Data processing in the .PT zone
Technical Opinion – GDPR and .PT zone
This Technical Opinion is an integral part of www.pt.pt website’s Zone File Access Policy.Framework:
The purpose of this document is to examine whether the content of the .PT zone, which is regularly transferred outside the European Union limits, includes data considered as personal data in the light of the RGPD. If this premise is true, then measures must be taken that are considered as applicable according to what results from this law, as well as the other applicable legislation on the privacy and protection of personal data.
Analysis:
The .PT zone is the file that is generated periodically and which, in practice, is the product of the DNS.PT job. This file contains the delegations that exist for .pt domains and makes the introduction of these delegations into the worldwide DNS system. See below an example of the content for the domain dns.pt.
Fig. 1
For the insertion of this data in the world DNS system, this file is loaded in DNS servers, being that, due to redundancy issues, there is a set of 9 servers registered in the root zone, after which these 9 servers multiply in more than 150 locations, many of them outside the limits of the European Union.
The zone file contains several types of DNS records, highlighting the records of type NS, type A and AAAA. NS type records are delegations of .PT domains into other servers and consist only of domain names, whereas type A or AAAA records are called glue records and consist of a domain name and a IP version 4 or version 6. There are more types of records in the PT zone, but these are the result of the DNSSEC signature of the zone and have no relevance for this purpose.
Regarding the domain names in the zone file, it was understood internally that these are not considered personal data. Therefore, their transfer outside the European
Union requires no particular extra diligence.
Regarding the IP addresses, the GDPR expressly provides that we will reproduce:
"Natural persons may be associated with identifiers by electronic means, provided by their devices, applications, tools and protocols, such as IP (Internet Protocol) addresses...".
In view of this, it is necessary to clarify if the IPs existing in the .PT zone are personal data or not, that is, if they allow the identification of a natural person from them.
IP's are the addresses that the devices use to communicate on the Internet, and typical Internet communication involves two actors: a client and a server. In the scenario described above the server is always a machine and the client can be a machine, in machine-to-machine communications, or a human in other cases. It is important to define that when the interlocutor is a machine this typically belongs to an organization and not to a natural person. This means that in these scenarios the IP identifies an organization and not a natural person.
We can exemplify this communication with the example of access to the site www.pt.pt by a client. Currently the IPv4 address of this site is 85.39.208.69, and the IPv6 address is 2a04: 6d80: 0: 1 :: 5, so when a client wants to access this site from any device, there is a packet exchange between the client device and the server where the IPs of both parties are always present. In this communication exchange the involved IPs can identify the client and the server, but the IP of the server identifies a corporate person and not a natural person since a direct association between the IP of the site and a specific individual can not be made. This is because the site identifies a legal person.
Let's focus on DNS systems now. Most DNS communications are machine-machinelike, and the systems that DNS.PT operates on are name servers, so these IPs identify organizations and not a specific element of the team, that is, a specific person. Systems that communicate with DNS.PT servers are also mostly servers and therefore identify organizations rather than individuals.
The IPs that are in the content of the .PT zone remain to analyze. These IPs are designated by the domain administrators and point to the domain name servers in question and as explained above serve primarily for machine-to-machine communications. Thus, in the case of servers, these systems identify organizations, not individuals. In addition, most of these servers are associated with multiple domains or sites.
At this time, the .PT zone has less than 3000 IP addresses and most of them are associated with domains owned by legal persons.
Regarding the IP addresses, the GDPR expressly provides that we will reproduce:
"Natural persons may be associated with identifiers by electronic means, provided by their devices, applications, tools and protocols, such as IP (Internet Protocol) addresses...".
In view of this, it is necessary to clarify if the IPs existing in the .PT zone are personal data or not, that is, if they allow the identification of a natural person from them.
IP's are the addresses that the devices use to communicate on the Internet, and typical Internet communication involves two actors: a client and a server. In the scenario described above the server is always a machine and the client can be a machine, in machine-to-machine communications, or a human in other cases. It is important to define that when the interlocutor is a machine this typically belongs to an organization and not to a natural person. This means that in these scenarios the IP identifies an organization and not a natural person.
We can exemplify this communication with the example of access to the site www.pt.pt by a client. Currently the IPv4 address of this site is 85.39.208.69, and the IPv6 address is 2a04: 6d80: 0: 1 :: 5, so when a client wants to access this site from any device, there is a packet exchange between the client device and the server where the IPs of both parties are always present. In this communication exchange the involved IPs can identify the client and the server, but the IP of the server identifies a corporate person and not a natural person since a direct association between the IP of the site and a specific individual can not be made. This is because the site identifies a legal person.
Let's focus on DNS systems now. Most DNS communications are machine-machinelike, and the systems that DNS.PT operates on are name servers, so these IPs identify organizations and not a specific element of the team, that is, a specific person. Systems that communicate with DNS.PT servers are also mostly servers and therefore identify organizations rather than individuals.
The IPs that are in the content of the .PT zone remain to analyze. These IPs are designated by the domain administrators and point to the domain name servers in question and as explained above serve primarily for machine-to-machine communications. Thus, in the case of servers, these systems identify organizations, not individuals. In addition, most of these servers are associated with multiple domains or sites.
At this time, the .PT zone has less than 3000 IP addresses and most of them are associated with domains owned by legal persons.
Conclusion:
In view of the foregoing, it is our understanding that the .PT zone does not include personal data within the meaning of the RGPD. In this context, and with respect to the transmission outside the European Union, it is understood that technical steps and conditions must be maintained, in particular at the level of compliance with security norms and standards adopted to date, and it is not necessary in the immediate to implement additional requirements.
Lisbon, May 8, 2018
Technical Direction .PT