Processing of personal data by the .pl domain Registry
Respecting the right to privacy is of paramount importance for the .pl domain Registry and helps us maintain the trust in both the services provided by the .pl domain Registry and by Naukowa i Akademicka Sieć Komputerowa - Państwowy Instytut Badawczy in Warsaw (NASK).
To protect your personal data in the best possible way, the .pl domain Registry follows the following rules:
- The .pl domain Registry processes personal data solely to achieve legitimate objectives, for which the data are collected, or in such manner as is defined in compulsorily applicable laws.
- The .pl domain Registry processes only such categories of personal data as are required to achieve the objectives of the processing.
- The .pl domain Registry does not process any personal data in a manner that would be inconsistent with the objective of the processing of such data.
- The .pl domain Registry processes personal data with high security standards to protect personal data against loss or improper use.
- The .pl domain Registry processes personal data for a period not longer than is necessary for the purposes, for which such data are processed.
- You - a natural person whose Personal Data we process or may process in connection with the Registry's activities;
- Registry, We - the Registry of .pl domain, kept by Naukowa i Akademicka Sieć Komputerowa - Państwowy Instytut Badawczy in Warsaw (NASK), who provides services related to .pl domain names and processes Personal Data in connection with its operations;
- Client - a natural person whose Personal Data are processed in connection with the services provided by the Registry under a contract; The Client employs the services of a Registrar, who co-operates with the Registry;
- Registrar - one of the Registry's Partners, whose services the Client has employed; the current list of Registrars is available at: www.dns.pl;
- Regulations - regulations of our services: (i) .pl Domain Names Regulations and (ii) .pl Regulations of option for registration of a domain name, available at www.dns.pl; they describe the Client's and the Registry's rights and obligations as well as services provided by the Registry, which are connected with the way the Internet network functions and all resulting conditions;
- Personal Data - information on identified or identifiable natural person, processed in connection with the Registry's activities;
- Identification Data - information, by which you can be directly identified, such as: name and surname, telephone and address data;
- RODO/GDPR - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016. on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- 2. Who is the controller of your personal data and how you can contact us?
The controller of your Personal Data processed by the Registry is Naukowa i Akademicka Sieć Komputerowa - Państwowy Instytut Badawczy (NASK) with its registered office in Warsaw, Kolska 12 str., which maintains the Registry of .pl domain name.
Should you have any questions regarding the processing of your Data and your rights, you can contact the Registry, by writing to Customer Service DNS via e-mail email@example.com.
If you wish to exercise your rights (described in more detail below), you can turn to us in writing or via of our Data Protection Officer: firstname.lastname@example.org.
the Registrar as an independent controller
Your Registrar is a personal data controller independent from the Registry. You may contact the Registrar using the information available at this site.
The performance of Registry services requires co-operation with your Registrar. As the Registry, we provide fundamental technical service, while day-to-day operations in the area of administration service are performed by the Registrar. Information concerning our Clients, which we process for the purposes of provision of our services, are entered into the main .pl domain registry by your Registrar without our interference.
In the framework of co-operation, data are exchanged between us and your Registrar, but we do not have all the Data, which could be important to you and which are processed by your Registrar.
- 3. For what purpose do we process the personal data and on what legal basis?
The Registry processes the Personal Data primarily under an agreement with the Client, for the safe and reliable provision of the services described in the Regulations.
The Clients' data are processed to execute and perform the agreement.
The .pl domain name maintenance service, provided by the Registry, consists in particular in your demand that we make the Data, which you provided, available in the Internet network, so in performance of this service the Data become public. The specific nature of this service is related to the principles of Internet functioning and requires for example publication of the Data in the WHOIS database, which is available to all Internet users at the address: www.dns.pl. The Whois database is the primary source of information about domain names in the Internet.
It is very important that we will not publish the Client's Identification Data in the Whois database, if the Client marked their status in the Registry as a "natural person". This is always done by you, in co-operation with your Registrar. If you do not want your Identification Data to be published in the Whois database, you should select the "natural person" status.
We do not publish your Personal Data, which are related to the provision of the service in accordance with the Regulations of option for registration of a domain name.
In connection with the entering into and performance of the agreement, we send you automatically e-mail messages concerning the most important facts related thereto, e.g. entering into the agreement, change of Personal Data, change of Registrar, change of subscriber.
