This is the privacy notice of Stichting (ISC)² Chapter Nederland / Dutch Chapter of (ISC)². In this document we describe to stakeholders how our Chapter processes personal data.
Our Chapter created this privacy notice to demonstrate our firm commitment to privacy. We respect your privacy and are committed to protecting it through compliance with the policies listed in this document.
Definition of personal data
The term ‘Personal data’ is defined in the GDPR, article 4(1). For convenience we reproduce the text here:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Maintenance and version
This notice is maintained by the Board of our Chapter. The Board may change this notice at any time. If they do, this will be reported on our website https://chapter.isc2.nl/privacystatement where we also always publish the latest version of the notice.
Your continued use of our services and websites after we make changes is deemed to be acceptance of those changes, so please check the policy periodically for updates.
This is version 1.0 of the notice, which was published on May 25th, 2018.
We abide by Dutch law.
This policy describes the type of information we may collect from you or that you may provide to us when you visit our websites.
It describes our practices for collecting, using, maintaining, protecting and disclosing your personal information. By accessing or using our websites you agree to this policy.
This policy applies to information we collect:
- On our websites;
- in email, text, and other electronic messages between you, our websites or our staff;
- from your registration for an event we host through EventBrite or similar organisations;
- offline or through any other means, including on any other website operated by (ISC)² or any third party.
It does not apply to information collected by:
- Any third party (including affiliates) including through any application or content (including advertising) that may link to or be accessible from our websites.
Spirit of our agreement
We care about your privacy. It is the core of what our profession is all about: to improve the well-being of all by ensuring data integrity, confidentiality and availability. Processing of personal data requires special care. Therefore, when there is doubt whether data is personal data or not, we will treat any data you provide to us as if it were personal data. We will keep your data adequately protected and will limit the number of people that have access to your data, the amount of data that we have on you and the time we store that data to the minimum necessary to deliver our services to you. We will never provide any of your data to third parties without your explicit consent. We will promptly and adequately respond to any complaints you may have. If you withdraw consent, we will remove as much of your data as we are allowed by law. If we doubt whether we can adequately protect your data against misuse, we will destroy any information we may have on you to prevent misuse, even if that means we can no longer be of service to you. We will do our best to inform you about which data we have on you and we will ensure that any data that we have is indeed under our guard by your consent. We will be honest and open about what we do with your data.
What personal data we collect
We only collect personal data from you when you use https://registry.chapter.isc2.nl to register yourself (“the registry”).
The registry uses a session cookie for technical reasons, to allow you to complete a multipage form. This requires no consent on your behalf under the GDPR and none will be asked. Also, the registry will store your IP address and limit access to the registry to at most 30 page accesses per day per IP address.
The registry requires you to fill in your last name and email address and, if you have one, your (ISC)² registration number. To prove your identity later on, you need to provide a password (twice). The password will not be stored on our systems, merely a hash of it.
If you did provide an (ISC)² registration number, the registry software will contact the certification verification site of (ISC)² to establish if you are indeed still a member. It will use the last name and the (ISC)² registration number you provided to do so. If you are found to be a member of (ISC)², it will enrich the data you provided with data from the (ISC)² verification site: your first name and the date on which your registration by (ISC)² expires. If you are not found, you will need to provide your first name and place of residence yourself.
Your mail address will be used to send you a verification mail. This mail contains a link to our registry to allow you to verify your mail address. Any records we have of which the mail addresses are not verified will be deleted within 48 hours.
After verification of your mail address, which requires you to type in the password you provided before, you will be asked for explicit consent to become registered. If you provide such consent you are registered and your personal data is stored in our database.
When you visit our generic website chapter.isc2.nl, we also store cookies on your system. They are never used to track your behaviour and serve merely technical purposes; hence permission to store these cookies is not required under EU law (anymore).
What we do with your personal data
We use your personal data to allow us to send information to you (via mail) about our Chapter and about events we organise or help organise. The main reason for us to do so is to allow you to visit our events to maintain or build knowledge. Our mails are often personalized, which requires us to use your personal data.
