Chose your color

Frequently visited

Frequently asked questions

  • I am looking for a domain name registrant. Where can I look it up?

    The Whois is an easy-to-use tool for checking the availability of a .nl domain name. If the domain name is already taken, you can see who has registered it.

    On the page looking up a domain name you will find more information about what a domain name is, how the Whois works and how the privacy of personal data is protected. Alternatively, you can go straight to look for a domain name via the Whois.

  • I would like to transfer my domain name to another registrar. What is the procedure?

    To get your domain name transferred, you need the token (unique ID number) for your domain name. Your existing registrar has the token and is obliged to give it to you within five days, if you ask for it. The procedure for changing your registrar is described on the page transferring your domain name.

  • The details registered about me/my company are incorrect or out of date. How can I get them updated?

    To update the contact details associated with your domain name, you need to contact your registrar. Read more about updating contact details.

  • Why is my domain name in quarantine?

    When a domain name is cancelled, we aren't told the reason, so we can't tell you. You'll need to ask your registrar. The advantage of quarantine is that, if a name's cancelled by mistake, you can always get it back.

    One common reason is that the contract between you and your registrar says you've got to renew the registration every year. If you haven't set up automatic renewal and you don't renew manually, the registration will expire.

  • Ik heb een klacht over mijn provider/registrar. Kan ik daarvoor bij SIDN terecht?

    Wanneer je een klacht hebt over of een geschil met je registrar dan zijn er verschillende mogelijkheden om tot een oplossing te komen. Hierover lees je meer op pagina klacht over registrar. SIDN heeft geen formele klachtenprocedure voor het behandelen van een klacht over jouw registrar.

  • What conditions do I have to meet as a registrar?

    Would you like to be able to register domain names for customers or for your own organisation by dealing directly with SIDN? If so, you can become a .nl registrar. Read more about the conditions and how to apply for registrar status on the page becoming a registrar.

More frequently asked questions

Privacy Policy for .nl Domain Names

Version: 1 January 2023

What important words and names will you come across in this document?

Administrator

Our CEO.

Applicant

Someone who asks to register a .nl domain name.

Application

When someone asks us to do or change something in connection with a domain name. When you ask to register a domain name, for example.

Data controller

Us, SIDN BV.

Data subject

The person that an item of data is about.

Domain name

A combination of characters at the first level below the .nl domain.

Privacy Policy

This document.

Processing

Doing something with an item of personal data for the register.

Register

The database containing all registered .nl domain names and information about them.

Registrant

Someone who has registered a .nl domain name and is recorded in our register as the registrant.

Registrar

An organisation that arranges the registration of domain names and manages registrations for applicants and registrants. Each registrar has a contract with us.

We

SIDN BV (referred to below as SIDN).

Why do we process personal data?

  • To deal with applications to register domain names.

    • And for all the things we need to do to make that possible.

      • As well as the activities that result from dealing with applications.

  • To respond to requests and complaints from registrants and data subjects.

  • To pass on to registrars so that they can do their work.

    • Details of the data we pass on are given in annex I, under 'available to registrars'.

  • To maintain the zone file.

  • To maintain the Whois (the part of the register that anyone can look at).

    • Whois data can be used for these purposes:

      • To sort out technical problems that affect how the internet works.

      • To apply for .nl domain names and to find out who the registrants of existing names are.

      • To protect intellectual property rights.

      • To stop illegal and harmful content being put on the internet, or to get it taken down.

  • There are rules about the Whois in article 23.2 of the General Terms and Conditions for .nl Registrants.

  • We're also allowed to share the data with the people and organisations mentioned in article 7 of this policy.

    • The data we share is detailed in annex I.

What responsibilities does the manager have?

The manager is in charge of the processing activities on a day-to-day basis.

Whose data do we process?

  • Registrants

  • The people who act as contacts for domain names

  • Registrars and their contacts

  • Resellers

What data do we include in the register?

This is the most data that we process about the people mentioned in article 4:

  • Details of domain name applications and applicants

  • Relationship management information

  • Security information

  • Public data

Where do we get the data from?

  • The registrant

  • The registrar who forwards the domain name application or looks after the registration

Who do we share data with?

  • We publish data in the Whois (the part of the register that anyone can look at).

    • There are rules about the Whois in article 23.2 of the General Terms and Conditions for .nl Registrants.

    • We follow the rules in the General Data Protection Regulation.

  • Sometimes we share non-public data.

    • We share non-public data only with people and organisations that have a legitimate interest in it (interested parties).

    • If we do that, we always tell the registrant.

  • We share non-public data with investigatory and enforcement authorities.

    • We do that only if the law says that the authorities are allowed to have the data, and if they ask us for it.

  • We share non-public data with certification authorities.

    • We do that only if they ask for data on the registrant's behalf.

Who's allowed to process data?

The manager says who can process data.

