Privacy statement

In this privacy and cookie statement, we explain why Z-CERT collects and uses personal data, which personal data this involves, and what rights you have if we process your personal data.

Last updated: 29 November 2023 

Who are we?

Z-CERT is the cybersecurity expertise centre for the healthcare sector. Z-CERT is an 'other computer crisis team' within the meaning of Article 3(2)(c) of the Network and Information Systems Security Act (Wbni) and was designated in 2020 as the sectoral CERT (Computer Emergency Response Team) for healthcare in the Netherlands. In its role as a computer crisis team, it performs supporting activities prior to and during security incidents based on, among other things, its task in the public interest (Article 6(1)(e) of the GDPR). This is a task stemming from the Wbni. Z-CERT works closely with the National Cyber Security Centre (NCSC) and other (sectoral) CERTs.

Besides cybersecurity, Z-CERT attaches great importance to privacy. We therefore handle your personal data carefully and ensure that the processing complies with applicable laws and regulations, including the General Data Protection Regulation (GDPR) and the Implementation Act General Data Protection Regulation (UAVG).

Z-CERT adheres to the following principles:

  • Z-CERT processes personal data for specific, explicitly defined and justified purposes;
  • Z-CERT processes personal data based on legal grounds as referred to in Article 6 of the GDPR;
  • Z-CERT does not process more personal data than necessary;
  • Processing takes place in a manner where the impact on privacy remains as small as possible;
  • Z-CERT ensures that personal data is accurate and updated where necessary;
  • Personal data is not stored longer than necessary;
  • Z-CERT implements data security within its own organisation, including personal data, in accordance with the ISO 27001 standard. 

Grounds for processing personal data

Z-CERT has a task in the public interest regarding the prevention, handling and coordination of security incidents within the healthcare sector affiliated with it. This task in the public interest stems from the Wbni.

Z-CERT allows healthcare institutions to join its services based on an agreement. These healthcare institutions thus become participants of Z-CERT.

Certain services, including the monitoring of IP addresses and domain names, require the processing of (technical) information regarding the IT infrastructure of a participant. Z-CERT takes into account the fact that an IP address can be indirectly traced back to an individual. Additionally, information about digital threats is shared with participants through various communication channels that participants can use.

In addition to its relationship with the healthcare sector, Z-CERT also has an employment relationship with its own staff and a client relationship with external contractors. This is based on a (temporary) employment contract, a contract for services, a secondment agreement or a detachment agreement.

Z-CERT also processes personal data based on consent and provides the opportunity to withdraw this consent if desired. The given consent remains valid until the moment of withdrawal. For this ground, one can think of participating in a Z-CERT event where photos are taken. Z-CERT asks the attending persons in advance whether they may be photographed. 

Purposes of data processing

Z-CERT may as a sectoral CERT share information about threats, incidents and vulnerabilities with its participants.

Per purpose, we indicate below which data we process from you, for what purpose we process these data and how long this information is stored.

Handling and coordination of incidents by Z-CERT

Z-CERT supports its participants especially during the handling of (possible) cybersecurity incidents and to prevent electronic (information) systems within the healthcare sector from failing or being compromised. Additionally, through the various communication channels, we ensure that participants are informed early about possible digital threats.

The tasks of Z-CERT include in particular:

  • Responding to and advising on mitigating security incidents in the healthcare sector;
  • Monitoring (international) incidents and informing and warning healthcare institutions about (possible) incidents;
  • Collaborating with other organisations at both national and international level, including other sectoral CERTs, industry organisations in healthcare and the Dutch government;
  • Maintaining collaboration-oriented contacts within the healthcare sector. Besides our supporting role before and during cybersecurity incidents, we regularly organise webinars and events to inform our participants and increase the cyber resilience of the entire healthcare sector.

