Address: Rue de la Loi 107, 1000 Brussels, BE Tel: +32 2 295 2100

Privacy policy

PROTECTION OF PERSONAL DATA

This privacy statement provides information about the processing and the protection of personal data as part of CERT-EU’s cybersecurity operations

Processing operation: CERT-EU Activities
Data Controller: CERT EU
Record reference: DPR-EC-07167.2
Table of Contents
1. Introduction
2. Why and how do we process your personal data?
3. On what legal ground(s) do we process your personal data?
4. Which personal data do we collect and further process?
5. How long do we keep your personal data?
6. How do we protect and safeguard your personal data?
7. Who has access to your personal data and to whom is it disclosed?
8. What are your rights and how can you exercise them?
9. Contact information
10. Where to find more detailed information?

1. Introduction

This document describes the processing by CERT-EU of personal data as part of its cybersecurity operations. For administrative purposes, CERT-EU is integrated as a Taskforce in the European Commission. CERT-EU and the European Commission are committed to protect your personal data and to respect your privacy. CERT-EU collects and further processes personal data pursuant to Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data (repealing Regulation (EC) No 45/2001). This privacy statement explains the reason for the processing of your personal data, the way we collect, handle and ensure protection of all personal data provided, how that information is used and what rights data subjects have in relation to their personal data. It also specifies the contact details of the responsible Data Controller with whom you may exercise your rights, the responsible Data Protection Officer and the European Data Protection Supervisor. The information in relation to processing operation on CERT-EU Activities, undertaken by CERT EU is presented below.

2. Why and how do we process your personal data?

Purpose of the processing operation: CERT EU collects and uses your personal information to contribute to the security of the ICT infrastructure of all Union institutions, bodies and agencies and to enable CERT-EU to carry out its mission. CERT-EU's mission is to contribute to the security of the ICT infrastructure of all Union institutions, bodies and agencies by helping to prevent, detect, mitigate and respond to cyber-attacks and by acting as their cyber-security information exchange and incident response coordination hub.

CERT-EU collects, manages, analyses and shares information with the constituents on threats, vulnerabilities and incidents on unclassified ICT infrastructure. It coordinates responses to incidents at inter-institutional and constituent level, including by providing or coordinating the provision of specialised operational assistance.

Your personal data will not be used for an automated decision-making including profiling.

3. On what legal ground(s) do we process your personal data

We process your personal data, because:

(a) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Union institution or body;

Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Union institution or body.

Interinstitutional Arrangement 2018/C12/01 between the European Parliament, the European Council, the Council of the European Union, the European Commission, the Court of Justice of the European Union, the European Central Bank, the European Court of Auditors, the European External Action Service, the European Economic and Social Committee, the European Committee of the Regions and the European Investment Bank on the organisation and operation of a computer emergency response team for the Union's institutions, bodies and agencies (CERT-EU), OJ C12/1 of 13.1.2018.

Directive (EU) 2016/1148 of the European Parliament and of the Council (the ‘NIS Directive’) establishes a network of Computer Security Incidents Response Teams (CSIRTs), which shall be composed of representatives of the Member States' CSIRTs and CERT-EU, to contribute to the development of confidence and trust between the Member States and to promote swift and effective operational cooperation.

CERT-EU collects and processes data to contribute to the security of the ICT infrastructure of all Union institutions, bodies and agencies by helping to prevent, detect, mitigate and respond to cyber-attacks and by acting as their cyber-security information exchange and incident response coordination hub.

CERT-EU does not focus on processing any special categories of data falling under Art. 10(1) or sensitive data falling under Art. 11. However, if this data is involved in a cybersecurity incident handled by CERT-EU, it will be processed manually as part of the incident investigation, including to establish whether a data breach has taken place.

4. Which personal data do we collect and further process?

In order to carry out this processing operation CERT-EU collects the following categories of personal data:

1. Automated processing may involve any personal data flowing or stored on electronic networks of any of the EU Union entities.

