Privacy Policy

Version 17 June 2024

Please note: the Dutch version of the Privacy Polcy is authoritative.

Thank you for viewing the privacy policy for eduID! SURF’s eduID team pays a lot of attention to the protection of your personal data and you can read all about it in this privacy policy. If you have any questions or concerns about this privacy policy, please email help@eduid.nl. 

What is eduID?

An eduID account is a digital identity of the user offered and managed by SURF, which can be used in the field of education and research. Any person can create an eduID account, regardless of whether this person is affiliated with an institution. So not only students, but also internship or practice supervisors, (guest) lecturers, researchers, alumni, pre-registrants, professionals, people from the business community and others. With this account the user can log in to applications connected to eduID. These applications can be from institutions affiliated with SURF, from SURF itself or from third parties. 

Read more about eduID. 

Contact details SURF

eduID is offered and managed by SURF, a cooperative of Dutch educational and research institutions. 

SURF 
Moreelsepark 48 
3511 EP Utrecht, Netherlands
www.surf.nl 

The contact details of our data protection officer are: fg@surf.nl.

What data do we process from you?

eduID processes personal data of the natural person who is the holder of an eduID. This concerns the following data:

1. your e-mail address 
2. Your first and last name 
3. A unique identifying number and associated pseudonyms provided to services 
4. The date and time when the first login takes place for each service to which you log in with eduID 
5. Additional technical data: 
   • Preferred language eduID interface 
   • Technical logging (user agent) 
   • IP address 
   • Temporary Session ID

If you link your eduID to your institution’s account, eduID also processes the following data:

6. Name of the associated institution 
7. Your first and last name as known to the linked institution 
8. Username of your account at the linked institution 
9. Your role(s) within the linked institution (for example ‘student’ or ’employee’) 

If you use the eduID app, eduID also processes the following data: 

10. A unique identifying number from your eduID app registration 
11. A unique identifying number from your phone to send a push message 
12. Optional: your mobile phone number if you choose your phone number as the recovery method 

Why is eduID allowed to process your personal data?

Personal data may only be processed if there is a legal basis for this. The basis differs per purpose and who is the controller. 

SURF is the controller for several purposes. SURF ensures a lawful basis for processing personal data: 

• Purpose: when you create an eduID, you add several personal data such as name and email address. These are used by eduID and applications to which you log in to recognize you and communicate with you via email. 
  Lawfulness: execution of an agreement, namely the agreement between SURF and the person who creates an eduID. When creating, the user is shown the eduID terms of use and by agreeing to them, the eduID is created. 
• Purpose: to log in to an application with eduID where personal data can be provided to the application to recognize you, provide you with authorization or communicate with you via e-mail. This purpose applies to applications that are not prescribed or required by an institution with which you have a relationship. 
  Lawfulness: execution of an agreement, namely the terms of use that you accept when creating your eduID. 
• Purpose: To provide you with insight into your login history, we keep track of which application you have logged in to and what personal data has been provided to the application. 
  Lawfulness: execution of an agreement, namely the terms of use that you accept when creating your eduID. 
• Purpose: We process the technical data mentioned for the correct operation of eduID. 
  Lawfulness: execution of an agreement, namely the terms of use that you accept when creating your eduID. 

An institution is controller for several purposes. The institution ensures a lawful basis for processing personal data: 

• Purpose: to log in to an application with eduID where personal data can be provided to the application in order to recognize you, provide you with authorization or communicate with you via e-mail. This purpose applies to applications for which the institution requires logging in with eduID 
  Lawfulness: this is determined by the institution, and can be, for example: performing a task of public interest such as education, or the performance of a contract, such as an apprenticeship agreement, contract education or employment contract. 
• Purpose: some applications require more and/or reliable personal data before access can be granted. You can add this data to your eduID by linking your eduID to an external data source, such as an educational institution, for example your name as known to the institution, your relationship with the institution (e.g. student or employee) and the organization name. Providing these personal data to eduID is done under the responsibility of the institution. 
  Lawfulness: this is determined by the institution, and can be, for example: performing a task of public interest such as education, or the performance of a contract, such as an apprenticeship agreement, contract education or employment contract. 
  It is good to know that this data can subsequently be released under the responsibility of SURF when logging in to an application (see above).

To whom do we provide your data?

eduID only provides your personal data to third parties if this is necessary for you to access the application. For example, eduID provides data to applications to which you log in via eduID. The first time you log in to an application with eduID, you will see an information screen showing exactly what data is provided to the application. Your data will only be transferred if you agree to this. By closing this window, you can prevent the application from receiving your data. You cannot log in to the application with eduID. 

Via My eduID you can see which services you have logged into with eduID. 

We will only provide your data to parties other than the above with your permission unless it is legally required or permitted to provide your data. For example, the police can request data from us in the context of a fraud investigation. SURF is then legally obliged to provide this information. 

There are also various parties involved in offering the platform. The following party processes personal data on the instructions and instructions of SURF: 

• Hosting and management provider

Where do we store your data?

The eduID infrastructure is hosted on SURF infrastructure. Its servers are located in Amsterdam and Utrecht, with a backup location in Tilburg.

How long do we keep your data?

The personal data obtained from an institution by linking your eduID to an institutional account will be kept for 6 months, except for the obtained first and/or last name, which will be kept for 6 years. This period has been chosen to keep this data sufficiently up to date. 

The retention period for all eduID account data is 5 years after the last time you log in somewhere with your eduID. This period has been chosen because in the process of lifelong development it is expected that there will be periods in which a user does not use his eduID, but that the eduID can become relevant to that person again. In the meantime, eduID will send reminders if the account is in danger of being removed. 

The technical log data is kept for six months to allow time to investigate any problems and incidents.

What rights do you have?

You have the right to have the personal data that eduID processes about you changed, supplemented, or deleted. You can also request access to the personal data that is processed about you. You can view the information that eduID has about you on My eduID. You can also change or supplement your details there. 

If it concerns automatic processing of data provided by you based on consent or the execution of an agreement, you can request an overview in a structured and common form of the personal data that we process about you via My eduID. You also have the right to have this data transferred to another party, provided this is technically possible. 

You can also submit a request to restrict the processing of your personal data, which will cause the controller to temporarily stop processing your data. This happens if: 

• you object (see further explanation below), or 
• you contest the accuracy of personal data being processed, or 
• you believe that the processing of data is unlawful, or 
• you believe that the controller no longer needs your personal data, but you need them in the context of a legal claim.

NB! If eduID restricts the processing of data necessary for running our services, this restriction may affect the functioning of the service. 

Right to object: 

You can object to the processing of your personal data if your data is processed based on a legitimate interest or on the basis of the performance of a task of public interest. If the controller has no compelling legitimate grounds to continue the processing, the processing will cease. 

If you object, you can also submit a request to restrict the processing of your personal data during this objection. 

How to file a complaint: 

If you believe that eduID is not handling your personal data properly, you can file a complaint with the data protection officer of SURF or an institution. You also have the right to file a complaint with the Dutch Data Protection Authority. More information about the Dutch Data Protection Authority and submitting complaints can be found at www.autoriteitpersoonsgegevens.nl

Where can you go to exercise your rights?

You can submit a request to exercise your rights to the organization responsible for processing your personal data (the controller). However, for eduID these can be different organizations: SURF or one of the participating institutions. SURF coordinates the requests and puts you in touch with the right person at the right institution. Please contact us at: help@eduid.nl. You can of course also contact the relevant institution directly.

Which cookies does eduID use?

eduID places cookies on the device you use to visit eduID. Cookies are small files that are sent by an internet server and stored on your device. The cookies that eduID places are necessary for the functioning of eduID. eduID does not place analytical or tracking cookies. 

Functional cookies 

eduID uses several functional cookies that ensure that eduID functions correctly: 

• Cookie ‘login_preference’ to remember how you log in (e.g. via magic link or password). This cookie is valid for 1 year. 
• Cookie ‘lang’ to remember in which language you wish to see the eduID interface. This cookie is valid for 1 year. 
• Cookie ‘REGISTER_MODUS’ to indicate whether you should proceed with the registration process. This cookie is only set during the session and then deleted. 
• Cookie ‘BROWSER_SESSION’ to ensure that you use the magic link in the same browser where the login was initiated. This cookie is only set during the session and then deleted. 
• Cookie ‘guest-idp-remember-me’, to enable you to remain logged in (in the browser where you use this). This cookie is valid for 6 months. 
• Cookie ‘username’ to remember your username so that you do not have to enter it next time. 
• Cookie ‘REMEMBER_ME_QUESTION_ASKED_COOKIE’ to remember whether eduID has asked that you remain logged in. 
• Cookie ‘TIQR_COOKIE’ to remember whether you have already logged in with the eduID app in this browser 
• Cookie ‘TRACKING_DEVICE’ to detect whether this is a new device that is being logged in. If this is a new device, a notification email will be sent.

Changes to privacy policy

Changes may be made to this privacy policy. We therefore recommend that you consult this privacy policy regularly. The version number is at the top of the page.