We also use the data in our registry to periodically verify if you are still a member in good standing. If you are not, we may contact you to offer assistance.
We also use your personal data to match against personal data exported from databases maintained by third parties. An example would be personal data you provide to EventBrite to register for one of our events, which we match against our registry to find out if you are actually a member of our chapter or not. In general we will – at least initially – limit participation in our own events to those that registered in our database. If we find that you registered for one of our events but we cannot find your data in our registry, we will contact you to resolve the matter. Also, this gives us a way to maintain the quality of our data.
Sometimes we work with external event providers who agree to give discounts to our registrees. In such cases we provide the external provider with a database of (one time) unique codes, one for each registered person in our database. Our registrees can use this code to register with the external event provider to get a discount. After the event we may require a list of codes of people that actually visited the event. We then use this data to credit the registree’s CPEs. Note that no personal data is ever exchanged and the codes are randomly generated one-time codes.
How long we keep your personal data
In general we will only keep your personal data for as long as is required to provide the service to you that you requested from us.
We are not allowed to remove your data when that would be against the law, for example if we are required to support police investigations. We will also not remove your data if we are still obliged to perform a service to you which requires your personal data to do so, for example if you registered with us for an event for which you are entitled to a discount and for which we need to provide CPE registration.
Each year, we will inform you about the data we have on you. This will be done by sending you a link to a page on our registry website, which requires you to authenticate yourself and on which you can indicate if you still want your personal data in our databases. If you have not provided explicit consent within one year after being prompted, we will remove your data and we will no longer offer any service to you.
How we ensure the quality of your personal data
Under Dutch law you have the right to have your data corrected if you find any flaws in it. You can also require us to remove your data from our systems, provided that this does not prevent legal action. You have the right to know which personal data we have on you and the right to have us transfer any personal data to other similar service providers in a well-known technical format (e.g. XML or CSV). You can send mail to firstname.lastname@example.org to request that these rights be exercised.
We will use third-party data – mostly that of event organisers and (ISC)² – to improve the quality of our data, for example if you have registered with such third parties with an alternate mail address we will try to correlate the new mail address with our data and register the new data for future usage to allow us to register CPEs on your behalf. This additional data is seen as your personal data too and will also be removed if your personal data is removed.
How we protect your personal data
All our websites only allow encrypted traffic (using SSL technology, i.e. using the HTTPS protocol), which requires a valid X.509 certificate. We use the services of “Let’s Encrypt”.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data during transmission to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorized access.
Our registry and the registry databases run on hosts that run a hardened Open Source operating system and additional monitoring software to detect breaches and hacks. We use Open Source software when possible.
Our registry hosts are maintained by ONE administrator (and only ONE), using encrypted connections and strong authentication. Automatic controls are in place to transfer administration to another person should harm come to the current administrator. After transfer of privileges, again only ONE person has access to the core systems of our Chapter.
Your personal data as stored in the registry database can also be accessed read-only by authenticated members of our board and committees, only on a need-to-know basis and always using strong authentication and encrypted connections. This way of access, for example, is used to allow us to send you personalised mail.
Backups are made and stored on a secure system on a daily basis. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.
Where We Store Your Personal Data
The personal data we collect from you will be transferred to, and stored in, the Netherlands. It will be processed by staff operating within the European Union.
We may use cloud providers / storage providers etc. that are not located in the EU, for example Google Docs. In such cases we will preferably employ providers that adhere to similar or stricter laws than the EU GDPR.
If we are not absolutely sure that your personal data is secure on non-EU servers, we will always encrypt the data using a strong algorithm and sufficiently strong key and only decrypt the data locally, on EU soil and by EU residents.
Our site may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.
Children Under the Age of 16
Our websites are not intended for children under 16 years of age. No one under age 16 may provide any personal data to or on the Website. We do not knowingly collect personal information from children under 16. If you are under 16, do not use or provide any information on this Website or on or through any of its features/register on the Website. If we learn we have collected or received personal information from a child under 16 without verification of parental consent, we will delete that information. If you believe we might have any information from or about a child under 16, please contact us via email at registry.chapter.isc2.
External links on our websites