Contact information is processed in the context of these tasks. Technical incident information may also be shared with and by Z-CERT, and this information may contain personal data (for example an IP address or a compromised business email address). Z-CERT maintains contact with healthcare institutions and processes personal data in order to perform the above tasks. Being able to inform participants early requires the most current and correct contact information of a participant. This mainly concerns:

  • First and last name contact person;
  • Job title contact person;
  • (Business) email address;
  • (Business) telephone number.

At present, Z-CERT has no specific ground for processing special categories of personal data during the handling and coordination of incidents.

Therefore, Z-CERT considers itself a 'third party' within the meaning of the GDPR should it receive (and thereby process) this type of personal data in carrying out the aforementioned tasks around handling incidents. 

Retention period

Z-CERT does not store contact details of participants longer than necessary unless there is a statutory obligation to keep personal data for a longer period.

Monitoring IP addresses and domain names

Z-CERT checks whether IP addresses and domain names of participants are on so-called blocklists. Additionally, Z-CERT regularly receives lists of vulnerable systems from healthcare institutions. If there are any peculiarities, we contact the participant and provide advice on action. For this purpose, we mainly process:

  • IP addresses and domain names
  • (Business) email address
  • (Business) telephone number 

Retention period

Z-CERT does not store this technical information and contact details of participants longer than necessary unless there is a statutory obligation to keep personal data for a longer period.

Webinars, events and projects Z-CERT

To inform participants of Z-CERT about developments in the field of cybersecurity and information security, Z-CERT regularly organises webinars and (online) events. For this, we mainly process:

  • Name contact person participant (or other party involved in a webinar or event);
  • (Business) email address;
  • (Business) telephone number.

We use this personal data to send invitations, to inform you about the content of, for example, a webinar, and to inform you about events to which Z-CERT contributes.

In addition, Z-CERT regularly organises projects based on the information needs that exist among participants in the field of information security and cybersecurity. Through a project, such an information need can be translated into a new product or service within Z-CERT, by which Z-CERT contributes to cyber resilience within the healthcare sector. For this, we mainly process:

  • Name contact person participant (or other party participating in the project within Z-CERT);
  • (Business) email address;
  • (Business) telephone number.

We use the personal data to maintain contact with you during the project and to exchange information in the context of the project between project members. 

Retention period

Data is not stored longer than necessary but in any case during the duration of a project. For webinars, we generally store contact details as long as needed to communicate about the content of the webinar with the persons participating in it. 

Recruitment and selection

Have you responded to one of our job vacancies or sent an open application? Then we process your personal data to be able to process your application.

For this, we process the following personal data:

  • NAW details of the applicant (name, address, place of residence);
  • (Business) email address;
  • (Business) telephone number;
  • Curriculum Vitae;
  • Cover letter;
  • Provided references (Name, email address, telephone number provided reference);
  • Any other information you submit with your application.
  • A Certificate of Conduct (VOG), the submission of which forms part of the recruitment procedure within Z-CERT once you start working at Z-CERT.

Retention period recruitment procedure

Should you not start working at Z-CERT after the end of the recruitment procedure, we do not store the application data longer than two weeks after ending this procedure.

When we cannot offer you a position at this time, we can – with your consent – store your application data for up to one year after ending the recruitment procedure. We can then still approach you for a suitable position within Z-CERT. You can withdraw your consent at any time by sending us an email to [email protected].

Retention period personal data after starting work at Z-CERT

If you start working with us, we store your application data in the dedicated and shielded personnel file. We store these data during the employment relationship. After termination of the employment relationship, Z-CERT may be legally obliged to keep certain information and personal data for a longer period, for example due to the fiscal retention period of 7 years. This period runs from the moment the employment relationship ended.

Salary administration and invoicing

Do you start working at Z-CERT or accept a commission from us? Then Z-CERT processes information from you that is needed for, among other things, salary payments and invoicing (if you are hired externally by Z-CERT), mainly concerning the following personal data:

  • Name, address and place of residence (internal or external) employee;
  • Citizen Service Number (BSN) (internal employee);
  • Date of birth;
  • Nationality;
  • Type of ID document, document number and validity period;
  • IBAN number (internal or external) employee;
  • (Business) email address;
  • (Business) telephone number;
  • Company name external employee;
  • Invoice number and bank details external employee. 

