We process personal data
Our work registering and managing domain names involves processing personal data on a daily basis. Naturally, we take good care of the data we handle. The principles we follow are set out in Article 23 of our General Terms and Conditions for .nl Registrants. Alongside our core domain registration activities, we develop internet-related initiatives. And we do research on the .nl zone and the wider internet.
For instance, we analyse the DNS traffic handled by the .nl name servers. That traffic sometimes includes personal data, such as IP addresses and the domain names linked to IP addresses. We also need to process personal data in order to deliver some of our services. That's the case with basic services such as registering and managing domain names. And with the Whois (the tool for looking up the details of a domain name) and our .nl Control service.
Striking a balance between security and privacy
For us, taking good care of personal data is more than a legal requirement; it's what we believe in. We've therefore devised and implemented a privacy review system based on a privacy policy. The system means we can take a structured approach to striking the best possible balance between the security and stability benefits of each initiative, and the privacy implications for .nl users.
Privacy Policy review
Back in 2014, we set up a Privacy Board because we wanted to make sure that our analysis of DNS traffic was done in a responsible, privacy-sensitive way. Since then, we've defined a privacy policy for every new activity or application we've developed, if the use of personal data is involved. Each policy is then reviewed by our internal Privacy Board.
Duties, responsibilities and roles
Whenever a new study or project is planned, our Privacy Board checks that proper precautions are taken to ensure that all information that includes personal data is handled with appropriate care. Privacy Board members flag up any research and project plans that are going to involve privacy-sensitive information. The Board's members therefore act as our Data Protection Officer's eyes and ears. The Privacy Board asks the study or project owner to draw up a privacy policy, which is then submitted to the Board for review. The review involves the Board assessing whether the planned use of privacy-sensitive data is consistent with SIDN's privacy policy and the applicable privacy legislation.
The Board members
The privacy board consists of experts from various departments within SIDN, each with their own expertise.
-
Renate Lombarts
Management assistant
I support Cristian to keep everything running smoothly. Through my role, I enable him and his team to focus on their work.
-
Manouk van Schellen
Customer Support Employee
-
-
Ferry Stelte
Chief Information Security Officer (CISO)
-
mr. Karin Vink CIPPE
Legal Counsel
Karin is also our data protection officer and Chair of the Privacy Board.
Privacy Board rulings
Privacy Policy | Privacy Policy Evaluation | Project description |
|---|---|---|
The SIDN data platform will be a central storage facility where large volumes of unmodified data are collected and stored. The stored data may be processed and used for various analytical purposes. | ||
Privacy Policy Evaluation FIRMBACKBONE Utrecht University-SIDN | Utrecht University (UU) aims to build a data infrastructure populated with information about – preferably all – Dutch enterprises for scientific research purposes. The project is called FIRMBACKBONE. In order to test the infrastructure and enrich the databank, UU needs data. SIDN wishes to contribute to the FIRMBACKBONE initiative, and to that end both parties want to share data and knowledge. | |
DNS4ALL is a prospective public DNS resolver service. The current DNS4ALL project is intended to investigate the best way to set up a public DNS resolver service, and to establish what is required in order to operate and maintain a public DNS resolver. | ||
DDoS-DB is the database and web dashboard for the storage of DDoS fingerprints. It is one of the core components of the DDoS Clearing House, a platform developed in the context of the CONCORDIA project, which enables organisations to share information about incoming DDoS attacks with other organisations. A DDoS fingerprint is a summary of the defining characteristics of a DDoS attack, such as source IP addresses, ports and protocols. | ||
ENTRADA is a platform that enables us to analyse DNS query data collected on the .nl name servers. We use ENTRADA for research aimed at increasing the security and stability of the .nl domain. | ||
DMAP is a multi-protocol internet crawler, which gathers data on the resources (web servers, mail servers, etc) linked to a set of domain names. DMAP also incorporates various classifiers for automatically analysing and classifying the collected data. | ||
A botnet is a network of malware-infected home computer equipment and servers, known as botnet clients, which are often used for DDoS attacks. The purpose of the Sinkhole study is to gather data on the behaviour of botnet clients by registering domain names and setting up a sinkhole. The set-up also enables the identification of resolver bugs that are vulnerable to abuse. | ||
In het BASTION-project worden IoT-honeypots (Internet of Things) gebruikt om data te verzamelen. De data uit de IoT-honeypots bieden een blik op de aanvalspatronen die IoT-devices kunnen krijgen. Het BASTION-project heeft als doel: het onderzoeken, en daarmee op termijn bestrijden, van misbruik van IoT-apparaten met botnets en andere malware. | ||
LEMMINGS is a system for the automatic detection of cancelled .nl domain names to which mail is probably still being sent. With the help of the .nl registrars, we use LEMMINGS to alert the former registrants of cancelled domain names to potential data breaches. Where appropriate, LEMMINGS sends former registrants an e-mail warning of the risks associated with domain name cancellation and highlighting the fact that mail is probably still going to their domain names. | ||
Privacy Policy Evaluation Requesting registrant data via the website | As a .nl registrant, you sometimes need to prove that you really are your domain name's registrant. You need to do that if you want your domain name transferred to another registrar, for example. On our website, you can also ask us to show you the contact details linked to your registration that aren't publicly visible in the Whois on sidn.nl. | |
If a .nl registrant loses track of the .nl domain names registered to them (typically because the registrations are managed by multiple registrars), then, once we have confirmed the registrant's identity, we can generate a list of their domain names using the .nl Domain Name Portfolio Checker. |
Contacting the Privacy Board
Questions about the published privacy policies or their assessment may be mailed to privacyboard@sidn.nl.
Privacy-related publications
We've published 2 articles describing the background to and creation of our Privacy Framework: