AFAS takes action following SURF’s DPIA
Identified risks
A number of identified risks relate to the division of responsibilities under data protection law, contractual risks and the rights of data subjects. SURF emphasises that these risks relate primarily to diagnostic data. Data on staff members that institutions enter into Profit themselves are not included in this.
Risks have also been identified relating to the overall design of Profit and the organisation of data processing and associated safeguards. Mobile applications available via commercial app stores, for which a more detailed risk assessment is still being developed within the education and research sector, have been included for the time being without a risk assessment. A full explanation of the risks and the mitigating measures can be found in the DPIA report.
Cooperation with institutions is necessary
For a number of measures, institutions are advised to take action themselves. This includes adjusting their internal processes and amending the data processing agreement between the institutions and AFAS.
Follow-up
For the time being, institutions may continue to use Profit. SURF will review the implementation of AFAS’s mitigating measures in early 2027 and will publish an updated DPIA following its assessment.
Read the full report
Read the full findings of the study in the DPIA.
Any questions?
Please contact us via vendorcompliance@surf.nl.
(Sub)processors in the United States
SURF is especially alert to processing by vendors and their associated sub-vendors that are located in the US. For more information, see the previously prepared general information document on the use of US-based vendors.