Committed to Safe Online Pharmacy

General Data Protection Regulation Notice

Identity and contact details of controller

National Association of Boards of Pharmacy® (NABP®) is the registry for the verified .pharmacy top-level domain. The purpose of the .pharmacy program is to help ensure the public’s health and safety by granting the .pharmacy domain to eligible online pharmacies and pharmacy and medication-related online businesses that adhere to .pharmacy program standards. These standards require qualifying online businesses to meet licensure, legal, and professional practice criteria to earn the domain. NABP is controller and processer of data associated with the .pharmacy program for the purposes of General Data Protection Regulation (GDPR). If you have any concerns as to how your data is processed you may contact NABP by sending an email to

How your information will be used

Your organization has a business interest in applying for a verified .pharmacy domain. Approval to receive a .pharmacy domain requires NABP to review your organization and its online presence, including medication-related websites. NABP seeks to ensure that your organization is properly licensed and adheres to applicable laws and professional pharmacy practices in the jurisdictions where your organization conducts business. Pursuant to the submission of its .pharmacy application, your organization may have supplied NABP with your name, home address, email address, and, as applicable, pharmacist license or registration number. The information we collect and process helps us to communicate with the organization and verify data related to the organization and its pharmacy-related operations. For example, the data we collect and process may be used to verify the address and registration status of the dispensing pharmacy, the validity of the license of the pharmacist manager who oversees the dispensing process for medicines, and that the applicant’s website meets .pharmacy program standards, including the requirement that prior to dispensing a medication, a valid prescription must be received, as defined by the applicable jurisdictions. We will keep and use your information to enable us to monitor your organization, its operations, and the websites approved for one or more .pharmacy domains. If your organization does not provide the requested data, we may not be able to verify your organization, personnel, operations, or its website(s), which may result in closure or denial of your organization’s application for the requested .pharmacy domain(s). Through the .pharmacy program we do not have, nor will we process any information relating to your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, biometric data, or sexual orientation. Additionally, we do not use any automated decision making with regard to your personal data. We may transfer your information to one or more regulatory bodies or other recipients to verify licensure, licensure status, or licensure history or to obtain other information required for NABP to process your organization’s .pharmacy application, verify its operations, or to monitor your organization’s use or operations of its .pharmacy domain(s). Your information will be transferred to the United States for processing; however, we will not transfer your information to a third or another country unless we have information indicating you are licensed there, were licensed there, or are seeking licensure in the third or another country. Your personal data will be stored by NABP for as long as your organization’s .pharmacy domain is in effect and registered or if your organization’s .pharmacy domain application is closed, withdrawn, or expired, and for one year following the cessation, closure, withdrawal, or expiration of the .pharmacy domain or application. If in the future we intend to process your personal data for a purpose other than that which it was collected, we will provide you with information on that purpose and any relevant information.

Your rights

Under GDPR you have a number of rights with regard to your personal data. Where we are processing data based on your consent, you have the right to withdraw that consent at any time, understanding that if consent is withdrawn, NABP may be required to close, suspend, or terminate a .pharmacy domain that your organization may have registered or close any pending application. Subsequent withdrawal of consent will not affect the lawfulness of the information processing before your consent was withdrawn. You have the right to request from us access to and rectification or erasure of your personal data, the right to restrict processing, object to processing as well as, in certain circumstances, the right to data portability. If you are remaining in your position at your organization, you do not have the right of erasure of your personal data because the purpose of the .pharmacy program, and its information processing, is to further public interest and protections in the area of public health and to help to ensure high standards of quality and safety of pharmacy practices and medicinal products. If you are stepping down from your position at your organization, and a successor has been communicated to NABP, then you may invoke your right of erasure of your personal data. You have the right to lodge a complaint to the Information Commissioners’ Office if you believe that we have not complied with the requirements of GDPR with regard to your personal data.