Comments on findings
Response to French findings regarding (free) online services from Google and Microsoft
22 December 2022 - There have recently been publications about the use of various online products of Google in France. Educational institutions there are part of the state, and the processing of (personal) data therefore falls under the rules for processing by state institutions. As the use of some Google services is partly free, procurement rules do not in principle apply to them. However, according to French policy rules, this is necessary. The storage of sensitive data should also not be subject to rules of non-EU countries. Therefore, the French government now advises against using (free) online services from Google and Microsoft. However, these French rules do not apply in the Netherlands. Unlike the GDPR, there are no specific conditions that data from educational institutions may only be stored in the Netherlands or in the European Union. Nor do specific purchasing conditions apply that require free online services not to be used. The developments in France therefore give no reason at present to doubt the legality of the use of Google services by Dutch educational institutions.
SURF and SIVON continue to consult with Google on the use of Google Workspace for Education by Dutch educational institutions.
Response to German findings regarding Microsoft 365
20 December 2022 - In a report dated 2 November 2022, the Association of German Privacy Supervisors (hereafter; DSK) stated that the use of Microsoft 365 in Germany violates the General Data Protection Regulation (GDPR). SURF, APS IT Services, SLB Services and SIVON have taken note of the DSK report with interest and have ordered an investigation in response to these DSK findings.
Conclusion: legitimate use of Microsoft 365 in Dutch education
Following the investigation, SURF, APS IT-diensten, SLBdiensten and SIVON conclude that there is no reason to doubt the lawfulness of the use of Microsoft 365 by Dutch education and research institutions. In 2019, SURF, APS IT-diensten and SLBdiensten (note 1) have already reached agreements with Microsoft on the use of Microsoft 365 within central government and Dutch education and research, which include additional privacy agreements. Many of the findings mentioned by DSK in the report were already identified in previously conducted Data Protection Impact Assessments (DPIAs) and subsequently mitigated in additional agreements. In addition, following the EDPB (European Data Protection Board) guidelines on processing outside the EEA in July 2021, we have once again entered into additional privacy agreements with Microsoft where necessary.
Continuous monitoring of lawfulness of great importance
SURF, APS IT-diensten, SLBdiensten and SIVON recognise the importance of privacy and strive to embed privacy agreements in contracts with vendors. We therefore attach great importance to the continuous evaluation of (cloud) services and assessing their legitimacy. Together with SIVON, SURF, APS IT-diensten and SLBdiensten keep an eye on changing laws and regulations, periodically testing them against existing contracts and adjusting them where necessary. In addition, we remain in constant discussion and negotiation with vendors to ensure that services can be used safely and responsibly.
Note 1: Educational and research institutions use these contracts through SURF, APS IT-diensten and SLBdiensten.