Privacy Policy Connect2Trust Foundation

Background

Principle

  1. The effectiveness of the privacy policy stands or falls with knowledge of the policy and the willingness to comply with it. Given the professional background of the participants and the role they play in the field, they can be expected to handle confidential information – including personal data – with care.
  2. Processing personal data is not a core activity of the Connect2Trust Foundation, but to avoid any misunderstanding about what is (not) possible and allowed and to fully comply with legal requirements, this document formalises the privacy policy for the Connect2Trust Foundation. (Prospective) participants are expressly made aware of this privacy policy upon joining and the privacy policy is summarised in a privacy statement for a wide audience.

Rights of data subjects; Connect2Trust Foundation as data controller

Principle

The Connect2Trust Foundation takes responsibility for the careful and secure collection, processing and storage of personal data of participants and other data subjects. When data subjects exercise their legal rights – such as the right to information, inspection, correction or deletion – the Connect2Trust Foundation will facilitate this in accordance with laws and regulations.

Implementation

The ‘data subjects’ can exercise their rights by contacting the chairman and/or secretary of the Connect2Trust Foundation who will then handle the request (or have it handled).

Rights of data subjects; Connect2Trust Foundation as processor

Principle

  1. The Connect2Trust Foundation objectively has the task of informing its participating organisations and, together with them, of looking for opportunities to inform organisations within their chains, regionally and/or (cross-)sectorally, in the field of cyber security. Performing this task requires the registration of personal data, in particular the contact details of representatives of its participants and technical personal data such as email and/or IP addresses. Unless otherwise stated, the term personal data hereinafter includes both contact data and technical data.
  2. For these personal data, the Connect2Trust Foundation takes responsibility for their careful and secure collection, processing and storage. When data subjects exercise their right to information, inspection, correction or deletion with regard to this collection of (personal) data, the Connect2Trust Foundation facilitates this in accordance with laws and regulations. Data subjects are – where relevant – also referred to the privacy statements.
  3. The Connect2Trust Foundation receives data from third parties, including the National Cyber Security Centre (NCSC). In some cases, this data may be traceable to individuals. The Connect2Trust Foundation processes these personal data on the basis of ‘legitimate interest’, as defined in Article 6(1)(f) of the AVG (GDPR). The processing of these personal data, insofar as it is strictly necessary and proportionate for cyber resilience purposes, serves a legitimate interest of the Connect2Trust Foundation, because the Connect2Trust Foundation uses this information to inform its target organisations about (potential) threats, vulnerabilities or incidents.


Implementation

‘Data Subjects’ can exercise their rights by contacting the chairperson and/or secretary of the Connect2Trust Foundation, who will then handle the request (or have it handled).

Overview of processing

Principle

  1. The Connect2Trust Foundation makes the (structural) processing of personal data transparent in a processing register. This primarily concerns the business contact details of participants. Where technical personal data that can in some cases be traced back to individuals is processed structurally, that processing is also included in the processing register.
  2. In any processing of personal data, only strictly necessary personal data will be processed with the shortest possible retention period.
  3. Non-necessary personal data received by the Connect2Trust Foundation from third parties that may be traceable to individual persons not related to its own participants will be deleted within one month of receipt.


Measures

At a minimum, the register will record for each processing operation: the process, the process owner, a description of the personal data, classification, retention period, purpose of the processing, recipients of the information, data exchange with third parties, third countries (where applicable), appropriate safeguards, risks and measures, and whether or not a data protection impact assessment (DPIA) has been carried out.

DPIA

Principle & measures

The Connect2Trust Foundation carries out a Data Protection Impact Assessment (DPIA) on processing operations of personal data for which the Connect2Trust Foundation is responsible, where this is required by law or adds value (risk management).

Privacy-by-Design & Privacy-by-Default

Principle & measures

The Connect2Trust Foundation applies Privacy-by-Design and Privacy-by-Default in the design and deployment of systems that process personal data.

Instructions

Participants who procure, build and/or provide systems are aware of the requirements of the AVG (GDPR) and embed this knowledge and functionality in the relevant systems.

Data protection officer

Principle

Given the very limited scope of its activities around the processing of personal data, the Connect2Trust Foundation does not make use of the option to voluntarily appoint a Data Protection Officer (FG). Given the professional background of the participants, sufficient knowledge is present and – where relevant – activities around personal data protection are coordinated by the chairman and/or secretary of the Connect2Trust Foundation. This includes any contacts with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) or other stakeholders.

Duty to report data breaches

Principle

The Connect2Trust Foundation takes responsibility for handling data breaches appropriately.

