Shadowserver Europe

1.0 Introduction

This Privacy Statement provides information on the processing of personal data by ‘Stichting The Shadowserver Foundation Europe’, hereafter ‘Shadowserver’, ‘we’ or ‘us’. Shadowserver is committed to protecting the privacy of individuals who visit our website and make use of our Services.

In this Privacy Statement we describe who we are, how, when and for which purposes we process your personal data, how you can exercise your privacy rights and all other information that may be relevant to you.

All references to data protection related terminology (such as ‘personal data’, ‘processing’, ‘controller’, ‘processor’) are to be read in line with the definitions given under the General Data Protection Regulation (GDPR; 2016/679). Unless specifically defined, other terms used throughout this statement have the same definitions as those given in the Shadowserver Terms of Service, available at https://www.shadowserver.org/wiki/pmwiki.php/Shadowserver/TermsOfService.

This Privacy Statement may be changed over time; we encourage you to consult it regularly for any changes. We will inform you of significant changes to this Privacy Statement. The most up-to-date Privacy Statement is published on https://www.shadowserver.eu. This Privacy Statement applies since the 18th of April 2019. The last modifications to this Privacy Statement were made on 29th March 2019.

2.0 When does this Privacy Statement Apply?

Shadowserver processes personal data for the purposes as indicated in this Privacy Statement. Those personal data and the purposes for processing depend on the relation with and/or service provided by Shadowserver.

Personal data as mentioned in this Privacy Statement means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as for example a name, an identification number, location data or an online identifier.

The information provided in this Privacy Statement is applicable in relation to the use of Shadowserver's website, the Shadowserver IRC channels, the Shadowserver mailing lists and the related applications and services offered by us such as Shadowserver’s free daily network remediation reports (the "Services" as set out under Section 4), in so far as the data processed is personal data. Please note that this Privacy Statement does not address the processing of personal data by Shadowserver outside of those environments.

3.0 Who is Responsible for your Personal Data?

‘Stichting The Shadowserver Foundation Europe’ is the controller of the processing of all personal data that fall within the scope of this Privacy Statement. This Privacy Statement indicates what personal data are processed by Shadowserver, for what purposes, and with which external parties that data may be shared. Shadowserver may share your personal data with external parties only insofar as this is indicated in this Privacy Statement.

4.0 Which Categories of Personal Data May We Process about You?

Based on the type of interaction you have with Shadowserver, certain categories of personal data may be processed. We only collect and process the minimum amount of personal data necessary or appropriate to fulfil the purposes as set out in this Privacy Statement.

The various types of Services with Shadowserver and the categories of personal data which are processed in relation thereto are set out below:

4.1 Through the Shadowserver public website

In order for you to navigate our Shadowserver public website and to be able to offer you our Services, the following categories of personal data are processed:

  • Application/website access logs (IP address)
  • Cookie details (cookies, IP address)

4.2 Through the Shadowserver IRC channels and mailing lists

In order for you to use the Shadowserver IRC channels and mailing lists, the following categories of personal data are processed:

  • Application/website access logs (IP address)
  • Account details (username)
  • Contact details (such as name, organization, telephone number, email address)

4.3 Through the free daily network remediation report signup process

In order for you to use the Shadowserver free daily network remediation reports, the following categories of personal data are processed:

  • Contact details (such as name, organization, telephone number, email address, networks of responsibility)
  • Account details (username)
  • Application/website access logs (IP address)
  • Cookie details (cookies, IP address)

4.4 Through security incident data

Data related to misconfigured, abusable, compromised, infected devices or malware samples identified by Shadowserver in the course of its day to day operations:

  • Technical details needed for incident response (such as (incident response) network logs, IP addresses, domain names, URLs, spam e-mail, etc.)

5.0 How do we collect your personal data?

Shadowserver may collect your personal data:

  • Directly from you when you visit our website; or
  • Directly from you when you sign up via the Shadowserver website for any of our Services, such as the Shadowserver IRC channels or the Shadowserver mailing lists; or
  • When you register for Shadowserver’s free daily network remediation reports - either through the Shadowserver website or directly via a project website, such as through the SISSDEN customer portal.

Shadowserver does not knowingly collect personal data from, or direct any of our content specifically to, children under the age of 13. If you are under 13, you may not use our Services and you may not send us any personal data without parental consent. If we learn or have reason to suspect that you are under the age of 13 and if we have no record of parental consent, we will promptly delete such personal data.

6.0 For which purpose do we process your personal data?

The following sets out when and for which purposes Shadowserver may process your personal data:

6.1 When you make use of Shadowserver Services

a) To register you as a user of our Services, administrate your account and to ensure the confidentiality and security of your account
For you to be able to make use of our Services, your personal data is entered into our systems in order for you to make use of them. We will also administrate your account and ensure that the information on your account is confidential and adequately secured.

