Privacy policy

Data Protection

nic.at GmbH handles your data with the utmost care and is committed to transparent communication about the processing of your data in accordance with the EU General Data Protection Regulation (GDPR). Personal data are collected primarily for the purpose of fulfilling our contract with you. To the extent that any data processors are engaged in order to fulfil the contract, nic.at ensures by means of contracts with them that processors comply with data protection obligations, and verifies that they do so. In principle, the personal data of natural persons will no longer be published in the WHOIS database from 25 May 2018. The same applies to transferring such data to third parties, if such parties do not demonstrate a predominant legitimate or public interest. Your data will not be forwarded to third parties for their marketing purposes. You receive our newsletter if you have given your consent to do so, which you may revoke at any time.

Privacy statement

nic.at GmbH is responsible for use of your personal data in accordance with the law, in connection with the registration and administration of your .at domain. If you conclude other contracts (e.g. with your provider/registrar) when registering a .at domain, the respective counterparty is responsible regarding such contracts. We handle your data with the utmost care and in accordance with the principles of the GDPR.

The GDPR is the European General Data Protection Regulation, which applies directly in all EU member states as of 25 May 2018. It protects natural persons with regard to the processing of personal data, and sets out a range of obligations for those who process personal data to provide information and clarification. This means data controllers and those who process data for them. The GDPR also establishes numerous rights and legal remedies for persons whose data is processed (“data subjects”). Austria has enacted additional measures to the GDPR in its Datenschutzgesetz (Data Protection Act).
The text of the GDPR can be found here: http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679.
The text of the Austrian Data Protection Act, together with a translation, can be found here: https://www.ris.bka.gv.at/Dokumente/Erv/ERV_1999_1_165/ERV_1999_1_165.pdf.

We are committed to transparent communication about the processing of your data. Below you will find details regarding the way we handle your personal data as well as your individual data protection rights.

How we handle your data

  • Data processing and data processing categories
  • Your options for controlling your data
  • Legal basis and purpose of data processing
  • Our data recipients
  • Our processors
  • Automated registration
  • Information requests by third parties
  • Erasure of data
  • Newsletter
  • Cookies: general information
  • Our cookies
  • Third-party cookies used in our services
  • Technical data security measures

Your data protection rights

  • Right of access
  • Right to rectification
  • Right to erasure (‘right to be forgotten’)
  • Right to restriction of processing
  • Right to object
  • Right to data portability
  • Right to withdraw consent
  • Right to lodge a complaint with a supervisory authority

How we handle your data

If you wish to register a .at domain, you can approach nic.at directly, or a .at registrar. This means we either receive your data directly from you, or indirectly from the party you have contracted in this regard. In either case, we require the following data in order to register a .at domain when the domain holder is a natural person:

  • First and last name
  • Contact details (postal address and e-mail address)

A telephone number and a fax number can also be provided, but are not required.

We collect these data as domain holder data, together with information on the specific contractual relationship including any changes, and your domain names, as well as technical data such as name server data, the IP address (if required for technical purposes) and DS records.

Whilst we have abolished admin-c data in line with the principle of data minimisation, for security reasons we still need to collect and store information on the technical contact person (tech-c). We operate critical infrastructure that is of major importance for maintaining social and economic functions, and disruption of which could bring about extensive damage. We need to be able to reach your technical contact person quickly and directly in critical situations to ensure that we can meet the specific security requirements of your domains.

If you are an end customer of nic.at and have selected the direct debit payment method, we also store the bank details you provide. In the case of all other payment options, you will be forwarded to the corresponding provider (e.g. Saferpay, PayPal, Giropay, EPS); data that are necessary for processing the payment are exchanged, but we do not process your bank and credit card details.
If you are an invoice recipient for .at domains, we process data that are required for invoicing and bookkeeping.

Communications data are collected as required (including records of telephone calls, e-mails, forms, all necessary documents, log-in data, etc.).

Data are also collected and processed when you visit our website. The extent to which and the purposes for which we collect and analyse anonymous data on our website are described under “Our cookies/Third-party cookies used in our services”.

