Privacy Policy
Version 18 October 2024
Please note: the Dutch version of the Privacy Policy is authoritative.
Changes since previous versions
- Changes in version 18 October 2024
- Added the data which is processed when verifying the eduID via iDIN or eIDAS.
- Changes in version 17 June 2024
- Large parts rewritten. The most important changes are:
- Purposes and lawfulness of processing. It is also indicated for which processing SURF is the controller and for which processing an institution.
- Retention periods expanded and explained why the retention period is used.
- Your rights and where you can exercise them are better described.
- Changes in version 16 January 2023
- Added data processing of the eduID app
- Cookie overview updated
- Changes in version 29 September 2020
- We changed the email address mentioned in this privacy policy from help@surfconext.nl to help@eduid.nl
- The privacy policy now explains which cookies eduID uses. eduID does not use any tracking or analytical cookies
- eduID now contains the feature to connect other accounts to eduID. The privacy policy desribes which (extra) data is being stored when you connect another account to your eduID
- Several smaller textual changes to improve readability
Thank you for viewing the privacy policy for eduID! SURF’s eduID team pays a lot of attention to the protection of your personal data and you can read all about it in this privacy policy. If you have any questions or concerns about this privacy policy, please email help@eduid.nl.
What is eduID?
An eduID account is a digital identity of the user offered and managed by SURF, which can be used in the field of education and research. Any person can create an eduID account, regardless of whether this person is affiliated with an institution. So not only students, but also internship or practice supervisors, (guest) lecturers, researchers, alumni, pre-registrants, professionals, people from the business community and others. With this account the user can log in to applications connected to eduID. These applications can be from institutions affiliated with SURF, from SURF itself or from third parties.
Contact details SURF
eduID is offered and managed by SURF, a cooperative of Dutch educational and research institutions.
SURF
Moreelsepark 48
3511 EP Utrecht, Netherlands
www.surf.nl
The contact details of our data protection officer are: fg@surf.nl.
What data do we process from you?
- eduID processes personal data of the natural person who is the holder of an eduID. This concerns the following data:
- your e-mail address
- Your first and last name
- A unique identifying number and associated pseudonyms provided to services
- The date and time when the first login takes place for each service to which you log in with eduID
- Preferred language eduID interface
- Browser used (name, version, OS, device type)
- IP address
- Temporary Session ID
- If you link your eduID to your institution’s account, eduID also processes the following data:
- Name of the associated institution
- Your first and last name as known to the linked institution
- Username of your account at the linked institution
- Your role(s) within the linked institution (for example ‘student’ or ’employee’)
- If you verify your eduID using iDIN, eduID also processes the following data:
- Your first name and surname as known to the bank through which the verification is carried out.
- Your date of birth as known by the bank through which verification is carried out.
- If you verify your eduID through eIDAS, eduID also processes the following data:
- Your first name and last name as known to the eID through which the verification is carried out.
- Your date of birth as known to the eID with which verification is performed.
- A PseudoID, an identifying number used to identify a natural person
- If you use the eduID app, eduID also processes the following data:
- A unique identifying number from your eduID app registration
- A unique identifying number from your phone to send a push message
- Optional: your mobile phone number if you choose your phone number as the recovery method
Why is eduID allowed to process your personal data?
Personal data may only be processed if there is a legal basis for this. The basis differs per purpose and who is the controller.
SURF is the controller for several purposes. SURF ensures a lawful basis for processing personal data:
- Purpose: when you create an eduID, you add several personal data such as name and email address. These are used by eduID and applications to which you log in to recognize you and communicate with you via email.
Lawfulness: execution of an agreement, namely the agreement between SURF and the person who creates an eduID. When creating, the user is shown the eduID terms of use and by agreeing to them, the eduID is created. - Purpose: to log in to an application with eduID where personal data can be provided to the application to recognize you, provide you with authorization or communicate with you via e-mail. This purpose applies to applications that are not prescribed or required by an institution with which you have a relationship.
Lawfulness: execution of an agreement, namely the terms of use that you accept when creating your eduID. - Purpose: To provide you with insight into your login history, we keep track of which application you have logged in to and what personal data has been provided to the application.
Lawfulness: execution of an agreement, namely the terms of use that you accept when creating your eduID. - Purpose: We process the technical data mentioned for the correct operation of eduID.
Lawfulness: execution of an agreement, namely the terms of use that you accept when creating your eduID.
An institution is controller for several purposes. The institution ensures a lawful basis for processing personal data:
- Purpose: to log in to an application with eduID where personal data can be provided to the application in order to recognize you, provide you with authorization or communicate with you via e-mail. This purpose applies to applications for which the institution requires logging in with eduID
Lawfulness: this is determined by the institution, and can be, for example: performing a task of public interest such as education, or the performance of a contract, such as an apprenticeship agreement, contract education or employment contract. - Purpose: some applications require more and/or reliable personal data before access can be granted. You can add this data to your eduID by linking your eduID to an external data source, such as an educational institution, bank or national eID. For example your name as known to the institution, your relationship with the institution (e.g. student or employee) and the organization name. Providing these personal data to eduID is done under the responsibility of the institution.
