDPR) impose obligations on us, as a Data Controller, to process personal data in a fair manner and to notify data subjects of the purposes of data processing and to retain the data for no longer than is necessary to achieve those purposes. In this policy, the IEDR’s retention practices are detailed, along with the rationale for the retention periods.
Personal Data for Registrants & Domain Contacts
- If associated with a successful request, this is retained until 2 years after domain deletion.
- If associated with an unsuccessful request, this is retained for 7 days after failure.
Docs containing Personal Data for Registrants & Domain Contacts
- If associated with a successful request, this is retained for 30 days after
- If associated with an unsuccessful request, this is deleted within 7 days after
- Records and documents that do not contain Personal Data may be retained in
accordance with business practice.
3. Data Retention
Personal Data for .ie Registrants and Domain Contacts
IEDR retains the Personal Data of .ie Registrants and Domain Contacts for the period of the contract, i.e. lifetime of the domain registration, plus a further 2 year period after deletion.
On the 2 year anniversary of the domain deletion, all Personal Data relating to the deleted domain record is anonymised.
Note: This further 2 year retention period after domain deletion relates to the potential need for IEDR to defend its legal rights should legal action be launched for breach of contract. (The Statute of Limitations is 6 years for a civil action to be taken for breach of contract).
Non-Personal Data records
IEDR retains non-Personal Data records associated with deleted domain records indefinitely.
Personal Data in failed new registration, modification or transfer requests
If a request to register, modify or transfer a .ie domain name registration fails to complete, the Personal Data contained within that request is deleted within 7 days after the request fails.
4. Document Retention
Documentation containing Personal Data for .ie Registrants and Domain Contacts
In accordance with the principles of data minimisation and purpose limitation, IEDR retains documentation containing the Personal Data of .ie Registrants and Domain Contacts for a maximum period of 30 days from the date on which the related request completes1. This documentation is typically provided to the IEDR in support of domain registration, modification and transfer requests, in accordance with the Rules of the namespace.
Documentation containing Non-Personal Data records
Documentation containing non-Personal Data records may be retained indefinitely.
Documentation containing Personal Data in failed registration, modification or transfer requests
If a request fails to complete, the documentation containing Personal Data is deleted within 7 days after the request fails.
1 For the avoidance of doubt, a completed request is one that has passed IEDR’s internal administrative, technical and financial checks, thereby creating a contract between the IEDR and the Registrant.
5. Rationales for Data and Document Retention
Data Retention Rationale
- The IEDR is responsible for managing the .ie namespace, which it does under a “Managed Registry” model. This means that anyone applying to register a .ie domain name must show compliance with the Rules of the .ie namespace. These Rules include the requirement for a future registrant to provide evidence of their real connection to the island of Ireland.
- When registering a .ie domain name, a contract is established between the Registrant, and IEDR, the Registry. Every accredited Registrar has a contractual relationship with the Registry.
- This contract forms the legal basis for IEDR’s processing of Personal Data related to the .ie domain request for the lifetime of the domain registration.
- When the contract lapses, i.e. when the domain registration deletes, IEDR retains Personal Data for a further 2 year period for defence of its legal rights in any future legal action for Breach of Contract.
Note: Under the Statute of Limitations for civil action to be taken for breach of contract, Personal Data relevant to the contract may potentially be retained for a period of up-to 6 years after domain deletion.
On review, IEDR acknowledges that any legal action would likely arise in the first year after domain deletion, with a further year required for such action to be resolved by the Courts. This is the rationale for the retention outlined above.
Document Retention Rationale
- The IEDR is responsible for managing the .ie namespace, which it does under a “Managed Registry” model.
- When registering a .ie domain name, a contract is established.
- This contract forms the legal basis for IEDR’s processing of Personal Data related to .ie domain names during the lifetime of that registration. [Provision of evidence demonstrating the Registrant’s compliance with the Registration and Naming Policy is one of the requirements to be met in order for the contract to be established].
- When the contract has been established, i.e. when the domain registration
completes, IEDR retains supporting documentation containing Personal Data for a maximum period of 30 days thereafter. This is done to allow for internal quality control checks to be undertaken. Similarly, when a .ie domain modification or transfer request is received, related documentation containing Personal Data is retained for a maximum period of 30 days to allow for these internal quality control checks.
- IEDR may rely on the related Personal Data for the defence of its legal rights in any future legal action for Breach of Contract.
IEDR is responsible for ensuring that records containing the Personal Data of .ie Registrants and Domain Contacts are stored in a safe, secure and accessible manner. This data is stored in the Republic of Ireland, is protected to industry standards and is fully encrypted.
IEDR is responsible for the continuing process of identifying the Personal Data records that have met their required retention period, and destroying this Personal Data, in accordance with the practices outlined in this Policy and the Rules of the namespace.
The physical destruction of Personal Data contained will be conducted by shredding.
The destruction of Personal Data contained within electronic records is coordinated by the IEDR’s Senior Management Team and IEDR’s Technical Services Department.
Where a legal complaint arises, the destruction of records will be ceased immediately upon notification of this action. Destruction of the related records will be arranged once the IEDR receives satisfactory notification that the proceedings have been withdrawn or concluded.