For this purpose, we process the following personal data categories about you:

  • Contact details (such as name, organization, telephone number, email address, networks of responsibility)
  • Account details (username)

This purpose has a legal basis under Article 6(1)(b) and (f) GDPR: processing is necessary in order to be able to provide you our Services or based on a legitimate interest pursued by Shadowserver.

Shadowserver has a legitimate interest to process your personal data to make sure your account details remain confidential and secure.

b) To deliver our Services to you and for their technical, functional and operational management
If you make use of our Services, we process personal data to be able to offer you our Services, their functionalities and to allow our administrators to manage our Services.

For this purpose, we process the following personal data categories about you:

  • Contact details (such as name, organization, telephone number, email address, networks of responsibility)
  • Account details (username)
  • Application/website access logs (IP address)
  • Cookie details (cookies, IP address)
  • Technical details needed for incident response (such as (incident response) network logs, IP addresses, domain names, URLs, spam e-mail, etc.)

This purpose has a legal basis under Article 6(1)(a), (b) and (c) GDPR: processing is based on consent or necessary in order to be able to provide you our Services or based on a legitimate interest pursued by Shadowserver.

Shadowserver has a legitimate interest to process your personal data to manage our Services in order for us to be able to provide them.

If you surf to and navigate our website, we may process personal data collected through the use of cookies. We use cookies to make our website more accessible to you and to allow you to navigate more easily. For more information on the use of cookies on our website, please consult our Cookie Statement.

c) For the development and improvement of our Services
We process your personal data in order to assess, analyze and improve our Services. We use aggregated personal data to analyze customer accounts and to adjust our Services accordingly.

For this purpose, we process the following personal data categories about you:

  • Contact details (such as name, organization, telephone number, email address, networks of responsibility)
  • Account details (username)
  • Application/website access logs (IP address)
  • Cookie details (cookies, IP address)
  • Technical details needed for incident response (such as (incident response) network logs, IP addresses, domain names, URLs, spam e-mail, etc.)

This purpose has a legal basis under Article 6(1)(f) GDPR: processing is based on a legitimate interest pursued by Shadowserver.

Shadowserver has a legitimate interest to process aggregated personal data to improve our (customer) Services.

6.3 When you interact with Shadowserver

a) For organizational management
We process your personal data in the day to day performance and management of our organization. We may conduct organizational changes, audits, organizational investigations and implement organizational controls. Also, we may process your personal data for archiving purposes, legal and organizational consulting and in the context of dispute resolution.

For this purpose, we process the following personal data categories about you:

  • Contact details (such as name, organization, telephone number, email address, networks of responsibility)
  • Account details (username)
  • Application/website access logs (IP address)
  • Technical details needed for incident response (such as (incident response) network logs, IP addresses, domain names, URLs, spam e-mail, etc.)

This purpose has a legal basis under Article 6(1)(b) and (f) GDPR: processing is necessary in order to be able to provide you our Services and based on a legitimate interest pursued by Shadowserver.

Shadowserver has a legitimate interest to process your personal data to manage and organize our organization.

b) To communicate with you (online and offline)
If you get in touch with us via our contact details or via our website, we will use your personal data in order to reply and answer your question.

For this purpose, we may process the following personal data categories about you:

  • Contact details (such as name, organization, telephone number, email address, networks of responsibility)
  • Other personal data if communicated by you through your correspondence with us

This purpose has a legal basis under Article 6(1)(f) GDPR: processing is based on a legitimate interest pursued by Shadowserver.

Shadowserver has a legitimate interest to process your personal data to be able to communicate with you.

6.4 To comply with the law

In some cases, we process your personal data to comply with applicable laws and regulations. Also, in order to comply with applicable laws and regulations, we may need to disclose your personal data as a consequence of a request of a regulatory agency or supervisory authority. We will only adhere to such requests if there is a valid legal obligation to do so. Where appropriate, Shadowserver may also work together with national and/or governmental organizations on matters of public interest.

For this purpose, we may process the following personal data categories about you:

  • Contact details (such as name, organization, telephone number, email address, networks of responsibility)
  • Account details (username)
  • Application/website access logs (IP address)
  • Cookie details (cookies, IP address)
  • Technical details needed for incident response (such as (incident response) network logs, IP addresses, domain names, URLs, spam e-mail, etc.)
  • Other personal data if communicated by you through your correspondence with us

This purpose has a legal basis under Article 6(1)(c) GDPR, Article 6(1)(e) GDPR and Article 6(1)(f) GDPR: processing is necessary for the compliance with a legal obligation, for the performance of a task carried out in the public interest or based on a legitimate interest pursued by Shadowserver.

