Privacy Notice

You may download a .pdf copy of the Privacy Notice.

Introduction

The RESTENA Foundation coordinates national online resources for the Grand-Duchy of Luxembourg. The RESTENA DNS-LU service, also known as DNS-LU, is responsible for the management of .lu domain names and is in charge of the Registry of the country code top level domain .lu.

DNS-LU processes personal data that is subjected to Luxembourg national data protection and the General Data Protection Regulation (GDPR) (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.

RESTENA Foundation is committed to ensure that Luxembourg and EU data protection provisions are safeguarded.

This Privacy Notice explains how DNS-LU collects, uses, transmits and discloses (hereinafter referred to together as “processes”) domain name requestors’ and holders’ personal data, including administrative, and/or technical and/or billing contacts (“involved persons”), and the means by which this is done.

1.   Data Controller

The Data Controller of the top level domain .lu is:

Name            Fondation RESTENA

Address        2, avenue de l’Université
                   4365 Esch-sur-Alzette

                   Grand Duchy of Luxembourg
Tel.              +352 42 44 09 1

Fax              +352 42 34 73
E-mail           domreg@dns.lu

In its capacity as Data Controller RESTENA Foundation is committed to respect the rules of personal data protection.

2.   Data Protection Officer

RESTENA Data Protection Officer

Tel.              +352 42 44 09 1
Fax              +352 42 34 73
E-mail           domregs@dns.lu

3.   The Purpose and Legal Basis for Data Processing

  • Performance of an agreement

DNS-LU is processing your data in order to enter into an agreement to register and manage a domain name under the top-level domain .lu and to ensure the due and proper performance of the underlying contractual provisions.
Performance of an agreement may only be performed while taking into account and processing data of parties involved.

Purpose of the processing pursuant to point (b) of the Article 6(1) of the General Data Protection Regulation.

  • Legal obligation

DNS-LU can process your data if it is necessary to comply with legal obligations and/or within the framework of legal proceedings to which DNS-LU might be subject to, e.g., if DNS-LU receives a notification to disclose or transmit your personal data to jurisdictional or governmental authorities.

Purpose of the processing pursuant to point (c) of the Article 6(1) of the General Data Protection Regulation.

  • Legitimate interests

DNS-LU can process your data where it is strictly necessary for the purpose of safeguarding the legitimate interests pursued by DNS-LU or by a third party for preventing fraud, cyber-attacks, network & information security reasons and for ensuring your data integrity as domain holder in relation with domain name registration, provided that your interests or fundamental rights and freedoms are not overriding, taking into consideration the reasonable expectations based on your relationship with the data controller.

Purpose of the processing pursuant to point (f) of the Article 6(1) of the General Data Protection Regulation.

4.   Categories of Recipients of Personal Data

4.1.    DNS-LU has the right to disclose personal data:

4.1.1  if you request such information to be published and DNS-LU can identify the requestor.

4.1.2  if, in cases provided by law, a national jurisdictional, governmental or other authority empowered for this purpose requests personal data and the request is made pursuant to enactments of the Grand-Duchy of Luxembourg.

4.1.3  if, in case an interested party provides DNS-LU in writing with information of a current or potential problem arising in connection with the use and/or proper functionning of the Internet and the Domain Name System (DNS) in order to deal with and/or to look up the status of a domain name.

 4.2.    Within the performance of its contractual obligations, as domain name holder you authorize DNS-LU to transmit Personal Data to employees, agents or other third party service provider within or outside your country in order to provide services and for the purposes indicated above. Employees, agents and other third party service providers which have access to Personal Data are required by DNS-LU to ensure compliance with all applicable data protection provisions. Any person authorized by DNS-LU to access Personal Data as defined in this Privacy Notice will be made aware of the data protection implications.

4.3     In accordance with the request of the domain name holder and concerned persons, DNS-LU has specifically the right to disclose personal data:
- to the Registrar of the domain name holder’s choice, and
- to the identified concerned persons.

4.4.    You have the right to request from DNS-LU information about recipients of your personal data, unless such information cannot be disclosed pursuant to legal provisions of the Grand-Duchy of Luxembourg.

4.5.    You have the right to be informed on whether or not your personal data are transferred to a third country or to an international organisation. In this context, you are entitled to be informed of the appropriate safeguards regarding the transfer pursuant to Article 46 of the GDPR.

5.   Data security, access to Personal Data, Rectification and Data portability

5.1.    DNS-LU protects Personal Data with appropriate physical, electronic and process-related security measures, such as firewalls, personal passwords, encoding and authentication technologies.

5.2.    You can access your data and rectify them via your regular Registrar and/or in case DNS-LU acts as your Registrar via DNS-LU website dns.lu, at DNS-LU’s offices, or by sending your request to our postal address:

2, avenue de l’Université,
4365 Esch-sur-Alzette,
Grand-Duchy of Luxembourg.

5.3.    You have the right to receive your data processed by DNS-LU in a machine-readable format.

6.   Data Update, right to Object and Restriction of Processing

6.1.    You are responsible for providing valid, actual and complete data at the moment of concluding the agreement, as well as during the entire period of the performance of the agreement. Valid, effective and complete data should be provided at any time to your Registrar.

6.2.    In case of any changes, it is your right and under your responsibility to update your data without undue delay by informing your Registrar.

6.3.    If DNS-LU discovers that your data are false, obsolete or incomplete, you will receive a request to correct the data. If no answer is received or the data are not updated within reasonable delay, and in any case within 30 days, DNS-LU has the right to terminate the domain name management agreement as laid out in Terms and Conditions.

6.4.    If a domain name holder objects to the processing of personal data, DNS-LU will terminate the Agreement, as collecting personal data and its processing are necessary for the conclusion and performance of the domain name registration and management agreement.

6.5.    Access to data is restricted.
A request to forward any message to the holder as private person (including involved persons) must be filed in writing with DNS-LU. Such a request must be duly motivated and is subject to DNS-LU’s approval. DNS-LU will consecutively pass on the request to the holder without establishing any direct contact with him.

7.   Identification of authorized persons

7.1.    In the interest of privacy and data protection, DNS-LU will ensure your identity (in your function as requestor) before responding to any requests for transmission of messages to the holder (including involved persons) and reserves the right to request a copy of an identity document.

7.2.    DNS-LU may refuse the request if it can not identify you with certainty or if it considers the request excessive or unfounded. You (as requestor) will be informed of the reasons for the refusal within one month from the receipt of the request. DNS-LU may also require the payment of reasonable fees in the case of unfounded or excessive requests, in particular because of their repetitive nature.

8.   Erasure of Personal Data and Data Storage Limitations

8.1.     Within 30 (thirty) days after the expiry or termination of the domain name management agreement, DNS-LU shall destroy or remove from the computer systems and files all personal data in the possession or under the control of DNS-LU as of the date of expiry or termination, subject to:

8.2.     Personal Data that DNS-LU is legally required to keep after the termination or expiry of the domain name management agreement.

8.3.     In case of Limitation the data can no longer be the subject of any processing.

9.   Complaint Procedure

You have the right to file a complaint with the national supervisory authority (National Commission for Data Protection - CNPD) regarding a possible breach of personal data protection.

10. Change of Policy

DNS-LU reserves the right to modify this Privacy policy. DNS-LU shall notify the public of the new provisions at least 30 days before entry into force thereof, particularly through publication on its website dns.lu.