NL | EN

eduID Privacy Statement

Version: 14 November 2018

Nice of you to check out the eduID privacy statement! The SURFnet eduID Team paid a great deal of attention to the protection of your personal data and you can read all about that here. If you have any questions or concerns after you have read this privacy statement, please send an e-mail to support@eduid.nl or contact your own educational institution.

  • Service description
  • Controller and contact information
  • Personal data processed
  • Purpose of and basis for data processing
  • Third parties to whom data is provided
  • Data storage
  • Where can users go to access, rectify, and remove their data?
  • Retention periods
  • Your rights
  • Changes to the privacy statement

Service description

Increasingly, students want to study outside the borders of their own institution. They are for example interested in a variety of different courses, they want to combine subjects that cannot be found within a single institution or they want to make themselves more attractive for the job market. Institutions have different visions when it comes to promoting and facilitating such student mobility. Almost all study programmes offer some room for free choices, and some educational institutions even offer joint courses. Some institutions and courses take it a step further, offering students a lot of freedom in compiling their own curriculum.

This increased flexibility in education poses both technical and administrative challenges. On a technical level, this makes linking educational achievements to accounts with other institutions tricky. And when it comes to administration, it is challenging to (digitally) store educational achievements and share them if a student is no longer studying at a certain institution. As these challenges go beyond a single institution, there is a need for collaboration to invent solutions that can be used by all institutions, programmes, and students. To solve (some of) these problems, SURFnet believes there is a need for an 'eduID' (working title): an educational identity that is not linked to a specific institution.

SURFnet has taken the initiative in developing such an 'eduID'. Although many aspects still need to be worked out, and SURFnet expects it will take at least 5 to 10 more years before an 'eduID' becomes widely available, SURFnet would like to gain some practical experience by way of Proof of Concepts and pilots. This means that for these PoCs/pilots, SURFnet is developing systems in which personal data will be processed.

This privacy statement relates to the pilot being carried out along with the educational team as part of EduBadges. An EduBadge is a new, innovative record of achieving an educational outcome. As educational achievements normally have to be usable once a student has completed their studies, introducing an eduID is sensible: this identity exists independently of any specific institution where someone is studying. Students participating in the EduBadges pilot would therefore create an eduID themselves, and link it to their institutional account through SURFconext to be able to request a badge.

This is a pilot involving only a few institutions; it has a fixed end date, after which all the data and personal data gathered up to that point will be deleted.

Controller and contact information

SURFnet, Utrecht, the Netherlands; www.surfnet.nl
eduID Support; support@eduid.nl

Personal data processed

eduID has 3 data categories: 1) personal data received from the educational institution through SURFconext; 2) data provided to eduID by the user; 3) data created by eduID itself. See a detailed summary below:
  1. Received from the institution through SURFconext, once the user has linked their eduID to the institution:
    1. Persistent pseudonym
    2. Institution e-mail address
    3. User name and surname
  2. Submitted to eduID by the user:
    1. Chosen username (= e-mail address as standard, but can be changed later)
    2. Chosen password for the eduID account
    3. Name + Surname (not required for registration)
    4. Linked accounts
      1. Google: provides full profile, but we only use: identifier, e-mail, name
      2. SURFconext: see above
  3. Generated by eduID:
    1. User account identifier (pseudonym)
    2. eduID number
    3. EduBadges ID number (pseudonym)
  4. Additional technical data:
    1. Technical logging (user agent)
    2. Temporary Session ID
    3. Functional cookies

Purpose of and basis for data processing

The data listed above has to be processed to be able to offer a system in which students can log in so they can create an eduID account which they are able to use for authentication with other services. eduID offers users an institution-independent identifier which has the potential of being used for the rest of their lives, with the identifier not being dependent on where the student is studying at a given time. This offers a range of opportunities, including being able to link specific educational certificates (badges) and maintain a file with all the results. (NB: these services are not provided by eduID itself - eduID merely offers a straightforward way of identifying and authorising users.) eduID also offers the option of linking various accounts, including temporary ones, such as an institutional account through SURFconext and/or a Google account, private or otherwise. This feature improves the ease of use.

The basis for data processing is the data subject's consent. The data subject can withdraw their consent at any time if they so wish; see the heading "Where can users go to access, rectify, and remove their data?" below. Third parties to whom data is provided

eduID only submits data to the EduBadges pilot which are also offered through SURFnet. No data is provided to third parties.

Data storage

The eduID infrastructure and pilot are hosted on SURFcumulus (Vancis) infrastructure).

Vancis data centres are located in the Netherlands.

A backup of eduID infrastructure is stored in SURFdrive.

Where can users go to access, rectify, and remove their data?

You can find a summary of your data by going to https://pilot.eduid.nl and logging in using your eduID. You can also directly rectify the data you provided to eduID yourself.

To amend attributes eduID receives from your institution through SURFconext, please contact your institution's helpdesk.

For more information and/or requests, please contact eduID at support@eduid.nl.

Retention periods

The EduBadges pilot will run until 31 December 2020. All data will be deleted 2 weeks from this date at the latest. Before it is deleted, eduID may ask all users to give their consent to store the data longer.

Your rights

  • Right of access: the data eduID holds on you can be viewed after logging in to https://pilot.eduid.nl.
  • Right to erasure: the data eduID gathers is gathered on the basis of consent. If you withdraw your consent for this, we will delete your data. Please send an email support@eduid.nl to withdraw your consent.
  • Right to rectification: part of your data is provided by you, and part comes from your institution through SURFconext. For the part coming from your institution, please contact their helpdesk if you want to rectify any data.
  • Right to restriction of processing: you have the right to restrict the processing of your personal data, meaning the processing of your data will be suspended for a given period. Circumstances that may give rise to you exercising this right include cases in which the accuracy of your personal data is being disputed and it is taking some time to verify this. This right does not prevent us from continuing to store your personal data. When the restriction is lifted, you will be informed in advance.
  • Right to data portability: the right to data transferability means that you have the right to obtain the personal data about you in a structured, common, machine-readable format if technically possible and you are entitled to transfer it to another controller. We will transfer your personal data directly to the other controller on request if this is technically possible.
  • Right to object: you have the right to object to your personal data being processed. This means that you can ask us to no longer process your personal data. This only applies if 'justified interests' are the legal basis for processing the data.
If you feel that SURFnet is not handling your personal data correctly, you may file a complaint with SURFnet. However, if you and SURFnet are unable to resolve the issue and SURFnet's response to your complaint does not lead to an acceptable result, you have the right to submit a complaint about SURFnet to the Data Protection Authority. You can find more information about the Data Protection Authority and file a complaint at www.autoriteitpersoonsgegevens.nl. To exercise these rights, please contact support@eduid.nl or your educational institution. Om deze rechten uit te kunnen oefenen, kun je contact opnemen met support@eduid.nl of je eigen onderwijsinstelling.

Changes to the privacy statement

Changes may be made to this privacy statement. We therefore recommend that you review this privacy statement regularly. The version number is shown at the top of this page