  • The people allowed by the manager can record, correct, add to and delete data.

What do we do if the data we have contains mistakes?

We correct the data as soon as we can if we find out that it's incorrect or incomplete.

  • The manager gets data corrected to make sure it's accurate.

When do we delete data?

We delete data if we do longer need it for our work.

  • Or if the law says that we aren't allowed to process it any longer.

Who has direct access to our data?

  • The manager decides which of the people that work here are allowed direct access.

    • The people who have direct access process data only for our work and to deal with complaints and enquiries.

  • Anyone can use the Whois to look at our public data.

    • So everyone has direct access to that data.

  • The manager decides who is allowed direct access to our data for technical activities.

How do we secure data?

We secure data in line with the manager's instructions.

What rights do data subjects have?

  • Anyone who wants to use the rights they have under the General Data Protection Regulation can contact the manager.

    • You will find the relevant articles from the regulation in appendix 2.

  • You can get a lawyer to contact the manager for you if you like.

    • Your lawyer will need to show written authorisation from you.

  • You can also have someone else contact the manager on your behalf.

    • Your representative will need to show written authorisation from you.

      • We won't be able to give your representative any data that they have a personal interest in.

      • Also, we'll refuse a request from a representative if we have good reason to think that their written authorisation isn't genuine.

What are the confidentiality arrangements?

You have to keep information about other people to yourself.

  • That's unless you need to share it in order to do what it was given to you for.

  • Or unless the General Data Protection Regulation or this policy says you can share it.

Annex 1 to the Privacy Policy for .nl Domain Names

This table shows who can see what data in the Whois.

Public (website)

Public (command line)

Investigators, CAs & interested parties1

Registrars

Domain name

x

x

x

x

Status

x

x

x

x

Registrant's handle

x

x

Registrant's name

x2

x

x

Registrant's address

x3

x

x

Registrant's e-mail address

x

x

Registrant's phone number

x

x

Admin-c's handle

x

x

Admin-c's name

x

x

Admin-c's address

x

x

Admin-c's e-mail address

x

x

x

Admin-c's phone number

x

x

Registrar's name

x

x

x

x

Registrar's address

x

x

x

x

Tech-c's handle

x

x

Tech-c's name

x

x

Tech-c's name address

x

x

Tech-c's e-mail address

x

x

x

Tech-c's phone number

x

x

Name servers

x

x

x

x

DNSSEC

x

x

x

Registration date

x

x

x

x

Date of last update

x

x

x

x

NL Domain Registry

x

x

x

x

Domicile notice

x

Copyright notice

x

x

x

x

[1] On request in individual cases. [2]Only business registrants' names are visible to the public. Private registrants' names aren't. [3]Business registrants can choose to make their addresses public. Private registrants' addresses aren't visible.

Annex 2 Relevant articles from the General Data Protection Regulation

Article 15, Right of access by the data subject

  1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

    1. the purposes of the processing;

    2. the categories of personal data concerned;

    3. the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;

    4. where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

    5. the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;

    6. the right to lodge a complaint with a supervisory authority;

    7. where the personal data are not collected from the data subject, any available information as to their source;

    8. the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

  2. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.

  3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.

  4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.

Article 16, Right to rectification

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Article 17, Right to erasure (‘right to be forgotten’)

  1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

    1. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

    2. the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;

    3. the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);

    4. the personal data have been unlawfully processed;

    5. the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

    6. the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

  2. Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

  3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:

    1. for exercising the right of freedom of expression and information;

    2. for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

    3. for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);

    4. for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

    5. for the establishment, exercise or defence of legal claims.

Article 18, Right to restriction of processing

  1. The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

    1. the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;

    2. the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

    3. the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;

    4. the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.

  2. Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

  3. A data subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction of processing is lifted.

Article 21, Right to object

  1. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

  2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

  3. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

  4. At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.

  5. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.

  6. Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

Annex 3 - Personal data in the public Whois

1. What is the purpose of the public Whois?

The Whois is an SIDN service that enables anyone who abides by the conditions of use to look up certain information about a registered .nl domain name by automated means and without identifying themselves. Information may be looked up for the following purposes:

  1. To resolve technical problems that affect how the internet works

  2. To apply for a .nl domain name or to find out who the registrant of an existing name is[4]

  3. To protect intellectual property rights

  4. To stop illegal and harmful content being put on the internet, or to get it taken down

There are two ways of accessing the Whois:

  • Via the command line

  • Via SIDN's website

When the Whois is accessed via the command line, only very basic details of the registration are available. No limit therefore applies to the number of command-line queries you can submit. However, website queries are controlled in order to prevent large-scale automated data harvesting. We control website queries by limiting the daily number of queries accepted from any given IP address. In addition, the e-mail addresses in the Whois are protected against automated copying. [4] With a view to contacting the registrant about the possibility of transferring the domain name

2. What personal data is published in the Whois?

Article 4.1 of the General Data Protection Regulation states: 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

If the registrant is a natural person, a domain name therefore counts as personal data. Consequently, all the information about a natural person's domain name provided by the Whois has to be regarded as personal data as well.

Even if a domain name's registrant isn't a natural person, information about the registrant may be personal data. That's the case when a natural person registers a domain name for business use and gives their own details as the registrant's name, trading name or address. The e-mail addresses of the administrative and technical contacts are personal data too, if they are the addresses of natural persons. Finally, the Whois includes the (trading) names and addresses of registrars and, in some cases, resellers. That information is personal data as well where the registrar or reseller is a sole trader or otherwise directly associated with a natural person.

3. Justification for processing in the form of publication in the Whois

With all personal data made available in the Whois, processing is necessary for protection of the legitimate interests of SIDN (as the data controller), or those of the data subject, or those of a third party insofar as we consider that, in the particular circumstances, the third party's interests outweigh the data subject's interest in privacy protection founded upon his or her fundamental rights and freedoms.

In cases where the registrant is a natural person, implying that all associated registry data is personal data, the data made available in the Whois and the purposes for which that data is made available are as specified below. Where standalone personal data is made available, details are provided.

  • Domain name: the variable upon which a Whois look-up is based and which therefore needs to be stated.

  • Status: a statement as to whether the domain name is currently active, or, for example, in quarantine following cancellation. (Purpose 2 applies.)

  • Registrant: information about the party to whom the domain name is registered. (Purposes 1-4 apply.) No information about any natural person is given under this heading unless the domain name has been registered for business use. Business registrants have the option of making their physical (business) address available.

  • Administrative contact: the e-mail address to which communications regarding the registration may be sent for the attention of the registrant. The address in question may be that of the registrant, or that of a third party (natural person or legal entity) who manages the domain name for the registrant. Any valid e-mail address may be given. Hence, a registrant is free to give an address which sheds no light on the identity of the registrant or contact, e.g. xyz495@gmail.com. (Purposes 1-4 apply.)

  • Registrar: the name and physical address of the SIDN-affiliated registrar that manages the registration. The registrar is a professional service provider that manages domain name registrations for registrants under the terms of a contract with SIDN. The registrar's details are provided as an alternative means of contacting the registrant if communications to the other contact addresses produce no response. (Purposes 1-4 apply.)

  • [If available:] Reseller: the name and physical address of the reseller (where relevant). The reseller is a provider of registration and domain name management services, who acts as an intermediary between the registrar and the registrant. The reseller's details are made available at the request of the registrar, because the reseller often has closer contact with the registrant than the registrar does. (Purposes 1-4 apply.)

  • [If available:] Abuse contact: a phone number and/or e-mail address for communications relating specifically to abuse of the domain name. The information in question is provided only if the registrar opts to have it made available. (Purpose 4 applies.)

  • Technical contact: an e-mail address for communications relating to technical problems associated with (use of) the domain name. (Purpose 1 applies.) In practice, the address given often belongs to (the technical support department of) the registrar, reseller or hoster. However, it may belong to the registrant or a third party. So, for example, the address may be something like techsupport@registrar-name.nl or, again, xyz495@gmail.com.

  • DNSSEC: an indicator ('Yes' or 'No') as to whether the domain name is secured in accordance with the DNSSEC protocol. The information is important in the event of the domain name's transfer from one registrar to another: if the domain name's DNSSEC status is 'Yes', the registrars/resellers/hosters involved in the transfer will need to ensure maintenance of the domain name's secure status. (Purpose 1 applies.)

  • Domain name servers: details of the name servers for the domain name. (Purpose 1 applies.)

  • Registration date: the date on which the domain was last registered. This date can be important in the context of, for example, intellectual property disputes, but also in the context of crime prevention. (Purposes 3 and 4 apply.)

  • Date of last update: the date on which the domain name's registration was last amended. The amendment in question may involve any aspect of the registration: a change of registrant, an update to the registrant's details, or a change to the name servers, administrative/technical contact or registrar, for example. The date is used for purposes such as removing illegal and harmful internet content and protecting intellectual property rights. (Purposes 3 and 4 apply.)

  • Administration by: the name of the party responsible for central administration of the domain name. For all .nl domain names, that is SIDN. This information makes it clear that SIDN is the data controller.

4. Opt-out

As indicated above, we publish personal data in the Whois in the legitimate interests associated with such publication, and with due regard for the need to strike a balance between the interests served by publication and the interests of the data subject. Under normal circumstances, an appropriate balance between those interests is achieved by publication of the data referred to in section 3. Under certain circumstances, however, it may be appropriate to make less personal data available. To cater for such circumstances, we have an opt-out-procedure. In cases where an opt-out is permitted, the Whois contains no information about the registrant or the administrative contact.