Sign up for free for our Privacy & Security event on 28 May

DPIA on European ESET security services: no high risks

July 16, 2026
Privacy Company has conducted a DPIA (Data Protection Impact Assessment) for SLM Cloud on the security services provided by the European cybersecurity provider ESET. The DPIA covers ESET Protect, ESET endpoint security for Windows devices, ESET server security and ESET Cloud Office Security for e-mail. ESET provides these services as cloud services, but some also as software for on-premises use.

With the permission of SLM Cloud, we are publishing this blog about our findings. For questions about the research, please contact the press spokesperson at the Dutch Ministry of Justice and Security via +31 (0)70 3707345.

Outcome: 16 low data protection risks

It follows from the technical tests that ESET Protect Elite adequately detects critical threats and security breaches from devices and cloud apps, including malicious e-mail, files and URLs that are exchanged via e-mail (Gmail) and via SharePoint, both within the tenant and when sent by an external individual.

SLM Cloud (strategic vendor management for cloud services, housed at the Dutch Department of Justice) has negotiated an amended data processing agreement with ESET, and ESET has implemented or announced measures to mitigate the identified 16 data protection risks. Importantly, ESET has already created a new sovereign EU exclusive private cloud option next to its standard cloud services. This means Dutch government organisations can choose between this new EU private cloud option and the air gapped on-premises solution without having to assess personal data transfer risks.

Government organisations still have to take a number of specific mitigating measures until ESET has implemented the agreed mitigation measures. ESET will take most of the agreed mitigation measures by the end of Q3 2026, 1 by the end of 2026. The 16 residual low risks with mitigating measures are shown in more detail in the table in the DPIA.

Five categories of personal data

This DPIA assesses the data protection risks for 5 categories of personal data:

  1. Security Event Data (the data generated by ESET about suspicious content and actions by admins and/or software to prevent threats)
  2. Account Data (of the admin and of the end user)
  3. Diagnostic Data (including the Telemetry Data)
  4. Support Data
  5. Website Data (both the restricted access Admin Console and 4 relevant publicly accessible websites)

This DPIA does not use the term Content Data, as these data are only processed by customers in their own environment. ESET’s security services scan the Content Data, such as visited URLs, executables and files, but when ESET processes these data, they are called Security Event Data in this DPIA.

The amended DPA negotiated by SLM Cloud now specifies these 5 relevant categories of personal data.

GDPR role of ESET

Initially, based on an analysis of ESET’s standard Data Processing Agreement (DPA), public Privacy Policy and relevant service terms, this DPIA assessed that ESET qualified as data controller for most categories of personal data, and for many essential and inevitable data processing purposes. This resulted in a number of high data protection risks related to a loss of control of the nature, purposes and impact of the data processing. ESET and SLM Cloud have since contractually agreed that ESET is a data processor for 4 specific purposes, for the 5 relevant categories of personal data (not the Content Data, since these remain at the customer).

These 4 main purposes are:

  1. Provide and maintain well-functioning and up-to-date software and services (with specific sub purposes).
  2. Secure the software and services (including vulnerability assessment and patch management).
  3. Provide technical support, including use of aggregated Support Data to improve the software and support for all customers.
  4. Process minimised Personal Data from ESET LiveGrid Feedback and Reputation for statistical purposes and to technically improve the software and services.

Since every supplier needs to use some personal data from its customers for its own legitimate business purposes, for example, to send invoices, SLM Cloud and ESET have also agreed on a limitative list of 8 specific authorised further processing purposes. This means ESET can further process these data (it obtains as processor) as controller, when strictly necessary and proportionate for these purposes, and within the constrictions agreed in the amended Data Processing Agreement. In abbreviated form these 8 purposes are:

  1. Comply with legal obligations (all personal data).
  2. Billing, fulfilling of orders and payment purposes (Commercial Contact Data, Account Data and some Diagnostic Data).
  3. Website analytics.
  4. Detection of licensing compliance, fraud detection/prevention, and protection of ESET’s rights (Account and Diagnostic Data).
  5. Improve and optimize the performance, and efficiency of the software and the IT infrastructure (Aggregated Diagnostic Data).
  6. Internal reporting, financial reporting, revenue planning, capacity planning, forecast modelling and product strategy based on analytics how the procured services are used (Aggregated (higher than a per-tenant level) Account, Diagnostic, Support Data and Website Data).
  7. Feedback by admins (only with valid consent) (Content Data, Account Data and Diagnostic Data).
  8. Audit purposes (all personal data).

Read the full DPIA in English on Open Overheid.
Read the Technical Appendix in English on Open Overheid.   

Download
Sjoera
Consultant