Trappenhuis met lopende studenten
News

AFAS and SURF are taking the next step together following the DPIA

SURF has carried out a Data Protection Impact Assessment (DPIA) on AFAS’s Profit, an all-round HRM and payroll system. A DPIA is a tool for identifying privacy risks to data subjects, such as users.

On our advice, institutions may continue to use Profit for the time being. AFAS has indicated that it will implement mitigating measures for the identified risks by the end of 2026. At the same time, SURF advises institutions to also take measures.

Clarity on the findings

A total of 14 high risks were identified, for which mitigating measures have been set out in the DPIA. Once these have been implemented, only low residual risks will remain. Some of these relate to the division of responsibilities under data protection law, contractual agreements and the rights of data subjects. SURF emphasises that these points primarily concern diagnostic data. Most of the risks therefore do not relate to the data on staff that institutions enter into Profit themselves. 

SURF has also examined the general design of Profit and the organisation of data processing and associated safeguards. 

Mitigating measures by AFAS 

AFAS has indicated that it will implement the mitigating measures by the end of 2026.

SURF will retest and reassess the measures in early 2027. We will then publish an updated DPIA and indicate whether the mitigating measures have been implemented. AFAS has been cooperative and transparent throughout the entire process. Clear agreements have been made on how and when the measures will be implemented. This means that institutions can continue to use Profit for the time being and maintain continuity in their processes.

What institutions can do themselves 

SURF also advises institutions to make adjustments within their own organisations. These adjustments can be found in the DPIA. Examples include fine-tuning internal processes and amending the data processing agreement between the institution and AFAS. 

This requires a practical approach. Identify which agreements currently apply, who is responsible internally, and which process steps may need to be tightened up

Software use requires collaboration 

The outcome of the DPIA shows that the careful use of software requires collaboration. AFAS is working on the agreed measures. Institutions must review their own processes and agreements, whilst SURF monitors and tests progress. This creates a clear path forward for all parties involved. 

Read the full report

Read the full findings of the study in the DPIA on the website over SURF Vendor Compliance.

Any questions?

Please contact us via vendorcompliance@surf.nl.

(Sub)processors in the United States

SURF is especially alert to processing by vendors and their associated sub-vendors that are located in the US. For more information, see the previously prepared general information document on the use of US-based vendors