Privacy: Registrars are controllers
Norid has reviewed and analysed the new GDPR rules. During this process we have worked closely with IIS, the .se registry, and DK Hostmaster, the .dk registry. Our conclusion is that Norid regards the registrars as individual controllers.
In the autumn of 2017 Norid held a special privacy seminar for our registrars. At this seminar the discussion about whether the registrar can be regarded as a processor for Norid, and not as an individual controller came up. Under the current privacy law, Norid and the registrars have acted as individual controllers for our respective processing of personal data, and thus there is no data processing agreement between Norid and the individual registrar.
The definitions of controller and processor are set in the GDPR article 4 (7) and 4 (8). The controller is the one who decides the purpose of the data processing and the means by which the processing is done.
An important starting point is therefore whether the processing primarily has data processing as its purpose, or whether the data processing comes in addition to and is dependent on other services, concessions or purposes of the processing.
Both the registrar and Norid enter into separate agreements with the registrant. It follows from the domain regulation (Norwegian administrative regulation on domain names under Norwegian country code top-level domains) § 5 that Norid is required to leave some parts of the domain registration process to registrars. Even though there is a certain level of decision from Norid about which data must be collected, transferred and processed by the registrar, the main purpose of the registrar’s processing is not to process the data on Norid’s behalf, but rather that the registrar in their own right can sell subscriptions to .no domain names; separately or combined with the registrar’s other services.
The registrar agreement contains conditions and requirements that touches on processing of personal data. However, Norid does not have any instruction authority through the domain regulation or through the registrar agreement to decide any details about a registrar’s internal processing of personal data that is collected and processed by the registrar after the data has been transferred by being registered in Norid’s registry system. Norid only decides that the registrar has to collect and submit / process certain information / data, while the registrar decides how and by what means they process data relating to their customers.