EU Domain & GDPR Data Residency Requirements

WHOIS Data Under GDPR

Domain registrant data (name, address, email, phone) is personal data under GDPR. Registrar is data controller. Must: Store in EU/EEA, obtain consent, allow deletion request, notify breaches within 72 hours.

EU vs Non-EU Registrars

EU registrar (OVH, Gandi, EuroDNS): Data stored in EU by default. GDPR-compliant infrastructure. Non-EU registrar (GoDaddy, Namecheap): May store data in US. Need Privacy Shield successor or Standard Contractual Clauses.

Adequacy Decisions

GDPR allows data transfer to countries with "adequate" protection: UK, Switzerland, Japan, Canada (commercial). US has Data Privacy Framework (replaced Privacy Shield). Verify registrar participates in DPF.

Data Processing Agreements

If using non-EU registrar, require Data Processing Agreement (DPA). Confirms: Data processing location, security measures, sub-processor list, EU data subject rights. Most major registrars offer standard DPA.

Cookie Consent for Domain Websites

Website on EU domain must comply with ePrivacy Directive (Cookie Law). Requires: Explicit consent before non-essential cookies, ability to reject, cookie policy page. Affects all .eu domains and EU-targeted sites.

.eu Domain Eligibility

Only EU residents, companies registered in EU, or organizations established in EU can register .eu domains. Brexit: UK entities lost .eu domain eligibility. Existing .uk.eu domains transitioned to .eu or deleted.

Domain as Personal Data Asset

Domain registered to individual (not company) = personal data asset under GDPR. Individual has right to: Access their data (WHOIS info), rectify errors, delete domain registration (with notice period).

Right to Erasure Limits

Can't instantly delete domain (would break internet). Registrars implement "right to be forgotten" as: Transfer domain to new owner, or let domain expire after current registration period.

EUIPO Trademark Coordination

Register EU trademark via EUIPO. Protects across all 27 EU member states. Coordinate .eu domain registration with EUIPO filing. Trademark gives legal basis to recover infringing .eu domains via ADR.

Hosting Data Residency

Domain registered in EU but website hosted in US = potential GDPR issue if collecting EU personal data (contact forms, newsletter, cookies). Use EU-based hosting (Hetzner, OVH) or US host with EU data centers.

Multi-Country Domain Strategy

Operating across EU: .eu (pan-European brand) + country TLDs (.de, .fr, .es for local markets). GDPR applies uniformly but local marketing regulations vary. .eu + local ccTLDs = best coverage.

Data Breach Notification

Registrar suffers data breach (WHOIS data exposed) = must notify: Supervisory authority within 72 hours, affected registrants without undue delay. You (registrant) must notify customers if breach affects them.

Brexit Implications

UK left EU. UK GDPR mostly mirrors EU GDPR. But: Separate jurisdictions. .uk domains not affected. .eu domains: UK entities ineligible. Data transfers UK↔EU require adequacy decision (currently in place but subject to review).

Trademark Lens checks .eu and country-code domain availability - secure GDPR-compliant domains with EU-based registrar for full data residency protection.