Privacy Statement

1. General 

As manager of the .be, .brussels and .vlaanderen domain name extensions, DNS Belgium obtains a number of personal data directly or indirectly, for which it is the data controller.

DNS Belgium handles such data with particular care and processes them mainly in order to guarantee the services we offer and to (technically) manage the domain names. We have also appointed a data protection officer who is responsible for the protection of the data.

Below we explain which data we process and why. We also want to inform you about your rights and where you can go with questions and/or complaints. 

 

2. Contact data 

If you have questions about the processing of your personal data or your rights, you can always contact us. 

Data controller contact details

DNS Belgium vzw

Ubicenter, Philipssite 5, box 13

3001 Leuven

privacy@dnsbelgium.be

Tel. +32 16 284970

Data protection officer details 

DNS Belgium vzw

Attention:  Peter Vergote

Ubicenter, Philipssite 5, box 13

3001 Leuven

dpo@dnsbelgium.be

 

3. Whose data do we process? 

DNS Belgium processes the data of the following persons:  

  • registrants of a .be, .brussels or .vlaanderen domain name (in the case of a private registration) or of the contact person of registrants of a .be, .brussels or .vlaanderen domain name (in the case of registration in the name of a legal entity)
  • visitors of the website www.dnsbelgium.be or other websites of DNS Belgium
  • persons who call on the services of DNS Belgium or come into contact with us through one of our communication channels
  • persons who act as representatives of a party with which DNS Belgium works
  • visitors to our office in Leuven 

The data of the registrants and their contact persons, if any, come into our possession directly through the registrar with whom the domain name was registered. The data of other persons is processed directly by DNS Belgium. 

3a.  Registrants

Which registrant data do we save?

By registering a domain name, an agreement is reached between DNS Belgium and the registrant. To perform the agreement correctly, we process the following data of registrants of .be, .brussels or .vlaanderen domain names:

  • name and surname
  • address
  • e-mail address
  • telephone number

If the registrant is a legal entity, we process the following data of the registrant's contact person:

  • the surname and forename (insofar as the name is that of a person and not a functional description such as Domain Admin) 
  • the e-mail address (insofar as the personal address of the contact person is given and no generic e-mail address such as admin@company.be) 
  • the telephone number (insofar as the personal number of the contact person is given and not that of the legal entity) 

We process said data exclusively to be able to manage the three domain name zones correctly and securely or to comply with legal requirements. However, under no circumstance shall said data be used for commercial purposes. 

In principle, DNS Belgium keeps these data for an indefinite period. However, in the context of data minimisation we provide two important exceptions to this principle: 

  • Contact data which have never been linked to an actual domain name registration are deleted automatically after 12 months. 
  • Contact data which were linked to an actual domain name registration before but have not been for more than 10 years are also automatically deleted. 

Why do we process these data? 

DNS Belgium needs your data to inform you about (technical) problems with your domain name or if our general terms and conditions for the management of domain names were to undergo a major change.

We may also have to share data with the authorities in the context of legal requirements (e.g. a judicial investigation). Sometimes we also have to disclose the data to judicial or legal representatives of third parties who wish to assert certain rights on one or more specific domain names (see also Section 6. Additional notifications).

We may also have to disclose data to bodies to settle domain name disputes. These are CEPANI for .be domain names and WIPO (and other organisations designated by ICANN) for .brussels and .vlaanderen domain names.

In principle, we do not disclose any personal data to countries or authorities outside the European Economic Area (EEA). If DNS Belgium receives a request to that end, our data protection officer will perform a prior legal analysis and then decide whether or not the request can be granted. The decision will depend, among other things, on the motivation (e.g. in the context of legal proceedings) and proportionality (e.g. data relating to one specific registrant v. an extensive subsection of all the data held by DNS Belgium) of the request and whether there are adequate safeguards to prevent further processing of these data. 