2. Manual processing generally includes the following categories of data:

3. Any file (with user-id included) stored in, transmitted from / to a host involved in an incident (as victim, relay or perpetrator),

4. Email addresses, phone number, role, name, organisation,

5. Name of the owner of assets involved in an incident, user account name (for email, operating system, applications, centralised authentication services, etc),

6. Technical protocol data (IP address, MAC address) to which an individual may be associated.


Data is processed for specific purposes in particular:
• Personal data that might be processed for automated cybersecurity procedures (including from online media sources, cybersecurity information sharing partnership etc)

• Personal data processed for Cyber Threat Management (first response, analysts and vulnerability assessment teams)

• Personal data processed for Incident response management including backups


Below you may find the processing activities in details:
A. Personal data that might be processed for automated cybersecurity procedures:

online media sources (including name/surnames of authors, journalists etc).

cybersecurity information sharing partnership: different types of information based on the identified cyber risks (metadata, IP addresses etc)

personal data processed via the unified Portal allowing the exchange of information between CERT-EU and the various constituents. : each constituent can only access data related to their own organisation (personal data i.e. identification data, contract details etc, logs, etc)

B. Personal data processed for Cyber Threat Management (first response, analysts and vulnerability assessment teams):

This process analyses non-personal data. Personal data might mainly be IP addresses: please note that IP addresses are never related with specific individuals and may be related with threat actor groups (suspected malicious cyber activity groups).

Dissemination of reports on cybersecurity to inform the constituents about all possible cybersecurity threats and risks.

C. Personal data processed for Incident response management:

The monitoring services (including network traffic) include the review of various constituents' logs for indications of compromise and reviewing alerts generated by the systems: personal data captures might be any personal data coming from the constituents or from external parties (e.g. malicious actors, etc.). These data do not include names/surnames or direct links on specific individuals but rather IP addresses, connection information, files and logs.

Incident investigations: the general rule is that the personal data processed during investigations is not linked to a natural person (data subjects).IP addresses and other data which can be regarded as personal (online identifiers, logs).

Vulnerability assessments: mainly no personal data are processed.

IT operations: mainly processing of log files.

Internal processing activities for the functioning and the management of CERT EU
A. Personal data processed for CERT-EU recruitment procedures, HR and administrative purposes of CERT EU personnel:

Emails;

CVs;

Results of evaluation tests;

Identity documents;

Cover letters;

Employee personal records;

Assessments and appraisals;

Job descriptions;

Identity documents, etc.

B. Personal data processed for engaging and communicating with external stakeholders and for meetings and events:

Email addresses (including mailing lists);

Identity documents (events, meetings – Official visits and organisation of events at CERT-EU);

Contracts (Service Level Agreements), quotes, invoices, memoranda of understanding, etc.;

E-passes.

We have obtained your personal data from publicly accessible sources (websites, open sources other online sources, etc.), directly from the constituents, or directly from you in case you apply for a vacancy or are already working in CERT EU.

5. How long do we keep your personal data?

CERT EU only keeps your personal data for the time necessary to fulfil the purpose of collection or further processing, namely for the below mentioned periods:

Personal data that might be processed for automated cybersecurity procedures:
1. Data will be kept for up to 3 years. For online content, as long as the data remains publicly available.

2. For cybersecurity information sharing partnerships: 3 years.

3. For personal data processed via the unified Portal allowing the exchange of information between CERT-EU and the various constituents: 2 years.
Personal data processed for Cyber Threat Management:
4. For reports: 5 years and an additional 5 year period for archiving.

5. For all other data: up to 10 years and an additional 10 year period for archiving.
For Personal data processed for Incident response management:
6. Data is kept for up to 2 years. For network traffic up to few days.
Data processed for CERT-EU recruitment procedures, HR and administrative purposes of CERT EU personnel:
7. For unsuccessful applicants, data is retained for a maximum of one year following reception of the data to allow for the statutory period for the possible review of the decision taken in the selection procedure.