Absence and reintegration

There are specific statutory obligations on the basis of which Z-CERT must process personal data in situations of absence or reintegration of employees within Z-CERT. Examples are compliance with the Working Conditions Act and care legislation (for example the Improvement Gatekeeper Act) in the context of reintegration. This legislation contains specific retention periods on the basis of which Z-CERT must keep information and personal data. These specific retention periods are included in Z-CERT's processing register. In these situations, Z-CERT mainly processes:

  • Name employee;
  • (Business) email address;
  • (Business) telephone number;
  • Telephone number and (nursing) address;
  • Whether the sick leave relates to an occupational or traffic accident;
  • The probable duration of the absence.

Z-CERT does not process special categories of personal data or information regarding the employee's health in this. However, there is contact with our occupational health service and our absence insurer.

Retention periods

Regarding salary administration, Z-CERT stores the information needed during the duration of the employment contract or contract for services. A longer retention period applies to personal data that Z-CERT must store following fiscal retention periods.

Z-CERT stores the necessary information during the period of sick leave but not longer than necessary. Additionally, personal data is stored according to the statutory retention periods determined for that purpose. For example, absence data may be stored for a maximum of 2 years after the end of an employment contract. 

How we secure personal data

Z-CERT takes the protection of your personal data seriously and takes appropriate measures to prevent misuse, loss, unauthorised access, unwanted disclosure and unauthorised modification of this data. Z-CERT regularly carries out internal and external security audits and is certified according to the ISO 27001 standard. 

In addition, (internal and external) employees of Z-CERT are bound by confidentiality and sign a confidentiality agreement for this purpose. 

If you discover a vulnerability regarding the systems or website of Z-CERT, you can use the dedicated Coordinated Vulnerability Disclosure (CVD) process as described on our website. The procedure can be found via the link. 

Recipients

Z-CERT normally does not share personal data without your consent unless sharing personal data is necessary in the context of our services or there is a statutory obligation incumbent on Z-CERT. Sometimes, for example, personal data must be shared with our occupational health service, government authorities or other parties (IT suppliers).

Rights

As a data subject, you have several rights under the GDPR, such as:

  • The right of access to your personal data;
  • The right of rectification, correction of your personal data;
  • The right to restriction of processing of your personal data;
  • The right to erasure, the right to have your personal data deleted;
  • The right to object;
  • The right to data portability.

To exercise these rights, you can contact the Privacy Officer of Z-CERT.

Within one month, you can expect a response to your request. Should it concern a complex request, this period can be extended by a maximum of two months.

A request can be submitted via the email address: [email protected] or you send a letter by post to the postal address below. If necessary, we can request further information from you by phone to establish your identity. If after asking additional questions there is still doubt regarding your identity, we can ask you to provide a shielded copy of your identity card. After identification, this copy will of course be immediately deleted. 

Cookies

On this website, we only place functional cookies and anonymous statistical cookies. With these, we measure which pages are viewed and how often, so we can improve our site and distinguish between humans and bots. No personal data is collected and no tracking cookies are used. 

Contact regarding this privacy and cookie statement

Do you have a question or complaint about the processing of your personal data by Z-CERT? Then you can contact the Privacy Officer within Z-CERT via the email address: [email protected].

Or direct your question or complaint by post to:

Stichting Z-CERT
Attn: Privacy Officer
Stationsplein 121
3818 LE Amersfoort

If you disagree with the way Z-CERT has handled your complaint, you can file a complaint with the Autoriteit Persoonsgegevens (Dutch Data Protection Authority). 

Changes in the privacy statement

Z-CERT reserves the right to make changes to this privacy statement. It is advisable to consult this privacy statement regularly, so you are aware of these changes.

Z-CERT expects to review this privacy statement again in the context of the national implementation of the NIS2 legislation.