Legal basis: Your Personal Data connected with the performance of rights and obligations under your agreement with the Registry and the execution of that agreement are processed under Article 6(1)(b) RODO/GDPR - as necessary to enter into or perform the agreement to which you are a party.
In connection with the services provided by the Registry, we send various types of correspondence.
If we receive a complaint, also when it is related to our services, we can process your Personal Data to examine the complaint and provide you with a reply; this includes the necessary correspondence with your Registrar to clarify your complaint. We can also write to you for instance regarding changes made in the Regulations, reported infringements or received court judgements.
If you are not a Client, but you submit to us a complaint, request, notification of dispute or other communication, we process your Personal Data, your attorney's Personal Data (if you are represented by attorney in communications with the Registry) or Client's Personal Data necessary to examine your complaint, request, notification of dispute or other communication, to the extent resulting for your message and our reply thereto.
Legal basis: The data related to such correspondence are processed under Article 6(1)(f) RODO/GDPR, because this is necessary for the purposes of the legitimate interests pursued by us or by the parties, who turned to us. Our interest consists in determining or improving the quality of our services (your complaints), notifying you about important matters related to the agreement (e.g. when the Regulations change, an infringement was reported), or to amicably clarify various issues so that the correspondence does not result in dissatisfaction, lack of sufficient information, or in a claim arising or being pursued (complaints, demands, notifications).
As regards the examination of Clients' complaints related to the provision of Registry services, the basis for the processing consist in Article 6(1)(b) RODO/GDPR, because they concern the agreement to which you are a party.
If the correspondence pertains to domain dispute, the Registry considers also the interest of the person who uses available legal measures to end the existing dispute.
In justified specific cases, the Identification Data can be disclosed to interested parties, e.g. an entity who claims that you infringed their rights and wants to use available legal measures to clarify the dispute. If such entity presents to the Registry the appropriate information regarding the pursue of their claim, the Registry can disclose the Client's Identification Data, which was not published in the Whois database, to make it possible for that entity to instigate the litigation before the competent authority.
Legal basis: Such disclosure of Identification Data takes place on the basis of Article 6(1)(f) RODO/GDPR, because this is necessary for the purposes of the legitimate interests pursued by third parties, but each time we examine whether your interest or your fundamental rights and freedoms, which require the protection of your Personal Data, are not overriding the interest presented by the parties who request the disclosure of your data.
We can also process your Personal Data to carry out our legal obligations e.g. in reply to a demand from a court or competent authority.
Legal basis: The processing takes place within the limits set by mandatory laws and the scope of received demand and is performed under Article 6(1)(c) RODO/GDPR - it is necessary for our compliance with a legal obligation.
We can process your data in connection with the determination, pursue or defence of claims.
Legal basis: The data are processed under Article 6(1)(f) RODO/GDPR, because this is necessary for the purposes of the legitimate interests pursued by us, which consist in determination or assertion of our rights, as well as defence against claims.
Personal Data are also processed for the purposes of day-to-day monitoring, testing, analysis or improvement of our services and systems or implementation of appropriate measures related to their continuous operation or security, as well as to protect the Personal Data against loss, modification, damage or other effects of undesired actions and situations. The reality of fast-developing Internet network, including the continuous appearance and development of threats, require that we continue to improve the security measures for the Registry services, systems and Personal Data.
Legal basis: The Personal Data are processed under Article 6(1)(f) RODO/GDPR, because this is necessary for the purposes of the legitimate interests pursued by us, which consist in provision of stability and security of the Registry of .pl domain and in optimization of solutions and procedures related to the protection of your Personal Data.
Once our services are terminated, or the matter, complaint, request etc. is cleared, we do not use the Personal Data actively. We keep such data in our archives, for the purposes related to the determination, pursue or defence of claims.
Legal basis: The data are processed under Article 6(1)(f) RODO/GDPR, because this is necessary for the purposes of the legitimate interests pursued by us, which consist in determination or assertion of our rights as well as defence against claims.
Some Data, including the Data stored in our archives, are also used for the purposes of scientific and/or historical research as well for statistical purposes, as per Article 89(1) RODO/GDPR. This is done with application of technical and organisational measures that ensure respect for the principle of Personal Data minimisation, including pseudonymisation.