If you subscribe to our newsletter, we process the data required to send it to you and store the respective consent you have provided.

Publication of the personal data of natural persons in the WHOIS database is in principle no longer permitted. The same applies to transferring such data to third parties, if such parties do not demonstrate legitimate or public interest.

If you would like to check that the domain holder data stored in connection with your domain is correct, you can submit an information request. The simplest option is to have us send the information to the e-mail address we have for your domain. You will promptly receive an automated message with the WHOIS data for your domain. If you would like to have the disclosure of your data sent to a different e-mail address, we require proof of identity. We need to be sure that you are actually the person who is requesting your data. Depending on the request, we might also require additional, possibly more specific information, such as your contact details and information on whether we have a contractual relationship with you, in order to be able to send you the desired information.

In addition, as a natural person you have the option to expressly request that your name and selected contact data for your domain be published in the WHOIS database. If you do not wish such information to be published, you must ensure that you, or your registrar (whoever submits the application), enters the correct “person type” when registering the domain. You have the choice to be entered as a legal or natural person. The company and contact details of legal persons are publicly accessible. Because there are natural persons behind every legal entity, we recommend that you provide department names rather than names of individual employees, and non-personal e-mail addresses where contact details are required. Otherwise, the consent of the named contact person must be obtained in advance.

Your data are collected and processed first and foremost for the purpose of fulfilling the contract. We send you newsletters on the basis of your consent, which you can revoke at any time.

Anonymous user behaviour provides the basis for optimising the performance of our website, as well as our interest-based advertising, in which we have a legitimate interest.

Your data will not be forwarded to third parties for their marketing purposes.

Your data are processed by different departments, depending on the purpose.

An external tax consultant takes care of tax matters for us, and a collections agency is used to recover receivables when a counterparty to a contract with us is in serious default.

nic.at also enlists a number of processors, to whom data required for the performance of their contracted tasks are forwarded.

Since contracts are concluded with various parties in the course of domain registration and use (e.g. with your registrar, provider or reseller), data are reciprocally transferred for the purpose of contract fulfilment. In addition, every registrar has WHOIS access to domains that it does not administer, because this is necessary for the efficient administration of .at domains. All registrars are contractually obliged to limit use of their full access to the purpose specified in the registrar’s agreement. Some of the 400-plus registrars are located in third countries, where the GDPR does not apply. Compliance with the GDPR by registrars in third countries who are not on the European Commission’s “whitelist” or who have agreed to abide by the Privacy Shield Framework is ensured by standard European Commission contract clauses.

In addition, the technical contact details of a domain are permanently available worldwide via name server queries for retrieval by third parties, since this is required for the availability of a registered domain at all times and thus for fulfilling the contract concluded with the domain holder.

nic.at enlists a number of processors to whom data are forwarded if required for the performance of their contracted tasks. For instance, Vienna University Computer Center provides us with important technical support. If you have selected direct debit as your payment method, your bank details are forwarded to our bank. We also work with several marketing agencies. In all cases, nic.at ensures by means of contracts with processors that they comply with data protection obligations.

A number of conditions must be met in order for your desired domain to be registered. Satisfaction of these conditions is checked by automated means. This applies regardless of whether you submit a registration directly to nic.at or, as in most cases, you use a registrar.

In all cases, the first step is to check whether your desired domain is available.

If you submit a registration yourself via www.nic.at and have chosen a domain that is available, you can add it to your shopping basket. After you have entered domain holder data and technical data, a check is performed to see if the name servers provided are correctly configured (i.e., if they respond to a request). Among other things, the syntax of your domain name is also checked. More detailed information on the technical requirements for registration can be found at https://www.nic.at/en/my-at-domain/registration/registration-guidelines

If you have any questions regarding automated registration, please contact customer services; details are available at https://www.nic.at/en/contact.

