Privacy Policy

This is the privacy policy of the puntCAT Foundation. Your privacy is very important to us, and through this policy we want to explain which personal data we process for you, why, for how long it is kept, and how you can exercise your rights to manage it.

Please read this privacy policy carefully for a good understanding of how we protect your personal data.

Fundació puntCAT

Fundació puntCAT is a non-profit organisation registered with the Generalitat de Catalunya Directorate Generate of Law and Legal Entities under the following details:

Name: Fundació puntCAT
Address: Plaça Nova, 5, 7a planta
08002 Barcelona
Identity number: G-63719025
e-mail address (matters regarding privacy): dpd@domini.cat

Does this privacy policy affect you?

This privacy policy affects you if you have contacted us in the following cases, among others: if you have registered a .cat domain, because you are an associated contact with a .cat domain name, as an employee of an organisation with which we have a contractual relationship, as a subscriber to our newsletter, as a participant in any of our training activities, or through any other channel you have used to contact us (e-mail, phone, events, etc.).

Your personal data can be collected using the following methods: through the domain name registration processes, through our network of accredited registrars, by e-mail, by phone, by fax, through your registration to take part in any of our training activities, having attended an event, through cookies or other technologies used to track visitors to our websites, through supplier or partner communications, through a form on our websites, or through any other means that we may use to conduct our activities.

Which of your personal data do we process?

Personal data is any information related to an identified or identifiable physical person (i) that is provided voluntarily (e.g. through our website forms), (ii) that has been provided by your registrar when registering your domain name, (iii) that we collect after you have attended our events or visited our website(s).
Within the context of our commercial and training activities and to provide a good service and improve our services wherever possible, depending on the information we need to be able to provide the service for which you have contacted us, we may process the following personal data: your name, your e-mail address, the organisation for which you work, your position in the organisation, your private address, your language preference, your gender, your age, your unique identification alias in our system, your domain name, your financial details, the details related to your bank account or credit card information, legal details relating to your domain names, your IP address, images, and video files.

We might have to process your identity document and your employment status in order to provide some of the training activities. You will only be asked for this data when it is essential for two reasons: to check the suitability of applicants for the course, and to certify participation.

In the case of domain owners and associated contacts, because it is not possible to register the domain name directly with us, we collect your personal data through the company you used to register your domain. This company might be one of our accredited registrars or one of their distributors, which will collect your personal data on our behalf.

Why do we process your personal data?

There are different reasons why we process your personal data:

• We must collect personal data relating to your domain name to be able to offer the best services possible for it. This also enables us to identify you and contact you directly in relation to the registering of your domain name, wherever necessary.

• We use your personal data to maintain and build long-term relationships and to execute the contract we might have. We use your personal data to answer your enquiries, to fulfil your requests, and/or to send you administrative information.

• Your personal data might be used to comply with applicable law. It might also be used to respond to requests or claims made by the public or state authorities, including the public and state authorities outside your country of residence, or to protect our rights, privacy, security or property, and/or our organisations.

• We might use your personal data to send you promotional messages, marketing, information on the .cat community, and other information that may be of interest.

Principles observed when collecting and processing personal data

The Fundació .cat will comply with the following principles to regulate the processing of personal data that:

• will only be processed lawfully, fairly and transparently in relation to the owners of the registered names and other data (“lawfulness, equality and transparency”),

• will only be obtained for specific, explicitly and legitimate purposes, and will not be processed in any manner that is incompatible with this purpose (“restricted purpose”),

• is appropriate, relevant and not excessive in relation to the purposes for which it is processed (“data minimisation”),

• is correct and, where appropriate, is kept up to date, according to the purposes for which it is processed (“precision”),

• is not kept in a form that allows for the owner of the registered name and other data subjects to be identified for longer than necessary for the permitted purposes (“restricted storage”), and

• is processed in such a manner that guarantees the adequate security of the personal data, including protection against unauthorised or illegal processing and against its accidental loss, destruction or damage, using adequate technical or organisational measures (“integrity and confidentiality”).

Who has access to your personal data?

Your personal data will only be accessible to qualified personnel of the .cat Foundation who must process it and, where essential to provide the service linking you to us, by personnel of the organisations that collaborate with the Foundation to provide said service.

