DPIA on TOPdesk: nine high-risk issues

The DPIA has identified nine high-risk issues associated with the use of TOPdesk by educational and research institutions. Six of these risks stem from the platform’s design. The remaining three risks apply to institutions that process special categories of personal data using TOPdesk.
TOPdesk has made a swift start on addressing the six high risks on its own side and has – prior to the delivery of the final version of the DPIA – already mitigated four(!) of these. In the course of 2026, TOPdesk will implement further measures to mitigate the two remaining high risks. The three other risks must be mitigated by the organisations using TOPdesk themselves; measures to this end are also recommended in the DPIA.
Service management platform
SURF has asked us to examine a number of TOPdesk use cases to identify specific risks that may arise in practice. The use cases examined are:
- The use of TOPdesk as a ticketing system for IT services (e.g. reporting bugs)
- The use of TOPdesk as a system for handling security incidents and data breaches
- The use of TOPdesk for recording questions, incidents or complaints relating to social safety, integrated safety and confidentiality issues
- The use of TOPdesk for processing sensitive information in device, incident, application and complaint management
- The use of TOPdesk for authorisation and access management
Application and audit logging were also examined as part of the deployment of TOPdesk.
The investigation
The DPIA began with an examination of TOPdesk’s documentation, relevant terms and conditions, contracts and agreements – the so-called ‘paper reality’. This was followed by a number of interviews with technical and legal experts from TOPdesk, staff from an educational institution using TOPdesk, and representatives from SURF. To assess the extent to which the (technical) reality corresponds with the paper reality, we conducted a technical investigation at the educational institution using TOPdesk. For this purpose, test accounts were created and a special monitoring tool – a man-in-the-middle proxy – was deployed. This tool maps the flows of personal data. We also examined the log files generated when using TOPdesk. Finally, the institution where the technical investigation was carried out submitted a request to TOPdesk for assistance with an access request on behalf of the test account holders.
Based on all of this, we analysed the risks to data subjects.
The outcome
The result of this DPIA is that, by the end of 2026, TOPdesk can be used by an educational or research institution without posing high risks to data subjects – provided that all proposed measures have been implemented. The recommended measures are listed by risk in this (lengthy and English-language) table: