Privacy is a very important issue to the National Cyber Security Centre (NCSC). As such, we treat your personal data very carefully and ensure that our data processing is in compliance with current laws and regulations.
In accordance with the Implementation Act of the General Data Protection Regulation (GDPR), the NCSC adheres to the following basic principles:
- the NCSC processes personal data for specific, expressly described and justified purposes;
- the NCSC does not process more personal data than necessary;
- the processing is conducted in such a way that invasion of privacy is minimised as much as possible;
- personal data is not retained any longer than is necessary.
The NCSC is part of the Ministry of Justice and Security. This privacy statement describes how the ministry handles personal data. The explanatory information below contains specific details about the processing of personal data at the NCSC. This explanatory information goes into effect on 1 July 2019.
Basis for personal data processing
The NCSC processes personal data as part of performing its statutory tasks. The basis for this processing is Article 6(1)(e) of the GDPR, i.e. a task carried out in the public interest. This task has been elaborated upon in Section 3 of the Network and Information Systems Security Act (Wbni).
Under the Wbni, the NCSC is charged with the task of informing and advising organisations within the central government and vital private service providers about threats and incidents related to their information systems. The NCSC assists these parties in taking measures in response to such incidents. The NCSC conducts analyses and technical research to this end. The goal is to prevent these parties’ electronic information systems from going offline or losing integrity and to strengthen the digital resilience of Dutch society.
Provision of personal data to third parties
Pursuant to the Wbni, the NCSC shares data with central government organisations and vital private service providers. This data is primarily threat-related and might, for example, contain an IP address of an attacker.
The NCSC can also provide personal data to third parties for the purpose of further strengthening the digital resilience of Dutch society. This provision of data to third parties involves informing or advising them about threats and incidents related to the network and information systems run by central government organisations or vital private service providers.
In order to prevent issues which would have a negative societal impact, the NCSC can also share personal data related to the network and information systems of other organisations in certain cases. The NCSC is only allowed to share data with a limited group of third parties. Such data could include, for example, email addresses that have been compromised due to an IT breach.
Data security and retention periods
Appropriate measures are taken to secure the data that is processed by the NCSC in order to prevent abuse. All of our processes have been designed to ensure that the NCSC is able to meet the aforementioned conditions. Employees of the NCSC are also bound by the duty of confidentiality contained in Section 272 of the Dutch Criminal Code and Section 2:5 of the General Administrative Law Act (Awb).
The NCSC retains personal data for as long as is necessary for the purpose for which it was collected, or as required in accordance with the public records act, and no longer than is legally permitted.
You have a number of rights, including the right of inspection and the right of correction. To exercise these rights, please contact the NCSC’s privacy officer. You will receive a response to your request within one month at the latest (with a possible extension of up to three months).
Contact regarding privacy statement
For general information or questions about the application of the GDPR, please contact the Data protection officer of the Ministry of Justice and Security at the following email address: firstname.lastname@example.org.
If you do not agree with the way in which the NCSC processes your data or has responded to your request(s), you can submit a complaint to the Dutch Data Protection Authority.
If you have specific questions about the NCSC and exercising your rights, please contact the NCSC’s privacy officer.