Request for Disclosure of Non-Public Registrant Data - NPRD Policy, Form & Guide

Trustname is committed to protecting customer privacy, including domain registration data. We also recognize that, in limited circumstances, there may be legitimate grounds to request access to non-public registrant data. To handle such requests, Trustname reviews them in accordance with applicable laws of the Republic of Estonia, the European Union, and our contractual obligations as an ICANN-accredited registrar.

For privacy reasons, personal information contained in registration data is not displayed in our public WHOIS. However, certain third parties may request access to non-public registration data ("NPRD") where they can demonstrate a valid legal basis, such as a legitimate interest under applicable data protection law or a valid court order issued by a competent authority.

This article explains the mechanisms available for requesting disclosure of NPRD, the standards Trustname applies when reviewing such requests, and the circumstances in which requests may be rejected.

If you wish to submit a request for NPRD, please download and complete the NPRD Request Form, including all supporting documentation, and submit your completed file to non-public-registrant-data-nprd-disclosure-whois-request-form-v1@trustname.com.

Key Principles

Privacy by Default. Trustname treats registrant data as protected personal data and does not disclose it absent a valid legal basis and proper supporting documentation.
Last Resort. Requests for NPRD should be used only when less-intrusive alternatives have been exhausted or are unavailable.
Data Minimization. Where disclosure is legally justified, Trustname will disclose only the minimum data necessary for the specific purpose.
Case-by-Case Review. Every properly submitted request is reviewed individually on its own merits in light of applicable Estonian and EU law, including the General Data Protection Regulation (GDPR).
No Informal Processing. Requests sent through informal channels may be rejected. Trustname requires use of the appropriate mechanism described below.

Less-Intrusive Alternatives

Before requesting NPRD, Requestor should consider whether the issue can be addressed through less-intrusive channels. Depending on the circumstances, these may include:

Submitting an abuse report through our official form: https://trustname.com/help/report-abuse
Contacting the relevant hosting provider where the issue concerns website content rather than domain registration
Pursuing a court order through the appropriate jurisdiction
Using the UDRP process for trademark-related domain disputes
Using available website contact forms, public notices, or other lawful contact methods

Where less-intrusive alternatives are available and reasonably sufficient, the rights and freedoms of the registrant may outweigh the Requestor's interest in disclosure.

Established Legal Mechanisms

Foreign Court Orders (including US), Subpoenas, and Non-EU Requests

Trustname processes requests for disclosure of registrant data strictly in accordance with the laws of the Republic of Estonia and the European Union.

Trustname does not accept or act upon direct requests from foreign authorities, including subpoenas, warrants, or court orders issued outside of Estonia. Requests originating outside the European Union must be submitted through the appropriate Mutual Legal Assistance Treaty (MLAT) channels and reviewed by the competent Estonian authorities.

Only upon receipt of a valid and enforceable order issued by an Estonian court, following proper judicial review, will Trustname consider disclosure, and only to the extent required by applicable law.

Requests that do not comply with this legally mandated process will be rejected without further review.

Uniform Domain-Name Dispute-Resolution Policy (UDRP)

Trustname complies with the Uniform Domain-Name Dispute-Resolution Policy (UDRP). Disclosure of domain registration data may form part of the UDRP process where requested by the authorized dispute resolution provider or mediator.

Domain registration data is not required in order to file a UDRP complaint. If a UDRP proceeding is initiated, disclosure requests related to that case should be made through the assigned provider in accordance with the applicable UDRP rules.

EU and Estonian Court Orders

Requests for disclosure based on European Union or Estonian court orders must be submitted through our official abuse and legal request form: https://trustname.com/help/report-abuse

To ensure proper review and processing, the submission must include a valid and enforceable order issued by a competent authority within the European Union or the Republic of Estonia, together with all relevant supporting documentation.

Requests submitted via email or other informal channels will not be processed.

Law Enforcement Requests

Trustname discloses domain registration data to law enforcement authorities only pursuant to a valid and enforceable court order issued by a competent authority within the European Union or the Republic of Estonia.

Requests originating from authorities outside the European Union are not accepted directly and must be submitted through the appropriate MLAT channels for review by Estonian authorities.

All other requests requiring review, including requests asserting legitimate interest, must be submitted via our official abuse and disclosure form: https://trustname.com/help/report-abuse

Each request is reviewed on a case-by-case basis in accordance with applicable Estonian and EU law, including GDPR, and subject to a strict necessity and balancing analysis.

