Appendix 9 New gTLD Program: 2026 Round Privacy Policy
ICANN is committed to respecting and appropriately protecting the personal data it processes, including when sharing this data with others.
This privacy policy sets out how ICANN collects and uses personal information provided by or collected from individuals as part of the New gTLD Program: 2026 Round. This policy, which specifically pertains to the New gTLD Program: 2026 Round, is supplemented by the ICANN Privacy Policy,[1] which contains the more general provisions. In the event of a conflict between the two, the New gTLD Program: 2026 Round Privacy Policy (New gTLD Program Privacy Policy) prevails.
If you have any questions about this New gTLD Program Privacy Policy, contact privacy@icann.org.
This New gTLD Program Privacy Policy covers the following key topics:
A9.1 Definitions
"Authorized User" means any other users authorized by ICANN to access the 2026 Round Portals. This includes, but may not be limited to, ICANN staff and Independent Application Assessment Panelists.
"Applicant" means the organization designated as the “applicant” in the 2026 Round Application that has been submitted or will be submitted by the Applicant.
"Applicant User" means the User accessing and completing the 2026 Round Application on behalf of the Applicant.
"Application" means the application submitted for new gTLDs under the New gTLD Program: 2026 Round. For more information on Application, refer to the New gTLD Program: 2026 Round Applicant Guidebook (Applicant Guidebook), the Registry Service Provider (RSP) evaluation process Handbook (RSP Handbook), and the Applicant Support Program (ASP) Handbook (ASP Handbook).
"Data Subject" means the identified or identifiable natural person to which the Personal Information relates.
"EU Standard Contractual Clauses" means the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (Commission Implementing Decision (EU) 2021/914 of 4 June 2021).
"GDPR" means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
"2026 Round Portal" or “Portals” means any online new gTLD application management portal(s) for the New gTLD Program: 2026 Round, as specified by ICANN.
"ICANN Account" means the account that allows access to certain ICANN services, including the New gTLD Program: 2026 Round, so that account holders can manage their information such as name, email, and password, using only one set of login credentials.
"New gTLD Program: 2026 Round" means the ICANN initiative to enable the expansion of the Internet's Domain Name System (DNS) through the introduction of new generic top-level domains.
"Evaluation Panels" means any independent panel of subject matter experts ("Panelists") that is provided access to the Portals for the purpose of evaluating the 2026 Round Application as set forth in the Applicant Guidebook, RSP Handbook and ASP Handbook.
“Other Applicable Data Protection Law” means any applicable local and national data protection law of a third country.
"Processing" means any operation or set of operations which is performed on Personal Information or on sets of Personal Information, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
"User" means any individual using any 2026 Round Portal, either as an Applicant User or as an Authorized User.
Defined terms not explicitly defined in this New gTLD Program Privacy Policy shall have the meanings assigned to them in either the ICANN Privacy Policy or ICANN’s New gTLD Program: 2026 Round Applicant Guidebook.
A9.2 Data Controller
ICANN operates the New gTLD Program: 2026 Round and processes Personal Information in this context as an independent data controller. ICANN’s headquarters is located at 12025 Waterfront Drive, Suite 300, Los Angeles, CA 90094-2536, USA. For inquiries, ICANN can be contacted at privacy@icann.org.
A9.3 Personal Information Processed
This section outlines the various stages of an application's lifecycle during which Personal Information is processed.
Application Submission: Participation in the New gTLD Program: 2026 Round involves the collection and use of an applicant’s Personal Information, such as full name, postal address, telephone number, and email address. The complete list of data elements required for submitting an application, which may or may not include Personal Information depending on the type of application, can be found in the sources listed below. Some fields are optional or not required depending on the application type:
For the Registry Service Provider (RSP) evaluation process, refer to the RSP Handbook[2] (Evaluation Processing Stages).
For the Applicant Support Program (ASP), refer to the ASP Handbook[3] (ASP Application Evaluation).
For the New gTLD Program: 2026 Round applications, refer to the Applicant Guidebook (see Module 7 String and Application Evaluation Procedures).
Administration: ICANN requires updated Personal Information about the applicant's directors and officers, and other relevant personnel, such as full name, date of birth, city, and country code of residence. ICANN and its service providers use this information to conduct necessary background checks and other evaluations. If the applicant is selected, they may be asked to confirm the validity and accuracy of the data submitted during the application process.
Background Screening Information: For background screenings, ICANN processes various types of information, including applicant entity information, applicant entity users and contacts information, ultimate control contacts information, and applicant Personal Information. This includes confirmation, and where necessary, additional explanation, that the applicant is free from convictions, disciplinary actions or other measures as further specified in Section 6.1.2 Background Screening Criteria.
