Via SURF, the members make joint arrangements with ICT and content suppliers regarding the supply and purchase of products and services. In this way, the members jointly ensure scale and an efficient point of contact for suppliers. Data Protection Impact Assessments (DPIAs) are part of this.

Close up handen op laptop met mobiele telefoon

A DPIA is a data impact assessment to map out privacy risks for those involved. Under the General Data Protection Regulation (AVG), a DPIA is necessary if large-scale processing of personal data or sensitive personal data is involved. In many cases, suppliers process personal data of SURF members (and their staff and students). It is therefore important that those concerned comply with legislation and regulations. A DPIA helps institutions to estimate the actual risks to those concerned. Institutions themselves assess whether they consider these risks to be acceptable. SURF's DPIAs help them do this. SURF collaborates with the authorities in carrying out DPIAs. A number of DPIAs have already been carried out jointly with the government.

Student achter laptop


Following an intensive, collaborative consultation with SURF, Zoom has made and will continue to make changes to its privacy agreements for Education and Enterprise customers in European Economic Area (EEA). In addition to these changes SURF advises organisations to implement several measures themselves. As soon as these have been implemented, SURF advises that data subjects can use Zoom for highly confidential communications and will not face what SURF considers high privacy risks.

Read more

Microsoft OneDrive, SharePoint and Teams

SURF, together with the Ministry of Justice and Security (Strategic Supplier Management for the Central Government), has commissioned the Privacy Company to carry out a Data Protection Impact Assessment (DPIA) on Microsoft OneDrive, SharePoint and Teams.  

Read more

Studenten achter laptop
Student - fotograaf Kees Rutten

Google Workspace

SURF and SIVON have reached an agreement with Google on a comprehensive set of contractual, organisational and technical measures concerning the use of Workspace for Education Plus and Workspace Education Fundamentals by educational institutions in the Netherlands. Given the importance of the use of Google services in educational institutions, SURF and SIVON will continue to monitor Google on behalf of the education sector.

Read more