Privacy statement fixed network and network services SURF

We are SURF, located at Moreelsepark 48, 3511 EP Utrecht. We can be reached at +31 88 787 30 00. SURF is the IT cooperation organisation for education and research in the Netherlands.

In the SURF cooperative, Dutch universities, universities of applied sciences, university medical centres, research institutions and mbo-institutions work together on IT innovation. More about the cooperative.

SURFinternet (SURF fixed network)

SURF's fixed network provides Dutch education and research with a fast and reliable Internet connection. The SURF network connects all users of the education and research communities, allowing them to collaborate nationally and internationally. More about the services.

SURFcert

SURFcert provides 24/7 incident response support to member institutions of the SURF network. An institution can report security breaches (incidents) to SURFcert. SURFcert then informs the institution about the progress of the incident and (if necessary) advises on how to resolve it. More about SURFcert's services.

DNS-resolving

DNS resolving, part of SURFdomeinen, allows users to reach services and systems on the Internet in a user-friendly way. The process is described in RFC 1034 and in general (worldwide) use. When a user wants to visit a website, they type in the name of the website (e.g. www.surf.nl). SURFdomains, more specifically DNS, ensures that this name is translated into the IP address of the website, so that the user's system can access the website, without the user having to do anything further. Learn more about SURFdomeinen.

For the Internet network, personal data are processed that are necessary to operate and provide a high-quality, fast and secure network. This processing can be split into several components:

1. Processing netflow data into aggregated internal statements. Using this information, the network is optimised for its users. For example, for establishing direct connections with other providers.
2. Processing netflow data into aggregated external overviews. To provide customers with insight into the use of the service they have purchased.
3. Processing of netflow data and other personal data. To be able to secure the network and thereby protect member institutions (proactively and reactively). This roughly consists of two parts:
   • The provision of netflow data to SURFcert. SURFcert uses the data, for example, to recognise and counter DDOS attacks and (targeted and undirected) hacking attempts.
   • Processing log files of the (network) equipment.
4. Processing of contact information. First of all, personal data are processed that are necessary to manage and deliver a high-quality and fast network. This includes data of internal and external contact persons for establishing contacts in case of changes and in case of troubleshooting.
5. Processing of administrators' activities. This information provides insight into the network's change history and is of great importance in troubleshooting.

SURFcert processes personal data for network and information security purposes, to secure and protect the SURF network and related services from incidental events or unlawful or malicious actions. Personal data is collected and processed to signal events and actions and is used in incident handling.

DNS resolving (part of SURF domains) requires the IP address of the user's system. The service ensures that the name of a system or service on the Internet is translated into its IP address so that the user's system can reach that system or service. To do this, the IP address of the user's system must be known, otherwise no communication can take place (sender and addressee must be known during the communication). The processing of this personal data is necessary for the functioning of the service and for detecting and tracking possible attacks and infections.

Basis for processing

Personal data may only be processed if there is a legitimate basis for doing so. We process your personal data in the case of the Internet network and associated network services to represent the legitimate interests of the participating institutions and its end users. These interests consist of being able to offer a fast and secure Internet, logging and collecting as little as possible about the end user. Data minimisation is our starting point.

Justified interest of SURF and the institutions in the context of the fixed Internet network: In order to provide a well-functioning and reliable Internet network, it is necessary to process personal data, such as users' netflow data, to a limited extent. Without this data, it is not possible, for example, to establish targeted faster connections with external parties (Peering). Management would also become too limited to guarantee the quality expected of the network. In addition, it is the policy within SURF that it is not possible to use the network anonymously so that in case of abuse a user can be identified. This is only possible indirectly: SURF is not able to do this, only with the institution's cooperation.

Interest weighed against the user's privacy interest: the infringement on the rights and freedoms of those involved is limited as much as possible. Part (currently only 1%) of the netflow data is processed temporarily. From that data, it is not possible to directly deduce which natural person is involved. It only shows which IP address visited which website (actually which IP address). This is not used for monitoring or profiling the user and the user is not restricted in their use.