What is the lawful basis for processing your personal data?

We are able to process your personal data due to different legal reasons:

• Processing might be necessary for us to meet our legal obligations as a register or as data administrators.

• Processing might be necessary to provide the service you have contracted with us.

• Processing is necessary to protect our lawful interests and, particularly: economic, commercial and financial interests, commercial continuity, the security and confidentiality of the information and products of clients, and the security of the digital and physical infrastructure.

• Processing might be based on the consent you have given in relation to the activities of the .cat Foundation.

With whom do we share your personal data?

We never sell your personal data to anyone. Wherever permitted by applicable law and, among others, compliance with the domain name registration agreement, your personal data might be disclosed to the following parties:

• Technical support and storage providers: To guarantee the activities of the registration operator involved in registering your domain name, we must store and make backup copies of all the registration data, including your personal data.

• Third parties: Your personal data might be disclosed to third parties, including the state authorities for legitimate reasons.

• ICANN: The Internet Corporation might be provided with names and numbers assigned with your data in relation to your registering of .cat domain names, as set forth in our Registration Agreement with ICANN.

• Auditors: Auditors might have access to your personal data to ensure our commercial operations are correctly appraised.
When we share your personal data, we make sure we instruct the recipients wherever possible to process your personal data in accordance with our instructions.

What rights do you have in relation to your personal data?

Except where your request is considered excessive or unsubstantiated, you may exercise the following rights in relation to your personal data:

• You are entitled to request information on your personal data.

• You are entitled to ask for a copy of all your data in a standard format.

• You are entitled to modify or correct your personal data if it is incorrect.

• You are entitled to request the restriction of certain processing activities in certain circumstances.

• You are entitled to object to certain processing activities.

• You are entitled to withdraw your consent.

• You are entitled to ensure your personal data is deleted under certain circumstances.

• You may exercise any of your rights by completing and sending our on-line form.

Some of these rights in relation to the registering of domain names might have to be exercised through the registrar of the domain name registration in question.

You are also entitled to file a claim with the local supervisory authority whenever you believe that your personal data has not been processed in line with applicable law.

Where and for how long do we keep your personal data?

Your personal data is stored electronically and manually, internally and by third parties. We store your personal data from a form that allows you to be identified for no longer than necessary for the purposes for which your personal data is processed. This storage period is different depending on the type of personal data processed, the purpose for processing, and other factors.

As the owner of a domain name, we store personal data for one (1) year after the domain name has been erased.

The personal data of individuals that we collect outside the scope of a contract within the context of our business activities is stored for one (1) year after it has ceased to be relevant.

What security measures are taken to safeguard your personal data?

We are constantly implementing and updating our security measures to help protect your personal data and other data from unauthorised access, loss, destruction or alteration. We do everything possible to ensure all the information is stored securely and ask our service providers to apply the appropriate security measures.

Cookies and other tracking technologies

When you visit our website, we might store certain information on your devices in the form of cookies. Please read our cookie policy carefully for a good understanding of how we request or use cookies.

Registration data for .cat domains

This Section provides information on the processing of your Registration Data according to ICANN policies and the European Union General Data Protection Regulation (GDPR), as well as any other applicable law.

a. Controller

ICANN, the Register, your Registrar and, where appropriate, your reseller, are joint Controllers (or Processors, wherever applicable) in the processing of your Registration Data, as described in this Section. The main reasons for processing include the maintenance of the operations of your Domain Name, transfers of Domain Names, and any needs of the Whois tool.

The role of ICANN, a non-profit organisation from California in the United States, is to establish the policies involving the processing and publishing of your Data, and to control and guarantee that the Domain Name system remains secure and stable.

You can find further information on ICANN here

We and your Registrar are contractually required by ICANN to process your Personal Data and to apply the policies in which this is regulated, which are partly policies established by the ICANN community. All the parties involved are also contractually required by ICANN to regularly inform on the compliance with these policies.

The role of the Registrar or, where applicable, the reseller, is to offer the registration of Domain Names and other related services to their Owners. In accordance with the requirements established by ICANN, Registration Data must be processed by the Registrar and then transferred to the Register.

The role of the Register is to keep the central repository of all the .cat Domain Name registrations and allow for the resolution of these names to the Domain Name System (DNS). The Register does not offer to register Domain Names directly.