Lawfulness: this is determined by the institution, and can be, for example: performing a task of public interest such as education, or the performance of a contract, such as an apprenticeship agreement, contract education or employment contract.
It is good to know that this data can subsequently be released under the responsibility of SURF when logging in to an application (see above).
To whom do we provide your data?
eduID only provides your personal data to third parties if this is necessary for you to access the application. For example, eduID provides data to applications to which you log in via eduID. The first time you log in to an application with eduID, you will see an information screen showing exactly what data is provided to the application. Your data will only be transferred if you agree to this. By closing this window, you can prevent the application from receiving your data. You cannot log in to the application with eduID.
Via My eduID you can see which services you have logged into with eduID.
We will only provide your data to parties other than the above with your permission unless it is legally required or permitted to provide your data. For example, the police can request data from us in the context of a fraud investigation. SURF is then legally obliged to provide this information.
There are also various parties involved in offering the platform. The following party processes personal data on the instructions and instructions of SURF:
- Hosting and management provider
Where do we store your data?
The eduID infrastructure is hosted on SURF infrastructure. Its servers are located in Amsterdam and Utrecht, with a backup location in Tilburg.
How long do we keep your data?
The personal data obtained from an institution by linking your eduID to an institutional account will be kept for 6 months, except for the obtained first and/or last name, which will be kept for 6 years. This period has been chosen to keep this data sufficiently up to date.
The retention period for all eduID account data is 5 years after the last time you log in somewhere with your eduID. This period has been chosen because in the process of lifelong development it is expected that there will be periods in which a user does not use his eduID, but that the eduID can become relevant to that person again. In the meantime, eduID will send reminders if the account is in danger of being removed.
The technical log data is kept for six months to allow time to investigate any problems and incidents.
What rights do you have?
You have the right to have the personal data that eduID processes about you changed, supplemented, or deleted. You can also request access to the personal data that is processed about you. You can view the information that eduID has about you on My eduID. You can also change or supplement your details there.
If it concerns automatic processing of data provided by you based on consent or the execution of an agreement, you can request an overview in a structured and common form of the personal data that we process about you via My eduID. You also have the right to have this data transferred to another party, provided this is technically possible.
You can also submit a request to restrict the processing of your personal data, which will cause the controller to temporarily stop processing your data. This happens if:
- you object (see further explanation below), or
- you contest the accuracy of personal data being processed, or
- you believe that the processing of data is unlawful, or
- you believe that the controller no longer needs your personal data, but you need them in the context of a legal claim.
NB! If eduID restricts the processing of data necessary for running our services, this restriction may affect the functioning of the service.
Right to object:
You can object to the processing of your personal data if your data is processed based on a legitimate interest or on the basis of the performance of a task of public interest. If the controller has no compelling legitimate grounds to continue the processing, the processing will cease.
If you object, you can also submit a request to restrict the processing of your personal data during this objection.
How to file a complaint:
If you believe that eduID is not handling your personal data properly, you can file a complaint with the data protection officer of SURF or an institution. You also have the right to file a complaint with the Dutch Data Protection Authority. More information about the Dutch Data Protection Authority and submitting complaints can be found at www.autoriteitpersoonsgegevens.nl
Where can you go to exercise your rights?
You can submit a request to exercise your rights to the organization responsible for processing your personal data (the controller). However, for eduID these can be different organizations: SURF or one of the participating institutions. SURF coordinates the requests and puts you in touch with the right person at the right institution. Please contact us at: help@eduid.nl. You can of course also contact the relevant institution directly.
Which cookies does eduID use?
eduID places cookies on the device you use to visit eduID. Cookies are small files that are sent by an internet server and stored on your device. The cookies that eduID places are necessary for the functioning of eduID. eduID does not place analytical or tracking cookies.
Functional cookies
eduID uses several functional cookies that ensure that eduID functions correctly:
- Cookie ‘login_preference’ to remember how you log in (e.g. via magic link or password). This cookie is valid for 1 year.
- Cookie ‘lang’ to remember in which language you wish to see the eduID interface. This cookie is valid for 1 year.
- Cookie ‘REGISTER_MODUS’ to indicate whether you should proceed with the registration process. This cookie is only set during the session and then deleted.
- Cookie ‘BROWSER_SESSION’ to ensure that you use the magic link in the same browser where the login was initiated. This cookie is only set during the session and then deleted.
- Cookie ‘guest-idp-remember-me’, to enable you to remain logged in (in the browser where you use this). This cookie is valid for 6 months.
- Cookie ‘username’ to remember your username so that you do not have to enter it next time.
- Cookie ‘REMEMBER_ME_QUESTION_ASKED_COOKIE’ to remember whether eduID has asked that you remain logged in.
- Cookie ‘TIQR_COOKIE’ to remember whether you have already logged in with the eduID app in this browser
- Cookie ‘TRACKING_DEVICE’ to detect whether this is a new device that is being logged in. If this is a new device, a notification email will be sent.
Changes to privacy policy
Changes may be made to this privacy policy. We therefore recommend that you consult this privacy policy regularly. The version number is at the top of the page.