Privacy policy
PROTECTION OF PERSONAL DATA
This privacy statement provides information about the processing and the protection of personal data as part of CERT-EU’s cybersecurity operations
Data Controller: CERT EU
Record reference: DPR-EC-07167.2
1. Introduction
2. Why and how do we process your personal data?
3. On what legal ground(s) do we process your personal data?
4. Which personal data do we collect and further process?
5. How long do we keep your personal data?
6. How do we protect and safeguard your personal data?
7. Who has access to your personal data and to whom is it disclosed?
8. What are your rights and how can you exercise them?
9. Contact information
10. Where to find more detailed information?
1. Introduction
2. Why and how do we process your personal data?
CERT-EU collects, manages, analyses and shares information with the constituents on threats, vulnerabilities and incidents on unclassified ICT infrastructure. It coordinates responses to incidents at inter-institutional and constituent level, including by providing or coordinating the provision of specialised operational assistance.
Your personal data will not be used for an automated decision-making including profiling.
3. On what legal ground(s) do we process your personal data
2. Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union (NIS2 Directive).
CERT-EU collects and processes data to contribute to the security of the ICT infrastructure of all Union institutions, bodies, offices and agencies by helping to prevent, detect, handle, mitigate, respond and recover from cybersecurity incidents and by acting as their cyber-security information exchange and incident response coordination hub.
CERT-EU does not focus on processing any special categories of data falling under Art. 10(1) or sensitive data falling under Art. 11. However, if this data is involved in a cybersecurity incident handled by CERT-EU, it will be processed manually as part of the incident investigation, including to establish whether a data breach has taken place.
4. Which personal data do we collect and further process?
2. Manual processing generally includes the following categories of data:
3. Any file (with user-id included) stored in, transmitted from / to a host involved in an incident (as victim, relay or perpetrator),
4. Email addresses, phone number, role, name, organisation,
5. Name of the owner of assets involved in an incident, user account name (for email, operating system, applications, centralised authentication services, etc),
6. Technical protocol data (IP address, MAC address) to which an individual may be associated.
Data is processed for specific purposes in particular:
• Personal data processed for Cyber Threat Management (first response, analysts and vulnerability assessment teams)
• Personal data processed for Incident response management including backups
Below you may find the processing activities in details:
online media sources (including name/surnames of authors, journalists etc).
cybersecurity information sharing partnership: different types of information based on the identified cyber risks (metadata, IP addresses etc)
personal data processed via the unified Portal allowing the exchange of information between CERT-EU and the various constituents. : each constituent can only access data related to their own organisation (personal data i.e. identification data, contract details etc, logs, etc)
This process analyses non-personal data. Personal data might mainly be IP addresses: please note that IP addresses are never related with specific individuals and may be related with threat actor groups (suspected malicious cyber activity groups).
Dissemination of reports on cybersecurity to inform the constituents about all possible cybersecurity threats and risks.
The monitoring services (including network traffic) include the review of various constituents' logs for indications of compromise and reviewing alerts generated by the systems: personal data captures might be any personal data coming from the constituents or from external parties (e.g. malicious actors, etc.). These data do not include names/surnames or direct links on specific individuals but rather IP addresses, connection information, files and logs.
Incident investigations: the general rule is that the personal data processed during investigations is not linked to a natural person (data subjects).IP addresses and other data which can be regarded as personal (online identifiers, logs).
Vulnerability assessments: mainly no personal data are processed.
IT operations: mainly processing of log files.
Emails;
CVs;
Results of evaluation tests;
Identity documents;
Cover letters;
Employee personal records;
Assessments and appraisals;
Job descriptions;
Identity documents, etc.
Email addresses (including mailing lists);
Identity documents (events, meetings – Official visits and organisation of events at CERT-EU);
Contracts (Service Level Agreements), quotes, invoices, memoranda of understanding, etc.;
E-passes.
5. How long do we keep your personal data?
2. For cybersecurity information sharing partnerships: 3 years.
3. For personal data processed via the unified Portal allowing the exchange of information between CERT-EU and the various constituents: 2 years.
5. For all other data: up to 10 years and an additional 10 year period for archiving.
8. For applicants placed on the reserve list, data is retained for a maximum of one year, in line with the validity of the reserve list.
9. For successful applicants, data is deleted as of the termination of employment at CERT-EU.
10.After staff leave CERT-EU, any personal data related to their employment is retained for no longer than one year.
12.For physical data processed by CERT-EU, namely e-Passes, a period of maximum two days after the date of the visit, event or meeting. The digital personal data contained in the visitor log and email correspondence are kept for a maximum period of two years in order to allow for reporting to CERTEU’s Steering Board and for traceability purposes.
13.Specific retention periods may be applied by DG HR(HR.DS), for data that are under their control.