Moreover, ICANN processes Personal Information from applicants contained in reports issued by third-party sources conducting background screenings based on publicly available information. This is done for due diligence, reputation checks, and Office of Foreign Assets Control (OFAC) checks (see Appendix 10 Terms and Conditions).
In certain circumstances, the results of initial background checks may require ICANN to request additional Personal Information to complete necessary background checks or other Program application evaluations. Personal Information is also processed to maintain an accurate history of application processing and changes.
Sensitive Personal Information: ICANN does not collect sensitive Personal Information (e.g., personal medical or health information, racial or ethnic origin, or political opinions) in connection with the Program. Applicants will be notified if such sensitive Personal Information is necessary, such as to conduct further background checks.
ICANN Account: Applicant Users may access the 2026 Round Portals through their ICANN account. The processing of Personal Information contained in the ICANN account is described in general terms in the ICANN Privacy Policy.[4]
Through their ICANN account, the following Personal Information of Applicant Users will be processed:
First and last name.
Applicant User email address.
Logging Applicant Information for Usage Information and IT Security Purposes: To help understand how Users interact with the New gTLD Program: 2026 Round portals, information such as action history, information requested or rejected, User selections, log files, performance logs, diagnostic reports, pages or content viewed, searches conducted, pages requested, websites visited before using the 2026 Round Portals, and the dates, times, and durations of the users’ visits, will be collected by the portals’ provider.
Personal Information from the Evaluators, Panelists and Independent Objectors: The following Personal Information from all evaluators, panelists, and Independent Objectors will be processed:
First and last name.
Email address.
Curriculum Vitae (CVs).
All Types of Personal Information: The categories of personal information described above may be processed by ICANN for analytics related to reporting on the usage of the 2026 Round Portals. Any Personal Information will be pseudonymized or anonymized, if and to the extent required under applicable laws. Only anonymized results of these data analytics will be shared with members of the ICANN community and the public, as described in Section A9.5 Sharing of Personal Information of this New gTLD Program Privacy Policy.
This policy does not replace the privacy policies of third-party service providers that may apply to the processing of the same data, nor does it establish joint-controller relationships with such third-party service providers.
A9.4 Use of Personal Information - Purposes and Legal Bases
ICANN processes the Personal Information described in Section A9.3 Personal Information Processed of this policy to manage and administer the New gTLD Program: 2026 Round effectively and to streamline the application submission and receipt process. This may include Processing for the purpose of reporting on the usage of the 2026 Round Portals. Personal Information from Users is also logged for the purpose of ensuring the operational stability and security of the 2026 Round Portals.
If and to the extent the GDPR applies, ICANN relies on the legal basis of Art. 6 (1) lit. f) GDPR, which allows ICANN to Process Personal Information when it is necessary for ICANN’s or a third party’s legitimate interest, unless otherwise specified in this policy. ICANN will carefully assess the necessity of processing under Article 6(1)(f) GDPR to ensure it does not override the interests and/or fundamental rights and freedoms of the data subject whose data is being processed, as required by law. References to GDPR legal bases are also intended to encompass equivalent legal bases under other applicable data protection laws.
Where the GDPR does not apply, ICANN will comply with the relevant applicable data protection laws.
As allowed by these laws, ICANN processes background and third-party background screening information for background screenings, as further described in Section 6.1.2 Background Screening Criteria of the Applicant Guidebook, based on its legitimate interest in maintaining the security and stability of the Internet and protecting registrants (Art. 6 (1) lit. f) GDPR).
A9.5 Sharing of Personal Information
ICANN will not sell or otherwise share any Personal Information with third parties for marketing purposes. ICANN also will not share any disclosed Personal Information that reasonably identifies disclosers with third parties for their independent use except when: (i) ICANN has the discloser’s permission, (ii) is doing so at the discloser’s direction, (iii) it is required to comply with ICANN’s legal obligations, (iv) as permitted by applicable law, or (v) as otherwise described in this policy. For more information on how ICANN shares Personal Information, refer to Section 5 of ICANN’s Privacy Policy.[5]
Service Providers: ICANN shares the Personal Information described in this New gTLD Program Privacy Policy in Section A9.3 Personal Information Processed with third-party service providers that process the Personal Information on ICANN’s behalf (as data processors) or in their own capacity (as data controllers). A list of these service providers and their locations is available on the DRSP Page of the New gTLD Program website.[6]
Public Sharing: In line with its principles of transparency and accountability, ICANN will publish the applicant’s name and relevant gTLD information on ICANN’s website. While this information is not typically considered Personal Information, it may contain Personal Information.
Consultants and Advisors, Government Authorities and Agencies: To the extent necessary, ICANN may share the Personal Information described in this New gTLD Program Privacy Policy in Section A9.3 Personal Information Processed with technical and business consultants, as well as financial and legal advisors, government authorities and agencies as further described in Section 5 of ICANN’s Privacy Policy.[7] Additionally, where GDPR applies and the processing of Personal Information is necessary for ICANN to comply with a legal obligation, the legal basis for such processing will be Article 6(1) lit. c) GDPR.