8. For applicants placed on the reserve list, data is retained for a maximum of one year, in line with the validity of the reserve list.

9. For successful applicants, data is deleted as of the termination of employment at CERT-EU.

10.After staff leave CERT-EU, any personal data related to their employment is retained for no longer than one year.
Personal data processed for engaging and communicating with external stakeholders and for meetings and events:
11.In the case of contracts, the files are retained for as long as they are valid and a further two years for traceability purposes.

12.For physical data processed by CERT-EU, namely e-Passes, a period of maximum two days after the date of the visit, event or meeting. The digital personal data contained in the visitor log and email correspondence are kept for a maximum period of two years in order to allow for reporting to CERTEU’s Steering Board and for traceability purposes.

13.Specific retention periods may be applied by DG HR(HR.DS), for data that are under their control.

6. How do we protect and safeguard your personal data?

All personal data in electronic format (e-mails, documents, databases, uploaded batches of data, etc.) are stored either on the servers of CERT-EU, or the respective EU institutions, agencies and bodies. Administrative documents may also be stored in paper form. CERT EU has implemented security measures to protect server hardware, software and the network from accidental or malicious manipulations and loss of data. Data is stored on servers managed by CERT-EU in line with the technical security provisions laid down in the Commission Decision (EU, Euratom) 2017/46 of 10 January 2017 on the security of communication and information systems in the European Commission, its subsequent versions, its implementing rules (as adapted from time to time) and the corresponding security standards and guidelines, as well as the Commission Decision (EU, Euratom) 2015/443 of 13 March 2015 on the security in the Commission, its implementing rules and the corresponding security notices or on servers managed by the respective EU Union entities. These documents (as adapted from time to time) are available for consultation at the following address: https://ec.europa.eu/info/publications/security-standards- applying-all-european-commission-information-systems_en .

In order to protect your personal data, the Commission has put in place a number of technical and organisational measures in place. Technical measures include appropriate actions to address online security, risk of data loss, alteration of data or unauthorised access, taking into consideration the risk presented by the processing and the nature of the personal data being processed. Organisational measures include restricting access to the personal data solely to authorised persons with a legitimate need to know for the purposes of this processing operation.

Access to data is restricted by several means, such as user’s credentials (username and password), specific IP access lists, Multi-Factor Authentication.

7. Who has access to your personal data and to whom is it disclosed?

Access to your personal data is provided to the Commission staff responsible for carrying out this processing operation and to authorised staff according to the “need to know” principle. Such staff abide by statutory, and when required, additional confidentiality agreements.

To execute its tasks CERT-EU shares personal data with CERT-EU staff, EC Staff, other EUIs Staff, any external providers, CERT-EU trusted partners (limited personal data related to cyberattacks and security incidents and other malicious actions) via confidential portals and secure channels.

The controller will transfer your personal data to the following recipients in a third country or to an international organisation in accordance with Regulation (EU) 2018/1725 and for:

Incident handling: If needed, data related to incidents is shared with trusted partners subject to all the necessary safeguards (contracts, NDAs)

Data sharing with trusted partners in the context of combatting and crime: international organisations based on bilateral agreements.

Data pre-existing in the public domain gathered in the context of combatting cyberattacks and cybercrime [IP addresses related to malicious activity, as Indicators of Compromise (IOCs)]: trusted partners, based on bilateral agreements.

CERT-EU sporadically forwards third party reports that exist in the public domain and are meant for wide dissemination, through the MISP threat sharing platform, to a community that includes third country organisations. Those reports may contain personal data.

Data sharing with trusted partners in the context of combatting and crime are transferred to international organisations:
1. NATO NCIRC (NATO Cybersecurity Incident Response Center): mutual sharing of cyber threat information. The NATO Computer Incident Response Capability (NCIRC) and the Computer Emergency Response Team of the European Union (CERT-EU) signed a legally binding technical arrangement on 10 February 2016. The NCI Agency and CERT-EU have established a robust partnership based on thorough cyber defence information sharing to improve incident prevention, prediction, detection and response.