The WHOIS is a public directory of registered .at domains, which previously showed the holders of all .at domains and their contact details. Due to the direct applicability of the GDPR, this extensive means for the public to make queries will change as follows:

Holder data concerning legal persons will still be published in the WHOIS. It is recommended that the natural persons responsible for these legal entities include department names in their contact details, and not the names of individual employees, as well as providing non-personal e-mail addresses.

Holder data concerning natural persons will no longer be published in the WHOIS. Such data will only appear in the WHOIS at a natural person’s express request. On a case-by-case basis, holder data concerning natural persons will be shared in response to a specific information request from a third party, which must demonstrate a legitimate interest in order to receive such data.

Please note that in this respect the submitter of the application (i.e. you or your registrar) is responsible for ensuring that the correct person type, i.e. an organisation or private individual, is specified upon registration.

As a rule, the holder data for domains held by natural persons can no longer be accessed in the WHOIS. A third party which claims to require these data, for instance to assert legal claims, must submit an information request to nic.at. In every case, we very carefully assess whether the request appears justified on the basis of the facts provided. The third party must have a legitimate interest in the data requested, and be able to demonstrate such an interest.

For instance, the wish to purchase a particular domain or ascertain the identity of a counterparty to a contract is not sufficient.

With regard to the disclosure of domain holder data in connection with infringements of name rights, trademarks and/or brand rights or other legal claims, we require a precise statement of the facts and specific evidence (e.g. an extract from the trademark register) in order to assess whether a legitimate interest exists.

We believe that data must not be stored indefinitely without good reason. We intend to store data only for as long as necessary. In our view, storage of data for the duration of a contractual relationship is definitely necessary. In addition, we store data for as long as claims arising from a contractual relationship can be enforced. Furthermore, due to various statutory requirements, such as those on proper accounting, we are obliged to store data for specific periods.

You receive our newsletter on the basis of the consent you provided. By subscribing to our newsletter, you agree that the data you provided (first name, last name, e-mail address) can be used and processed for promotions.

You can quickly and easily unsubscribe from the newsletter at any time using the "unsubscribe" link provided in every e-mail. Please note that this does not affect the lawfulness of delivery prior to your withdrawal of consent. If you wish to change your data, please use the "update email preferences" link provided in every e-mail.

We use the e-mail marketing tool mailworx for sending our newsletters. mailworx records the time of delivery, the time at which and the duration for which the newsletter is opened, the IP address and the e-mail programme used. mailworx also records the links that were clicked. The data is saved and processed in the European Union.

A cookie is a small text file that your browser stores on your device (PC, smartphone, etc.) when you visit a website. This text file stores information so that the website recognises your device when you visit the site again. Cookies were developed to enhance website functionality. For this reason, information is stored and transmitted in the background when you visit a website. Cookies have differing lifespans, and can be stored either temporarily for the duration of a website visit or for a longer period of time.

Cookies have various uses, ranging from technologically helpful and essential cookies to profiling cookies. Technologically essential cookies enhance convenience, allowing you to visit websites without interference and to shop online, for example. Third-party cookies can be used to profile your surfing behaviour online, and this information is normally used for tailored advertising.

You can delete cookies and limit the possibilities for them being installed in your browser settings. Most browsers give you the option of

  • finding out what cookies are stored on your device;
  • erasing individual cookies;
  • blocking cookies from third parties;
  • blocking cookies from certain websites;
  • blocking all cookies;
  • erasing all cookies when you close your browser.

Please note that if you choose to erase cookies, all of your session data will be lost. In addition, our website does not function properly if you block cookies. Therefore, we recommend that you do not block all cookies.

It should also be noted that cookies usually cannot be stored for use in different browsers. For example, cookies saved in Chrome do not automatically work in Firefox. This means that you should configure the settings separately for each browser you use.

Nowadays, it is standard practice to use cookies on websites. Without cookies, it would not be possible to make use of services on websites. However, the purpose for which cookies are used is important, because there are now various ways in which they can be misused.