A9.6 International Transfers
When applying for a new gTLD or using a 2026 Round Portal, the Applicant User is directly transferring its own Personal Information to ICANN in the United States. Such transfer of Personal Information that relates to the Applicant User is not considered an international transfer under Chapter V of the GDPR, as the Personal Information is directly collected from the Applicant as the Data Subject under Art. 3 (2) GDPR.
When the Applicant submits Personal Information of third parties into the 2026 Round Portal (as contained in Applications or information related to Applications), this Personal Information is transferred to ICANN in the United States and from the United States possibly also to other countries outside of the European Economic Area (EEA) where ICANN staff and third party service providers are located. A list[8] of ICANN offices is available, and the respective locations of the third parties are linked under Section A9.5 Sharing of Personal Information of this policy.
Such transfers are safeguarded by suitable transfer mechanisms, including EU Standard Contractual Clauses. A copy of these safeguards can be obtained upon email request to privacy@icann.org.
Pursuant to the Terms and Conditions in Appendix 10 made available by ICANN, from time to time Applicants must also represent and certify that they have obtained the necessary permissions or consents for the sharing and publication, where applicable, of any Personal Information included in the Application and in the materials submitted with the Application. This obligation includes ensuring that any Personal Information subject to cross-border data transfer restrictions under applicable laws, which would be submitted in the Application via the 2026 Round Portal that is operated by ICANN in the United States, is in compliance with applicable laws. This would require the Applicant to implement any necessary transfer safeguards under such laws (e.g., EU Standard Contractual Clauses), prior to submission.
A9.7 Security
ICANN will use reasonable industry standard safeguards, which may include physical, procedural and technical measures, to protect against the unauthorized disclosure of Personal Information it collects and holds. ICANN will take reasonable steps to ensure that Personal Information collected is complete and relevant to its intended use, which includes, when required or appropriate and feasible, obtaining written assurances from third parties that may access your Personal Information that they will protect such information with safeguards designed to provide a level of protection equivalent to those adopted by ICANN.
ICANN cannot represent, warrant, or guarantee that information processed in the New gTLD Program: 2026 Round or the 2026 Round Portal will be free from unauthorized access by third parties, loss, misuse, or alterations. While ICANN will take reasonable and appropriate security measures to protect against unauthorized access, disclosure, alteration or destruction of Personal Information received, ICANN DISCLAIMS ANY AND ALL LIABILITY FOR UNAUTHORIZED ACCESS OR USE OR COMPROMISE OF PERSONAL INFORMATION TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW. USERS ARE ADVISED THAT THEY SUBMIT PERSONAL INFORMATION AT THEIR OWN RISK.
A9.8 Retention
ICANN will retain Personal Information generally in accordance with its archival practices and as required by law.
ICANN will retain Personal Information only for the time required to fulfill the purposes set out in Section A9.4 Use of Personal Information - Purposes and Legal Bases. However, where ICANN is required by law to retain Personal Information longer or Personal Information is required for ICANN to assert or defend against legal claims, ICANN will retain the Personal Information until the end of the relevant retention period or until the claims in question have been resolved. More details about the retention periods applicable will be available on the New gTLD Program website.[9]
A9.9 Exercise of Data Subject Rights
Individuals (Data Subjects) may be entitled to the following rights, in each case as permitted under applicable data protection law:
Obtain access to information about the Processing of Personal Information;
Object to certain Processing;
Request information portability;
Have their Personal Information rectified, deleted, or otherwise restricted in terms of Processing.
Users may also be entitled to withdraw any consent given with prospective effect with respect to the Processing of their Personal Information.
Individuals can exercise these rights or learn more about ICANN’s processing of Personal Information by sending a request to privacy@icann.org. All requests are subject to identity verification. ICANN will respond to requests promptly, and within the legally required time frame. Certain Personal Information may be exempt from such requests under applicable law.
If individuals are dissatisfied with ICANN’s response or believe their Personal Information is not processed lawfully, they may contact or lodge a complaint with the competent supervisory authority or seek alternative legal remedies.
A specific description of data subject rights applicable under the GDPR is attached to this New gTLD Program Privacy Policy as A9.13 Exhibit 1: Data Subject Rights Under the GDPR.
A9.10 Required Personal Information
Applicants must provide the Personal Information described in Section A9.3 Personal Information Processed (under the Subsection “Personal Information from Applicants”), including the details needed to complete the “Applicant User Account Setup Form” and the “Application Form.” Failure to provide this information will prevent submission of the application.
A9.11 Minors
Portal users must be of legal age (at least 18 years or the applicable minimum legal age). ICANN does not knowingly collect any personal information from users who do not meet the minimum age requirements.