Measures

The Connect2Trust Foundation will always register a (suspected) data breach and, where relevant, the chairman, vice-chairman and/or secretary of the Connect2Trust Foundation will report the incident to the Dutch Data Protection Authority and to the person(s) concerned.

Instructions

Third parties and the participants report a (suspected) data breach to the chairman and/or secretary of The Connect2Trust Foundation (contact details are included in the Privacy Statement).

Processor agreements

Principle

  1. The Connect2Trust Foundation only processes personal data of participants if absolutely necessary. There are no processor agreements with suppliers or customers; however, the Connect2Trust Foundation makes clear agreements in the event of possible ad hoc use of personal data with relevant stakeholders/parties.
  2. In the unlikely event of (structural) processing of personal data, we lay down the relevant agreements in a processor agreement. The processor agreement is a legal document and will be concluded at the same legal level and by the same legal entity as the contract.
  3. The Connect2Trust Foundation only shares personal data with third parties if this is absolutely necessary to perform the agreement concluded with you and to comply with any legal obligations. Each third party will be reviewed for a lawful basis for handling this personal data and each participant will be informed with which third party(ies) this data is shared. In other cases, the Connect2Trust Foundation will only provide your personal data to other parties if you have given your express consent. We will only provide this information to third parties from whom we can expect an adequate level of security and confidentiality of your data.


Measures

In the cases mentioned in paragraph 9.1, approval of the board of the Connect2Trust Foundation is always required. If necessary, the board will seek (legal) advice from specialists.

Legal basis

Principle

  1. The Connect2Trust Foundation informs participants and other relations what (their) personal data will be requested and used for. By signing the acceptance form – signed by each participant individually – in the membership guidelines, permission is granted to the Connect2Trust Foundation to register business contact data. Explicit permission is also thereby given to Connect2Trust for the temporary registration of IP addresses which is provided to Connect2Trust on a voluntary basis by the participants.
  2. The Connect2Trust Foundation may receive technical personal data (such as email and/or IP addresses) from its participants or external parties such as the NCSC, which in some cases may be traceable to individuals. This always involves ad hoc processing, justified by the interest to be served, namely cyber resilience, by informing data subjects about (potential) threats, vulnerabilities or incidents.

Measures

  1. To ensure that the Connect2Trust Foundation deals correctly with the legal basis for the processing of personal data, the following measures have been taken for the registration of contact details:
    • We record agreements around the legal basis; the processing register shows which basis is used.
    • If consent is withdrawn by a data subject, the process in section 2 or 3 will be initiated.
  2. To ensure that the Connect2Trust Foundation deals correctly with the legal basis for the storage of technical personal data, the following measures have been taken:
    A. The Connect2Trust Foundation will enable its participants to enter and manage their own technical personal data as much as possible. The participant may also delete its own technical personal data during or upon termination of membership;
    B. The Connect2Trust Foundation will only store technical personal data traceable to the information provided by participants of the Connect2Trust Foundation during a participant’s membership term. Such data will be deleted within a maximum of one month after termination of membership if the participant has not already done so itself;
    C. The Connect2Trust Foundation may be asked, but is never obliged, by competent (inter)national authorities to also inform victims on the basis of technical personal data not traceable to information provided by participants of the Connect2Trust Foundation;
    D. In all cases other than those described above under paragraph 2 of Article 10.2 under B and C, the Connect2Trust Foundation will remove technical personal data that is not traceable to information provided by participants of the Connect2Trust Foundation within a set retention period. This period shall be agreed, within legal limits, by the participants jointly with the Connect2Trust Foundation, based on the time the participants need to investigate the possible relevance of the technical personal data received, while observing the shortest possible retention period. The maximum retention period is 18 months from receipt.

Instructions

If participants of the Connect2Trust Foundation are faced with any processing of personal data based solely on the consent of data subjects, approval of the chairperson and/or secretary is always required.

External communication

Principle

The chairman, vice-chairman and/or secretary are responsible for external communication about incidents or undesirable situations involving the protection of personal data by the Connect2Trust Foundation, so that material and immaterial (reputational) damage to the Connect2Trust Foundation and third parties can be minimised or prevented.

Measures

  1. To be prepared for successful (crisis) communication in the event of an incident, the following measures are taken:
    • A spokesperson is appointed, possibly acting on behalf of the chairman, vice-chairman or secretary;
    • If third parties are involved, a single spokesperson is appointed who handles external communication on behalf of all parties.
  2. Immediately before any statement is made on a specific incident, the communication line and core message are determined, and the directly involved participants of the Connect2Trust Foundation are informed. Participants who are approached by third parties to make statements about the incident always refer them to the spokesperson or contact the spokesperson.