However, we would like to draw the attention of .be registrants to our efforts to keep the .be zone secure, and more specifically to the procedures to be followed in the context of "Registrant Verification" as described in Section 6. Additional notifications. If a newly registered domain name is selected for Registrant Verification, this may entail the processing of additional personal data relating to the registrant or the contact person. The sole purpose of such additional processing is to validate the contact details provided for the registrant. As the controller, DNS Belgium must spare no effort to ensure that the personal details processed are as accurate as possible.

3b. Visitors to the website

What data of visitors to our websites do we save and how long?

The following data of users/visitors to www.dnsbelgium.be or other websites under DNS Belgium's direct management are saved: 

  • IP-address   
  • cookie data (data about the website visit such as language preference, number of viewed pages, which links were clicked)

DNS Belgium solely processes said data to improve the use of the websites and services. Under no circumstance shall said data be used for commercial purposes. 

In case of online entry forms we process certain data to combat abuse (spam, false declarations, etc.). The following data are processed:

  • name and surname
  • address
  • e-mail address
  • phone number

The data processed following a website visit are saved for a period of 1 year after which they are automatically deleted. 

The data we process when online forms are entered, are saved for a period of 10 years in principle. These data are saved in a Customer Relationship Management application (CRM) (more specifically the application Creatio, https://www.creatio.com) which allows us to optimise our services. After 10 years the saved data are automatically deleted.

However, for the online form (on www.dnsbelgium.be) to contact a .be registrant the following applies:

  • only the user's e-mail address is kept;
  • the data are not saved in the CRM and are automatically deleted after 12 months. 

At the data subject's request the processed personal data in the CRM can be manually removed if more than 12 months have expired since these data were saved.

Which data do we have to disclose and why? 

We may have to disclose data that are processed as a consequence of the visit of our website to countries outside the European Economic Area (EEA). We have made sure that such data are anonymised so that the authority that receives the data cannot possibly identify the parties concerned.  

The data processed when using online forms are not disclosed to countries or authorities outside the EEA. 

3c. People who contact us for services

Which data of people who use our services do we keep?

We keep the following data of persons who use the services of DNS Belgium or who come into contact with DNS Belgium in another way: 

  • name and surname
  • e-mail address (not in case of contact only by telephone)
  • phone number (not in case of contact only by e-mail)

DNS Belgium processes such data exclusively to improve its services and to meet the needs of the persons who contact us more efficiently. Under no circumstance shall said data be used for commercial purposes.

After being contacted, DNS Belgium may request an evaluation about the (dis)satisfaction of its services. The submitted answers will only be processed by the Support department and the data will subsequently be rendered completely anonymous for statistical purposes. 

The processing of the aforementioned data does not imply we disclose these data to countries or authorities outside the European Economic Area (EEA). 

In principle, the processed data are saved (not in case of telephone contacts) for a period of 10 years in a Customer Relationship Management application (CRM) (more specifically Creatio, https://www.creatio.com) which allows us to optimise our services. After 10 years the saved data are automatically deleted.

At the data subject's request the processed personal data in the CRM can be manually removed if more than 12 months have expired since these data were saved. 

3d. People of organisations we collaborate with

What data of people we collaborate with do we save?

The following data of people who act as representatives of a party with which DNS Belgium has a professional relationship on a contractual or other basis, are saved:

  • name and surname
  • e-mail address
  • phone number

We only process these data to ensure the most efficient collaboration with the data subjects. Under no circumstance shall said data be used for commercial purposes. 

The processing of the aforementioned data does not imply we disclose these data to countries or authorities outside the European Economic Area (EEA). 

In principle, the processed data are kept by DNS Belgium for a period of 10 years. These data are saved in the Customer Relationship Management (CRM) application to optimise the co-operation with contractual and other professional partners.  

At the data subject's request processed personal data can be manually removed if more than 12 months have expired since the termination of the professional collaboration or as soon as the data subject is no longer connected to the organisation DNS Belgium collaborates with.

3e. Visitors to our office

Which data of visitors to our office do we save?

In principle, visitors to our office are pre-registered in a visitor management application by the DNS Belgium employee responsible for welcoming these visitors. If the visitors were not entered into this application beforehand, they will be asked to record their visit when entering the reception area of the office. 

DNS Belgium uses the visitor management Proxyclick application (https://www.proxyclick.com).

The following data of visitors to our office are processed:

  • name and surname (obligatory)
  • company/organisation (obligatory)
  • e-mail address (optional)
  • phone number (optional)

The data of the visit (time and duration of the visit) are automatically deleted after 6 months. The contact data of the visitors are not automatically deleted but are manually removed from the application after 12 months. 

We solely process these data as part of our ISO/IEC 27001 certification obligations regarding “secure monitoring to locations of the involved organisation”. 

The following data of visitors to our office who want to use the WiFi network for visitors are registered: name, company name (name of the organisation representing the visitor), e-mail address, IP-address, MAC-address and some connection data (such as date and time (duration) of login, SSID connection, used network ports, browser version, OS type and version, hostname).

The aforementioned data (with the exception of the MAC-address) are kept for 90 days and are then automatically deleted. The data are only processed with a view to investigating possible security incidents. The MAC-address is anonymised (no link with visitor) and kept for a period of one year for statistical purposes. After one year, the data are automatically deleted. Data relating to the use of the WiFi network for visitors can only be consulted by the staff of the Corporate ICT department.

These data are also only processed as part of our ISO/IEC 27001 certification obligations regarding “management of security incidents”.   

The processing of the aforementioned data does not imply we disclose these data to countries or authorities outside the European Economic Area (EEA). 

Of course, under no circumstance shall said data be used for commercial purposes.

 

4. What are your rights? 

A summary of your rights is given below to make the new regulation on the protection of your privacy comprehensible.  

Right of access to data processed by DNS Belgium 

If this is not sufficiently evident from our privacy policy, you can always ask us which of your data we process, why, to whom we provide it, and how long we store it. We may require specific identity details from you in order to answer your question properly.

Right to rectification of data processed by DNS Belgium  

It is obviously in both our interests for us to process only correct data. If you find that certain data are incorrect or incomplete, you are of course always welcome to inform us. We will supplement or correct your data as promptly as possible.

A particular remark is in order for .be/.brussels/.vlaanderen registrants because we do not control this data directly. We only process it based on the input from the registrar who manages your domain name. 

As a registrant, you must report changes in your personal data to the registrar who manages your domain name at that time. The registrar will adapt the data for you and make sure that these changes are entered also in the DNS Belgium database. If you do not have your data updated, you run the risk that the registrar cannot contact you (to send the annual renewal invoice, for instance) and your domain name may be deleted inadvertently.

Right to be forgotten

DNS Belgium is the only body that can provide a summary of the entire lifecycle of a (.be/.vlaanderen/.brussels) domain name registration. In that respect, we would like to keep the registration history of a domain name as intact as possible. This history is often important in the context of a dispute or a judicial investigation, for example. 

Of course, we do not want to do this indefinitely and, as described above, certain data are automatically deleted after a certain period of time. 

This does not of course preclude that DNS Belgium will consider every request to exercise the right to be forgotten and assess the feasibility thereof. 

Our privacy statement specifies how long we keep certain data. DNS Belgium is of course prepared to delete data if it ascertains that: 

  1. the specified period has expired 
  2. the data are no longer needed for the intended processing purposes

Right to restriction of processing 

DNS Belgium endeavours to keep the processing of personal data to a minimum. 

If you think the processing by us should be restricted further, please let us know. We will then examine as promptly as possible whether the conditions of Article 18 GDPR are met and whether further restriction is appropriate.

Right to data portability

DNS Belgium will gladly help with any administrative simplification and can above all provide .be/.brussels/.vlaanderen registrants with data that can prove useful for a transfer to other bodies. 

We would like to point out that our registrants can download a certificate with the summary of the registrant data. To do this, go to our website www.dnsbelgium.be, and enter your domain name under “verify details”.

Right to object to data processing

DNS Belgium endeavours to keep the processing of personal data to a minimum. If you nonetheless think that you can object to the processing of your data, you can always report this to DNS Belgium. 

