Statement data breach IDW

Posted by Nuffic

Nuffic and SBB together compare foreign diplomas with the Dutch educational system. We do this within the partnership for international credential evaluation (IDW). The IDW uses ICT systems to process the data of persons who apply for such an evaluation. For this purpose, we work with a Dutch ICT party with a subsidiary company in Serbia.

Clear agreements have been made with this party about the processing of data. One of these is that personal data is anonymised before it is sent to the subsidiary, because it cannot be processed outside the European Union. However, the script that should anonymise this data did not work adequately. Therefore the data ended up in the test environment at the subsidiary without being anonymised.

Do you want to know whether your information was involved? All those involved will be informed personally. Would you like more information? Feel free to call +31 (0) 850870242 or send an e-mail to

At the subsidiary, the data was in a secure environment to which only specialised employees had access. Moreover, all employees of the subsidiary company signed a declaration that they would not disclose any of their work data. After it was discovered that this data was not allowed to be in the secure environment, it was immediately removed. At the moment, there is no reason to assume that the data has been misused.

Nuffic and SBB deeply regret this incident. Although there are no concrete indications of misuse, we are currently having an external investigation carried out into the possible misuse of personal data.

We have taken various actions to inform those involved and to assist them as best we can if they have any questions. More information can be found on the IDW website.