What personal data does Tilburg University collect

Privacy Statement SURF SOC/SIEM

This statement contains information on how we handle the processing of personal data in the context of SURF SOC/SIEM.

Tilburg University processes personal data in the context of SURF SOC/SIEM by collecting login data from the ICT infrastructure. We collect this data in order to analyze it for possible attacks and thereby identify suspicious behavior in a timely manner. In this way we manage our information security and monitor security incidents. 

By means of the SIEM solution, personal data from Tilburg University's ICT infrastructure is collected and analyzed via network monitoring and log files. The SIEM functionality is outsourced to SURF and delivered by Fox-IT. Part of the SIEM system is the Splunk database. This is managed by UMBRIO. 

In this privacy statement we will further discuss why we collect data, what data we collect, how long the data is kept and the transfer of this data to third parties.

Privacy statement Tilburg University

This privacy statement explicitly addresses the processing of personal data within SURF SOC/SIEM. The central privacy statement of Tilburg University can be consulted on the webpage Privacy Statement Tilburg University.

The legal basis and purposes of the data processing  

The legal basis for processing personal data in the context of SURF SOC/SIEM is Tilburg University's legitimate interest in securing its networks and information, and thereby protecting individuals' data. The purpose we pursue with the processing of your personal data is twofold:

  1. Demonstrable control of information security through internal controls and monitoring of security incidents. 
  2. Increasing the quality and availability of the necessary expertise by combining knowledge within Tilburg University and in cooperation with SURF, and possibly connecting via SURF SOC to the National Detection Network. 

In addition, the SIEM solution will provide SURFcert with additional options for fulfilling its tasks, thereby strengthening its operations. SURFcert processes personal data to secure networks managed by SURF and used by institutions such as Tilburg University. For example, by accessing incidents and data from institutions, SURFcert can proactively alert other institutions to certain threats. The legal basis for SURFcert's processing of personal data is also legitimate interest.

In processing your personal data, SURFcert pursues a broader purpose than supporting Tilburg University alone: it aims to provide a safe and secure environment for the entire higher education and research sector.

The origin of your personal data

We collect the personal data we process from you through network monitoring and log files. The data is only accessed when an incident occurs that warrants the examination of the logged data. Only the data related to the incident is searched.

In order to detect abuse and to verify whether an administrator account has been hacked, the activity of administrators who have access to Tilburg University's SIEM environment is logged and stored. This includes the commands (keystrokes) entered by the administrators. Again, the log data is only accessed when an incident occurs that warrants examining the logged data. Only the data related to the incident is searched.

The type of data we process

We process personal data of everyone who communicates in any way with Tilburg University. This could include data from students, employees, visitors to our website and participants in scientific research. 

The personal data is forwarded without filtering to the SIEM environment. As a result, we are not able to exclude certain categories of personal data. 

The recipients of your personal data 

The personal data that we process from you is passed on to various parties. Processor agreements have been concluded with all these parties, or the processor has itself concluded a processor agreement with the party concerned. They are:

  • SURF: SURF as processor provides the SIEM functionality to Tilburg University. 
  • SURF as provider of SURFcert: SURFcert supports Tilburg University with high priority notifications and looks into the SIEM for the relevant log files. SURFcert thus gains access to the data used within the SIEM service and to the reports from the system. 
  • Fox-IT: Fox-IT delivers the final SIEM functionality as a sub-processor.
  • UMBRIO: UMBRIO is the sub-processor that manages the Splunk database used for the SIEM system. 

Protection of your personal data 

Personal data is stored and transmitted in encrypted form by all parties. Access to the data can only be obtained via multi-factor authentication. In addition, the number of people who have access to the data is restricted. A record is also kept of who views which data, so that misuse can be detected. There are processes in place, such as the four-eyes principle and periodic checks, to prevent abuse. The storage and processing of personal data (including by third parties) takes place in the European Economic Area (EEA).

The retention periods of your personal data

The personal data stored in the SIEM system is kept for 183 days by default.
Within the network sensors, personal data is kept for 5 days if it is network data, and 183 days if it is metadata. 

SURFcert can use the data as long as it is present in the SIEM system. This is consequently a maximum of 183 days. If the analyses reveal Indicators of Compromise (IoCs)[1], SURFcert is entitled to use and share them for as long as reasonably necessary to perform the SURFcert function. 

After this 183-day period, the personal data will be automatically cleared and removed from the SIEM system. 

[1] An IoC is information that can help identify specific malicious behavior on a system or within a network. In practice, these are often IP addresses or domain names. These IoCs can contain personal data of so-called threat actors. A threat actor is a person or group of people who participate in an action that is intended to cause damage to a device or system.

Your rights with respect to data processing

Tilburg University, as the data controller, is the first point of contact for you as a data subject. As a data subject, you have the rights of access (disclosure), rectification, erasure (the right to be forgotten), restriction of processing, data portability and objection, and the right to file a complaint with a supervisory authority. For more information on these rights and how to invoke them, please see: What rights do I have? | Tilburg University.

Our Data Protection Officer (FG)

A Data Protection Officer has been appointed within Tilburg University to advise on and oversee data processing and legislation. Should you wish to contact the Data Protection Officer, you can reach him via the contact details below. For more information on the Data Protection Officer, please consult Tilburg University's central privacy statement.

Contact details