The Regulation defines “data controller” as the party who determines the purposes and means of the processing of personal data. The definitions of data controller and data processor are found in GDPR art 4 (7) og 4 (8).
Norid conducted a very thorough process prior to the introduction of the GDPR in 2018. We reviewed and analyzed policies and worked closely with our sister organizations IIS, who are responsible for .se, and DK Hostmaster, who are responsible for .dk.
We also involved our registrars in this process. Among other things, we organized a data protection seminar in late 2017. One topic we discussed was whether registrars would be considered a data processor on behalf of Norid and not an independent data controller. Under the current Personal Data Act, Norid and registrars have acted as independent data controllers for their respective processing of personal data, and there is currently no data processing agreement between Norid and the registrar.
A central premise is therefore whether the processing can be said to have data processing as its primary purpose, or whether the data processing is auxiliary, i.e. comes in addition to other services, provisions or purposes.
Both the registrar and Norid enter into separate agreements with the holder. It follows from Section 5 of the Domain Regulations that Norid must leave some of the registration process to registrars. While Norid may have some influence over which types of data registrars collect, transfer and process, the primary purpose of the registrar’s processing is not to perform data processing on behalf of Norid, but rather to facilitate for the registrar’s marketing of subscriptions on Norwegian domain names, either on its own or as part of a package with the registrar’s other services.
The registrar agreement includes terms and conditions that concern the processing of personal data, but Norid has neither regulatory nor contractual authority to determine the details of a registrar’s internal processing of personal data collected and processed by the registrar after this data has been registered in Norid’s registration system. Norid can only require that registrars collect and enter (process) certain types of data, whereas registrars determine how and through what means they process information about their customers.