Privacy Policy


AMS-IX Privacy Statement

Version 1.0, last revised on 23 May 2018


1. Introduction

Amsterdam Internet Exchange B.V. (AMS-IX) is committed to respecting and protecting all personal data it processes. This AMS-IX Privacy Statement gives an overview of the practical translation of this commitment into AMS-IX’s operations. It explains how AMS-IX collects, uses, shares, holds and retains personal data as required in the normal course and scope of AMS-IX’s business. Personal data is considered any information relating to an identified or identifiable natural person as defined by applicable privacy law1.

The AMS-IX Privacy Statement not only describes why AMS-IX processes personal data and how, but also how these data can be accessed, changed and deleted by data subjects. 

For any questions, suggestions or concerns about or related to this document, please contact AMS-IX at either privacy@ams-ix.net or +31 20 305 89 99. Physical correspondence can be directed to the AMS-IX Office: AMS-IX B.V., Frederiksplein 42, 1017 XN, Amsterdam, The Netherlands. 


2. Processing your personal data

The main reason that AMS-IX processes personal data is to support its role as an Internet Exchange Point (IXP)2 . As an IXP, AMS-IX facilitates the interconnection of networks, so called Autonomous Systems3 , so they can exchange IP-traffic between each other. This is the AMS-IX IXP service4.

Autonomous Systems who want to become AMS-IX customers enter into a contract, a Connection Agreement, for which AMS-IX needs to process personal data.

In addition to the establishing of the Connection Agreement, AMS-IX processes personal data to perform additional activities for the benefit of AMS-IX customers and to support the offering of the AMS-IX IXP service. We also process personal data of persons visiting our website.

2.1. Processing personal data to support the IXP functionality

2.1.1 Types of data collected from customers 

In order to use the AMS-IX IXP service, Autonomous Systems become a customer of AMS-IX. The ordering of the AMS-IX IXP service5 requires the customer to fill in an online application form that amongst others specifies roles for a set of named individuals who can perform certain responsibilities on behalf of the customer when interacting with AMS-IX. This means that to provide customers with the IXP service, or to perform a function related to the IXP service, AMS-IX collects and processes data from and about these customers that include personal data relating to private individuals (i.e. managers and other employees). 

The following types of data are included:

  • General customer contact details (such as the customer’s organisational name, address and contact phone number), in addition to the name, position and email address of members of staff who formally contact or interact with AMS-IX on behalf of the customer; 

  • Customer billing details, customer bank account and -credit card details; 

  • Credit information about the customer; 

  • Each authorised customer representative’s username and password for accessing the AMS-IX customer-portal; 

  • Records of each customer’s use of the AMS-IX IXP service and the customer’s communications with AMS-IX: this can be the customer’s order history with AMS-IX as well as email-correspondence between customer representatives and AMS-IX.

The collection of the included personal data is necessary for the performance of the Connection Agreement. 

AMS-IX does not publish the personal contact details provided by customers. Only the generic peering-contact email-address provided is mentioned on the connected networks list on the AMS-IX website so Autonomous Systems can reach out to each other to negotiate peering relations6 . If a customer decides to use a personal contact-email address for this, AMS-IX considers the customer to have given consent for this information to be published.

2.1.2 How these data, including personal data, is collected 

Besides the use of the online application that customers use to order the AMS-IX IXP service (see 2.1.1), AMS-IX collects data, which might include personal data, when customers interact directly with AMS-IX. For example, AMS-IX collects information when representatives from (prospect) customers provide information to AMS-IX or send emails to AMS-IX, or when customer details are entered on the AMS-IX website and/or customer-portal. 

AMS-IX may receive and/or collect data, including personal data, from: 

  • Anyone authorised to act on a customer’s behalf;
  • AMS-IX employees, agents, contractors and suppliers; 

  • Credit reporting bodies; 

  • Other telecommunication and information service providers, often other AMS-IX customers; and 

  • Public sources. 


