Global DDoS Threat Alliance Privacy Notice
Last updated: 22 February 2023
Who we are
Nokia is a global group of companies that is made up of many legal entities. This privacy notice applies to all legal entities within the Nokia group of companies that process your personal data as part of Nokia Global DDoS Threat Alliance ("GDTA"). These Nokia entities act as controllers of your personal data, and are listed in the table below. These entities are referred to as "Nokia," "our," "us," and "we" in this privacy notice.
| Nokia Company | Location |
|---|---|
| Nokia of America Corporation | Delaware, USA |
| Nokia International Belgium BV | Antwerp, Belgium |
| Nokia Solutions and Networks Hellas Single Member S.A. | Athens, Greece |
We care about your privacy
Nokia respects your privacy, and we are committed to protecting it. This privacy notice describes how we collect and process your personal data as part of Nokia GDTA. Further information on the GDTA can be found here.
This privacy notice does not apply to personal data that is collected or processed by us as part of any Nokia services other than the GDTA.
When we act as a controller
GDTA is a solution offered by Nokia to organizations that operate networks ("Service Providers"). These networks allow the Service Providers to provide services to their customers and subscribers (like you). These Service Providers may include, for example, communications service providers (companies that provide mobile phone or broadband services), online gaming platforms, or streaming and on-demand programming platforms. Due to the nature of the internet and modern networks, the networks operated by these Service Providers are constantly exposed to security threats, such as distributed denial of service attacks ("DDoS"). Being able to detect and protect against these security threats is essential to the effective operation of the Service Providers' networks and, ultimately, to their ability to provide you with an uninterrupted and seamless service.
Many Service Providers use information obtained through GDTA to assist them with monitoring their networks for these security threats and protecting against them. In order to do this, we need to analyze your personal data (that is contained within the network traffic data that your Service Provider shares with us) against the information held in our proprietary Deepfield Secure Genome feed. Deepfield Secure Genome is a cloud-based data feed that continuously scans and tracks billions of IP addresses, applications and services on the internet. This allows it to create a "security map" of the internet that can subsequently be used for real-time network traffic analysis and DDoS detection and prevention as part of the functionality offered via the Nokia Deepfield product portfolio. Further information on the Deepfield Secure Genome can be found here.
When we process your personal data as part of the GDTA, we act as a controller in the following circumstances:
- Where Deepfield Secure Genome scans the internet in order to collect personal data about you (e.g., your IP addresses, whether the IP address is on a denylist or blocklist, etc.); and
- Where Nokia incorporates and retains your personal data (provided to us by your Service Provider) in the Deepfield Secure Genome feed. This allows us to enhance the information available in the feed to ensure that it is as accurate and up-to-date as possible, so that it can provide greater analysis and threat detection benefits for Service Providers.
This privacy notice applies where we process your personal data as a controller, as explained above.
When we act as a processor
As part of the benefits provided to your Service Provider when they participate in GDTA, Nokia "matches" your personal data (that your Service Provider has shared with us) against the information held in Deepfield Secure Genome, as described above. This allows us to analyze your personal data against the information held in Deepfield Secure Genome so that we can provide aggregated and anonymized information and statistics about network traffic and security threats to your Service Provider. When we match your personal data in this way and subsequently aggregate and anonymize it for reporting purposes, we act as a processor on behalf of your Service Provider. Your Service Provider acts as the controller of your personal data for this processing. Please refer to your Service Provider's privacy notice for further information on this processing and the rights that you may have in relation to it.
What personal data do we collect?
Personal data is information that can identify you either on its own or after it is combined with other information we have access to. We may collect and process the following types of personal data about you:
- Network traffic data: your IP addresses, and whether the IP address is a suspected source of DDoS attacks;
- Location data: we may, in certain circumstances, be able to derive your approximate location by combining your IP address with third-party GeoIP location data (although we do not typically collect or process such location data); and
- Deepfield Secure Genome: we may match your personal data with personal data already held in our Deepfield Secure Genome (e.g., IP addresses; whether an IP address is on a denylist of known malicious IP addresses or a commercial or community-shared blocklist of malicious IP addresses; whether an IP address is on an allowlist of known and trusted IP addresses).
