The subject of your question is complicated and cannot be repeated in a few sentences.
In summary, the GDPR is still new for many entities, and there are still some phases of adaptation. ICANN (which controls what gTLDs can and cannot do) took a long time to accept that the GDPR did not go away and finally had to take it into account. He created a "temporary specification" for which you can get details at https://www.icann.org/resources/pages/gtld-registration-data-specs-en. This is why, for the moment, if you look at any gTLD registry that responds, you will generally not see any personal data, more emails, names, Addresses, etc. But it is "temporary". Of course, not everyone is happy with this: LEAs, IP attorneys and others are very keen to revert to the old model … This can (it will appear) in done, because whois will be phased out by RDAP (which has been mandatory in the gTLD world since August 2018), and RDAP being built on a healthier design, can make (where whois couldn't) much easier multi-level access, i.e. having an authentication layer and therefore modifying the amount of results given (with or without personal data, and how much) depending on who interrogates. But we are far from a working model on this scene.
For ccTLDs, each registry must decide what to do, things are unclear. You will find some who are wrong on the side of "show nothing, or almost nothing at all", for example
.de (you don't even see the recording date anymore …), then others do the complete opposite, like
.IS (http://domainincite.com/22939-iceland-breaks-ranks-on-whois-will-publish-emails: "The Icelandic ccTLD has become what I believe to be the first registry to declare that it will continue to publish email addresses in public Whois records after the General Data Protection Regulation has entered into force. ")
So you can find various articles explaining how the GDPR killed the whois, such as:
You now raise another important point about the "privacy products" of some registrars.
In many (but not all) TLDs, and at least in gTLDs, you have a registry / registrar model: one registry, multiple registrars.
A client goes to a registrar, gives him all his data (including personal and paying for the domain), the registrar stores it locally, also sends it or part of it to the register, which stores it on his side.
This model can then have the consequence (at least because ICANN decided to do so, but there is for the most part no technical reason, because the last thin register in the world gTLD will be "soon" thick like all the others) that there are actually two whois servers (or RDAP for that matter) for a given domain name: a registry side, a registrar side.
Of course, each server responds with locally stored data, but that explains why not everyone can respond with the same data.
Because if you take / buy a "confidentiality" service from the registrar (or a third party), this is what happens:
- you give your personal data to the registrar; it is stored in its database
- the registrar sends to the register ANOTHER set of personal data, a blank "confidentiality"; in this way of doing things, the register never sees the "real" data (which has its own set of consequences, because with this the register cannot even know who the real declarer is)
- so if you query the whois / RDAP server of the registry, you will get at most "confidentiality" data and not the real ones,
- and if you contact the registrar's whois / RDAP server, while technically it has the real data locally, because you have activated this confidentiality service, the registrar will respond with this confidentiality data instead of the real ones.
And then, as noted above, in addition to a given dataset that should have been provided, the recent changes due to the GDPR, "scrub" the data and essentially create almost empty results.
This is indeed something to take into account if you want to transfer domains between registrars. A previous ICANN rule, for example, in gTLDs, required registrars to get formal and explicitly positive recognition (via some specific emails called FOA for Form Of Authorization ) from the registrar / administrator contact before being able to proceed with a transfer request. This data was mainly extracted from the whois by the registrars, but of course now that the response from the whois is almost empty of substance, it can no longer work (and therefore the transfers revert to their previous model were the exclusive possession of the value "authInfo" because the domain was sufficient to prove ownership and therefore to start transfers).
Typically, registrars will ask you to provide new contact data if you decide to transfer as they will not be able to collect it from the current configuration. When a transfer occurs, nothing changes at the registry level, except who is the registrar. As soon as the transfer is complete, the new registrar is (mainly) free to modify all data, including contacts (but see the new ICANN regulations which deal with a change of registrant essentially in the same way as 39; a change of registrar, with various checks and periods), then reapply, or not (depending on what the registrar provides and what customers have chosen) a confidentiality service as explained above.
Come back to:
I live in the Netherlands and I have a .com domain in Namecheap. According to Namecheap support, my data becomes public in Who is if I deactivate their Who is Guard.
More specifically in .COM, it is always a light register, which means that the register does NOT have contact data (the registrar NEVER sends them to register). This will change, it is expected (but postponed more than once, the question is obviously related to everything that has been discussed previously), but it is like that today. So if you make a whois query for a .COM in the registry, you will never see contact data, no matter which service you enable or disable at the registrar level, because the registry has no data contact for the domain.
Now, at the registrar level, they are "free" to do whatever they want, I mean they can have their own interpretation of the GDPR, how much that applies to them or not, etc.
At least on one of their pages, they say this:
When you register a domain, ICANN asks registrars to provide it
with your contact details (such as name, e-mail, address and telephone)
number). This is then added to the Whois database. This database lists
the owners of each domain name online, and it can be searched by
anyone on the Internet.
It's not very clear to me or maybe a little wrong: I don't know who "them" is in the first sentence, but if it is supposed to be ICANN then it & # 39; s 39 is completely wrong, ICANN has no operational role in daily registrations, so they have no data. There is also no "Whois database" even if everyone makes this mistake. whois is a protocol for querying data. The database queried is in a registry or registrar, and is not a "whois database" in the same way that you use HTTP to contact web servers, but it does Suddenly does not make websites "HTTP databases".
But even apart from that, it cannot really be "searched". whois is a request protocol (RDAP too, and has extensions for real search capabilities, but it should not happen to anyone to implement it for obvious technical and non-technical consequences of this), you ask details on a specific area. You cannot request details of a registrant's name, address or telephone or other numbers. There are various online services providing this type of "reverse lookup" (like: give me a list of domain names owned by "Foo Bar Inc."), and how do they do it? They make whois queries, store the results (in a "database" too), and can therefore search there, but with various limitations (whois is limited in number, their data will never be fresh, several TLDs are against this, see https: / /www.domainpulse.com/2019/06/25/domaintools-appeals-to-seek-to-continue-flouting-nz-whois-terms-of-use/, etc.)
So I have no idea what happens if you don't use "WhoisGuard". Your supplier should be able to explain the situation clearly to you, and if this is not the case or if you are not satisfied with his response, it will certainly be the right time to report it. look for another.