Digital Services Act (DSA)

Where applicable, Trustname may respond to valid legal requests made under the Digital Services Act (DSA) and other binding EU legal instruments.

For content-related submissions under the DSA Notice & Action framework, please refer to our article: DSA Notice & Action Mechanism: Submission Guidelines

Please note that DSA content notices are separate from requests for disclosure of domain registration data. Where a request seeks NPRD, Trustname will evaluate it under the applicable data protection and disclosure framework described in this article.

All Other Requests: Legitimate Interest Balancing Test

For requests that are not based on a court order, UDRP process, or other established legal mechanism, Trustname will apply a legitimate interest balancing test ("Legitimate Interest Assessment" or "LIA") under GDPR Article 6(1)(f) or other applicable privacy laws.

To learn more about LIA, please consult your legal advisors or review help articles at the UK Information Commission’s Office.

This analysis weighs the requestor’s legitimate interest in obtaining personal data against the impact that disclosure may have on the registrant’s rights and freedoms. The test is applied on a case-by-case basis and may include consideration of:

Whether the requested data is necessary for the stated purpose
Whether less-intrusive mechanisms have been exhausted
Whether the request is specific, substantiated, and supported by evidence
Whether the Requestor has been adequately identified and verified
Whether the Requestor has legal authority to act on behalf of another party, where applicable
Whether the Requestor has demonstrated lawful processing safeguards
Whether disclosure would disproportionately interfere with the registrant’s privacy rights
Whether an established legal mechanism would be more appropriate

These factors are not exhaustive. Failure to provide sufficient detail, supporting documentation, or a clear legal basis may result in denial of the request.

Required Content for a Disclosure Request

A request submitted under the balancing test must include, at a minimum:

Domain Name. The exact domain name for which data is requested.
Data Elements Requested. A list of the specific non-public data elements being requested.
Identity of the Requestor. The full name of the individual making the request and the name of the organization, agency, or entity they belong to or represent.
Type of Requestor. Clarification of whether the Requestor is an individual, company, legal representative, law enforcement authority, or other entity.
Authorization to Act. If acting on behalf of another party, evidence of authority, such as a power of attorney or similar authorization.
Contact Information. A direct individual contact name and email address. Generic inboxes may be rejected.
Detailed Explanation of Legitimate Interest. A clear explanation of the legal rights, legitimate interest, and rationale for the request, including supporting documentation where relevant.
Explanation of Why Less-Intrusive Means Are Not Sufficient. A statement describing why alternative mechanisms are unavailable, exhausted, or inadequate.
Good Faith Statement. An affirmation that the request is made in good faith and that the allegations and supporting facts are accurate and complete.
Processing Location and Further Disclosure. The jurisdictions where the data will be processed and whether the data may be shared further, including with whom and for what purpose.
Lawful Processing Commitment. Confirmation that any disclosed data will be processed lawfully, fairly, transparently, and only for the purpose stated in the request.
Safeguards. Confirmation that appropriate technical and organizational measures are in place to protect the data.

Trustname may require additional information where necessary to evaluate a request.

How to submit a request for NPRD

Law enforcement or government agency requests for NPRD will require additional verification. Please email [email protected] for more information.

Requests submitted without required documentation, without sufficient detail, or through the wrong channel may be rejected.

Response Timeline

Trustname will acknowledge receipt of a properly formed disclosure request without undue delay and, in any event, no later than two (2) business days from receipt.

Trustname will provide a substantive response without undue delay and, absent exceptional circumstances, no later than thirty (30) calendar days from acknowledgment.

A response may:

Provide the requested data, in whole or in part; or
Deny the request and explain the reason for denial, including the basis on which Trustname concluded that disclosure is not permitted or not justified.

Emergency Requests

If a request involves an imminent threat to life, serious bodily injury, child exploitation, or critical infrastructure, this must be clearly indicated in the submission together with full supporting details and, where applicable, the name and contact information of the law enforcement authority involved.

Emergency status does not guarantee disclosure, but such requests will be reviewed as a priority where sufficient information is provided.

Abusive or Improper Requests

Trustname may take corrective action to address abusive, repetitive, incomplete, misleading, or bad-faith requests. Such corrective action may include requiring additional information by default, rejecting repetitive submissions, or restricting future requests from the same Requestor.

Any such corrective action will be communicated to the Requestor where appropriate.

Was this article helpful?

Have more questions? Submit a ticket