The data protection officer will look into your specific situation in the light of the provisions of Article 21 of the GDPR and assess whether your objection to processing is justified. If the data protection officer’s assessment of your request is positive, DNS Belgium will immediately cease any further processing of your data. 

Automated individual decision-making/profiling 

DNS Belgium reaches no decisions based on automated processing or profiling. 

However, we would like to point out that potentially fraudulent registrations in the .be domain name zone can be stopped in the context of "Registrant Verification" procedures (see Section 6. Additional notifications).

 

5. Lodging a complaint with the competent authorities 

If you think that your rights are infringed or that DNS Belgium has failed to protect them, you can lodge a complaint with the competent governmental authority responsible for the protection of your personal data (Data Protection Authority or DPA).  

In principle, you must lodge your complaint with the authority of the EU Member State in which you reside. For Belgium that is the:

Data Protection Authority (DPA) 

35 Drukpersstraat  

1000 Brussels 

Tel. +32 2 2744800

E-mail: contact@apd-gba.be  

www.dataprotectionauthority.be

We would of course appreciate it if you contacted us first to see whether a solution to the problem can be found.  

A complete and detailed summary of your rights is set out in Articles 15-20 of the General Data Protection Regulation (GDPR).

 

6. Additional notifications

Requesting info of registrants

On www.dnsbelgium.be, DNS Belgium provides a search function (WHOIS) to search the contact data of a registrant by entering a specific domain name.

DNS Belgium would like to confirm that this function has been modified to provide maximum protection for the privacy of registrants. 

First, a distinction is made between domain name registrations registered in the name of private people and by legal entities.

For domain name registrations registered in the name of private people the registrant's data are completely protected and cannot be consulted with a normal search. The same applies to possible ‘onsite’ and ‘tech’ contacts linked to such domain names, when it concerns a private person here. With regard to linked contacts of the managing registrar, the name of physical contacts is not shown anymore but the company's contact data are. 

For domain name registrations registered in the name of companies and organisations, a limited set of data of the registrant (name of company/organisation and address) is always shown in a search. However, the name of physical contacts, telephone number and e-mail address are not shown. For linked ‘onsite’ and ‘tech’-contacts and registrar-contacts the same applies as specified above for private domain name registrations.

Access to data for DNS Belgium employees

As described above, the internal systems of DNS Belgium (e.g. CRM-application) contain personal data of registrants and third parties. DNS Belgium has taken measures to ensure that its employees only have access to personal data when required for the performance of their respective tasks in the organisation. This prevents unnecessary exposure of personal data and further minimises the risk of data leaks.

Technical security measures

In the context of the deduplication of critical components of its management systems, DNS Belgium uses cloud services. For the hosting of the registration platform we work with AWS' cloud services.

DNS Belgium opted for a specific setup whereby all data hosted at AWS are encrypted based on the most recent cryptographic technologies. In the – albeit very unlikely – scenario of a serious incident at AWS whereby certain data is accessed by unauthorised persons, the DNS Belgium data will still not be legible thanks to the applied encryption. Again, this further minimises the risk of data leaks.

Guarantees regarding non-commercial use of your data

DNS Belgium is not a commercial entity and shall never use your data in a commercial sense. In other words, we guarantee you that your data will never be used for direct marketing, commercial e-mails or other forms of prospecting.

DNS Belgium only gives the data to third parties in the following cases:

  • at the request of a public body (local or federal, judicial or administrative) in the context of the performance of their legal responsibilities; 
  • at the request of a dispute settlement body in the context of an alternative dispute resolution (ADR);
  • on the basis of specific agreements concluded with official bodies or non-commercial organisations in the context of specific actions aimed at "cyber security";
  • at the request of an interested party and following prior evaluation by the legal department of DNS Belgium (see below). 

But even in these situations we assess on a case-by-case basis whether disclosing data is necessary.