2. UN OICT (Office of Information and Communications Technology): mutual sharing of cyber threat information


The controller will transfer your personal data based on:

Derrogations for specific situation (Article 50 of Regulation 2018/1725). The transfer is necessary for important reasons of public interest.

Based on Article 249 Treaty of the Functioning of the EU: “ The Commission shall adopt its Rules of Procedure so as to ensure that both it and its departments operate. It shall ensure that these Rules are published ”

In this context, public interest includes the processing operations needed for the management and functioning of the European institutions. This legal ground stems from Articles 3, 7, 14 and 15 Commission Decision 2017/46 on the security of communication and information systems in the European Commission. In addition, articles 36 and 37 of Regulation 2018/1725 apply as well as articles 13.7 of Commission Decision 2015/443. The processing of personal data is necessary for the protection of the EC’s information technology systems and infrastructures and proportionate to the fundamental rights and freedoms of the data subjects. The protection of other EUIs has also been taken into account and is part of the mandate of CERT-EU as described in the Interinstitutional Arrangement 2018/C12/01 between the European Parliament, the European Council, the Council of the European Union, the European Commission, the Court of Justice of the European Union, the European Central Bank, the European Court of Auditors, the European External Action Service, the European Economic and Social Committee, the European Committee of the Regions and the European Investment Bank on the organisation and operation of a computer emergency response team for the Union's institutions, bodies and agencies (CERT-EU), OJ C12/1 of 13.1.2018.

In this context, international cooperation with international organisations such as the UN and NATO are based on bilateral contracts, NDAs and other instruments. The NCI Agency and CERT-EU have established a robust partnership based on thorough cyber defence information sharing to improve incident prevention, prediction, detection and response.

The information we collect will not be given to any other third party, except to the extent and for the purpose we may be required to do so by law.

8. What are your rights and how can you exercise them?

You have specific rights as a ‘data subject’ under Chapter III (Articles 14-25) of Regulation (EU) 2018/1725, in particular the right to access, your personal data and to rectify them in case your personal data are inaccurate or incomplete. Where applicable, you have the right to erase your personal data, to restrict the processing of your personal data, to object to the processing, and the right to data portability.

You have the right to object to the processing of your personal data, which is lawfully carried out pursuant to Article 5(1)(a) on grounds relating to your particular situation.

You can exercise your rights by contacting the Data Controller, or in case of conflict the Data Protection Officer. If necessary, you can also address the European Data Protection Supervisor. Their contact information is given under Heading 9 below.

Where you wish to exercise your rights in the context of one or several specific processing operations, please provide their description (i.e. their Record reference(s) as specified under Heading 10 below) in your request.

9. Contact information

The Data Controller

If you would like to exercise your rights under Regulation (EU) 2018/1725, or if you have comments, questions or concerns, or if you would like to submit a complaint regarding the collection and use of your personal data, please feel free to contact the Data Controller, at services@cert.europa.eu.

The Data Protection Officer (DPO)

CERT-EU is a Taskforce of the European Commission, and the responsible Data Protection Officer is the DPO of the European Commission. You may contact the DPO ( DATA-PROTECTION-OFFICER@ec.europa.eu) with regard to issues related to the processing of your personal data under Regulation (EU) 2018/1725.

The European Data Protection Supervisor (EDPS)

You have the right to have recourse (i.e. you can lodge a complaint) to the European Data Protection Supervisor ( edps@edps.europa.eu) if you consider that your rights under Regulation (EU) 2018/1725 have been infringed, as a result of the processing of your personal data by CERT-EU.

10. Where to find more detailed information?

The Commission Data Protection Officer (DPO) publishes the register of all processing operations on personal data by the Commission, which have been documented and notified to him. You may access the register via the following link: https://ec.europa.eu/dpo-register.

This specific processing operation has been included in the DPO’s public register with the following Record reference: DPR-EC-07167.2

We got cookies

We only use cookies that are necessary for the technical functioning of our website. Find out more on here.