8 November 2024, version 3.6
Data responsibility
Punktum dk processes personal data in order to administer .dk domain names. This privacy policy provides information on how we process your data.
Punktum dk is the data controller and has the following contact details:
Punktum dk A/S, Ørestads Boulevard 108, 11th floor, 2300 Copenhagen S
VAT No.: 24210375
Tel.: +45 33 64 60 60
Website: www.punktum.dk
Collection and purpose
We only collect and process personal information when necessary. We collect and process personal information:
- To provide services to Punktum dk's customers, including establishing customer relationships with registrants, maintaining contact, providing services and support, invoicing and enhancing the security of Danish domain names etc.
- To fulfill our legal obligation to collect information for the purpose of maintaining the whois database.
- To develop and manage our business, services, systems, processes and enhance security. In this context, we may create statistics and analyses of customer information if needed.
- To send you service messages or information about our services (marketing). In the latter case, the processing of your personal information will only take place if you have given consent.
- To develop and operate solutions based on artificial intelligence (AI). This information is collected and processed in accordance with applicable data protection laws.
We only collect the personal data required to fulfill our role as administrator of .dk domain names.
Types of information, that we use
Punktum dk only collects personal data about registrants, a registrant’s proxy and billing contact (if applicable), and registrars. The personal data we collect and process consists primarily of contact information and information about the registration of a domain name, in the form of:
- name,
- address,
- telephone number,
- email,
- user ID,
- customer number
- CPR number,
- CVR number,
- IP address,
- domain name,
- invoice numbers and
- account numbers.
In connection with submitting an application for a domain name to a registrar, you must also enter into an agreement with Punktum dk on the right of use of a .dk domain name. In this connection, information is transferred from the registrar to Punktum dk so that we can perform registration in the whois database and subsequently contact the registrant.
Punktum dk collects and processes information in connection with the use of Punktum dk’s self-service portal. In connection with the use of our registrar portal, the personal data also includes the registrar’s employees, who are registered in Punktum dk’s systems.
Punktum dk may also collect and process updated personal data in connection with checking the contact information and identity of registrants, as well as validation of contact information by searching for information registered under a CPR or CVR number, see more below. This is necessary to ensure that the personal data we process about you is accurate, as required by the Danish Domain Names Act. Therefore, it is also important that you always keep your own personal data in our systems up to date.
When you visit our website, we use cookies for statistics and user surveys, if you have given your consent.
We may also collect information about potential misuse of domain names.
Checking registrants’ contact information and identity
MitID
All new registrants wishing to register a new .dk domain name, and who reside in Denmark, must complete an identity check with MitID of their contact information and identity. As part of this check, Punktum dk collects the CPR number to confirm the connection between the MitID used and a registrant who is a private individual. When Punktum dk has established this connection, the CPR number will be automatically deleted.
Similarly, all existing registrants will be met with a request for an identity check with MitID when accessing Punktum dk’s self-service portal.
Risk-based identity check
All new registrants wishing to register a new .dk domain name, and who reside outside Denmark, must complete a risk-based check of their contact information and identity. Punktum dk conducts a risk assessment of the information received from the registrar. If this assessment finds that there is a low or high probability of incorrect contact information or false identity, the new registrant must complete a documentation process, in which the applicant must submit documentation through a secure channel in addition to that listed in the previous section. This may include, for example:
- photo identification,
- a portrait photo
- document form utility company, bank or insurance company.
If the documentation is not approved, the application is denied and the domain name is deleted.
Notification about information in whois
In accordance with the Administrative Order on the Internet domain .dk Punktum dk is obliged to investigate the accuracy of a registrant's identity information (name, address, telephone number and e-mail) if Punktum dk receives a notification with a reasoned suspicion that the registrant's information is not correct. In connection with such an investigation, Punktum dk processes the registrant's personal data. The investigation may involve a documentation process as described above.
Fair and transparent processing of personal data
In connection with the collection of your personal data, we inform you of the data we process relating to you and the purpose of this processing. You will receive information about this at the time of collection of your personal data.
Information security
Security is a top priority for Punktum dk. We have a strong focus on the protection of our data, systems and services. The Punktum dk information security policy and our ISO 27001 certification form the foundation for our activities to secure systems and services, and protect our customers’ data. You can read more about this here.
As part of our high standards for information security, we protect our critical and sensitive information and information systems from being compromised or used without authorization. We protect your personal data from destruction by mistake, loss, alteration, unauthorized publication and disclosure to unauthorised parties.
Data processing agreement
We always enter into a data processing agreement with suppliers who process personal data on our behalf, and we ensure that our data processors comply with high standards of information security.
Deletion of personal data
- We delete ordinary customer data, eg name, address and similar information about the contractual relationship between the customer and Punktum dk, which is stored in accordance with the Accounting Act for accounting purposes after the current year plus 5 years.
- We delete personal information relevant to any claims after the expiration of the statute of limitations in accordance with the Limitation Act.
