The EDPB adopted a letter on behalf of the EDPB Chair addressed to the Internet Corporation for Assigned Names and Numbers (ICANN), providing guidance to enable ICANN to develop a GDPR-compliant model for access to personal data processed in the context of WHOIS.
The letter addresses the issues of purpose specification, collection of “full WHOIS data”, registration of legal persons, logging of access to non-public WHOIS data, data retention and codes of conduct and accreditation.
The EDPB’s predecessor, WP29, has been offering guidance to ICANN on how to bring WHOIS in compliance with European data protection law since 2003.
The EDPB expects ICANN to develop and implement a WHOIS model which will enable legitimate uses by relevant stakeholders, such as law enforcement, of personal data concerning registrants in compliance with the GDPR, without leading to an unlimited publication of those data.