Privacy Statement for SURF's network and network services

This privacy statement explains how SURF deals with your personal details in connection with the use of the Internet network of SURF (the SURFinternet service) and the associated network services SURFcert and DNS-resolving (part of SURFdomains).

About this Privacy Statement

SURF attaches importance to the privacy of its institutions and the end users of the network. We therefore handle your personal data with care and comply with all applicable national and European legislation and regulations. How we do this is explained in this privacy statement.

This privacy statement relates to the following SURF services:

  •     SURFinternet (fixed network SURF
  •     SURFcert
  •     DNS-resolving (part of SURFdomains)

We have divided the privacy statement into various chapters. We have also placed the most important information directly in view.

Please note: DNS resolving is an additional service. The processing operations described in this statement that relate to DNS resolving only take place when this service is used.

Who are we?

We are SURF B.V. (SURF), located at Moreelsepark 48, 3511 EP Utrecht. You can reach us at +31 88 787 30 00.  SURF is the IT collaboration organisation for education and research in the Netherlands.

Within the SURF cooperation, the Dutch universities, universities of applied sciences, university medical centres, research institutions, and institutions for vocational training work together on IT innovation. More about the cooperative.

More about the services SURFinternet, SURFcert and SURFdomains

SURFinternet (SURF network)

SURF's network provides Dutch education and research communities with a fast and reliable Internet connection. With the SURF network, all users of the education and research communities are connected to one another and can collaborate nationally and internationally. More about SURFinternet.


SURFcert provides 24/7 incident response support to institutions connected to the SURFnet network. An institution can report security breaches (incidents) to SURFcert. SURFcert then informs the institution of the progress of the incident and gives advice (if necessary) on resolving the incident. More about SURFcert's services.

DNS resolving

DNS resolving (part of SURF domains) makes it possible for users to reach services and systems on the Internet in a user-friendly manner. The process is described in RFC 1034 and is in general use (worldwide). For example, when a user wants to visit a website, the web browser (normally) enters the name of the website (e.g. The service ensures that this name is translated into the IP address of the website so that the user's system can access the website without the user having to do anything else. More about the DNS resolving service.


For what purposes do we use your data?
  1. For the Internet network, personal data are processed that are necessary to manage and deliver a high-quality, fast and secure network. This processing can be divided into several parts.
  2. Processing of netflow data into aggregated internal overviews. Based on this information, the network is optimised for its users. For example, to establish direct connections with other providers.
  3. Processing netflow data into aggregated external overviews. To provide customers with insight into the use of the service they have purchased.
  4. Processing netflowdata and other personal data. To be able to secure the network and thus protect the connected institutions (proactively and reactively). This roughly consists of two parts:
  5. The provision of netflow data to SURFcert. SURFcert uses the data, for example, to recognise and counteract DDOS attacks and hacking attempts (both targeted and undirected).
  6. Processing of log files of the (network) equipment.
  7. Processing of contact information. First of all, personal data is processed that is necessary to be able to manage and deliver a high-quality and fast network. This concerns data of internal and external contact persons for making contact in case of changes and for solving problems.  
  8. Processing of the activities of administrators. This information provides insight into the change history of the network and is of great importance when resolving problems.

SURFcert processes personal data for the purposes of network and information security in order to secure the SURF network and related services and to protect them against incidental events or unlawful or malicious actions. Personal data is collected and processed to signal events and actions and is used in incident handling.

SURFdomains (DNS-resolving) only needs the IP address of the user's system. The service ensures that the name of a system or service on the Internet is translated into its IP address so that the user's system can reach that system or service. For this the IP address of the user's system must be known, otherwise no communication can take place (sender and addressee must be known during communication).

Basis for processing

Personal data may only be processed if there is a lawful basis for doing so. We process your personal data in the case of the internet network and related network services to serve the legitimate interests of the participating institutions and their end users. These interests consist of being able to offer a fast and safe internet, whereby as little as possible is logged and collected about the end user. Data minimisation is our starting point.

