All Products
Document Center

Legal:Alibaba Cloud - Domain Services - ICANN Supplemental Notice

Last Updated:Jan 13, 2023


I. About this Supplemental Notice

In order to offer domain name registration services (the “Services”), several Alibaba entities are required to collect, store and share (i.e. “Process”) data about the domain name holders (this data is called “Registrant Data”).

This Processing is in particular required by Alibaba’s contracts with domain name registry operators (entities responsible for providing registry services such as customer database administration, zone file publication, DNS and DNSSEC operation and policy determination), and the Internet Corporation for Assigned Names and Numbers (ICANN), which in turn enable Alibaba to provide the Services.

The Alibaba entities in question are the Alibaba Cloud entity you contract with for the Services, and Singapore E-Commerce Private Limited (the “Registrar”).

In some cases, Registrant Data may relate to an identified or identifiable individual, in which case it will be subject to theAlibaba Cloud International Website Privacy Policy (the “Policy”). In respect of Registrant Data, the Policy should be read as also applying to the Registrar’s Processing of Registrant Data. Therefore in the Policy, and in this Supplemental Notice, the words “Alibaba”, “we” or “us” refer to the Alibaba Cloud entity you contract with for the Services, and the Registrar. Our contact details are set out in the Policy.

Further to this Supplementary Notice, Registrant Data will be Processed by us in accordance with the Agreement and Terms of Use governing your registration of domain names, including the rules, notices and policies referred to in those contracts. Those include ICANN-mandated policies (which are publicly available on ICANN’s website) and applicable regulatory requirements. These are evolving due to regulatory changes (particularly in Europe), so please be sure to regularly consult the aforementioned documents, including this Supplemental Notice, for information regarding the Processing of Registrant Data.

II. What is Registrant Data?

Registrant Data is information about individuals and/or their organization that is Processed by Alibaba in connection with the Services. The following Registrant Data are obligatory: (i) the registration data that Alibaba collects for registration of domain names (e.g. names, postal addresses, e-mail addresses, telephone numbers, fax numbers, for the various registrant, administrative, technical and billing contacts that are provided), (ii) IP addresses and names of the primary nameserver and secondary nameserver(s) for the registered domain name; (iii) data in and about communications relating to registration applications, confirmations, modifications, terminations, or any other correspondence with you (as Registrant), or with another party, relating to use of the Services (e.g., when investigating complaints), and (iv) our records indicating your acceptance of the Service Agreement.

III. Why is Registrant Data Processed, and who is it shared with?

Registrant Data is Processed for the following purposes, as set out in Section 4.4 of ICANN’s May 2018 Temporary Specification (terms used here have the same meaning as in that Temporary Specification):

• Reflecting a domain name holder’s rights to a registered domain name, and ensuring that the domain name holder (such as yourself) may exercise those rights;

• Providing access to accurate, reliable, and uniform Registrant Data based on legitimate interests not outweighed by the fundamental right of relevant data subjects, consistent with the European Union General Data Protection Regulation (EU) 2016/679 (the “GDPR”);

• Enabling a reliable mechanism for identifying and contacting domain name holders for a variety of legitimate purposes more fully set out below;

• Enabling a mechanism for the communication or notification of payment and invoicing information and reminders to domain name holders;

• Enabling a mechanism for the communication or notification to the domain name holder of technical issues and/or errors with a registered domain name or any content or resources associated with a registered domain name;

• Enabling a mechanism for the Registry Operator, Alibaba to communicate with or notify the domain name holder of commercial or technical changes in the domain in which the registered domain name has been registered;

• Enabling the publication of technical and administrative points of contact administering the domain names at the request of the domain name holder;

• Supporting a framework to address issues involving domain name registrations, including but not limited to consumer protection, investigation of cybercrime, DNS abuse, and intellectual property protection;

• Providing a framework to address appropriate law enforcement needs;

• Facilitating the provision of zone files of gTLDs to Internet users;

• Providing mechanisms for safeguarding domain name holders’ Registrant Data in the event of a business or technical failure, or other unavailability of Alibaba or a Registry Operator;

• Coordinating dispute resolution services for certain disputes concerning domain names; and

• Handling contractual compliance monitoring requests, audits, and complaints submitted by Registry Operators, Alibaba, domain name holders, and other Internet users.

