Version 16 January 2023
Changes since previous versions
- Changes in version 16 January 2023
- Added data processing of the eduID app
- Cookie overview updated
- Changes in version 29 September 2020:
- Several smaller textual changes to improve readability
Good to see that you are reading the privacy statement for eduID! The eduID and SURFconext team at SURF pay a great deal of attention to the protection of your personal data and you can read all about it in this privacy statement. If you have any questions or concerns about this privacy statement, please feel free to send an e-mail to firstname.lastname@example.org.
What is eduID?
Students increasingly want to study outside their own institution. For example, they are interested in subjects from different study programmes or they want to raise their profile on the labour market. Educational institutions also offer joint courses, the components of which are sometimes spread across several different institutions.
To facilitate this flexibility, students must be uniquely identifiable across institutions. In this way, different institutions can be sure that they are dealing with the same student and, for example, study results obtained can be exchanged. eduID makes this possible. Anyone directly and indirectly involved in education can use an eduID.
The plan is to introduce eduID for all students in education and research. It is not that far yet, but we are already going to use eduID for specific target groups. One of these are guest users of SURFconext. A guest user is a user who needs access to a service via SURFconext but does not have an account with one of the affiliated institutions.
Contact details of the person responsible for processing
Morale Park 48
3511 EP Utrecht, the Netherlands
What is the purpose and basis of the processing?
The processing of the data mentioned below is necessary in order to be able to offer a system to which users can log in to create an eduID account which they can use for authentication towards (certain) services connected to SURFconext.
The basis for the data processing is the performance of a contract. Every eduID user is asked to accept this agreement when creating an eduID account.
What data do we process from you?
eduID processes the following (personal) data:
- The e-mail address of the user, also username
- The user’s first and last name
- (Optionally) A self-chosen password
- A unique identifying number and associated pseudonyms provided to services
- The time and date of the first login for each service used with eduID
- Additional technical data:
- Preferred language for eduID interface
- Technical logging (user agent)
- IP address
- Temporary Session ID
It is possible to improve the reliability of your eduID account by connecting your institutional account to your eduID. If you choose to do so, for example because the service edubadges requires it, eduID also processes the following data:
- Name and URL of the connected institution
- The first and last name of the user as known within that institution
- Username of the connected institutional account
- Affiliation(s) within that connected institution (e.g. student or employee)
- Date when the connection is made
- Date when the connection will expire
You also have the option to use the eduID app. With the eduID app you can log in more securely and easily with eduID. More secure because logging in with the eduID app is also multi-factor authentication (MFA). This greatly reduces the risk of abuse. Easier because logging in with the eduID app is “passwordless” via a push message to your phone. Entering a password or clicking on a link in the email is no longer necessary. If you use the eduID app, eduID also processes the following data:
- A unique identifying number of your eduID app registration
- A uniquely identifying number from your phone to send a push message
- Optional: your mobile phone number if you chose your phone number as the recovery method
Which cookies does eduID use?
eduID places cookies on the device you are using for eduID. Cookies are tiny files which are being sent by an internet server and stored locally on your device. These cookies are necessary for eduID to function properly. eduID does not place any analytical or tracking cookies.
- Cookie ‘login_preference’ to remember how you want to login to eduID (e.g. using a Magic Link or a password). This cookie expires after 1 year.
- Cookie ‘lang’ to remember your preferred language for the eduID interface. This cookie expires after 1 year.
- Cookie ‘REGISTER_MODUS’ to indicate to eduID whether you must end up in the registration process. This cookie is only used during the active session and then automatically expires.
- Cookie ‘BROWSER_SESSION’ to ensure the Magic Link is being used in the same browser as the one where the login started. This cookie is only used during the active session and then automatically expires.
- Cookie ‘guest-idp-remember-me’ to remember your login on the current device. This cookie expires after 6 months.
- Cookie ‘username’ to remember your username so you don’t have to enter it next time.
- Cookie ‘REMEMBER_ME_QUESTION_ASKED_COOKIE’ to remember if eduID has asked you to stay logged in.
To whom do we provide your details?
eduID will only pass on your details to third parties if this is necessary in order to be able to provide you with the service in question. For example, eduID provides data to services to which you log in to using your eduID. Before the data is actually provided the first time you log on to a service via eduID, you will be shown an information screen showing exactly which data is provided to the service. Thanks to this screen, you can still prevent the service from receiving your details (by closing the window). Consequently, you can not use the service via eduID.
On My eduID, you can see which services you have used via eduID.
Furthermore, we only provide your details to other parties with your permission, unless it is legally required or permitted to provide your details. For example, the police may request information from us as part of a fraud investigation. SURF is then legally obliged to provide this information.
Where do we store your details?
The eduID infrastructure is hosted on SURFconext infrastructure. Its servers are located in Amsterdam and Utrecht, with a backup location in Tilburg.
How long do we store your data?
The retention period for eduID account data is thirty-seven months after your last login. Logging data is stored for six months.
What are your rights?
SURF processes your personal data, so you can determine what happens to it. What exactly can you do with the data provided to us?
By going to My eduID and logging in with your eduID, you can see an overview of all your details. You can also change the details you have provided directly to eduID here (name, password). For any other information and/or requests regarding the rights below, please contact eduID via email@example.com.
- You can ask us for access to the data we process about you. The information eduID has about you is visible on My eduID after logging in.
- You can ask us to erase your details if they are incorrect or no longer relevant. The data that eduID collects is collected under the terms of an agreement. Send an email to firstname.lastname@example.org if you wish to cancel this agreement and have your data erased.
- You can have your data rectified or supplemented when they are incorrect or no longer relevant. You provide your own details to eduID (e-mail address, name, password). Except for your e-mail address, you can change (rectify) these details yourself via My eduID. If you wish to change your e-mail address, please contact email@example.com.
- You can ask us to restrict the processing of your data. This means that the processing of your data will be suspended for a certain period of time.
- You can request a digital overview of the data we process about you and you have the right to transfer this data to another service provider.
If you feel that SURF is not handling your personal data properly, you can submit a complaint to SURF. If you and SURF cannot resolve the matter together, you can submit a complaint about SURF to the Dutch Personal Data Authority.
Changes to this Privacy Statement
Changes may be made to this privacy statement. We therefore advise you to consult this privacy statement regularly. The version number is shown at the top of this page.