Shadowserver has a legitimate interest to process your personal data for this purpose in order to assist with the carrying out of matters of public interest.

7.0 Who has access to your personal data?

7.1 Access to your personal data within Shadowserver

We ensure that your personal data is shared internally within Shadowserver only to the extent necessary to serve the purposes set out in this Privacy Statement. Our employees are aware of the need to respect your privacy and are authorized only to access personal data when it is necessary for them to carry out their respective functions.

7.2 Access to your personal data by external parties

The following categories of external parties may have access to personal data, only if relevant, for the provisioning of their products or services to us:

With regard to personal data categories listed under 4.1, 4.2 and 4.3 (related to the Shadowserver website, Shadowserver IRC and mailing lists, and the Shadowserver free daily network remediation reports) we may share these categories with:

  • The Shadowserver Foundation (to be able to provide the Services for the purposes as set out in this Privacy Statement)
  • IT partners (to provide technical and operational maintenance)
  • Provider of an analytics tool (to obtain analytics on the use of our website)

With regard to personal data categories listed under 4.4 (related to security incident data) we may share these categories of personal data with:

  • The Shadowserver Foundation (to be able to provide the Services for the purposes as set out in this Privacy Statement)
  • National Computer Security Incident Response Teams (CSIRTs), Law Enforcement Agencies (to allow these government recognized organizations to conduct incident handling and analyses on security breaches within their respective jurisdictions) and verified ISP-providers.

When external parties are given access to your personal data, we have taken the required contractual, technical and organizational measures to ensure that your personal data are only used by those external parties to the extent that such use is necessary for the purposes set out in this Privacy Statement. The external parties may only access your personal data in accordance with contractual agreements and obligations as agreed with Shadowserver and according to applicable law.

Is your personal data transferred internationally?

If your personal data are transferred to an external party in a country outside of the European Economic Area (EEA), we take measures to ensure that your personal data are adequately protected. We do this by entering into EU Standard Contractual Clauses with these external parties or by ensuring that there is an EU adequacy decision in place such as the EU-US Privacy Shield Framework.

In other cases, your personal data will not be supplied to external parties, except where strictly required by law.

7.3 The use of your personal data by data processors

If an external party processes your personal data solely following instructions from Shadowserver, it acts as a data processor. Prior to interacting with such data processors, we enter into a data processing agreement with them for the processing of personal data. In this agreement we include obligations to ensure that your personal data are processed by the data processor solely to provide services to us and that this is done subject to the same level of protection as awarded to you by Shadowserver.

7.4 Change of ownership

Shadowserver is a non-profit foundation. In the event that a change of ownership should occur, we will ensure the same standard of protection and confidentiality of your personal data is guaranteed. The new owner will have to abide by the conditions set out in this Privacy Statement or in our Terms of Service. Shadowserver will notify you of such situations before any transfer of personal data takes place.

8.0 How are your personal data secured?

Shadowserver has taken adequate safeguards to ensure the confidentiality and security of your personal data. We have taken steps to implement technical, physical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, damage, alteration, unauthorized disclosure or access as well as all other forms of unlawful processing (including, but not limited to, unnecessary collection) or further processing.

9.0 How long are your personal data retained?

Shadowserver ensures that it retains personal data only if it is necessary for specific purposes. Your personal data will be deleted or made anonymous when your personal data is no longer necessary for the purposes for which these personal data were collected.

10.0 How can you exercise your privacy rights?

You have the right to request access to an overview or copy of your personal data and, under certain conditions, rectification and/or erasure of personal data. In addition, you may also have the right of restriction of processing concerning your personal data, the right to object to processing as well as the right to data portability.

To invoke your right of access, rectification, and/or erasure of personal data, your right of restriction of processing, and/or your right to object to processing as well as to invoke your right to data portability, please contact us by using the contact details at the bottom of this Privacy Statement. Please keep in mind that we may ask for additional information to verify your identity.

If you have given your consent to a certain purpose, you can withdraw your consent at any time. Please keep in mind that withdrawal does not have retroactive effect. You can contact us by using the contact details at the bottom of this Privacy Statement.

11.0 Can you lodge a complaint?

You can lodge a complaint with your local data protection supervisory authority when you have a complaint about the use of your personal data by Shadowserver, for example if you believe that we do not process your personal data carefully, or if you have sent us a request for access to or rectification of your personal data and you are not satisfied with our reply or we did not reply in a timely manner.

The contact details of the Dutch data protection supervisory authority are:


Autoriteit Persoonsgegevens

Bezuidenhoutseweg 30

2594 AV The Hague

The Netherlands


12.0 How can you contact us?

If you have any questions about the way we process your personal data, please read this Privacy Statement and our Cookie Statement first. For additional questions or complaints, please contact: privacy <<@>> shadowserver.eu