Pursuant to Appendix A, Section 4 of ICANN’s Temporary Specification for gTLD Registration Data (the “Temporary Specification”) and our Registrar Accreditation Agreement with ICANN, MarkMonitor is required to provide reasonable access to non-public WHOIS information (“WHOIS data”) when we receive an adequate request based on a lawful basis, including but not limited to a legitimate interest stated by the requestor.
This policy does not apply to requests for WHOIS data that are made by the person to whom that information relates. It only applies where the person or organisation requesting the WHOIS data is a third party. Requests from data subjects exercising rights in their own data (e.g. right to rectification, right to erasure, etc.) should be made to the client’s CSM and/or firstname.lastname@example.org.
We will provide the requestor with non-public WHOIS, only if all the following conditions are met. Please see Section 4 below for guidance on processing requests when the following conditions are not met, and please reach out to Legal, the Director of Policy, and MarkMonitor’s designated Privacy Contact (together, the “Privacy Team”) in case of any uncertainty.
- Requests must be sent via email, and we must receive the request via the email address published in our WHOIS output (email@example.com).
- The domain name in question must be a gTLD – ICANN rules and our obligations under the Temporary Specification only apply to gTLDs.
- The requestor must state with specificity what WHOIS information is being requested, and must state the lawful purpose for which the information is being requested (see 2.F. below).
- The requestor must identify themselves with at least their name. This could be a natural person’s name (e.g. Jane Smith), or an organization name (e.g. “MarkMonitor brand protection department”) is also acceptable. We will verify the requestor’s identity based on the requestor’s email address and any additional information provided in the request. The request should connect the identity of the individual to the lawful basis for requesting the data (e.g. “MarkMonitor, Inc. is legal owner of the MARKMONITOR trademark”). See Section 2.F. below. If the requestor claims to be an attorney, service provider (e.g. MarkMonitor), or otherwise an agent of the entity with a lawful basis, the request should be accompanied by a Letter of Authority or representation affirming the requestor is authorized to act on behalf of the entity that has the underlying lawful basis.
- The WHOIS must actually be redacted – we should not reply when we are already publishing the full unredacted WHOIS (i.e. non-EEA data or data relating to a legal person only).
- The request must state a lawful basis for requesting the data, including but not limited to “legitimate interests.” Lawful bases include, among other stated purposes: (i) to name the registrant as a defendant in a complaint under the URS, UDRP, or as a defendant in intellectual property litigation; (ii) to notify the registrant of alleged trademark infringement, piracy, or counterfeit violation relating to the domain, or to correspond with the registrant in relation to such alleged infringement or violation; and (iii) to identify the registrant to take measures in relation to suspected fraud, phishing, or malware attacks. For requests based on “legitimate interests” under Article 6, Section 1(f) of the GDPR, the prejudice to the stated purpose must be weighed against the interests or fundamental rights and freedoms of the data subject, and such requests should be reviewed by the Privacy Team before actioning.
- The request must show that the data is necessary for the stated purpose.
3. How we Respond
We try to respond within five business days. When providing a fulsome response, we will copy and paste the following legal disclaimer into the top of our email reply to the requestor, followed by the non-public WHOIS information (but no more non-public WHOIS data than is necessary for the stated purpose) (“WHOIS Data”) for which the requestor has a lawful basis:
“MarkMonitor takes our clients’ privacy, and global privacy laws, very seriously. By processing the WHOIS Data we disclose to you, you understand and agree that you: do so as a separate (and not joint) data controller with respect to such WHOIS Data, and as a result are responsible for determining the lawful ground under the General Data Protection Regulation applicable to your processing of this data. You further agree to process and safeguard the WHOIS Data we supply to you in accordance with all applicable laws at all times.”
- We must log each instance where we provide non-public WHOIS data, including the request, our response, and our decision-making rationale.
4. Insufficient Requests
In order to ensure compliance with data privacy laws, MarkMonitor will not process requests for WHOIS Data that do not meet all the requirements specified in Section 2 above. However, due to the novelty of implementing the Temporary Specification, if a request is missing one or more of the requirements above, we may respond with language similar to the below, and may provide the requestor with further specific instructions to amend and correct their request, at MarkMonitor’s sole discretion:
“We are in receipt of your request. Unfortunately, your request has been preliminarily deemed insufficient as lacking one or more of the following MarkMonitor requirements for providing non-public WHOIS information under ICANN’s Temporary Specification: requests must be sent to the MarkMonitor email address which is established for this purpose, and which is listed in MarkMonitor’s WHOIS output; the domain name in question must be a gTLD; the requestor must explicitly identify themselves (and if they act on behalf of another person, provide a Letter of Authority or representation affirming the requestor is authorized to act); the WHOIS output for the domain must not already be public – check to see if the WHOIS output for this domain is already publicly available; and the request must state a sufficient legal basis and a sufficient lawful purpose (e.g. a ‘legitimate interest’) for requesting the data, showing that the data is necessary for the stated purpose.”</>