Privacy Policy - Domain Name Registration

NOMINALIA INTERNET S.L.U., with registered office at Carrer d’Ulldecona 21, Barcelona, Spain, (hereinafter, the “Data Controller” or “NOMINALIA”) undertakes to protect the privacy of its users at all times. This document contains information about our privacy policies in order for clients to understand how their Personal Data is handled in relation to domain name registration and management activities.

In accordance with the provisions of Regulation (EU) 2016/679 (the “GDPR”) and Organic Law 3/2018, the processing carried out by the Register is based on the principles of lawfulness, fairness, transparency, purpose and storage limitation, data minimisation, accuracy, integrity and confidentiality.


NOMINALIA’s corporate structure includes a Data Protection Officer (DPO). The DPO is available to provide any information regarding the processing of personal data by NOMINALIA. You can contact the DPO by writing to dpo@nominalia.com.

1. Roles and responsibilities in the processing of domain name registration data
The domain name (often referred to simply as a “domain”) is a name associated with an IP address on the internet.

A domain is made up of several parts, one of which is the extension, also called the top-level domain (“TLD”), which is the part of the domain that appears after the dot.

There are two categories of TLDs:


  • Generic TLDs (generic top-level domains or “gTLDs”) such as .com, .org, .info, .biz, etc., which have international reach;

  • National TLDs (country code top-level domain or “ccTLD”), i.e., domains that refer to a country. For example, the ccTLD for Spain is .es.



Three different parties are involved in the process of registering a domain name: Register, Registrar and Registrant.

The term “Register” refers to a national or international body responsible for establishing the rules and procedures for the allocation of domain names, registration management and primary name servers for the various TLDs.
For example, in Spain, the “.es” ccTLD is maintained by RED.es (https://www.red.es/es).
The full list of Registers and related policies can be found at this link: https://www.iana.org/domains/root/db, and on the NOMINALIA website at this link: https://www.nominalia.com/quienes-somos/condiciones-legales/politicas-tdl-y-gtld/

The term “Registrar” refers to an organisation authorised by NOMINALIA to carry out operations on the TLD domains for which it is accredited. The Registrar of a gTLD domain name can be verified by accessing the ICANN service available on this page: https://lookup.icann.org/. To check the Registrar of a ccTLD domain, on the page https://www.iana.org/domains/root/db, you can find the web address of the relevant Register, which provides the whois/RDAP individual Register look-up service.

Lastly, the term “Registrant” or “Holder” refers to the natural or legal person who registers a domain name.

In practice, to register a domain name, the Registrant submits an application to the Registrar who, in turn, forwards the application to the competent Register, which determines whether the registration conditions are met. If the evaluation is satisfactory, the domain name will be registered in the name of the Holder, who will become the assignee and, therefore, can claim rights in accordance with the applicable legislation, for the periods specified in the relevant service contract.

Upon registration of a domain name with a gTLD extension, the Personal Data relating to the beneficiary and Registrant of the domain name in question will normally be published, and thus disseminated, in the public WHOIS/RDAP database, and will be searchable using the data search tool (https://lookup.icann.org/en) made available by ICANN for domain names with a gTLD extension.

Domain names with ccTLD extensions may be published in the WHOIS databases managed by the relevant Registers, in accordance with the policies of each Register.

NOMINALIA normally acts as Data Controller in connection with the processing of data for the registration and management of domain names.

However, the privacy function of NOMINALIA as Registrar is decided on a case-by-case basis by the Register competent for the gTLD or ccTLD for which registration is requested. In the event that NOMINALIA is appointed as Data Processor by the competent Register, on the basis of non-negotiable provisions of the contract between NOMINALIA and that Register, in relation to the processing activities associated with the management of these specific domain extensions, information about the processing and requests to exercise the Data Holder’s rights (see paragraph 8 hereof) shall be addressed to the competent Register for the domain extension to be registered.

In addition, if additional Personal Data of third parties is required to register a domain name (such as, among other things, the contact details of the Administrator - or “Admin-C” - and the Technical Manager - or “Tech-C” - of a given domain name), the Registrar usually acts as Processor with respect to such Personal Data. In this case, you, as a Client of NOMINALIA, act as the sole Data Controller, assuming all legal obligations and responsibilities. In this way, you give the broadest possible indemnity against any objection, claim, request for compensation for damages due to the processing, etc., which may be brought against NOMINALIA by such third parties if their data have been processed in breach of the applicable regulations on the protection of Personal Data. In any event, if you provide the Personal Data of third parties as part of the registration of a domain name, you must ensure from that point onwards - assuming all related liability - that this particular processing activity is based on an adequate legal basis in accordance with Articles 6 or 49 (c) GDPR, which gives legal grounds for the processing of the Data in question.

