OpenSRS Data Processing General Information

This article explains how OpenSRS processes registrant personal data, including the difference between consent-based and contract-based processing, how long data is retained, and how OpenSRS reconciles GDPR obligations with ICANN policy. Tucows extends GDPR-aligned protections to registrants worldwide, regardless of where they live.

Warning: Data privacy regulations and ICANN policies continue to evolve. Verify current retention windows and policy intersections with the OpenSRS compliance team before relying on the details below.

Applying GDPR platform-wide

Other privacy frameworks with similarly strict requirements exist alongside the GDPR, and more are expected as governments respond to modern data privacy concerns. Tucows applies GDPR-aligned protections platform-wide so resellers and registrants are prepared for a world of heightened data sharing and privacy standards.

Tucows branding on the Your Data Sharing Preferences page

Tucows remains committed to providing a white-labeled solution for resellers. That commitment must be balanced with the legal obligations Tucows has as a data processor and controller.

Modern privacy laws require service providers to disclose what personal data they process, how it is held and processed, and by whom. To obtain informed, affirmative consent from registrants, Tucows must be transparent about the fact that Tucows is processing their data. As a result, Tucows branding appears on the Your Data Sharing Preferences page.

The difference between consent and contract

To an end user, checking a consent box and accepting a contract may feel similar, but they are legally distinct. Each is a separate legal basis for processing personal data, with its own applicability and limitations.

Any data elements that Tucows or the registry or service provider requires to provide a TLD or other product are processed on a contract basis. These elements are included in the contractual agreement with the registrant, and OpenSRS does not need to send a consent request to process them.

Additional data — items that are not contractually required but are helpful to have, or that have been requested by the registry without being included in the contractual requirements — can only be processed with consent from the registrant. OpenSRS is also obligated to provide an easy, accessible way to revoke that consent. The Your Data Sharing Preferences page collects consent and provides the means to revoke it.

Asynchronous services are a special case. Tucows does not require additional consent-based data, yet the registry or service provider does, even when they have not provided a contractual legal basis for processing it.

Personal data retention

Data processed as part of fulfilling a service contract is retained for the lifetime of the service plus up to ten years after the service's termination.

Data processed under the legal basis of consent is held for the same period as contract-based data unless that consent is withdrawn. If consent is removed, the erasure process begins at the time of withdrawal and may take up to 60 days to complete. Tucows logs the registrant's choice to revoke consent for asynchronous services and directs the end user to the reseller to cancel services. The registrant's decision to withdraw consent takes effect upon service cancellation.

Note: The domain service provider (reseller) may retain data for a shorter or longer period than Tucows.

ICANN data policy compliance

OpenSRS continues to comply with ICANN policy to the greatest extent possible. Until ICANN policy is updated in response to the GDPR and similar data privacy legislation worldwide, there are situations where ICANN requirements for registrars conflict with Tucows' legal obligations. In those cases, Tucows follows the law first and complies with ICANN as best it can.

Warning: ICANN's Registration Data Policy continues to evolve. Review the latest OpenSRS guidance on ICANN RDP changes for current policy intersections.

Next steps

  • Review the GDPR Consent Management Process article. Understand how synchronous and asynchronous consent flows surface to registrants.

  • Confirm your own data retention policy. As the reseller and a downstream data controller, document and disclose how long you retain registrant data and how registrants can request changes.

  • Plan for evolving privacy laws. Track new privacy regulations in regions where you do business, since GDPR-style obligations are spreading globally.

Questions? Contact OpenSRS Support.