6. How do we protect and safeguard your personal data?
In order to protect your personal data, the Commission has put in place a number of technical and organisational measures in place. Technical measures include appropriate actions to address online security, risk of data loss, alteration of data or unauthorised access, taking into consideration the risk presented by the processing and the nature of the personal data being processed. Organisational measures include restricting access to the personal data solely to authorised persons with a legitimate need to know for the purposes of this processing operation.
Access to data is restricted by several means, such as user’s credentials (username and password), specific IP access lists, Multi-Factor Authentication.
7. Who has access to your personal data and to whom is it disclosed?
To execute its tasks CERT-EU shares personal data with CERT-EU staff, EC Staff, other EUIs Staff, any external providers, CERT-EU trusted partners (limited personal data related to cyberattacks and security incidents and other malicious actions) via confidential portals and secure channels.
The controller will transfer your personal data to the following recipients in a third country or to an international organisation in accordance with Regulation (EU) 2018/1725 and for:
Incident handling: If needed, data related to incidents is shared with trusted partners subject to all the necessary safeguards (contracts, NDAs)
Data sharing with trusted partners in the context of combatting and crime: international organisations based on bilateral agreements.
Data pre-existing in the public domain gathered in the context of combatting cyberattacks and cybercrime [IP addresses related to malicious activity, as Indicators of Compromise (IOCs)]: trusted partners, based on bilateral agreements.
CERT-EU sporadically forwards third party reports that exist in the public domain and are meant for wide dissemination, through the MISP threat sharing platform, to a community that includes third country organisations. Those reports may contain personal data.
Data sharing with trusted partners in the context of combatting and crime are transferred to international organisations:
2. UN OICT (Office of Information and Communications Technology): mutual sharing of cyber threat information
The controller will transfer your personal data based on:
Derrogations for specific situation (Article 50 of Regulation 2018/1725). The transfer is necessary for important reasons of public interest.
Based on Article 249 Treaty of the Functioning of the EU: “ The Commission shall adopt its Rules of Procedure so as to ensure that both it and its departments operate. It shall ensure that these Rules are published ”
In this context, public interest includes the processing operations needed for the management and functioning of the European institutions. This legal ground stems from Articles 3, 7, 14 and 15 Commission Decision 2017/46 on the security of communication and information systems in the European Commission. In addition, articles 36 and 37 of Regulation 2018/1725 apply as well as articles 13.7 of Commission Decision 2015/443. The processing of personal data is necessary for the protection of the EC’s information technology systems and infrastructures and proportionate to the fundamental rights and freedoms of the data subjects. The protection of other EUIs has also been taken into account and is part of the mandate of CERT-EU as described in the Interinstitutional Arrangement 2018/C12/01 between the European Parliament, the European Council, the Council of the European Union, the European Commission, the Court of Justice of the European Union, the European Central Bank, the European Court of Auditors, the European External Action Service, the European Economic and Social Committee, the European Committee of the Regions and the European Investment Bank on the organisation and operation of a computer emergency response team for the Union's institutions, bodies and agencies (CERT-EU), OJ C12/1 of 13.1.2018.
In this context, international cooperation with international organisations such as the UN and NATO are based on bilateral contracts, NDAs and other instruments. The NCI Agency and CERT-EU have established a robust partnership based on thorough cyber defence information sharing to improve incident prevention, prediction, detection and response.
The information we collect will not be given to any other third party, except to the extent and for the purpose we may be required to do so by law.
8. What are your rights and how can you exercise them?
You have the right to object to the processing of your personal data, which is lawfully carried out pursuant to Article 5(1)(a) on grounds relating to your particular situation.
You can exercise your rights by contacting the Data Controller, or in case of conflict the Data Protection Officer. If necessary, you can also address the European Data Protection Supervisor. Their contact information is given under Heading 9 below.
Where you wish to exercise your rights in the context of one or several specific processing operations, please provide their description (i.e. their Record reference(s) as specified under Heading 10 below) in your request.
9. Contact information
If you would like to exercise your rights under Regulation (EU) 2018/1725, or if you have comments, questions or concerns, or if you would like to submit a complaint regarding the collection and use of your personal data, please feel free to contact the Data Controller, at services@cert.europa.eu.
The Data Protection Officer (DPO)CERT-EU is a Taskforce of the European Commission, and the responsible Data Protection Officer is the DPO of the European Commission. You may contact the DPO ( DATA-PROTECTION-OFFICER@ec.europa.eu) with regard to issues related to the processing of your personal data under Regulation (EU) 2018/1725.
The European Data Protection Supervisor (EDPS)You have the right to have recourse (i.e. you can lodge a complaint) to the European Data Protection Supervisor ( edps@edps.europa.eu) if you consider that your rights under Regulation (EU) 2018/1725 have been infringed, as a result of the processing of your personal data by CERT-EU.
10. Where to find more detailed information?
This specific processing operation has been included in the DPO’s public register with the following Record reference: DPR-EC-07167.2