DNS Belgium works with third parties for certain technical solutions such as, for example, AWS for cloud services. This means that data can be saved in other locations than DNS Belgium's registered office. As already explained above, DNS Belgium takes the necessary precautions in these cases to ensure the data are adequately protected (among others by encryption) to avoid unauthorised access.

Requesting contact data of a specific registrant

Contact details of .be/.brussels/.vlaanderen domain name holders cannot be consulted (private individuals) or only partially (legal entities) via the search function (Whois) on our site www.dnsbelgium.be. Anyone who needs the full set of contact details available to DNS Belgium can obtain these details by completing the request form below and submitting it to DNS Belgium.

On this request form the applicant must:

  • specify and substantiate the legitimate reasons for the request;
  • accept a waiver, in which he/she undertakes not to use the requested personal data for other purposes than what is specified on the request form (and/or specified in the enclosed documents);
  • state their contact details (name, address, e-mail address, telephone, and if it concerns a legal entity, the company registration number or other similar information that allows the organisation to be identified).

The legal department and/or data protection officer of DNS Belgium will investigate and evaluate every request in depth in light of the requirements for this special processing of data. In case of a positive evaluation the requested data are disclosed to the requesting party.

Registrant Verification

Registrant Verification is a process for validating the contact details provided by registrants when registering their .be domain name. The purpose of Registrant Verification is to maximise the overall security of the .be zone while ensuring that the data processed by DNS Belgium are as accurate as possible. 

In principle, registrations in the .be domain name zone are based on the “first come, first served” principle without prior checking of the registrant's identity.  

However, DNS Belgium uses a number of monitoring mechanisms to detect problematic registrations from the outset and to prevent potentially illegal websites linked to .be domain names from becoming activated in the .be domain name zone. 

DNS Belgium implemented a “Registrant Verification” programme in this respect with the goal of blocking registrations where the contact details of the registrant are suspected to be incomplete, incorrect or fraudulent.

If an incoming .be registration exceeds a number of hitpoints, it will be blocked by our technical system and a delegation to the .be zone will be blocked as long as the registrant does not provide proof of correspondence with the registrant's contact data imported into our system by the registrar.  

In this phase the domain name registration is not cancelled but DNS Belgium reserves all rights to perform a thorough inspection of the accuracy of the imported contact data in a later phase and possibly to proceed with a formal withdrawal of the domain name in question. 

If a domain name registration is selected for “Registrant Verification”, the registrant or his contact person will be asked to provide substantiating evidence to confirm his/her identity.  

Where applicable, DNS Belgium may receive personal data of a .be registrant or a contact person of the registrant which goes further than the data specified in Section 3a. These data are stored either in a Customer Relationship Management application (CRM) (more specifically the application Creatio, https://www.creatio.com), stored in a specific database of DNS Belgium for verified contacts, or they are processed further by Signicat, the company with which DNS Belgium works to carry out the validation. 

DNS Belgium shall never demand supplementary personal data in the context of “Registrant Verification” but only proof/confirmation of previously notified data via the Registrar. The registrant has several options for providing this proof or validation. 

For example, the supporting documents may be sent to DNS Belgium by e-mail. But DNS Belgium also has a web portal where private individuals can have their details validated online using applications such as Itsme or have the details of their e-ID card read out. When validating data via the web portal, the following personal details are also processed: date of birth, place of birth and nationality of the person concerned. 

In the event the .be registrant transfers additional personal data to DNS Belgium for Registrant Verification, the following rules will be maintained:  

In the case of validation by sending supporting documents: 

  • in the event of a positive validation of the identity of the registrant or his contact person, all transferred information will be deleted in the CRM within 30 days upon receipt; 
  • in the event of a negative validation of the identity of the registrant or his contact person, all transferred information in the CRM will be deleted within 12 months upon receipt or until there is a positive validation.  

In the case of validation via the DNS Belgium web portal: 

  • in the event of positive validation of the identity of the registrant or his contact person, all retained information in the database of verified contacts is deleted (overwritten) within 12 months of the data being recorded;
  • in the event of negative validation of the identity of the registrant or his contact person, the data provided will not be retained.