2. The Personal Data processed
With regard to the processing of personal data carried out as part of the domain name registration service, it should be noted that NOMINALIA will only carry out the processing strictly necessary to provide the service and to manage the billing and accounting of the domain name, unless additional processing is carried out in accordance with an appropriate legal basis pursuant to Article 6 of the GDPR (e.g., consent), which gives legal grounds for the processing of the data in question.
The data collected by NOMINALIA as part of a domain name registration request includes only the data strictly necessary to provide the service that the Data Holder provides at the domain name registration stage, and which is listed in the Service Order available at this address:
https://www.nominalia.com/quienes-somos/condiciones-legales/ccs-registro-dominios/
In some specific cases, NOMINALIA may request a copy of an identity document for particularly sensitive operations, such as requests to delete a domain name or requests for a change of assignee.
Providing such data is in itself optional; however, in the absence of such data, NOMINALIA will not be able to provide the requested service.

3. Purpose of processing

The processing carried out by NOMINALIA is based on the principles of fairness, legality, transparency and protection of the privacy of the data subject.

The information and data you (the Client) provide is used exclusively:

  • for the purposes of registration and management of the domain name, which involves verification of the data provided for registration, billing and accounting management of the domain name, assistance and support in its management, ancillary operations such as requests for deletion, transfer or change of holder, as well as communication of important information about the renewal of the domain (“Provision of the Service”);

  • for security purposes and the prevention of fraudulent conduct (“Prevention of abuse and fraud”);
  • to comply with legal obligations, in particular those arising from the current legislation on domain name registration (“Compliance”);

  • to disclose the data necessary for registration to independent third party data controllers, such as the competent Registers, as the case may be, for the domain extension to be registered (“Disclosure of data to independent third party data controllers”);

  • to protect the industrial property rights of third parties, or to verify reports of abuses allegedly committed by you to the detriment of third parties, e.g., for the protection of industrial property rights (“Protection of the legitimate interests of third parties”).



4. Legal basis for the processing and provision of personal data

The processing for the purpose of providing the service and disclosing data to independent third party controllers is necessary for the performance of the service contract between you and NOMINALIA, in accordance with Article 6(1)(b) GDPR. The provision of such data is in itself optional; however, in the absence of such data, NOMINALIA will not be able to provide the requested service.

Processing for the purposes of preventing abuse and fraud is based on NOMINALIA’s legitimate interest in preventing fraud and fraudulent acts committed to its detriment or to the detriment of its clients or third parties, in accordance with Article 6(1)(f) GDPR and on the basis of Recital 47 GDPR.


Processing for the purposes of protecting the legitimate interests of third parties is based on the legitimate interest of such third parties to protect their rights, such as industrial property rights, or in case of alleged abuse by you to the detriment of such third parties. This processing activity is legitimate in accordance with Article 6(1)(f) GDPR.

Processing for the purposes of compliance is legitimate in accordance with Article 6(1)(c) GDPR. Once Personal Data has been provided, further processing may be necessary in order to comply with certain legal obligations applicable to the Register. This type of processing may not be subject to objection, as it is based on legal obligations.

5. Recipients of personal data

For purposes strictly related to the provision of the service, the Personal Data of the domain name holder (as well as of third parties such as Admin-C and Tech-C, if necessary to register the specific domain name with the competent Register) may be disclosed to third parties acting as independent Data Controllers.

Specifically, this data shall be disclosed to the national and foreign Registers to which NOMINALIA must send the technical and administrative documentation required by sectoral legislation, as well as to any other parties accredited for the registration of domain names with extensions for which the Register is not accredited. The latter generally act as Data Processors on behalf of NOMINALIA.

The exchange of data with independent third party Data Controllers is necessary for the provision of the Service and has its legal basis in Article 6(1)(b) GDPR.

Registers shall process Registrants’ data to keep the domain name register up to date and to ensure compliance with relevant applicable laws and policies. We invite you to consult the privacy notices published by the relevant Register from time to time.

NOMINALIA may be required to disclose your personal information to the Internet Corporation for Assigned Names and Numbers (“ICANN”) in order to comply with ICANN’s policies and procedures.