A9.12 Revisions
ICANN reserves the right to change the New gTLD Program Privacy Policy at any time. Any changes we make will be posted on ICANN.org with the most recent revision date identified. The date this New gTLD Program Privacy Policy was last revised is identified at the top of the page. Users are responsible for periodically monitoring and reviewing any updates to this New gTLD Program Privacy Policy. Continued participation in the New gTLD Program: 2026 Round following amendments indicates acknowledgment of these changes. For material changes to the way ICANN collects, uses, or shares Personal Information, ICANN will endeavor to provide notice of disclosures of Personal Information before implementation, such as by posting a prominent notice on the ICANN.org website.
A9.13 Exhibit 1: Data Subject Rights Under the GDPR
Individuals (Data Subjects) whose Personal Information is Processed in the context of the New gTLD Program: 2026 Round pursuant to the GDPR have the following Data Subject rights, as provided for under the GDPR, subject to limitations under the GDPR and otherwise applicable law.
Personal Information is referred to as "Personal Data" in this Exhibit.
A Data Subject has the right to obtain confirmation as to whether Personal Data relating to itself are being Processed by ICANN and, where that is the case, the right to access the Personal Data and a copy thereof (Art. 15 (1) and (3) GDPR).
If ICANN Processes inaccurate Personal Data, the Data Subject has the right to rectification (Art. 16 GDPR).
In some cases described by law, a Data Subject may request the erasure of Personal Data concerning the Data Subject or the restriction of Processing (Art. 17 and 18 GDPR).
If Processing is based on the Data Subject’s consent within the meaning of Art. 6 (1) lit. a) GDPR and/or Art. 9 (2) lit. a) GDPR, the Data Subject may withdraw consent at any time (Art. 7 (3) GDPR), which will not affect the lawfulness of Processing based on consent before its withdrawal. ICANN informs the Data Subject separately if ICANN requires the Data Subject’s consent for the processing of their personal data for specified, explicit and legitimate purposes not covered by this New gTLD Program Privacy Policy.
If Processing is based on the Data Subject's consent within the meaning of Art. 6 (1) lit. a) GDPR and/or Art. 9 (2) lit. a) GDPR, or on a contract pursuant to Art. 6 (1) lit. b) GDPR, and the data Processing is carried out by automated means, the Data Subject has a right to receive the Personal Data concerning the Data Subject in a structured, commonly used and machine-readable format and the right to transmit those data to another controller without hindrance from the controller to which the Personal Data have been provided (Art. 20 GDPR).
Data Subjects have the right to object, on grounds relating to their particular situation, at any time to Processing of Personal Data concerning them based on Art. 6 (1) lit. e) or f) GDPR (Art. 21 (1) GDPR). Data Subjects may object to the Processing of their Personal Data on the basis of Art. 6 (1) lit. f) GDPR for direct marketing purposes at any time (Art. 21 (2) GDPR), without stating grounds relating to the Data Subject’s particular situation. However, ICANN does not Process Data Subjects’ Personal Data for this purpose.
Furthermore, Data Subjects have the right to lodge a complaint with the competent data protection supervisory authority. Data Subjects can, for example, contact the supervisory authority in the EU Member State of their habitual residences, places of work or places of an alleged infringement. The lead supervisory authority responsible for ICANN is the:
Autorité de la protection des données - Gegevensbeschermingsautoriteit (APD-GBA)
Rue de la Presse 35 – Drukpersstraat 35
1000 Bruxelles - Brussel
Tel. +32 2 274 48 00
Fax +32 2 274 48 35
Email: contact@apd-gba.be
Website: https://www.autoriteprotectiondonnees.be, https://www.gegevensbeschermingsautoriteit.be
For questions or complaints about ICANN data processing, contact privacy@icann.org. To exercise rights or learn more about ICANN data processing, send a request to privacy@icann.org.
[1] See ICANN Privacy Policy: https://www.icann.org/privacy/policy.
[2] See RSP Handbook: https://newgtldprogram.icann.org/sites/default/files/documents/rsp-handbook-27mar25-en.pdf.
[3] See ASP Handbook: https://newgtldprogram.icann.org/sites/default/files/documents/next-round-asp-handbook-09aug24-en.pdf.
[4] See ICANN Privacy Policy: https://www.icann.org/privacy/policy.
[5] See Section 5 of ICANN Privacy Policy: https://www.icann.org/privacy/policy/#5.
[6] See the New gTLD Program website: https://newgtldprogram.icann.org/en.
[7] See ICANN Privacy Policy: https://www.icann.org/privacy/policy/#5.
[8] See list of ICANN offices: https://www.icann.org/locations.
[9] See the New gTLD Program website: https://newgtldprogram.icann.org/en/.