Legitimate interest of SURF and the Institutions in the context of the fixed Internet network: In order to be able to provide a well-functioning and reliable Internet network, it is necessary to process a limited amount of personal data, such as users' net flow data. Without this data, it would not be possible, for example, to establish targeted faster connections with external parties (peering). Management would also be too limited to guarantee the quality expected of the network. In addition, the policy within SURF is that it is not possible to use the network anonymously so that, in the event of abuse, a user can be identified. This is only possible indirectly: SURF is not able to do this, only with the cooperation of the institution.

Importance weighed against the privacy interest of the user: the infringement on the rights and freedoms of those involved is limited as much as possible. A portion (currently only 1%) of the netflow data is processed temporarily. It is not possible to directly deduce the identity of a natural person from this data. It only shows which IP address visited which website. This is not used for monitoring or profiling of the user and the user is not restricted in his use.

What data do we use and how long do we keep them?

As a service provider of the fixed internet network and SURFcert, we process the following data about you:

Log data on the network, so-called netflow data. This data is kept for a maximum of three months.

Logging takes place on the network. The following (personal) data are processed: IP address (source), IP address (destination), IP protocol, Port for UDP, TCP or other (source), Port for UDP, TCP, ICMP or other (destination), IP Type of Service (ToS), the number of bytes, the number of packets.

Creating aggregated reports based on netflow data. These reports do not contain any personal data.

For each institution, aggregated reports are produced on real-time traffic to show how much traffic went over a connection (not available to everyone). There is also where anyone who can log in can see all the real-time traffic of all the institutions. The reports cannot be traced back to individuals.

Incident data

The SURFcert team regularly receives incident reports relating to the security of the Internet network. In some cases, these reports may contain personal data. Incident reports are not kept longer than necessary, with a maximum retention period of 3 years.

As a service provider of DNS resolving, we process the following data of:

IP address of the end user. This data is stored for a maximum of 1 minute.

When a user wants to visit a website, the name of the website is (normally) entered in the web browser (e.g. The service ensures that this name is translated into the IP address of the website, so that the user's system can access the website. For this, the IP address of the user's system must be known, otherwise no communication can take place (sender and recipient must be known during communication). However, this address of the user is only used during the process and afterwards (after max. 1 minute) automatically deleted.

In exceptional cases, specific addresses may be logged if this is necessary to ensure continuity and security of the service.

There are 3 specific situations in which this can happen:

  1. In case of nuisance - if we receive an unusually large amount of traffic on the SURFnet DNS resolvers, and this has a disruptive effect, we check from which IP addresses we receive a disproportionately large amount of traffic and what kind of traffic this is. This is necessary for service continuity, and so that we can inform the institution where the source of the disruption is located and request it to take appropriate measures to remedy the disruption.
  2. For problem analysis - if an institution reports to SURFnet that they are experiencing problems with DNS resolving, it is in some cases necessary to inspect traffic for problem analysis. As much as possible, care is taken to ensure that only traffic from the institution with problems is inspected.
  3. In the case of security incidents - in some cases it is possible to investigate specific security incidents based on traffic to DNS resolvers. At the request of SURFcert, DNS traffic can be inspected for this purpose to see whether certain DNS names are being requested. An example of this is a ransomware infection that can be recognised because a particular DNS name is always being requested.

In all the above situations, actual traffic is only stored if strictly necessary; in most cases, live monitoring of traffic will only take place for a short period of time, without the traffic actually being stored. In the exceptional case that traffic is actually stored, we keep the storage period as short as possible. As a rule, this is between a few hours and a few days, with a maximum of one week.

Collecting aggregated data for research purposes. These data do not contain any personal data.

Who has access to your data?

Only in certain cases do we share your data with third parties. Examples are: (i) to provide support, (ii) in the context of resolving disputes, or (iii) because of a legal obligation incumbent on us.

