What are you looking for?

Improved accessibility mode

SURF strives for a website that is accessible to everyone. We are working on a full accessibility mode.
studenten aan het werk aan ronde tafels
News

SURF completes DPIA for Adobe Creative Cloud and Document Cloud for Education

SURF and Privacy Company have conducted a Data Protection Impact Assessment (DPIA) on Adobe Creative Cloud and Document Cloud for Education. SURF confirms that institutions may continue using these products, as Adobe has committed to implementing mitigation measures to address the identified risks. At the end of 2026, we will review whether the supplier has fully implemented these measures.

Adobe within education institution in the Netherlands 

Adobe is a software company that develops applications for digital content creation, document management, and design. Many Dutch education institutions use these products within the creative domain.

Risks identified

The DPIA identified nine high risks and eight low risks. The most significant risks relate to product features that limit the user’s ability to delete documents or stop them from being shared, restrictions that prevent administrators from fully facilitating the user’s rights, and the disproportionate processing involved in Adobe’s Content Credentials feature, and SURF’s current contractual framework. The latter risk is related to the education institution use Adobe’s online Data Processing Agreement (DPA), which means the high risk arises from the fact that each educational institution enters into its own agreement and may operate under different versions. 

Adobe's collaborative approach and committed measures

During the DPIA process, Adobe worked closely with SURF to address all identified risks. Adobe has specified which measures it will implement before the end of 2026, and SURF will monitor these commitments.

The report outlines the steps Adobe will take to mitigate the high risks, as well as the actions educational institutions themselves can take to reduce the identified low risks. 

Adobe’s perspective

Adobe notes that its commitments should not be interpreted as an acknowledgment of any legal obligation or as agreement with the assigned risk levels. Adobe states that the improvements should be understood in the context of implementing enhancements requested by a specific customer with unique requirements due to the way these Adobe services are used.

SURF considers mitigating the identified risks essential to enable both Adobe and educational institutions to use Adobe products and services in compliance with the GDPR. We look forward to continuing our collaboration with Adobe to ensure that students can use Adobe’s products and services in a secure and compliant manner.

Do you want to know more about Adobe’s privacy measures and content policies? Check out SURF Vendor Compliance page.

Full report publicly available

The full findings of the assessment can be found in the Data Protection Impact Assessment (DPIA) report.

More information about the effects on privacy protection when using US suppliers can be found in this information document (in Dutch).

Related topics: