What does SURF do in terms of the GDPR?

23 MAY 2018

The new European GDPR privacy legislation has been applicable since 25 May 2018. The GDPR has a significant impact on how institutions deal with personal data. What does SURF do in this respect, and what can you expect from us in the near future?

GDPR: safeguarding privacy

The General Data Protection Regulation (GDPR) contains rules on the handling of personal data. These rules are the same for all organisations across the EU. The regulation requires careful processing of personal data in order to protect the privacy of data subjects and their data.

Standards framework and implementation assistance

The research and education institutions and SURF have already made significant efforts in terms of privacy and the GDPR already in recent years. Since 2015, a standards framework for cloud services has been established, several GDPR meetings have been held and several publications have helped institutions to implement the GDPR. A wiki has also been made available. Read more about how SURF pays attention to the GDPR.

Making SURF services GDPR-proof

Of course, the SURF services are also subject to the GDPR. SURF has catalogued all its services and examined how personal data are processed for each service. The question we asked ourselves in this respect was what role SURF plays in terms of the GDPR. Sometimes it fulfils the role of controller (for example SURFinternet) and sometimes it fulfils the role of processor (for example SURFdrive). Different rules apply to each role.

New processor agreement and privacy statements

We are currently working on a SURF-wide processor agreement for all institutions. This agreement is based on the  Standards Framework for Cloud Services. SURF creates a separate annex with specification for each service for which it acts as a processor. If SURF acts as a controller for the service, we inform the institutions and users with special privacy statements. We will publish these statements shortly. Finally, for newly developed services we use the principles of privacy by design and security by design, so that any new services always meet our high standards.

More information on the GDPR in workshops

The GDPR is now in force, but that does not mean that all issues have been resolved. We will continue to support our institutions and inform them about the privacy aspects of our services. Workshops on the GDPR and the privacy aspects of the SURF services are also coming soon. We will announce the dates on SURF News and surf.nl/agenda.

Useful links

If you have any questions about the GDPR, do not hesitate to contact privacy@surf.nl .

Latest modifications 20 Sep 2018