In addition, we use a number of carefully selected suppliers, also known as processors, who in the context of providing services to us in some cases have access to some of your data. They may not use this data for their own purposes. For example, we not only store data on our own (local) systems, but we also use third parties who perform this service on our behalf. We require all such suppliers to take appropriate security measures with respect to your data and to act in accordance with our instructions.

Your rights as a user

As a user of SURF's Internet network, you have a number of rights that you can exercise in accordance with the applicable legislation and regulations governing the protection of personal data. For example, you can contact us to request (i) access to the personal data we hold on you, (ii) to correct your data, (iii) to have your data removed, (iv) to limit the processing of your data, (v) to transfer your data, and (vi) to object to the processing of your personal data. +

Please note that in certain cases we may ask you for additional information to enable us to identify you.

Right of access

You may ask us whether we are processing personal data relating to you and you may access this data by receiving a copy of it. When granting your access request, we will also provide you with additional information, such as the purpose of the processing, the categories of personal data involved and other information necessary for you to exercise this right effectively.

Right to rectification

You have the right to correct your data if it is incorrect or incomplete. At your request, we will correct inaccurate personal data about you and complete incomplete personal data, taking into account the purposes for which they are processed; this may include the provision of an additional statement.

Right to erasure ("right to be forgotten")

You also have the right to have your personal data deleted, which means the deletion of all your data, both by us and, to the extent possible, by other data controllers with whom we have previously shared your data. Incidentally, deletion of your personal data only takes place in certain cases prescribed by law; these cases are listed in Article 17 of the AVG. This includes cases where your personal data is no longer needed for the purpose for which it was originally collected and cases where it has been processed unlawfully. Due to the way we organise certain services, it may take some time for backups to be deleted.

Right to restriction of processing

You have the right to have the processing of your personal data restricted, which means that the processing of your data will be suspended for a certain period of time. Circumstances that may give rise to the exercise of this right include cases where the accuracy of your personal data is disputed but some time is needed to verify it. This right does not prevent us from continuing to store your personal data. You will be informed before the restriction is lifted.

Right to data portability

The right to data portability means that you have the right to obtain the personal data relating to you, if technically possible, in a structured, accessible and machine-readable form and to transfer it to another controller. Upon request and if technically possible, we will transfer your personal data directly to the other controller.

Right of objection

You have the right to object to the processing of your personal data. This means that you can request us to stop processing your personal data. This only applies if 'legitimate interests' are the legal basis for the processing.

Denying or limiting rights

There may be situations in which we are entitled to deny or limit the rights referred to in this chapter. In all cases we will carefully consider whether there are grounds for doing so and will inform you accordingly.

For example, the right of access may be denied where it is necessary to protect the rights and freedoms of other persons, or your personal data may be deleted where the processing of such data is necessary to comply with legal obligations. The right to data portability cannot be exercised if this personal data has not been provided by you or if the data has not been processed by us on the basis of your consent or in performance of a contract. When assessing the requests, we will also have to take into account the often limited extent of the processing we do (think of the limited retention periods in DNS resolving and the sometimes lack of identifying data). This affects the extent to which we can comply with certain requests. In the context of data minimisation, we will not process any additional personal data, just to be able to comply with a request for inspection, for example.

Exercising your rights

If you wish to exercise any of your rights, please send an e-mail to: In the event of unresolved issues, you also have the right to submit a complaint to the Dutch Data Protection Authority.


SURF may make amendments to this Privacy Statement. We therefore recommend that you consult this Privacy Statement regularly.


We take your privacy seriously. If you have specific questions or comments about your rights, please contact us. Please contact our IT Helpdesk or Privacy Officer. You can best reach us at:

Contact details SURF



Moreelsepark 48

3511 EP Utrecht

+31 88 787 30 00

Contact person for privacy matters

Chinny Bomers