- We delete documentation sent in connection with ID verification no later than after one year, to ensure that Punktum dk can submit the documentation to the Complaints Board for Domain Names, in the event that an appeal is lodged against Punktum dk's decision.
We regularly review our need for information retention so that we do not store more than is absolutely necessary.
Release of information to Center for Cyber Security
To ensure a high level of information security for .dk domain names, Punktum dk is connected to the Cybersecurity Center's network security service. The service detects, analyzes, and helps mitigate security incidents by monitoring selected network and information systems at Punktum dk.
Release of information to others
Marketing use
Punktum dk does not release personal data to any third party for their marketing use.
Whois information
It is important that internet users can identify the person or company that is the registrant of a given domain name. Therefore, the name, address and telephone number must generally be available to the public in our whois database. This is required by section 18(1) of the Danish Domain Names Act.
The Danish Domain Names Act allows registrants to keep their address and/or telephone number hidden if other legislation excludes this information from the public domain. In order for Punktum dk to accept a request for anonymity, you must either have name and address protection in the Danish civil registration system (CPR), or under the legislation of the country where your address is located.
The billing contact and the proxy will always be hidden from the public in the whois database, but not from the registrant’s self-service portal.
Punktum dk may release personal data to a third party on request. This includes personal data about registrants that is anonymous in the whois database. You can read more about the release of data here.
Punktum dk is entitled to release name and address data about all registrants (including registrants that are anonymous in the whois database) to Punktum dk’s auditor in connection with the auditing of Punktum dk’s financial statements and to other professional advisers, including lawyers, if necessary, e.g. to resolve a dispute or legal claims.
Punktum dk share personal information with vendors including those involved in the operation and maintenance of DNS, operating systems, security solutions, payment solutions, and systems for conducting data and ID-control.
Punktum dk may release personal information to public authorities, private companies or organizations, including research institutions, the police and public agencies, for the purposes of research, law enforcement and enhancing the security of Danish domain names, where such disclosure is compliant with the data protection regulation.
Release of data according to law
According to administrative order on the .dk Internet domain, §7 (1), Punktum dk is obliged to conduct user surveys once a year to measure the satisfaction of registrants and registrars. In this connection, we share their contact information with a third party responsible for conducting the user survey.
In addition, Punktum dk is required by law to provide information on registrants of .dk domain names to public authorities on an ongoing basis.
Release of data to third parties
Some of the third parties with whom Punktum dk shares personal information, for example, in connection with system operations, may be located outside the EU and EEA. For such transfers, the European Commission's standard contractual clauses or another legal basis for transfer, as outlined in the General Data Protection Regulation articles 45-49, are utilized. Additionally, the necessary organizational and technical measures are in place to ensure the protection of the personal information entrusted to our data processors in third countries
Right of access
You are always entitled to access to the personal data we have registered about you. If you request access to your personal details, we will require evidence of your identity to ensure that the data is only released to the right person.
At your request, we can inform you of the data we process that relates to you. However, access to this information may be limited out of consideration for the privacy protection of other persons, trade secrets or intellectual property rights.
To request access to your personal data, write to us here.
Right to deletion or correction of your personal data
If you believe the personal data we are processing about you is inaccurate, you are entitled to correction of this data. You must contact us and inform us what the inaccuracies are and how they can be corrected.
In some cases, we will be obliged to delete your personal data. If you believe that your data is no longer necessary in relation to the purpose for which we obtained it, you can request deletion of the data. You can also contact us if you believe that your personal data is being processed in violation of the law or other legal obligations.
When you contact us to request the correction or deletion of your personal data, we will check whether the conditions for such correction or deletion have been met, and if this is the case we will perform the correction or deletion as quickly as possible.
Right of objection
You have the right to object to our processing of your personal data. If your objection is legitimate, we will discontinue processing of your personal data. However, please note that processing of your personal data is a requirement for having an agreement with Punktum dk on the right of use to a .dk domain name, as this data is necessary to administer the customer relationship.
Cookies
Visiting Punktum dk’s website
At punktum.dk we use cookies for statistics and user surveys. This gives us an overview of how many people visit the different parts of our website, as well as asking our users about their experience of punktum.dk. That way we can make the website as user-friendly as possible.
When you visit punktum.dk, you will see a banner with information about cookies for statistics. Clicking "Allow all cookies" sets session cookies and cookies to collect statistics and the banner disappears. The information in cookies is anonymous to us and will not be linked to the individual user.
Use of Punktum dk's self-service systems
If you log in to selvbetjening.punktum.dk, a cookie is placed on your computer, which is used exclusively as a key to the self-service portal. The cookie, named "DKHM_SB_SESSION", is only relevant as long as you are active in our self-service portal. The cookie remains in the browser until the browser is closed.
Complaints
Please direct complaints about Punktum dk’s processing of personal data to:
Danish Data Protection Agency, Borgergade 28, 5, DK-1300 Copenhagen K
Tel.: +45 3319 3200
Email: dt@datatilsynet.dk