Data Protection statement

Also serves as Imprint / Impressum

    Introduction

    Stichting Open CSIRT Foundation (hereinafter: OCF, us and we), a foundation with statutory seat in Amsterdam, The Netherlands, registered with the Dutch Chamber of Commerce under number 67116507 and registered office at Kwikstaartlaan 42, Unit E2030, 3704GS Zeist, The Netherlands, is dedicated to safeguarding the personal data that we process, as well as to developing and applying data protection solutions that are effective, fit for purpose and demonstrate an understanding of, and appreciation for, the General Data Protection Regulation 679/2016 (GDPR) as well as applicable national data protection legislation. We are committed to ensuring ongoing and continued compliance with data protection legislation and guidance provided by the supervisory authorities with regard to OCF as a whole and all of our service offerings. This Privacy Notice concerns the processing of your personal data for which OCF is the Data Controller; in other words, OCF collects personal data directly or indirectly from you and decides the personal data needed to provide you a service, the purposes for which your personal data is being collected, how it is stored, how it is shared and for how long it will be retained. Considering the significance of this responsibility, OCF is strongly committed to putting in place adequate measures and controls to protect your personal data, to improving them and to ensuring that you can exercise your rights at any time.

    Data Protection Officer

    OCF has appointed an internal Data Protection Officer (DPO), for you to contact if you have any questions or concerns about the way OCF is processing your personal data. Together, OCF’s DPO and operatives are working to provide you accurate information and implement the measures to protect your privacy. Our DPO’s name and contact information are as follows:

    Roeland Reijers
    p/a OCF, Postbus 97, 3501DA Harmelen, The Netherlands
    dpo@opencsirt.org

    Dealing with your personal data

    OCF Events

    OCF organises and promotes events globally, including with face-to-face as well as online participation. In this context “events” shall be understood as any event, seminar, conference, training, webinar, info-share, networking event, working group meeting, workshop, social event or other gathering organised under the responsibility of OCF – this includes TF-CSIRT, Trusted Introducer and SIM3 related events. If you register for one of our events we may collect, depending on the nature of the event, the following information from you or someone within your organisation:

    • Name
    • Organisation or affiliation
    • E-mail address
    • Address
    • Contact telephone number
    • Job title (when requested)
    • Payment information (when requested)
    • Dietary requirements (optional)
    • Any special requirements (optional)
    • Specific accessibility requirements (optional)
    • Level of education and/or prior knowledge (optional)

    Event registration information will be collected, carefully analysed, and processed by our operatives. This information in anonymised form will be further used for statistical and reporting purposes. This information will be used by OCF to continuously improve our events. During events, OCF may capture some collective and individual images, audio or video recordings, and collect information provided by others (especially during training sessions), to evaluate your performance as a speaker or as a trainer. We could also make and store a recording of your voice in certain instances. OCF will use this information, including your personal data, in online communication channels such as social media pages, websites and blogs. If you are a speaker at one of our events, we may also collect information including your name, institution/company and contact information. We may invite you to provide more information about yourself. OCF may keep this information available on its websites or wiki pages for an indefinite period of time for educational purposes, but you are able to have your own personal data deleted at any time. This information, which could include pictures and an abbreviated biography (optional in both cases, and always provided by you), is managed by OCF. Rectification and removal requests can be submitted to the OCF operative responsible for the event, or, depending on the event, may be edited directly and managed via your account. OCF relies on a legitimate interest for collecting, storing and processing the information mentioned above. During or after the event, OCF might contact you to collect your feedback about your experience, ascertain event impact or manage a post-event collaboration. For this purpose, OCF may collect additional personal data such as gender, level of education and age group. This personal data will be anonymised and will be used for the purposes of reporting and statistics.

    Events held with third parties: if the event is being jointly run with or sponsored by a third party, this will be clearly communicated to you. If your personal data is to be shared with a third party (such as sponsors or exhibitors), it will be clearly specified on the event website or invitation. To understand how a third party will use your data, OCF will provide you a link to the third party’s Data Protection statement or otherwise inform you how to obtain a copy of it.

