SURF finalizes DPIA on Adobe Creative Cloud and Document Cloud for Education

SURF and Privacy Company have conducted a Data Protection Impact Assessment (DPIA) on Adobe Creative Cloud and Document Cloud for Education. SURF confirms that institutions may continue using these products, as Adobe has committed to implementing mitigation measures to address the identified risks. At the end of 2026, we will review whether the supplier has fully implemented these measures. 

Adobe within education institution in the Netherlands 

Adobe is a software company that develops applications for digital content creation, document management, and design. Many Dutch education institutions use these products within the creative domain.  

Risks identified

The DPIA identified nine high risks and eight low risks. The most significant risks relate to product features that limit the user’s ability to delete documents or stop them from being shared, restrictions that prevent administrators from fully facilitating the user’s rights, and the disproportionate processing involved in Adobe’s Content Credentials feature, and SURF’s current contractual framework. The latter risk is related to the education institution use Adobe’s online Data Processing Agreement (DPA), which means the high risk arises from the fact that each educational institution enters into its own agreement and may operate under different versions. 

Adobe's collaborative approach and committed measures

Throughout the DPIA process, Adobe worked closely with SURF to address all identified issues. Adobe assessed the feasibility of requested technical mitigations and identified which measures it will implement by the end of 2026.

Adobe has committed to working with SURF on contractual changes as part of the current contract renewal defined in the DPIA. Additional commitments are providing transparency on applicable subprocessors, complying with legal transparency requirements about cookies and similar technologies, providing clear messaging and prompts to users about publicly shared documents, and allowing users to delete items in the Creative Cloud web application in the same manner as the desktop application.

The DPIA outlines the measures that educational institutions and Adobe should adopt to mitigate all identified high risks. These measures are expected to reduce risks to a low residual level, eliminating the need for prior consultation with the Data Protection Authority. Although reducing low risks is not strictly necessary, implementing recommended measures helps better protect the rights and freedoms of data subjects.

Educational context considerations

In art institutions or art courses where students explore experimental or provocative themes, educators should be aware that content involving non-reportable child sexualization and extreme sexual content (when reported) may conflict with Adobe’s content policies, potentially resulting in account restrictions. Institutions should therefore be familiar with these policies when using Adobe’s products and services.

Follow up

SURF will continue to work with Adobe throughout the ongoing contract renewal negotiations to address identified contractual risks and implement agreed-upon measures. As a significant number of measures have already been implemented or scheduled, SURF is satisfied with Adobe's collaborative approach and commitment to protecting the rights and freedoms of data subjects in educational settings.

Adobe has committed to implementing remaining measures according to the agreed timeline. SURF and Privacy Company will verify implementation and publish updates to the DPIA as progress is made. SURF recommends that educational institutions review the DPIA findings and implement the outlined mitigating measures (or measures that have the same or similar effect) when using Adobe Creative Cloud and Document Cloud for Education.

Adobe’s perspective 

Adobe notes that its commitments should not be interpreted as an acknowledgement of any legal obligation or agreement with the assigned risk levels. The improvements "should instead be viewed in the spirit of making improvements requested by a specific customer with unique requirements due to the context of how they use Adobe services." SURF believes that the mitigation of identified risks is required for Adobe and schools to make use of Adobe's products and services to be compliant with the GDPR. We look forward to continuing this collaboration with Adobe to ensure that students can use Adobe's products and services in a safe and compliant manner. 

Full report publicly available

The full findings of the assessment can be found in the Data Protection Impact Assessment (DPIA) report.

More information about the effects on privacy protection when using American vendors can be found in this information document.