2.1.3 How AMS-IX uses these collected data

AMS-IX uses data collected to the extent necessary to provide customers with the AMS-IX IXP service as well as related support. In doing so, AMS-IX may use these data, which might include personal data, for related purposes as required in the normal course and scope of AMS-IX’s business, such as: 


  • Processing a customer’s application to become an AMS-IX customer: this is necessary for the performance of the Connection Agreement
  • Additional orders from existing AMS-IX customers: this is necessary for the performance of the Connection Agreement; 

  • Carrying out checks for credit-worthiness of prospect customers: this is necessary for the purpose of the legitimate interests pursued by AMS-IX B.V.; 

  • Provisioning the IXP service to the customer: this is necessary for the performance of the Connection Agreement 

  • Dealing with customer enquiries and providing customers with customer support: this is necessary for the purpose of the legitimate interests pursued by AMS-IX B.V.;

  • Managing the service provided to the customer by AMS-IX, including account management, billing, processing payments and collecting debts: this is necessary for the performance of the Connection Agreement 

  • Investigating complaints and carrying out dispute resolution: this is necessary for the purpose of the legitimate interests pursued by AMS-IX B.V.; 
 

  • Administering AMS-IX’s agreement with each customer: this is necessary for the performance of the Connection Agreement 


2.2 Other uses (processing) of personal data by AMS-IX besides for providing the IXP service and related support

AMS-IX also processes personal data when sending mailings to customers, and to organise and host events and meetings. This is necessary for the purpose of the legitimate interests pursued by AMS-IX B.V. 

  • Use of AMS-IX mailing lists: lists include names and mail addresses of those subscribed, and messages sent include name, email address, date and the message content. Messages are archived, not publicly, and visible to others who are subscribed to the same list(s). AMS-IX uses mailing lists for:
    • communicating with customers about the AMS-IX IXP service and any changes made: for example when it comes to informing and updating customers on maintenance- as well as trouble tickets;
    • informing customers via mailing lists about events that AMS-IX (co) organises;
    • informing customers about pricing, relevant organisational announcements, and special promotions that AMS-IX itself offers and which AMS-IX thinks may be of interest to customer, unless customer has requested AMS-IX not to do so. Those subscribed to AMS-IX mailing lists, can unsubscribe at any time or change their preferences.
  • Event registration administration for meetings and other organised events: AMS-IX may also publish lists of registered attendees on a website, with their consent, as part of its commitment to openness and transparency. The publishing of these lists is a common industry tool for attendees to prepare themselves for the meeting and set-up meetings with and contact other attendees of interest. These lists contain the names of the attendees and their organisations, but no contact details or other personal details. Opting out of having one’s name and organisation published on the attendee-list is an option. If one’s name has been published on an AMS-IX website as part of a list of attendees of an event or meeting and one wish to be deleted from the list, please contact marketing@ams-ix.net.

2.3 How AMS-IX shares data 

AMS-IX shares data with other organisations to the extent necessary for the delivery of the AMS-IX IXP service to customers, or when required by law. 

AMS-IX will only share customer information for marketing purposes (limited to mailings and events) after consent has been given. In particular, AMS-IX may disclose data, including personal data, to: 

  • AMS-IX’s suppliers like colocation providers and resellers of the AMS-IX service so AMS-IX can supply the IXP service to the customer; 

  • AMS-IX’s out-sourced service providers who perform supporting functions and services on AMS-IX’s behalf, such as:
    • first line support services, 
    • event services 
    • IT and cloud services;
      • in all these cases processing agreements are in place to see to it that the third parties, where AMS-IX is controller, comply with applicable data protection legislation;

  • Credit reporting bodies;
  • AMS-IX’s legal, accounting and financial advisers. 


2.4 How long AMS-IX retains personal data

AMS-IX will store personal data only as long as needed to satisfy the above purposes for which it was collected or as required by law. 

AMS-IX retains customer correspondence until 18 months after the Connection Agreement has been terminated. The same applies to personal customer contact-details as retained in the AMS-IX customer portal my.ams-ix, i.e. after the Connection Agreement has terminated. The Connection Agreement itself is retained for two years after termination. Unless longer retention is required by law. 

Registration data for events organised by AMS-IX as well as public attendee lists (see 2.2) are deleted six months after the event has taken place. 


3. Protection and secrecy of personal data

AMS-IX maintains strict procedures to authenticate people's identification and verify their right to authorise changes in the AMS-IX customer-portal my.ams-ix.net.