Justified interest of SURF and the institutions in the context of SURFcert: Processing personal data is necessary to provide a clean and safe network for the education and research institutions and their end-users. This requires personal data of contact persons at institutions and traffic data on the use of the network in order to resolve incidents.

Justified interest of SURF and the institutions in the context of DNS resolving: The processing of personal data (IP address of the user's system) is necessary for the functioning of the service, which is itself indispensable for the use of the Internet.

As a service provider of the fixed Internet network and SURFcert, we process the following data from you:

Log data on the network, so-called netflow data. Thisdata is stored for a maximum of three months.
Logging takes place on the network. In the process, the following (personal) data are processed: IP address (source), IP address (destination), IP protocol, Port for UDP, TCP or other (source), Port for UDP, TCP, ICMP or other (destination), IP Type of Service (ToS), the number of bytes, the number of packets.

Creating aggregated reports based on netflow data. These reports do not contain any personal data.
Aggregated reports on real-time traffic are produced for each institution, showing how much traffic has passed over a connection (not accessible to everyone). There is also SURF Dashboard where anyone who can log in can see all real-time traffic for all institutions. The reports cannot be traced back to individuals.

Incident data
The SURFcert team regularly receives incident reports relating to Internet network security. These reports may in some cases contain personal data. Incident reports are not kept longer than necessary, with a maximum retention period of 3 years.

As a service provider of DNS resolution, we process the following data from:

End-user IP address and DNS requests. This data is kept for a maximum of three months. 
When a user wants to visit a website, the web browser (normally) enters the name of the website (e.g. www.surf.nl). The service ensures that this name is translated into the IP address of the website so that the user's system can access the website. This data is stored in a privacy-friendly manner via hashing and encryption. To detect security problems, we do not need to know all DNS requests from an individual user; we just need to know which users have requested a specific domain name. Using cryptographic techniques, it is only possible to search this logging based on a domain name, from which then come the IP addresses that specifically searched for that domain name. It is not possible to search based on an IP address and therefore not possible to determine a user's search history. In this way, the privacy of users of this service is safeguarded as much as possible. 

In addition, DNS requests are monitored by comparing them with lists of known (potentially) malicious domain names and IP addresses. If a requested domain name or result appears on such a list, it will be logged, including the user's IP address.

In exceptional cases, specific addresses may be logged if necessary to ensure continuity and security of the service.
There are 3 specific situations where this may happen:

1. In cases of nuisance - if we receive unusually high traffic on the SURF DNS resolvers, and this has a disruptive effect, we look at which IP addresses we receive disproportionately high traffic from and what kind of traffic this is. This is necessary for service continuity, and so that we can inform the institution where the source of the nuisance is located and request it to take appropriate measures to remedy the nuisance.
2. For problem analysis - if an institution reports to SURF that they are experiencing problems with DNS resolving, it is in some cases necessary to inspect traffic for problem analysis. As much as possible, this involves ensuring that only traffic from the institution with problems is inspected.
3. For security incidents - in some cases it is possible to investigate specific security incidents based on traffic to DNS resolvers. At SURFcert's request, DNS traffic can be inspected for this purpose, to see if certain DNS names are being requested. For example, consider a ransomware infection that can be recognised because a certain DNS name is always requested.

In all the above situations, actual traffic is only stored if strictly necessary; in most cases, traffic will only be monitored live for a short period of time, without the traffic actually being stored. In the exceptional case that traffic is actually stored, we keep the storage period as short as possible. As a rule, this involves a few hours to a few days, with a maximum of one week.

Collecting aggregated that for research purposes. This data does not contain any personal data.

Only in certain cases do we share your data with third parties. Examples are: (i) for the provision of support, (ii) in the context of dispute resolution, or (iii) due to a legal obligation incumbent upon us.