Legal basis: The data are processed under Article 6(1)(f) RODO/GDPR, because this is necessary for the purposes of the legitimate interests pursued by us, which consist in the conduct of scientific or historical research as well as compilation of statistics related to the Registry's operation, while observing the appropriate technical and organisational measures as referred to in Article 89(1) RODO/GDPR.
Our processing of your Personal Data, as described above, under Article 6(1)(f) RODO/GDPR takes place after considering our interest or third party's interest and your interest, rights and freedoms, in typical situations. We decided that the processing of Personal Data will not interfere excessively with your privacy and will not be excessively onerous to you. In the course of the analysis, we also considered that we process your data while respecting the principle of data minimisation, and the Personal Data are appropriately protected against excessive use, in particular since your Identification Data are not published in the Whois database when you selected your status in the Registry as a "natural person".
The Registrars' data are processed to perform the agreements between us and the Registrars and for the purposes of related settlements or tax obligations. The Registrar's data are available on the website www.dns.pl and in the WHOIS database. We process personal data of the staff dedicated by the Registrars to co-operate with us, for the purposes of regular contact with the Registrar and performance of agreements between us.
Legal basis: Data are processed under Article 6(1)(b) RODO/GDPR - as necessary to execute or perform the agreement to which the Registrar is a party.
The Registrars' and prospective Registrars' data are processed for the needs of communication related to research into the quality of our cooperation with Registrars and its improvement, joint meetings and conferences, as well as the conclusion of agreements between us and Registrars and prospective Registrars.
Legal basis: The data are processed under Article 6(1)(f) RODO/GDPR, because this is necessary for the purposes of the legitimate interests pursued by us, which consist in developing and improving of NASK Registrar Programme.
- 4. What data do we process?
In connection with the entering into and performance of agreements with our Clients, we perform the Personal Data necessary to identify the Client as a party to the agreement: name and surname, address, e-mail address (this data are obligatory and without them the agreement cannot be executed) and, optionally, phone number and fax number. This Identification Data are not published in the WHOIS database, if the Client marks their status in the Registry as a "natural person".
We also process other Data related to the Registry services and the technical manner in which they are provided, such as for example the character string which creates the name in the .pl domain, name servers designations, IP addresses of the devices which use the services, internal identifiers and similar information related to the service, time of execution of certain entries or change thereof, data pertaining to the Registrar, notification of a domain dispute, information about the termination of services or the end of billing period.
If you write to us e.g. regarding a complaint, we will also process any other Personal Data which may appear in this correspondence, such us information regarding the use of our services, to which the complaint pertains, the data contained in documents enclosed with the complaint, the content of requests or demands and their rationale, the content of reply, the information about court proceedings pending, with identification of the parties to litigation, the court judgements.
The data, which we process in connection with determination, pursue or defence of claims, may include additionally such information as the rationale for the claim and the amount of the claim, the extent of damage, the conduct of enforcement proceedings, the data of participants of the proceedings, attorneys for the proceedings etc.
As part of day-to-day technical servicing of our services, in order to monitor, test, analyse or improve our services and systems or implement appropriate measures related to their continuous operation or security, we strive for performing the respective activities without people identification or, at the very least, with the use of pseudonymisation. Data concerning devices, which connect to our systems without our initiative (e.g. in an automated manner) can be subject to processing as anonymous data or data not used to identify people.
The data stored in our archives do not exceed the scope of Data processed in connection with the performance of our services or the correspondence, including that related to complaints, requests, demands or disputes.
We also process the Registrar's Data for the purposes related to the performance of agreements between us and the Registrars, so the Registrar's Data are e.g. made available in the WHOIS database with reference to the .pl domain name he services.
- 5. How do we obtain your data and what is the source?
Usually, we do not seek to obtain Personal Data. Normally we receive the Personal Data at your initiative. In particular, we do not seek to obtain your Data for the purposes of the entering into an agreement. If you are a Client, you initiate the entering of the data into the Registry, by giving such demand to your Registrar who subsequently provides us with your Data by recording them in the main .pl domain registry.
