DPIA on Ans Exam: can be used provided that corrective measures are implemented

Results of the DPIA
A total of 17 risks were identified:
• 13 high risks
• 3 medium risks
• 1 low risk
The main points of attention are:
• Incomplete description of processing activities in the Data Processing Agreement (DPA).
• Uncertainty about the division of roles between the parties involved.
• Insufficient transparency about sub-processors, cookie notifications and parts of the user interface.
Additional risks are related to the use of email tracking, application logging, retention periods and the ability to respond effectively to requests from data subjects.
Concrete improvement measures
The findings were carefully discussed with Ans Exam and translated into concrete measures. During the DPIA process, Ans Exam clearly demonstrated that it is highly motivated to address the identified risks and has proactively started to implement the recommended measures. As a result, a large number of risks have already been successfully mitigated before the completion of the DPIA.
Ans Exam has committed to:
• Update the description of data processing in Appendix 1 of the processing agreement so that it gives insight into all processing activities. The amended appendix applies to all existing and future agreements with customers.
• Describe the responsibilities of the controller and the processor in both the privacy statement and the processing agreement.
• Supplement and correct the information about sub-processors.
• Disable notifications about email tracking.
• Update the cookie policy.
• Implement the additional technical and organisational security measures agreed upon during the DPIA.
Follow-up
Ans Exam has committed to mitigating all remaining identified risks in the period Q1–Q3 of 2026. Together with SURF, we will verify the implementation of the agreed measures by the supplier and publish updates to the DPIA during 2026.
In addition, we are continuing to work with SURF on an improved version of Appendix 1 of the DPA for the institutions. The advice to the institutions is to conclude an updated DPA so that they can benefit from improved privacy provisions and functionalities.
It is also recommended to:
• require single sign-on (SSO) when using Ans Exam;
• use a dedicated domain.
These measures strengthen the overall privacy and security position of the platform.
Company publishes this blog about the findings with permission from SURF. See the press release and complete DPIA on the website of SURF.