When you visit our website, cookies are primarily used where they are technologically necessary, so that you can access the information you are looking for quickly, easily and in a user-friendly manner. The cookies we use include session cookies, which mean that you do not have to reload data during your visit to our site, and security cookies, which attach data allocated specifically and temporarily when you send forms. These cookies are only stored for a very short time. In contrast, the consent cookie that records whether you have consented to the use of cookies on our website has a lifespan of several years, so that you are not asked for your consent every time you visit our site. Thanks to the technical assistance we receive from Vienna University Computer Center, a load balancer ensures the efficient distribution of load when many users visit the site at the same time. When you first access our website, the relevant cookie records the “information flow path” (via various servers) for the duration of your visit.

We use the open-source web analysis service Matomo (formerly Piwik; see https://matomo.org/) to continuously optimise our website. Analysing visitor information helps us to identify potential sources of errors and less user-friendly interfaces, and rectify them. The analysis-tool cookie allocates a user ID under which your IP address is stored in a database in pseudonymised form together with information on your surfing behaviour (traffic data). Abstract user behaviour (under the allocated ID number) is of interest to us, not information on a specific person. We use plug-ins produced by third parties for various purposes, including to evaluate the effectiveness of our marketing. This requires geolocalisation, and this information is derived from your IP address and stored (prior to pseudonymisation). In itself, this information does not allow an individual user’s location to be determined. It only provides vague information on the country or federal province in which your IP address was registered. We store and analyse this data exclusively for our own use. This data is not shared with third parties for outside marketing.

You can stop Matomo from collecting this information by clicking on the following link: https://stat.nic.at/index.php?module=CoreAdminHome&action=optOut&language=de . An opt-out cookie will then be saved, which stops your data from being collected when you visit our website in future.

Information security is an extremely important aspect of data protection. nic.at is certified in accordance with the international ISO 27001 standard in order to provide the highest possible level of security.
If you have any questions on the use of your data, please contact our legal department or our customer services unit. You can find the relevant e-mail addresses and telephone numbers at https://www.nic.at/en/contact.

Your data protection rights

The GDPR includes an extensive package of protective rights for natural persons whose data are processed (i.e. collected, stored, transferred, restricted, erased, etc.).

Under Article 15 GDPR, you have the right to obtain information on the categories of personal data we process and for what purpose, the recipients of this data, (where possible) the period for which data will be stored, any information on the source of personal data not collected from you, as well as whether automated decision-making, including profiling, is carried out and how this works. On request, we will send you an overview of these data processing activities free of charge, and inform you of your additional rights.

You have the right to have inaccurate or incomplete personal data rectified and/or completed (Article 16 GDPR).

You have the ‘right to be forgotten’ (Article 17 GDPR). This means we will erase your personal data on request when the data is no longer required for the purposes for which it was collected and processed, and there is no other ground for continued storage of the data. The same applies if you object to or withdraw your consent to the processing of your data, or your data was unlawfully processed.

You have the right to restrict processing of your data (Article 18 GDPR), for example if you contest the accuracy of your personal data or the lawfulness of data processing, or because the data is required to exercise legal claims. Austrian legislators have also provided for restricted data processing in cases where data cannot be rectified or erased without delay for technical or financial reasons.

Under Article 21 of the GDPR, if your data is processed on the basis of legitimate public or private interests, you have the right to object to processing at any time. The same applies to profiling and direct advertising. Therefore, you have the right to object at any time to the cookies that help us to use your personal data – even in pseudonymised form – in order to carry out interest-based advertising.

You have the right to receive your personal data from us, and to have the data transmitted to another controller, provided this is technically feasible.

The right to withdraw consent means that you can unsubscribe from our newsletter at any time. By withdrawing your consent, you restrict processing of your data in future (in this case, delivery of the newsletter). This does not affect the lawfulness of data processing carried out before you withdraw your consent.

If you believe that your data has not been processed in accordance with the GDPR, Article 77 of the Regulation and section 24 Austrian Data Protection Act give you the right to lodge a complaint with the Austrian Data Protection Authority (https://www.data-protection-authority.gv.at/).