Your Registrar is an independent Personal Data Controller and co-operates with us so that you can use the Registry services. In line with your agreement with the Registry, the updating or supplementing of your Personal Data in the main.pl domain registry is carried out by your Registrar. Should you request us directly to do this, we will pass on your demand or request to your Registrar.
If you are not a Client, we most often obtain your Personal Data from the correspondence you send us. The data, which we process, may also come from people who are not our Clients or may pertain to matters not related directly to Registry services.
The contact with us is often initiated anonymously or by entities, whose identities we do not determine or are unable to determine, so also devices or unidentified persons who initiate such contact may be a source of the Data.
We also obtain Client's Personal Data from courts, authorised authorities or interested parties, e.g. within the scope of judgements, demands, orders or notifications presented to us.
The source of processed Personal Data concerning the Registrar, including the Data published in the WHOIS database, is the Registrar, in accordance with the agreement between them and the Registry.
- 6. Who do we share your personal data with?
The .pl domain name maintenance service consists in particular in the Client's demand that the Registry makes public the provided information concerning the domain name, by making it available to all Internet network users. This applies also to the Data published in the WHOIS database. Thus the information made available this way can reach recipients in any country, also outside the European Economic Area (EEA), where the level of information protection may be lower than in the EEA. The provision of information this way is necessary to perform the agreement between you and the Registry, because it is not possible to carry out this service in any other way, considering the rules of operation of the Internet network. This, however, does not apply to your Identification Data, which is not published in the Whois database, if the Client marked their status in the Registry as a "natural person". The rule for such Client's Personal Data is that the Registry and the Registrar process the data without making them public.
Sharing of your Personal Data between us and the Registrar is necessary to perform the agreement between you and us, as well as to carry out activities to execute the same, regardless of the country, where the Registrar of your choice has its registered office or operates a business. This applies also to your Data, if you turn directly to us (e.g. in connection with a complaint). Such data will be transferred to the Registrar, unless you turn to us in a matter, which is not related to the Registrar's operations.
We provide Personal Data when requested by third parties and this is necessary for the purposes of the legitimate interests pursued by such parties, e.g. to take actions aimed at the protection of their legally protected interest, by means of court proceedings. We also provide Personal Data to courts and authorised authorities, if they make such a request under applicable laws.
We transfer the Data to our providers who process them on our behalf, when providing us with services of technical nature, handling our ICT network or our ICT systems, or making ICT tools available to us, providing us with audit services or legal assistance, as well as other personal data controllers, e.g. entities which conduct post or messenger business.
- 7. How long do we keep your personal data?
We process the Identification Data, entered into the Registry by the Registrar, for the purposes of performing the necessary activities before entering into the agreement. If the agreement is not concluded or no actions are taken with the aim to conclude it within 30 days of the data entry, the Identification Data will be removed from the main .pl domain Registry (unless such data are simultaneously related to another agreement, which has already been signed). Client-related Data, connected with the performance of the Registry services, are kept for the term of the agreement concerning such services.
Once the Registry services are terminated, the Personal Data connected with those services are stored in our archives for the period required by law, in which such data can be used to determine, pursue or defend against claims. The Personal Data used for statistical purposes or to conduct scientific or historical research are kept for the period necessary to achieve those purposes, with application of technical and organisational measures are in place, to ensure respect for the principle of Personal Data minimisation, including pseudonymisation.
The Personal Data connected with correspondence, which does not come from our Client or does not concern the Registry services, is processed for the time necessary to clarify the matter, to which the correspondence pertains. To the extent such correspondence pertains to complaints, demands or reported grudges, it is stored in our archives for the period required by law, in which it can be used to determine, pursue or defend against claims. We do the same with respect to Data stored for the purposes of matters, in which we seek claims or defend against claims, as well as matters where we process the Data at the demand of the court or authorised state authority.
The Data stored in connection with day-to-day monitoring, testing, analysis or improvement of our services and systems, or implementation of appropriate measures related to their continuous operation or security, as well as protection of Data against loss or effects of undesired activities and situation, are kept for such time as is necessary to complete the purpose for the Data are used. Depending on circumstances (e.g. periodic increase in threats) this time may vary, but we make efforts to ensure that such time is no longer than several months. We apply the same rules to the storing of Data where the source are persons or devices, which are unidentified for us or anonymous from our point of view.
