When a country code top-level domain (ccTLD) is registered or transferred in, the Registrar sends out an email to the domain owner to validate the domain and ask them to consent to their data privacy regulations (as stipulated in the GDPR).
Notify your customers
If you register or transfer-in domains on behalf of your customers, make sure to tell them that they should expect to receive an email that requires their attention and action. If they don't react to this email, their domain name may not be successfully registered.
Synchronous and asynchronous domains
The various ccTLDs follow different types of registration processes depending on the local regulations imposed by Registries. There are three types of processes: synchronous, asynchronous, and standard. Unfortunately, there is no complete and updated list of ccTLDs sorted by type available online. However, the vast majority of ccTLDs fall within the synchronous category. You can always contact the local Registry and ask them to clarify whether their registration process is synchronous or asynchronous.
Type 1: Synchronous domain registration process
In the synchronous domain registration process, the consent of the SMB is encouraged, but not required. The SMB will therefore receive a consent email from the Registrar, which the SMB is encouraged to act on. However, this type of domain register process doesn't require the consent of the SMB to activate the subscription in RAI. This is due to the fact that not all domain Registries require domain owner consent.
Even if the SMB forgets to give consent or denies consent, the registration of the domain will still be successful. The paid subscription will therefore begin as soon as you have registered the domain. To check the current consent status of a registered domain, please submit a ticket to the Mono Service team.
Type 2: Asynchronous domain registration process
In the asynchronous domain registration process, the consent of the SMB is required. Upon domain registration in RAI, the SMB will receive a consent email from the Registrar, which the SMB is required to act on in order to successfully register a domain. This is due to the fact that certain domain registries require domain owner consent.
The SMB must provide consent before the domain registration can be completed successfully. The SMB has 10 days to confirm the domain registration. The paid subscription will only begin once the domain owner has provided their consent. Without the SMB's consent, the domain will not be registered and activated. To check the current consent status of a registered domain, please submit a ticket to the Mono Service team.
Type 3: Standard domain registration process
In the standard domain registration process, domain owner consent is not required to register a domain. This enables the domain registration and website subscription to start as soon as the required domain registration information has been provided in RAI. In the standard process, no domain registration information is sent to the domain owner (SMB) and it is up to you, as a digital service provider, to inform the SMB that the domain registration has been successful.
What about gTLDs (.com, .net, etc.)?
Registration of gTLDs fall within a different process than that described above for ccTLDs. Registrants of a gTLD must instead go through an ICANN validation process in order to complete their domain order.
Why is there an email going out to SMB´s directly from OpenSRS?
In May of 2018, OpenSRS introduced an “end-user consent management process” to comply with GDPR requirements. They did this because as a data controller, OpenSRS is required to obtain explicit and informed consent from registrants to process their data when they register a domain.
What is the content of the email?
The email contains information to the SMB (registrant of the domain) about how their data is processed by OpenSRS and a link to a page hosted by OpenSRS (also called Tucows) where the SMB has a consent option.
See the page here:
On the page, the registrant is informed, that OpenSRS is required by the registry to share some of their personal data with the registry. OpenSRS is a data controller and have obligations to disclose certain information to the data subject, like who they are, why they process their data, where their data is stored, etc. Furthermore, the email provides an option to share additional data.
The SMB can choose language on the page (e.g. German, Spanish, French, English etc).
Who receives the email?
All SMBs who are registering a domain for the first time through Mono's API, where our systems are configured to register the domain at OpenSRS.
When is the email triggered?
The email is triggered shortly after you register a domain at OpenSRS through Mono API/RAI.
Is the email sent only once?
Yes, In August 2020, OpenSRS reduced the number of emails received by the registrant (SMB). Today, OpenSRS ONLY send a GDPR email the first time a person (fingerprint) register or does an incoming transfer of a domain. Any time after the first registration, e.g. when a SMB buys another domain or changes their existing domain, OpenSRS will NOT send the GDPR email again. This is OK because the SMB already have the consent-link to OpenSRS´ consent page. This link won’t expire for several months.
What is the Fingerprint?
The fingerprint that identifies a data subject and consist of the personal data required by OpenSRS to deliver a domain - and which they need consent for:
Organization name (if one was provided)
Is the data safe with openSRS (Tucows)?
OpenSRS processes data in a safe and secure manner that complies with applicable data privacy laws, as indicated in their service contract with you. Non-personal data, including the domain owner’s State/Province and Country will be included in the public registration data directory, unless the domain has a Whois privacy protection service enabled. OpenSRS states publicly that they never sell personal data, and only shares data in the ways explained below.
What happens if the SMB don't react or take action?
Nothing. There is no action if the registrant does not react. Once OpenSRS send the original email, they record potential consent but other than that, the case is closed. No reminders are sent.
Does InternetX also send this type of consent email to SMBs?
Not currently, but this may change.
Can we modify/customize the email going out to SMBs and the consent page?
There a no options to customise the email. However, OpenSRS recently (December 2020) implemented some options to customise the consent page itself (however only a generic global design can be achieved).