The Regulation defines “data controller” as the party who determines the purposes and means of the processing of personal data. The definitions of data controller and data processor are found in GDPR art 4 (7) og 4 (8).
Norid conducted a very thorough process prior to the introduction of the GDPR in 2018. We reviewed and analyzed policies and worked closely with our sister organizations IIS, who are responsible for .se, and DK Hostmaster, who are responsible for .dk.
We also involved our providers in this process. Among other things, we organized a data protection seminar in late 2017. One topic we discussed was whether providers would be considered a data processor on behalf of Norid and not an independent data controller. Under the current Personal Data Act, Norid and providers have acted as independent data controllers for their respective processing of personal data, and there is currently no data processing agreement between Norid and the provider.
A central premise is therefore whether the processing can be said to have data processing as its primary purpose, or whether the data processing is auxiliary, i.e. comes in addition to other services, provisions or purposes.
Both the provider and Norid enter into separate agreements with the subscriber. It follows from Section 5 of the Domain Regulations that Norid must leave some of the registration process to providers. While Norid may have some influence over which types of data providers collect, transfer and process, the primary purpose of the provider’s processing is not to perform data processing on behalf of Norid, but rather to facilitate for the provider’s marketing of subscriptions on Norwegian domain names, either on its own or as part of a package with the provider’s other services.
The provider agreement includes terms and conditions that concern the processing of personal data, but Norid has neither regulatory nor contractual authority to determine the details of a provider’s internal processing of personal data collected and processed by the provider after this data has been registered in Norid’s registration system. Norid can only require that providers collect and enter (process) certain types of data, whereas providers determine how and through what means they process information about their customers.