The Data related to the Registrar is kept for the period stemming from the agreement between us and the Registrar and is required by law (e.g. tax regulations or laws concerning the determination, pursue or defence of claims), but the Registrar's Data are disclosed in the WHOIS database, with respect to the Client, for such time as the Registrar continues to be the Client's Registrar.
- 8. What are your rights in connection with the processing of your personal data?
We ensure that your rights under the RODO/GDPR can be exercised. When you can use them and to what extent, is specified by law and depends e.g. on the purpose, for which we process your Data, or the related legal basis.
We pay special attention to the security of Personal Data, thus we may ask you for additional information necessary to confirm your identity. Please try to keep the information we sent you, where such information may be helpful in identifying you, e.g. Client designation or identifiers, letter reference numbers etc. Please understand our prudent approach in this matter, because thorough verification serves the protection of Personal Data against unauthorised disclosure.
You have the right to demand that your Registrar update your data, and this is the fastest and simplest way to verify or change your Data safely. Due to the rules of our co-operation, the exercise of your rights under the RODO/GDPR will usually require us to contact your Registrar - this may result in extending the time to perform the service and, in some cases, affect the correct provision of services or Data compatibility. Please also remember that we do not process various Personal Data which your Registrar processes (e.g. information about current settlements, invoices etc., because you do not pay the fees to us).
We will reply to your demand without delay, but not later than within one month after receiving it. If, however - because of a complex nature of the demand or the number of demands - we are unable to do so within one month, we will reply within the next two months, having notified your first about the intended extension of the time limit. The time limit for a reply to the Client can be extended e.g. when the Client turns to us in a matter, in which actions should be taken by their Registrar or the performance of such actions will require further contact with the Client's Registrar.
If your demands are manifestly unfounded or excessive, in particular because of their repetitive character, we can collect a relevant fee or refuse taking action in connection with the demand.
- Right of access to the data (Article 15 RODO/GDPR)
You have the right to receive from us a confirmation whether we process your Personal Data, and if we do, you have the right to:
receive information about the purposes of the processing, the categories of your Personal Data we process, the recipients or recipient categories, the time for which we plan to keep your Personal Data stored or the criteria for determination of such time, the rights you have under the RODO/GDPR, and the right to lodge a complaint with a supervisory authority, the source of such data, the automated decision-making process, including the profiling, and the security measures applied in connection with transfer of such data outside the European Economic Area;
obtain a copy of your Personal Data; for each next copy, we can collect a fee resulting from our administrative costs; the RODO/GDPR does not allow us to transfer any information which could have adverse impact on other people's rights and freedoms, and this may affect the scope of information contained in the copy of the Data.
- Right to rectification of the data (Article 16 RODO/GDPR)
You have the right to rectify your Personal Data when it is incorrect and to have incomplete Personal Data supplemented, taking into consideration the purpose of the processing.
If you are a Client, your Data are updated and supplemented by your Registrar, and this is the fastest and simplest way to verify or change your Data safely. If you submit the request to us, this will require us - for security reasons - to contact your Registrar - this may result in extending the time to perform the service and, in some cases, affect the correct provision of services or settlements with your Registrar. Please remember that we process only some from among the Personal Data processed by your Registrar.
- Right to erasure of the data (Article 17 RODO/GDPR)
You have the right to demand that your Personal Data be erased, if:
they ceased to be necessary for the purposes, for which they were collected or were otherwise processed; the exercise of this right with respect to the Data related to the executed agreement will require a prior termination thereof - this will result in our inability to continue the provision of the service (loss of domain name, e-mail addresses created in such domain etc.);
they have been processed unlawfully; the existence of such situation may require an appropriate determination or confirmation;
you filed the objection against the processing of your data, which was found justified in accordance with the RODO/GDPR or the Personal Data must be erased for compliance with our legal obligation.
Despite the demand to erase the personal data, we can retain certain Personal Data under the RODO/GDPR, e.g. within the scope needed to determine, pursue or defend claims.
The data published in the WHOIS database are made available (made public) to all users of the Internet network. Please remember, however, that the Identification Data are not published in the WHOIS database, if you marked your status in the Registry as a "natural person".
