HR2day is taking additional privacy measures following SURF’s DPIA
Identified risks
A significant proportion of the identified risks is caused by a lack of demonstrated transparency and control over usage data (data generated through the use of the platform) within HR2day’s underlying Salesforce platform. Salesforce is acting as a key sub-processor. Mitigating this risk is therefore a joint effort with Salesforce.
There are also risks relating to the general structure of HR2day and the way in which data processing and associated safeguards are organised. The risks associated with the mobile application via commercial app stores, for which a detailed risk assessment is still under development within the education and research sector, are therefore included for now without a risk assessment.
For a full explanation of the risks and the mitigating measures, SURF refers to the DPIA report.
Cooperation with institutions is required
For a number of measures, institutions are advised to take action themselves. In some cases, this involves adjusting the internal process and amending the data processing agreement with HR2day. Institutions may also need to provide active feedback to HR2day, for example by participating in working groups, on matters such as retention periods.
Follow-up
Institutions may continue to use HR2day for the time being. SURF Vendor Compliance will review the implementation of HR2day’s mitigating measures at the end of 2026 and publish an updated DPIA following its assessment.
Read the full report
The full findings of the investigation can be found in the Data Protection Impact Assessment (DPIA).
Questions?
Please contact us at vendorcompliance@surf.nl.
(Sub)processors in the United States
SURF is vigilant regarding processing by vendors and their subcontractors based in the US. You can read more about this in our general information document on the use of US-based vendors.