TOPdesk implements privacy improvements following SURF DPIA

TOPdesk is a service management platform used by vocational colleges, universities of applied sciences and universities. On behalf of SURF, Privacy Company carried out a DPIA on TOPdesk in close collaboration with TOPdesk, based on common usage scenarios in the sector. Privacy Company investigated which data institutions often process in TOPdesk in these scenarios and whether there are any risks involved.

Results and collaboration

The DPIA identified 9 high risks and 3 low risks associated with the use of TOPdesk. 3 of the high risks only apply when processing special categories of personal data. Institutions can take measures themselves to mitigate a number of high risks. TOPdesk has already mitigated 4 high risks (out of 9) during the DPIA process and made concrete commitments for the remaining 5. This proactive attitude is characteristic of the way TOPdesk acted during the DPIA process. TOPdesk has been very transparent and has invested a great deal of time and energy in providing the necessary information.  

Follow-up

TOPdesk will continue to implement the remaining measures. SURF will publish an update on this DPIA in 2026. 

Full report publicly available

The complete assessment can be found in the Data Protection Impact Assessment (DPIA) and in the Technical Appendix. 

More information about the effects on privacy protection when using American suppliers can be found in this information document (in Dutch).

Questions?

Do you have any questions about this DPIA? Please contact SURF at vendorcompliance@surf.nl.