We do not collect any special categories of personal data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). Nor do we collect any information about criminal convictions and offenses. If you believe that such information may have been collected by (or provided to) us, please inform us as soon as possible.
We and our services collect and use personal data in a variety of ways, including:
Information that is shared with us by your Service Provider
When we provide GDTA-based information services to your Service Provider (as described above), we will receive personal data about you from the Service Provider. This will primarily be contained within the network traffic data your Service Provider shares with us in order to receive benefits enabled by participation in GDTA.
Information that we derive from personal data provided by your Service Provider
We may derive certain information about you from the personal data that your Service Provider has shared with us. For example, we may be able to derive your approximate location by combining your IP address with third-party GeoIP location data (although we do not typically collect or process such location data).
When and how do we use and share your personal data?
Providing your Service Provider with GDTA services
We use your personal data to provide your Service Provider with GDTA-based information services (e.g., for network traffic analysis and DDoS prevention services). This involves collecting your personal data from the internet as part of Nokia Deepfield Secure Genome, as described above.
Developing and managing products and services
We use your personal data to develop and manage our products and services, including GDTA and Deepfield Secure Genome. This includes incorporating and retaining the personal data that your Service Provider shares with us in our Deepfield Secure Genome feed in order to improve it, as described above.
Aggregating and/or making your personal data anonymous
We may aggregate and/or anonymize personal data so that it no longer relates to an identified or identifiable person. We do so to generate other data that we may use and disclose for any purpose, as it no longer is personal data.
We will only use personal data for the purposes for which we collected it unless we reasonably consider that we need to use it for another reason, and that reason is compatible with the original purpose.
Legal basis for processing
We engage in the activities described above based on the following:
- our legitimate interests (including product/service development and quality control, and being able to provide GDTA-based information services); and
- the legitimate interests of third parties, such as those of Service Providers (including protecting their networks from DDoS attacks and malicious activity, protecting intellectual property rights, and detecting and preventing crime).
When and how do we share personal data?
To our affiliates, for the purposes described in this notice
While only the Nokia entities listed above as controllers (see the section entitled "Who we are") will normally have access to your personal data, in certain circumstances, we may also need to provide our affiliates (see list) with access to your personal data to use in the ways described in this notice.
To authorized third parties and suppliers
We may share your personal data with external third parties and suppliers for the purposes described in this notice. This may include IT, computing, cloud services and technology solutions providers.
To comply with applicable laws and regulations
This may include laws outside your country of residence.
To cooperate with public and government authorities
We may disclose personal data to respond to a request from authorities or to provide the information we believe is necessary or appropriate. These can include authorities outside your country of residence.
To cooperate with law enforcement
We may disclose personal data to certain authorities or other third parties, for example, to law enforcement agencies in the countries where we, or third parties acting on our behalf, operate.
For other legal reasons
We may also disclose and otherwise process personal data in accordance with applicable law to defend Nokia's legitimate interests, for example, in civil or criminal legal proceedings.
In connection with a sale or business transaction
If we decide to sell, buy, merge or otherwise reorganize our business in certain countries, this may involve us disclosing personal data to prospective or actual purchasers and their advisers or receiving personal data from sellers and their advisers.
International transfers of personal data
Our products and services may be provided using resources and servers located in various countries around the world. It is possible that your personal data may be transferred across international borders, including to countries outside the United Kingdom or European Economic Area (EEA) that do not have laws providing specific protection for personal data or that have different legal rules on data protection. In certain circumstances, courts, law enforcement agencies, regulatory agencies or security authorities in those other countries may be entitled to access your personal data. To address concerns about transfers from the United Kingdom or EEA to countries not considered adequate by the UK Secretary of State or European Commission, we have implemented appropriate measures to protect your personal data. For example, we use standard contractual clauses adopted by the UK Information Commissioner's Office and European Commission and binding corporate rules. We also require the use of appropriate technical and organizational information security measures.
Third-party services
This notice does not address, and we are not responsible for, the privacy, information, or other practices of any third parties (e.g., your Service Provider), including any third party operating any website or service to which our services link.
How do we address data quality?
- We take reasonable steps to keep the personal data we possess accurate and to delete incorrect or unnecessary personal data. We retain personal data for as long as needed or permitted to fulfill the purposes outlined in this notice or otherwise communicated to you, unless a longer period is required by law.
- The criteria used to determine our retention periods include:
  - the length of time we have an ongoing relationship with your Service Provider and are providing products or services to it;
  - the amount, nature and sensitivity of the personal data;
  - the purposes for which we process your personal data and whether we can achieve those purposes through other means;
  - the potential risk of harm from unauthorized use or disclosure of the personal data;
  - whether there is a legal obligation to which we are subject; and
  - whether retention is advisable in light of our legal position (such as in regard to applicable statutes of limitations, litigation or regulatory investigations).
In some circumstances, we will anonymize personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
The steps we take to safeguard personal data
Privacy and security are key considerations for us in the creation and delivery of our products and services. We take appropriate steps to address information security, physical security, risk of data loss and other such risks. We take into consideration the risk represented by the processing of personal data and the nature of the data being protected. Also, we only give access to our databases containing personal data to authorized persons with a justified need to access such information. Unfortunately, however, you should be aware that no data transmission or storage system can be guaranteed to be 100% secure.
How can an individual access, change or delete their personal data?
As the controller of your personal data, we are responsible for ensuring that you can exercise your privacy rights in respect of the personal data that we process. If you would like to request to access, correct, update, suppress, restrict, or delete personal data, or object to the processing of personal data, or if you would like to request to receive a copy of your personal data for purposes of transmitting it to another company (to the extent these rights are provided by applicable law), you can contact us using the form available here - Contact us – and selecting "Privacy" as the relevant category for the question or feedback. We will respond to your request consistent with applicable law.
In the request, you should make clear what personal data you would like to have changed or whether you would like to have your personal data suppressed from our database. For your protection, we may need to verify your identity before implementing your request. We will try to comply with the request promptly and to the best of our ability.
Please be aware that where it is not possible to identify you from the information that we hold or process, we are not required to comply with your requests to access, correct, update, suppress, restrict, or delete personal data or to receive a copy of your personal data for purposes of transmitting it to another company.
If you are not satisfied with how we have dealt with your request(s), you can let us know by contacting us using the form available here - Contact us – and selecting "Privacy" as the relevant category for the question or feedback. If you are still dissatisfied, you may also file a complaint with the UK Information Commissioner's Office (where you are based or where an alleged infringement of applicable data protection law took place in the United Kingdom) or an EU/EEA data protection authority for your country or region where you reside or your place of work or where an alleged infringement of applicable data protection law occurs. Details for the UK Information Commissioner's Office are available online at https://ico.org.uk/make-a-complaint/. A list of EU/EEA data protection authorities is available at http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080.
Contacting us
The identities and details of the Nokia companies that are controllers in respect of your personal data are provided above.
If you have any questions about this privacy notice, or Nokia privacy practices, you can contact our Group Data Protection Officer at:
Nokia Corporation c/o Privacy
Karakaari 7
P.O. Box 226
FI-00045 Nokia Group
Finland
If you wish to exercise any of your privacy rights or have any questions or concerns about your personal data, you can also contact us by using the form available here - Contact us – and selecting "Privacy" as the relevant category for the question or feedback.
Changes to this privacy notice
The LAST UPDATED text at the top of this privacy notice indicates when it was last revised. Nokia may change this notice at any time, with or without notice. Any changes will become effective when we post the revised privacy notice on our website. We recommend that you revisit this notice from time to time to learn of any such changes. If this notice is changed in a material way, Nokia will add text advising of such change at the beginning of this notice and on this site's home page for 30 days.