You can contact us here:

Fundació puntCAT
Plaça Nova, 5, 7a planta
08002 Barcelona (Catalonia)
Phone: +34 936 750 354
e-mail: dpd@domini.cat

b. The data we process. Registration Data

We have specific provisions for your Registration Data regarding Community domains. The Registration Data is a set of data contained in this Section, including data on all the contacts and the intended use.

The Registrars collect the following data to transfer it to the Register:

– Domain Name
– Name Servers
– Name of the Owner
– Organisation
– Street
– City
– Postcode
– Region
– Country
– Phone no.
– Phone extension no.
– Fax no.
– Fax extension no.

These elements collected from the Domain owner are also collected from the Administration and Technical contacts. They are also collected from the Invoicing contact, although this latter is optional.

– Intended use: You must also provide the intended use for your Domain Name.

c. Lawful basis for collection

The lawful basis for the collection of your Data is Art. 6.1.b) of the GDPR. The Domain owner and the intended use is to comply with the Domain Name Registration Policies according to the specific eligibility requirements and for subsequent validation in the register. The Administration contact is to permit Domain name management, such as transfers, and to supervise compliance with the law. The Technical contact is to establish contact for technical reasons.

When third-party data are collected, e.g. When the Owner and the Administration and/or Technical contacts are different to the person or persons providing the Registrar with the data, the Registrar is responsible for informing these third parties of the particulars of this Registration Policy, including the privacy provisions.

ICANN, the Register, the Registrar and, where applicable, the reseller, are all Controllers.

d. Transfer of data to the Register

The Registrar must also transfer the Data included in the above section. The lawful basis for this is Article 6.1.f) of the GDPR, as we have a legitimate interest in identifying and investigating models of behaviour that might be in breach of the law, providing information in relation to disputes as to the ownership of the domain, and operating a central owner data repository.

ICANN and the Register are the controllers for this processing activity, and the Registrar is the processor.

e. Processing third-party data

We use the services of the CORE Association (an organisation based in Switzerland) as a provider of back-end technical services for the Domain register, which is the processor of your Data.

The Register is also the processor of your data to transfer it to an escrow agent, as required by ICANN (controller) and the data might be transferred to an Emergency Operator (EBERO) indicated by ICANN if Register activities are suspended.

f. Publishing data

The Register will not publish your Data in the whois or make it public except in the following cases:

Your data will only be transferred if there is sufficient lawful basis for this transfer, which will be assessed in each individual case. The lawful basis might be Article 6.1.b) (in the case of UDRP or URS), Article 6.1.c) (in the case of requests by competent public authorities) or Article 6.1.f) (lawful basis in the legitimate interests of a third party).

Until ICANN adopts an accreditation model to process the requests, they will also be processed individually by the Register.

g. Data retention period

The Registration Data will be deleted as soon as the reason for its treatment no longer applies. The data processed by the Register will be deleted as soon as the retention periods imposed by law have ended. The Register will comply with Articles 17 and 18 of the GDPR.

ICANN may impose some of these retention periods. The Registration Data may have to be kept for a period of one (1) year after the domain has been deleted.

h. Correction of your Data

You undertake to correct and update your Data immediately during the registration period of your Domain Name as soon as it becomes incorrect.

Rights

You may exercise the following rights:

· Right of access by the data subject. Art. 15 GDPR;
· Right to rectification. Art. 16 GDPR. Modifications may be requested from your Registrar or, where applicable, your reseller, as the Register is unable to make this rectification itself;
· Right to erasure. Art. 17 GDPR. The erasure of your data might lead to the cancellation of your Domain;
· Right to restriction of processing. Art. 18 GDPR;
· Right to data portability. Art. 20 GDPR;
· Right to object. Art. 21 GDPR.

You are entitled to file a complaint with the Data Protection Authority regarding the manner in which we process your data.

Processing of your Data

We will only process your Data according to applicable data protection regulations and will adopt all technical and organisational measures to protect your Data from any loss, incorrect use, or unauthorised access, modification or publication, and from its deletion. We will also adopt any security measure required by law.

Contact us

Should you have any questions on this privacy policy or wish to exercise any of your rights indicated above, please contact us at dpd@domini.cat.