Examples of the Processing of Registrant Data for the purposes stated above include:

• Inclusion in publicly-searchable Registration Data Directory Services (e.g. WHOIS directories, and their successors based on the Registration Data Access Protocol (RDAP)), which provide query-based access (although please note -- per the Temporary Specification, the inclusion of most Registrant Data in free public search results via these services may for the time being be subject to individuals’ prior consent, apart from organization name, state/province, and country. Access to the full (non-public) data will be granted on a more case-by-case basis, based on the legitimacy of the access. This policy, determined by ICANN, is subject to change in future; for more details, please see the Temporary Specification, in particular its Appendix A);

• Research on an aggregated statistical basis;

• Day to day operations of Alibaba or a Registry Operator, including sharing Registrant Data with Alibaba Cloud, the Registrar or the Registry Operator that provide legal, accounting, delivery, installation, system support, escrow, marketing, and other Registry services on their behalf;

• Email contact (by Alibaba Cloud, the Registrar or the Registry Operator) with the domain name holder, as required by any acceptable use policy;

• Transfers to providers of UDRP , URS , Trademark Clearinghouse and emergency back-end registry operator (“EBERO”) services;

• Transfer and further processing of Registrant Data to/by the Escrow, UDRP, URS, Trademark Clearinghouse and emergency back-end registry operator (“EBERO”) services;

• Processing that Alibaba, ICANN or a Registry Operator has a good faith belief is required by the law enforcement agencies, or a court order or other compulsory legal process applicable to Alibaba, ICANN, the Registrant or the Registry Operator; and

• As may be required by ICANN in accordance with a “zone file” access request.

In connection with the above,

• The Registrar is required to make certain Registrant Data available to ICANN for inspection by ICANN. Registrar will share certain Registrant Data with ICANN to resolve compliance-related inquiries and respond to ICANN audits;

• The Registrar and Registry Operator must regularly submit an electronic copy of certain Registrant Data to an escrow agent mutually approved by the Registrar, the Registry Operator, and ICANN, where it will be held in escrow in order to keep the domain name operating in the event we leave the domain-name registration business.

The relevant Registry Operator, and their policies, are listed here. ICANN’s policies are linked to above and/or listed here . The relevant escrow agents are listed here.

IV. If the Registrant Data is Personal Data protected by the EU GDPR, what is the legal basis for that Processing?

In relation with the GDPR, unless the legal basis for the Processing of Registrant Data is–

i. necessity to enter into or perform a contract with you (in particular, the contract for the Services);

ii. compliance with obligations laid down in EU or EU Member State law (for instance, where we are legally obligated to obtain, retain, search and/or disclose Registrant Data at the request of a court or investigating authority);

iii. necessity to perform a task in the public interest, where EU or EU Member State law requires or permits the Processing of Registrant Data to fulfill that task, or

iv. you have been asked to give, and have freely given, consent to such Processing (in which case you can non-retroactively revoke such consent at any time),

then the GDPR legal basis for the Processing is that is it necessary for you, our or a third party’s legitimate interests. For more information about those legitimate interests and the balancing exercise that evaluating those competing interests (including your potential interests relating to the protection of your rights, such as to privacy), please refer to the ICANN Temporary Specification linked to above, in particular sections 4.4 and 4.5. This complements the legitimate interests indicated in the Alibaba Cloud International Website Privacy Policy.

V. How long does Alibaba retain Registrant Data?

By default, and subject to applicable law, we retain Registrant Data that is Personal Data for the duration of your use of the Services and approximately two years thereafter, to ensure its continued availability for the purposes specified above.

Certain Registrant Data may be retained longer, for example for so long as it would be needed in order for us to establish, exercise or defend against legal claims, as described in the Alibaba Cloud International Website Privacy Policy . To determine the appropriate retention period for Personal Data, we consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorized use or disclosure of the Personal Data, the purposes for which we process the Personal Data, whether we can achieve those purposes through other means, and the applicable legal requirements.