ICANN also requires NOMINALIA, as Registrar, to deposit a copy of the data necessary for the management of escrowed domain names with an accredited “Escrow Agent”. For this service, NOMINALIA uses the company DENIC Services GmbH & Co. KG (hereinafter referred to as “DENIC”), located in Germany (Heinrich-Hertz-Str. 6, 64295 Darmstadt, Germany, info@denic-services.de) and designated by ICANN.

It should be noted that for gTLD extensions, and in some cases also for ccTLD extensions if permitted or required by the competent Register, NOMINALIA may be required to disclose your data to third parties for the purposes of Preventing Abuse and Fraud, on the basis of Article 4 of the ICANN Temporary Specification for gTLD Registration Data, available at this link:
https://www.icann.org/en/system/files/files/gtld-registration-data-temp-spec-17may18-es.pdf;
or for ccTLDs, on the basis of the policies published from time to time by the competent Register.
Upon explicit and detailed request, NOMINALIA may also disclose the Personal Data of a domain name to third parties, on the basis of its own legitimate interest, in order to protect its rights (including industrial property rights), and for the protection of the legitimate interests of third parties.

6. Transfer of personal data

As part of domain name registration services, data is disclosed to the parties listed in Section 4 of this Privacy Policy, which may be located outside the European Economic Area (the “EEA”), such as ICANN and DENIC, or the Registry of the relevant country where the ccTLD or gTLD is to be registered.
NOMINALIA guarantees that the processing of your Personal Data by these Recipients shall be carried out in accordance with the GDPR.

The legal basis for such transfers to the competent Register, as the case may be, is in Article 49(1)(b) GDPR and Article 49(1)(c) GDPR, where the transfer outside the EEA is necessary for the performance of the contract between the Data Controller and the Data Holder, or between the Data Controller and a third party on behalf of the Data Holder.

With respect to the transfer of data to DENIC for gTLD registrations, or in the event that the Register uses third party Registrars for the registration of certain gTLD extensions, transfers are made on the basis of the EU Commission’s Standard Contractual Clauses, pursuant to Article 46 GDPR. In such a case, a copy of the clauses may be requested, after redaction of the parts containing personal data.
For more information, please write to dpo@nominalia.com

7. Data retention
The Personal Data processed for the purposes of the Provision of the Service and Disclosure of Data to independent third party Data Controllers will be kept for as long as strictly necessary to achieve the aforementioned purposes. In addition, as this processing is carried out for the provision of the domain name registration and management service, NOMINALIA will process the Personal Data for as long as permitted by Spanish law to protect its interests. In particular, it will retain the data necessary to provide evidence of the proper performance of its contractual obligations for the period required by law, which generally corresponds to the general statutory limitation period for proceedings (Article 1964.2 of the Civil Code).

For Compliance purposes, Personal Data will instead be retained for the period required by the specific obligation or applicable law.

For the purposes of Prevention of Abuse and Fraud and Protection of the legitimate interests of third parties, Personal Data will be kept for the period required by the Register to prevent and combat fraudulent conduct and to protect the legitimate interests of third parties, i.e., for 10 years.
You can obtain more information about the retention periods for Personal Data and the criteria used to determine such periods by writing to the Data Controller or the DPO.

8. Rights of the Holder/Data Subject

Without prejudice to the obligations or powers of retention of Personal Data set out in section 6, you have the right to request from NOMINALIA, at any time, access to your Personal Data, their rectification, erasure or restriction of processing in the cases referred to in Article 18 GDPR, as well as to obtain the data concerning you in a structured, commonly used and machine-readable format (portability), in the cases referred to in Article 20 GDPR, for the purposes of the provision of the Service.
You have the right to object to the processing of your personal data for the purposes of abuse and fraud prevention, in the cases referred to in Article 21 of the GDPR.

Such requests can be made by writing to dpo@nominalia.com

To exercise your right to portability and to obtain further information on the content, please also contact dpo@nominalia.com. You can also find information on this matter in our Privacy Policy, which is available at:
https://www.nominalia.com/quienes-somos/condiciones-legales/cookies/

In all cases, you always have the right to file a complaint with the competent Supervisory Authority (Personal Data Protection Authority) under Article 77 GDPR if you consider that the processing of your data is in contravention of the legislation in force, or to bring the matter before a court of law (Article 79 GDPR).

9. Amendments
This privacy policy is effective as of the date indicated below. NOMINALIA reserves the right to amend or update the content of this Policy, in whole or in part, including in the event of changes in applicable law. If amendments to this Policy involve substantial changes to the processing of data or have a significant impact on Holders / Subjects, NOMINALIA will take appropriate care to notify them.


© NOMINALIA INTERNET S.L.U.
July 2024