    OCF Services

    OCF develops the services that its auditors (SIM3), members (TF-CSIRT & Trusted Introducer), partners and other clients or interested parties need in order to further OCF’s goal of helping to enhance cyber security and safety worldwide. In order to provide you the best services, OCF may collect the following personal data from you, depending on the service that we are providing to you:

    • Name and affiliation
    • Username
    • E-mail address
    • Log records
    • IP address
    • SSH public key(s)
    • Technical log data
    • Device information
    • The region or general location where your computer or device is accessing the Internet
    • Unique device identifiers
    • Application ID

    For more details, please consult the specific Data Protection statements for our Services, available on the official websites for each service. OCF uses this information to provide you with the services you wish to use including:

    • to present content from the services you requested in an effective manner to you;
    • to carry out contractual obligations arising from any contracts entered between you and us or your service provider;
    • to register you for events and other services you have requested;
    • to assist us in maintaining records of events for internal and external security and audit purposes;
    • to respond to any concerns or queries you have in relation to our services or websites;
    • to help diagnose problems with our servers and to administer our websites, analyse trends, track visitor movements and gather broad demographic information that assists us in identifying visitor preferences;
    • to help you collaborate with others; some services provide different ways in which authorised users can collaborate, such as shared communication channels and services;
    • to provide you with information, products or services that you request from us or which we think may be of interest to you;
    • to help us deliver a better service to you, we may collect certain technical information that does not directly identify an individual: such information tells us about the equipment you are using, browsing actions, the resources accessed and the operating systems used; we use analytics and similar services, as explained in our Cookie Policy to help us deliver a better service to you;
    • to contact you about our services or related services;
    • to ensure that the data you provide remains safe and secure by using appropriate monitoring and auditing mechanisms;
    • we may engage with Third Party Services; when enabled by you, we may share data with them to enable their services to operate effectively. It is your responsibility to check the privacy settings and notices in these Third Party Services;
    • we may engage Third Party Service Providers to process information and provide storage services. OCF will ensure that appropriate security controls are in place with any Third Party Provider;
    • we may use aggregated or de-identified data for other purposes, such as identifying users from specific countries or the average time spent using services.

    OCF Publications

    OCF may use various channels to provide you with content, such as websites, social media channels managed by OCF, newsletters and mailing lists. Any subscription for OCF publications is always on a voluntary basis and you can at any time unsubscribe*. We may need your e-mail address or social media identifier to be provided in order to send you OCF publications. OCF relies on a legitimate interest to process your personal information for purposes of fulfilling your request to receive our publications.

    * The exception is information sent to you via the official channels used for Certified SIM3 Auditors or TF-CSIRT members, as these can only be unsubscribed from by requesting that OCF cancel the Auditor Certification or the TF-CSIRT membership.

    OCF Recruitment

    OCF’s recruitment process is handled internally, applying the same standards as set in this Data Protection statement. We will handle the private data of applicants with the utmost care.

    Website(s)

    This OCF website, https://www.opencsirt.org/* or https://opencsirt.org/*, aims not to collect information automatically, nor to store it in log files. We do not use cookies, web beacons, Google Analytics or any such data-collecting service.

    The above also specifically holds for the SIM3 online tool page at https://sim3-check.opencsirt.org/#/ – it is our design choice that we do not wish to collect any data from those using the SIM3 online tool, as the auditing/assessment information associated with using the tool is generally speaking of a confidential nature.

    The policies for specific websites for OCF services like especially TF-CSIRT or the Trusted Introducer are explained in the Data Protection statements on their respective websites.

    Data storage and retention periods

    Any financial (processing) and other legally relevant information will be kept for 7 years, as this is required by Dutch law for a Foundation such as OCF. Other types of information have different policies set:

    Events

    Attendee lists and feedback forms for any events will be kept no longer than 3 years. Photographs of events will be stored and archived for an unlimited period.

    Services

    Your personal information (name, contact details, workplace) is stored for the duration of your use of the services provided and an additional 12 months after you cease using our services. OCF keeps this data in order to deal with any queries that may arise following your use of our services. You can consult the retention periods for each OCF service on the respective website(s).

    Publications

    OCF will retain your information so long as you wish to remain a subscriber to one or more of our publications.

    Recruitment

    Personal data relating to candidates who are unsuccessful will be retained for a maximum of 12 months after a hiring decision has been made (unless you have asked us to retain your details to allow us to notify you of any similar vacancies in the future). After this time, it will be securely destroyed and permanently deleted. If you start work with us, any personal data processed as part of your employment records will normally be held for a period of 7 years from the end of your employment with us, except where we are:

    • legally required to retain the information for longer;
    • legally required to delete the information within a specified period;
    • required to supply personal data in relation to any legal or other type of dispute, either with you or with a third party.