Personal data held in my.ams-ix.net is not publicly available and authorised customer representatives can only see their own organisation’s details after logging in, including the registered contacts for their organisation. 

AMS-IX maintains a high level of physical security and protection for all its computer, storage and network facilities that are involved in the processing of personal data. AMS-IX is ISO27001:2013 certified.


4. Visitors to the AMS-IX website, use of Cookies

When the AMS-IX website https://ams-ix.net/ is visited, small files are recorded on the visitor’s computer (or any other device that is used to visit the website) through the visitor’s web browser. These files, called ‘cookies’, help enable website features and functionality while browsing the website. 

The AMS-IX website uses cookies that:

  • Are strictly necessary for the provision of the services that are available through the website and facilitate the use of these services (e.g. to identify someone when logged in the member portal)
  • Improve the website experience by recording information about settings (e.g. your location)
  • Collect anonymous statistical information on the use of the website that helps AMS-IX improve the performance of the AMS-IX website (e.g. the number of visitors to each part of our websites and their origin)

For detailed information about the cookies used by AMS-IX, the purpose of these cookies and the period they remain active, please see the dedicated AMS-IX cookie policy: https://ams-ix.net/about/cookie-policy.

AMS-IX will use the above information only to the extent required for AMS-IX’s legitimate interests, or where this is necessary to help provide requested AMS-IX IXP service to member or customer. 


AMS-IX uses Google Analytics for www.ams-ix.net . This tool helps us keep track of the use of the website: which pages are visited and how long do visitors stay there. This data helps us improve our website to offer visitors a better browsing experience. The cookies set by Google because of this do not contain or collect personal identifiable information7.

During a visit to the AMS-IX website, other third parties may also set cookies on a visitor’s device. These cookies are set when a page is visited which has content embedded from third party sites, such as YouTube.

One can disable cookies, or specifically third party cookies, by adjusting the web browser settings. Please check the “help” menu of the browser for information about how to change the cookie preferences. However, if all cookies are disabled, one may not be able to use all supported website features.


5. Accessing and changing information

Data subjects have the right to ask AMS-IX to provide access to, rectify or delete any data relating to them or to restrict the processing of data relating to them. Furthermore, data subjects have the right to object against processing, and to request data in a standardized, machine-readable format (data portability). 

In order to fulfil its obligations in this respect, AMS-IX may request data subjects to identify themselves.

AMS-IX customers have the possibility to access registered data via the AMS-IX customer portal. Persons registered as being authorised can access and change personal contact details using the customer portal on behalf of their organisation. AMS-IX will always help those who may have trouble modifying their own data. 

Those subscribed to AMS-IX mailing lists, can unsubscribe at any time or change preferences by accessing this web page: https://lists.ams-ix.net/mailman/listinfo.

Please contact privacy@ams-ix.net or +31 20 305 89 99 for requests or in case there are questions or concerns about the accuracy or appropriateness of any other personal data held by AMS-IX. AMS-IX will respond and seek to correct any problems as soon as possible.

A complaint concerning the processing of personal data by AMS-IX can also be directed to the Dutch data protection authority, the Autoriteit Persoonsgegevens. See https://autoriteitpersoonsgegevens.nl/en/ for more details in English.


6. Changes to this privacy statement

AMS-IX may change this privacy statement from time to time, either because of internal or regulatory changes, or following feedback received. The latest version of the privacy statement is available at https://ams-ix.net/about/privacy-policy.

We will proactively notify our customers and suppliers on substantive or material changes to this privacy statement.


---------

1 Art 4 (1) of the General Data Protection Directive (GDPR)
2 http://www.ix-f.net/ixp-definition.html
3 https://www.ripe.net/manage-ips-and-asns/as-numbers
4 For more information see https://ams-ix.net/about/about-ams-ix
5 As described on https://ams-ix.net/connect-to-ams-ix/how-to-connect
6 https://ams-ix.net/connected/
7 Our use of Google Analytics is configured in a privacy friendly way, in line with a recommendation of the Dutch Data Protection Authority https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/handleiding_privacyvriendelijk_instellen_google_analytics_mrt_2018.pdf