- Right to restriction of the data processing (Article 18 RODO/GDPR)
You have the right to demand that the processing of your Personal Data be restricted, in a situation when:
you contest the accuracy of your Personal Data - for a period we may need to verify their accuracy;
the processing of your Personal Data is unlawful, and you decide not to demand the erasure of the data and request the restriction of their use instead;
we no longer need your Personal Data for the purposes, for which we processed them, but you need that data to determine, pursue or defend a claim;
you lodged an objection against the use of your data - for such time as we need to verify whether the objection is justified in accordance with the RODO/GDPR.
The restriction may not occur, however, for reasons specified in the RODO/GDPR, e.g. when the Data are processed to determine, pursue or defend a claim or the protect other party's rights. This may apply, in particular, in a situation when the restriction would lead to the termination of Registry services or would prevent communication with such party.
- Right to data portability (Article 20 RODO/GDPR)
If you are our Client, please remember that in accordance with the Regulations, your Data are entered into the main .pl domain registry by your Registrar. You provide those Data to your Registrar and you have the right to demand that your Registrar carry out your right to data portability with respect to all your Personal Data, which were entered into the Registry by the Registrar.
You have the right to receive your Personal Data, which were delivered to us by you. We will send such data in a structured, commonly used and and machine-readable format. The RODO/GDPR does not allow to transfer any information which could have adverse impact on other people's rights and freedoms, and this may affect the scope of Data provided to you.
You have also the right to demand that we send the personal data directly to such controller, but the capacity for such transfer may require further determinations or arrangements.
The Registry does not process many of the information processed by your Registrar, and the right described above does not authorise us to transfer your Data between Registrars.
- Right to object against data use (Article 21 RODO/GDPR)
You have the right to object, at any time, on grounds relating to your particular situation, against the processing of your Personal Data, which is necessary for the purposes of the legitimate interests pursued by us or by a third party (see more in item 5 above), e.g. when we examine a complaint or request of a third party. The right to object does not apply to the processing of any Personal Data, with respect to which there are grounds for determination, pursue or defence of claims.
The objection is examined by way of analysis of your particular situation as you described it and the related interest, rights and freedoms, which you want to protect, vs. our legitimate grounds for the processing of the Data, to which the objection pertains. For instance, we indicate that priority may be given to our interest, which consists in ensuring the stability and security of the Registry. The case will be similar when the objection would prevent or considerably hinder the exercise of rights guaranteed by law, e.g. through concealment of the Client's identity from a person who defends their rights. This, naturally, depends on the circumstances of each case.
At present, we do not process any Personal Data for direct marketing purposes.
- Automated individual decision-making, including profiling (Article 22 RODO/GDPR)
During the procedure for entering into the agreement or certain changes related thereto, we automatically verify the fulfilment of general technical conditions regarding the domain name or relevant systems, referred to on our website (e.g. if the domain name does not contain too many characters, whether it has not been registered earlier for someone else, etc.), but we also verify if the Registrars pay the fees due in accordance with the list presented on the website www.dns.pl. Those actions are necessary to execute or perform the agreement between us and the Client. In any case, you can contact us or your Registrar to have a competent person clarify your doubts related thereto, or to express your position.
- Right of access to the data (Article 15 RODO/GDPR)
- 9. Right to lodge a complaint with a supervisory authority.
If you believe that your rights related to the protection of your Personal Data were violated, you have the right to lodge a complaint with a supervisory authority, that is the President of the Office for Personal Data Protection (address: Prezes Urzędu Ochrony Danych Osobowych, Stawki 2 str., 00-193 Warsaw).
- 10. How do we care about the security of your personal data?
We make every effort to ensure appropriate processing of your Personal Data, in particular we pay attention to the security of your Data. To ensure that Personal Data are processed in compliance with the RODO/GDPR, we implement and maintain appropriate technical and organisational measures, including relevant regulations and policies related to the protection of Personal Data. We design and optimise those measures to effectively follow the rules for Personal Data protection, such as minimalization of Personal Data, and to provide the processing with necessary safeguards so as to meet legal requirements and protect your rights.
We implement those measures so that, by default, only Personal Data which are necessary for each specific purpose of the processing are processed. This applies to the amount of Personal Data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default Personal Data are not made accessible to an indefinite number of natural persons, except as necessary for the operation of the Registry services.
Our measures are continuously monitored, and reviewed and updated where necessary.