PRIVACY POLICY

This page lists our publicly available documents focussing on policies and visions.

INTRODUCTION

The Dutch Institute for Vulnerability Disclosure Foundation (hereinafter: DIVD), located at Maanweg 174 in The Hague, is responsible for the processing of personal data as set out in this privacy policy.

DIVD works strictly according to its own Code of Conduct https://www.divd.nl/code/ and under the watchful eye of a Board and the Supervisory Board https://www.divd.nl/team/.

WHICH PERSONAL DATA DOES DIVD PROCESS?

DIVD may process personal data obtained during its investigations and through publically available sources. Various personal data may be involved in its investigations. The personal data that DIVD could process are:

• First and last name
• Address
• Telephone
• E-mail address
• IP address
• (hashed) passwords
• Location
• Internet browser and device type
• Bank
• Other (special) data involved in the leak.

DIVD uses the need-to-know principle: for example, access to data processed within DIVD during an investigation is limited on the basis of someone’s role/function within DIVD and/or their involvement in that investigation. DIVD does not download personal data to prove that a leak exists. If it has to demonstrate a vulnerability by downloading data, this will only be done when absolutely necessary to demonstrate the existence of a leak: the invasion of privacy outweighs the importance of demonstrating the leak or warning the victim. This data will be deleted after closing the case and this deletion is monitored by the Case Lead.

DIVD also processes the personal data of its own employees and volunteers. Such records are kept for 5 years after the employment end date. Data from the personnel administration that is relevant for tax purposes, such as expense allowances, is kept for the period prescribed by law (7 years after the employment end date).

FOR WHAT PURPOSE DOES DIVD PROCESS PERSONAL DATA?

DIVD looks for vulnerabilities in systems and seeks contact details when a vulnerability is found. It then sends these contacts a notification containing an action to resolve the vulnerability. DIVD only processes these contact details to carry out victim and target notification, and to provide assistance. DIVD also contacts people who can remedy the vulnerabilities.

The core tasks of DIVD are:

• Performing scans for vulnerabilities on the internet
• Conducting investigations into vulnerabilities, vulnerable systems, data breaches and risk indicators
• Victim and target notification, possibly preventive warning of the victims of computer crime, or those who threaten to become one
• Answering questions or responding to contact requests.

DIVD also processes personal data for the following purposes:

• Forming research files for reporting purposes
• Archiving research results
• Conducting research administration
• Performing analyzes on scan data to discover trends, such as the extent to which vulnerabilities have been resolved after notification.

DOES DIVD USE AUTOMATED DECISION-MAKING?

DIVD does not use automated decision-making.

HOW LONG DOES DIVD STORE PERSONAL DATA?

DIVD does not store personal data longer than is strictly necessary to achieve the purposes for which it was collected. DIVD uses the following retention periods for information:

INFORMATION

• Financial information (for the tax authorities) 7 years
• Results of investigations - maximum 3 years *
• Results of reports - maximum 3 years *
• E-mail communication 10 years *

* This can change on request from a data subject.

DOES DIVD SHARE PERSONAL DATA WITH THIRD PARTIES?

DIVD does not sell personal data to third parties. To carry out victim and target notification, it is necessary to share personal data with third parties. It shares a data set that is as small as possible and only if there is a legitimate interest in doing so. In addition, DIVD provides data to third parties if necessary for the execution of an agreement with the subject or to comply with a legal obligation, and with organizations that process data on behalf of DIVD. Where necessary, DIVD concludes processing agreements to ensure a sufficient level of security and confidentiality of personal data. DIVD remains ultimately responsible for these processing operations.

These are third parties with whom personal data may be shared

• Nederlands Security Meldpunt.
• AAN, the Anti Abuse Network
• NCSC
• CONNECT2TRUST
• SIDN FUND
• PROSEC
• DTACT
• A2B INTERNET
• ESET
• MSP-ISAC
• FIRST GovCERTs
• HaveIbeenPwned
• Shadowserver

For more information about these parties, please refer to the statements on their websites.

VIEW, MODIFY OR DELETE DATA

You have the right to view, correct or delete your personal data held by DIVD. For those cases where DIVD processes data with the permission of the person to whom this data relates, this person has the right to withdraw your consent to the data processing or to object to the processing of his personal data by DIVD and has the right to data portability.

You can send a request for inspection, correction, deletion or data transfer of your personal data or a request for cancellation of your consent or objection to the processing of your personal data to Privacy@DIVD.nl. To ensure that the request for access has been made by you, DIVD may ask you to enclose a (privacy-friendly) copy of your proof of identity with the request. Make your passport photo, MRZ (machine readable zone, the strip with numbers at the bottom of the passport), passport number and citizen service number (BSN) black in this copy. This is to protect your privacy. If your request relates to IP addresses or domain names, you must also sufficiently demonstrate that these IP addresses and/or domain names are indeed your personal data. DIVD will respond to your request within twenty working days. DIVD would also like to point out that you have the option of submitting a complaint to the national supervisory authority, the Dutch Data Protection Authority. This can be done via the following link: https://autoriteitpersoonsgegevens.nl/nl/contact-met-de-autoriteit-persoonsgegevens/tip-ons

Your copy of your proof of identity will be destroyed as soon as your request has been processed. Unless otherwise indicated, the e-mails of the request are kept for a normal period.

PROTECTION OF PERSONAL DATA

DIVD takes the protection of your data seriously and takes appropriate measures to prevent misuse, loss, unauthorized access, unwanted disclosure and unauthorized changes. Through strict control, we ensure that personal data is only accessible to employees who are working on the relevant case. If you suspect that your data is not properly secured or there are indications of misuse, please contact the DIVD privacy officer or the Data Protection Officer (FG) via the contact details below.

CONTACT DETAILS

For questions about the processing of your personal data, please contact the Privacy Officer of the DIVD. The contact details are:

Maanweg 174
2516 AB The Hague
Tel.: (+31) 70 41 90 309
Email address: privacy@divd.nl