    Any personal data contained in any work-related correspondence may be retained for longer, dependent on the relevant retention period for that work or matter.

    When and how we share information with others

    OCF will share your personal data with third parties only in ways that are described in this Data Protection statement.

    We provide and support some of our services through contractual arrangements with service providers and other third parties. OCF and our service partners use your personal data to operate our website(s) and provide services and events to you.

    The personal information OCF collects from you is stored in one or more databases hosted by third parties that may be located within the EU or outside the EU. These third parties do not use, and have no authority to access, your personal data for any reason other than cloud storage and retrieval.

    We will also disclose personal data in the following circumstances:

    • if we are required or permitted to do so by law, regulatory or other legal process;
    • to protect our rights, reputation, property or the safety of us and others;
    • to defend or enforce our rights or your obligations.

    We do not sell personal information to anyone or share it with third parties who are facilitating the delivery of other services.

    Transferring personal data from the EU

    OCF is headquartered in The Netherlands (NL), and our services are run mostly from there (NL), as well as from France (FR), Germany (DE) and Poland (PL), all inside the EU. Personal data we collect about you will generally be processed in these locations. OCF endeavours to apply suitable safeguards to protect the privacy and security of your personal data and to use it only within the authorisation you have given and the practices described in this Data Protection statement.

    In some cases, OCF may transfer your personal data to countries outside the EU, for example if we use a third party for processing services or storing data or for obtaining feedback on one of the services or events we provide. If we do transfer personal data to third countries, we will ensure that such transfers are compliant with our obligations under relevant data protection legislation and that appropriate technical and operational controls are in place to keep your personal data secure.

    If personal data is transferred from the EU to the USA, the EU-US Privacy Shield will be used. This framework was developed to enable companies to comply with data protection requirements when transferring personal data from the EU to the USA.

    OCF also minimises the risk to your rights and freedoms by not collecting or storing any sensitive information about you without your explicit consent.

    Data subject rights

    You have the following rights regarding your personal data:

    • You have the right to request access to your data.
    • You have the right to ask us to rectify your personal data.
    • You have the right to ask us to erase your personal information.
    • You have the right to object to your data being processed by us.

    You also have the right to inquire what personal data we hold about you, and to present a complaint to the relevant Supervisory Authority in The Netherlands: “Autoriteit Persoonsgegevens” at https://autoriteitpersoonsgegevens.nl if you feel your personal data is not being managed by OCF as described here.

    Please note that submitting a Data Subject Access Request might be connected with providing information confirming your identity and other legally relevant information.

    Security of your personal data

    OCF takes the confidentiality, integrity and availability of your personal data very seriously. We take appropriate security precautions to protect your personal data from loss, misuse or unauthorised access, disclosure, alteration and destruction. When you access an OCF service, we will provide adequate security controls to keep your personal data safe in accordance with the classification of the personal data we have collected from you.

    Although we exercise due care to ensure your personal data remains secure, there is no absolute guarantee of security when using services online. While we strive to protect your personal data, you acknowledge that:

    • there are security and privacy limitations on the Internet which are beyond our control;
    • the confidentiality, integrity and availability of any and all information exchanged using these services cannot be 100% guaranteed;
    • we cannot be held accountable for activity that results from your own neglect to safeguard the security of your login credentials and equipment that results in a loss of your personal data.

    If you feel this is not sufficient, then please do not provide any personal data.

    Changes and updates to this statement

    Services and products offered to you may change from time to time and this Data Protection statement will be updated accordingly. We reserve the right to amend this Data Protection statement at any time – in such case, an updated version of the Privacy Notice will be posted here and we encourage you to check it from time to time. We may e-mail periodic reminders of our notices and terms that are currently in effect and any changes that may have been made to them.

    OCF keeps this Data Protection statement under regular review; the last update was in August 2023.

    Questions, concerns and complaints

    The OCF head office is based in The Netherlands. Please let us know if you have any questions, complaints or concerns about how OCF processes your personal data or about this Data Protection statement, by contacting OCF’s DPO as stated above.

    If you wish to raise a complaint directly with the relevant supervisory authority in The Netherlands, please contact the “Autoriteit Persoonsgegevens” at https://autoriteitpersoonsgegevens.nl.