Compliancy
Via SURF, the members make joint arrangements with ICT and content suppliers regarding the supply and purchase of products and services. In this way, the members jointly ensure scale and an efficient point of contact for suppliers. Data Protection Impact Assessments (DPIAs) are part of this.
A DPIA is a data impact assessment to map out privacy risks for those involved. Under the General Data Protection Regulation (GDPR), a DPIA is necessary if large-scale processing of personal data or sensitive personal data is involved. In many cases, suppliers process personal data of SURF members (and their staff and students). It is therefore important that those concerned comply with legislation and regulations. A DPIA helps institutions to estimate the actual risks to those concerned. Institutions themselves assess whether they consider these risks to be acceptable. SURF's DPIAs help them do this. SURF collaborates with the authorities in carrying out DPIAs. A number of DPIAs have already been carried out jointly with the government.

International focus on negotiating power of Dutch education with big tech
SURF and the educational institutions consider secure education that meets our public values very important. That is why we join forces in the Netherlands, and SURF, in collaboration with partners, enters into discussions with large and small vendors, within and outside Europe, to reach solid agreements.

Response to French findings regarding Google and Microsoft (free) online services
Recently there have been publications about Google's use of various online products in France.

Response to German findings regarding Microsoft 365
In a report dated Nov. 2, 2022, the Association of German Privacy Supervisors (hereafter: DSK) stated that the use of Microsoft 365 in Germany violates the General Data Protection Regulation (GDPR). SURF, APS IT Services, SLB Services and SIVON noted the DSK report with interest and commissioned an investigation into these DSK findings.

Zoom
Following an intensive, collaborative consultation with SURF, Zoom has made and will continue to make changes to its privacy agreements for Education and Enterprise customers in the European Economic Area (EEA). In addition to these changes, SURF advises organisations to implement several measures themselves. As soon as these have been implemented, SURF advises that data subjects can use Zoom for highly confidential communications and will not face what SURF considers high privacy risks.

Microsoft OneDrive, SharePoint and Teams
SURF, together with the Ministry of Justice and Security (Strategic Supplier Management for the Central Government), has commissioned the Privacy Company to carry out a Data Protection Impact Assessment (DPIA) on Microsoft OneDrive, SharePoint and Teams.

Google Workspace
SURF and SIVON have reached an agreement with Google on a comprehensive set of contractual, organisational and technical measures concerning the use of Workspace for Education Plus and Workspace Education Fundamentals by educational institutions in the Netherlands. Given the importance of the use of Google services in educational institutions, SURF and SIVON will continue to monitor Google on behalf of the education sector.