Privacy notice

Last update: 20180504 - version 1.0 - This Privacy notice is licensed under a Creative Commons Attribution 4.0 International (CC BY 4.0) license.

About this privacy notice

Your privacy is very important to us and it is our view that we, CIRCL (hereafter referred to as “we”), have an exemplary role in protecting it. Therefore, this Privacy Notice is created to inform you, the user of our website (hereafter referred to as “you”), about our data processing activities and your rights as a data subject.

We collect and process your personal data in accordance with the applicable data protection legislation such as, but not limited to, Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of their personal data and the free movement of such data (“GDPR”) and the national law adopting GDPR.

It may occur that we change or amend our Privacy Notice in order to ensure that its content accurately reflects regulatory developments. Any such modification, if substantial, will be clearly communicated to you, either via the website or via other appropriate means. The latest applicable version will be available on our website.

This privacy notice tends to avoid legal jargon which is less accessible.

Should you have any questions or remarks regarding this Privacy Notice, do not hesitate to contact us.

Processing of personal data

By “personal data” we understand any information that can identify you, both directly and indirectly.

By “processing” we refer to anything we do with such personal data, including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

By “data controller” we understand the person responsible for the processing of your personal data; this is the entity which determines the means and purpose of the processing activities. For our website and all related services, the data controller is:

CIRCL - Computer Incident Response Center Luxembourg
c/o Luxembourg House of Cybersecurity g.i.e.
122, rue Adolphe Fischer
L-1521 Luxembourg
Grand-Duchy of Luxembourg
Tel: (+352) 247 88444
Email: info@circl.lu

What personal data do we collect on our website and to which end?

We collect and process your personal data in order to offer our services and provide you, the user, with a safe and comfortable experience when visiting our website. The following paragraphs provide a detailed indication of the personal data we collect and for which specified purposes.

When you are surfing our website, we collect and process web server logs, including IP addresses, user-agents, URLs, date and time logs. We collect those logs for our legitimate interest as these logs enable the technical and functional management of our website. Furthermore, we analyse the data to ensure optimal security of our website.

When you report an incident via the CIRCL report form, we process the reporter’s contact information and any other details of the reported incident (e.g. phishing email headers). We will use these details, if provided, for further case management and to facilitate our ticket system. In that case, we collect personal data for the public interest, to help our constituency handle security incidents (e.g. help with compromised websites).

When you use the URL abuse service, we process the source IP address of the submitter and the submitted URL.

Your public PGP key, should you choose to upload it, is collected and stored on our OpenPGP key server. We use your public PGP key to promote the use of encryption at large, for example in emails and for the Malware Information Sharing and Threat Intelligence Sharing Platform (MISP).

We confirm that we process your personal data in a fair and lawful manner and only for the explicit and legitimate purposes mentioned above. At all times, we strive to ensure that your personal data is adequate, relevant and not excessive in relation to the purposes for which it is processed.

Does our website use cookies?

No, our website does not use any cookies or analytic components.

How long do we retain your personal data?

Under no circumstances do we keep your personal data for a longer period than strictly necessary to fulfil the purpose for which it was collected.

As the retention period is dependent on the purpose for which the personal data were initially collected, the purpose is the criterion that is used to determine the appropriate retention period.

After expiry of the retention period, we strive to securely erase, destroy or anonymize personal data that is no longer required in relation to the purpose for which it was collected.

Sharing personal data

Your personal data is only processed for internal purposes within CIRCL. We formally confirm that we will not sell, rent or otherwise commercially transfer to or share with a third party the personal data we collect from our website. However, we do share the public PGP key you uploaded in the PGP network, so your public key will be publicly available on our network.

Contact details of the reporter of an incident and all other information related to the incident will not be shared without the reporter’s consent, except if they are required in the scope of a legal investigation. For more information about sharing personal data in the scope of vulnerability disclosure, please refer to CIRCL’s responsible vulnerability disclosure statement and the “Confidentiality” section of CIRCL’s guide to report an incident.

CIRCL actively participates in Open Data initiatives in order to better understand threats and security at large. Information shared as Open Data is pseudo-anonymized, reduced and aggregated in order to limit the risk of a potential information leak. Nevertheless, if any potential leak is discovered, please contact us.

As our web server is hosted and managed in Luxembourg, your personal data is under no circumstances transferred to third countries outside the EU.

Security of your personal data

We strive to keep your personal data secure. To that end, we have adopted the appropriate legal, organizational and technical precautions to prevent any unauthorised access to and use of your personal data. These measures include, but are not limited to, the encryption of all traffic between our website and your browser.

Nevertheless, please note that perfect security is very difficult to reach.

If you have discovered any potential leak, please report it to CIRCL.

As a matter of transparency and consistency, CIRCL publishes information about leaks discovered in TR-46 - Information Leaks Affecting Luxembourg and Recommendations, including any potential leak which could target CIRCL as is.

Your rights as a data subject

At CIRCL we aim to be transparent, not only about how we process personal data about you, but also about your rights that are linked to such processing. Therefore, we want to remind you of the existence of the following rights:

  • Right to request access to the personal data we hold about you;
  • Right to rectification or erasure of such data; and
  • Right to obtain restriction of processing or to object to such processing.

You can exercise these rights by contacting us. In order to avoid unlawful access to your personal data, we will ask you to provide proof of your identity.

If you have any queries about this Privacy Notice or are experiencing any other privacy issue, we strive to deal promptly with any privacy-related complaints. If you have a complaint related to the processing of your personal data by CIRCL, including a data breach, please contact us.

If you have questions regarding the way your request relating to personal data protection has been dealt with, please do not hesitate to contact us.

We are open to working with you on this topic.