We also use a number of carefully selected suppliers, also called processors, who in the context of providing services to us may in some cases have access to some of your data. They may not use this data for their own purposes. For example, we store data not only on our own (local) systems, but also use third parties who perform this service on our behalf. We require all these suppliers to take appropriate security measures with regard to your data and to act in accordance with our instructions.

As a user of the SURF Internet Network, you have a number of rights which you can exercise under applicable laws and regulations governing the protection of personal data. For example, you can contact us to request (i) access to personal data we hold about you, (ii) correction of your data, (iii) deletion of your data, (iv) restriction of the processing of your data, (v) transfer of your data, and (vi) objection to the processing of your personal data. +

Note: We may in certain cases ask you for additional information so that we can establish your identity.

Right to access

You may ask us whether we process personal data about you and you may access this data by receiving a copy of it. When granting your access request, we will also provide you with additional information, such as the purpose of the processing, the categories of personal data concerned and other information you need to substantially exercise this right.

Right to rectification

You have the right to correct your data if it is inaccurate or incomplete. At your request, we will correct inaccurate personal data about you and complete incomplete personal data, taking into account the purposes for which they are processed; this may also include the issue of an additional statement.

Right to erasure ("right to oblivion")

You further have the right to have your personal data deleted, which entails the deletion of all your data, both by us and, to the extent possible, by other controllers with whom your data has previously been shared by us. Incidentally, deletion of your personal data takes place only in certain cases prescribed by law; these cases are listed in Art. 17 of the GDPR. These include cases where your personal data are no longer needed for the purpose for which they were originally collected and cases where they have been unlawfully processed. Due to the way we set up certain services, it may take some time for backups to be deleted.

Right to restrict processing

You have the right to have the processing of your personal data restricted, which means suspending the processing of your data for a certain period of time. Circumstances that may give rise to the exercise of this right include, for example, cases where the accuracy of your personal data is disputed but some time is required to verify it. This right does not prevent us from continuing to store your personal data. Before the restriction is lifted, you will be informed accordingly.

Right to data portability

The right to data portability means that you have the right to obtain the personal data relating to you, if technically possible, in a structured, common and machine-readable form and to transfer it to another controller. Upon request and if technically possible, we will transfer your personal data directly to the other controller.

Right of objection

You have the right to object to the processing of your personal data. This means that you can request us to stop processing your personal data. This only applies if 'legitimate interests' is the legal basis for the processing.

Denying or limiting rights

There may be situations in which we are entitled to deny or limit the rights referred to in this chapter. In all cases, we carefully consider whether there is reason to do so and inform you accordingly.

For example, the right to access may be denied where this is necessary to protect the rights and freedoms of other persons, or your personal data may be refused erasure if the processing of this data is necessary to comply with legal obligations. The right to data portability cannot be exercised if these personal data have not been provided by you or if the data have not been processed by us on the basis of your consent or in performance of a contract. When assessing requests, we will also have to take into account the often limited degree of processing we do (think of the limited retention periods in DNS resolving and the sometimes lack of identifying data). This affects to what extent we can fulfil certain requests. We will not process additional personal data in the context of data minimisation, just to satisfy a request for inspection, for example.

Exercising your rights

If you wish to exercise any of your rights, please send an email to: communicatie@surf.nl. In case of unresolved issues, you also have the right to file a complaint with the Personal Data Authority.

SURF may make changes to this privacy statement. We therefore advise you to consult this privacy statement regularly.

We take your privacy seriously. If you have specific questions or comments about your rights, please contact us. Please contact our IT helpdesk or privacy contact person. The best way to reach us is via:

SURF contact details

General

SURF

Moreelsepark 48

3511 EP Utrecht

communicatie@surf.nl

+31 88 787 30 00

Contact person for privacy matters

Chinny Bomers

chinny.bomers@surf.nl