Data Protection Impact Assessment (DPIA)
EduGPT - Pilot Phase
Organization: CivAI B.V. (EduGPT)
Version: 1.0 PILOT
Date: August 30, 2025
Status: Final for Pilot
Contact: privacy@edugpt.nl
Executive Summary
EduGPT offers European educational institutions a GDPR-compliant alternative to ChatGPT during a 3-month pilot phase (October – December 2025). The platform runs on Microsoft Azure within the EU and only processes personal data necessary for providing AI services.
Key characteristics of the pilot
- Users: Maximum 20 users per institution (teachers, educational support staff, researchers)
- Location: Data remains within the EU (Azure West-Europe)
- Training: No use of data for AI training
- Logging: Complete audit logging
- Cost: Free during pilot
Risk Classification
| Risk Level | Description | Measures |
|---|---|---|
| HIGH | Unintended processing of special personal data | Technical and organizational measures |
| MEDIUM | Possible data breaches, AI hallucinations | Encryption, training, disclaimers |
| LOW | Unauthorized access by third parties | Access control, MFA |
1. Description of Data Processing
1.1 Context and Problem
More than 70% of teachers and students use ChatGPT or similar tools via personal accounts for study and work purposes. This creates substantial risks:
- GDPR violations due to data processing outside the EU
- Shadow IT via WhatsApp and personal tools
- No control over educational data
- Training of AI models on sensitive data (e.g., student reports)
1.2 EduGPT Solution
EduGPT offers a safe alternative during the pilot that:
- Provides the same ChatGPT functionality
- Keeps data within the EU (Azure datacenter Europe)
- Performs no training on user data
- Provides audit trails for accountability
- Delivers European support
1.3 Pilot Setup
- Period: October – December 2025 (3 months)
- Participants: max. 10 educational institutions
- Users: max. 20 per institution
- Cost: free
- Goal: validate product-market fit and gather educational needs
2. Personal Data
2.1 Overview of Personal Data
| Category of Data Subjects | Type | Personal Data | Source |
|---|---|---|---|
| Users (teachers, students, staff) | Regular | Name, email address, position, institution | User registration |
| Users | Regular | IP address, browser info, timestamps | System logging |
| Users | Regular | Prompts, chat history | User interaction |
| Third parties (in documents) | Unknown | Potentially all categories, incl. special data | Documents uploaded by users |
2.2 Critical Risks
Warning: Users may upload documents containing personal data of pupils or students, such as:
- Medical data (dyslexia, ADHD)
- Study progress, grades, guidance reports
- Behavioral or care information
- Financial data (student finance, payment arrears)
3. Processing Activities
3.1 Overview of Processing
| Processing | Personal Data | Purpose |
|---|---|---|
| Registration | Name, email, institution | Create account |
| Authentication | Email, password | Grant access |
| Storage | All user data | Provide service |
| AI-processing | Prompts, documents | Generate responses |
| Logging | All actions + metadata | Audit trail, security |
| Backup | All data | Continuity |
| Deletion | All data | On user request |
3.2 Excluded Processing
No processing for:
- ❌ Marketing
- ❌ Product development
- ❌ Sale to third parties
- ❌ Profiling
4. Involved Parties
| Party | Role | Functions | Access to |
|---|---|---|---|
| CivAI B.V. (EduGPT) | Processor | Platform management, support | All data (encrypted) |
| Microsoft Ireland | Sub-processor | Azure hosting | Encrypted data, no keys |
| Educational institutions | Controller | Determine usage | Data of own users |
| Users | Data subject/inputter | Platform usage | Own data |
5. Technical and Organizational Measures
5.1 Processing Locations
- Primary hosting: Azure West-Europe
- Backup: Azure paired region (Belgium)
- Support: CivAI office (Netherlands)
- ❌ No transfer outside EEA
5.2 Technical Specifications
- AI processing: Azure OpenAI Service (GPT-4)
- Security: TLS 1.3, AES-256 encryption, bcrypt hashing, JWT sessions
- No use of: profiling, automated decision-making with legal effects
6. Legal Grounds
| Processing | Legal Ground (Art. 6 GDPR) | Motivation |
|---|---|---|
| Platform usage | 6.1.b (contract) | Service provision |
| Educational data | 6.1.e (public interest) | Educational purposes |
| Security logging | 6.1.f (legitimate interest) | Security |
| Legal retention | 6.1.c (legal obligation) | Compliance |
7. Retention Periods
| Data | Retention Period | Motivation | Action |
|---|---|---|---|
| Chat history | As long as user wants | User control | Delete on command |
| Uploaded documents | Linked to chat | Part of conversation | Deleted with chat |
| Account data | Active + 6 months | Administration | Automatically deleted |
| Security logs | 12 months | Incident response | Automatic rollover |
| Audit logs | 7 years | Educational accountability | Archiving |
| Backup | 30 days rolling | Disaster recovery | Overwritten |
8. Rights of Data Subjects
| Right | Implementation | Processing Time |
|---|---|---|
| Access | Export function | 5 working days |
| Rectification | Account settings | Immediate |
| Erasure | Delete function | 5 working days |
| Portability | JSON/CSV export | 5 working days |
| Objection | Privacy officer assessment | 5 working days |
9. Risk Assessment
9.1 Identified Risks
| Risk | Probability | Impact |
|---|---|---|
| Hack/leak of pupil or student data | Low | Very high |
| Upload of medical/care data | High | High |
| Incorrect output in lesson context | Medium | Medium |
| Account compromise | Low | High |
| Azure dependency | High | Low |
9.2 Risk Management
| Risk | Technical Measures | Organizational Measures | Residual Risk |
|---|---|---|---|
| Data breach | Encryption, TLS, access control | Incident response, training | Low |
| Special data | Encryption, audit logs | Warnings, onboarding | Medium |
| AI hallucinations | Model settings | Training, disclaimers in UI | Medium |
| Unauthorized access | MFA, session timeout | Awareness training | Low |
| Vendor lock-in | Container architecture | Exit strategy 2026 | Low |
10. Special Personal Data (Article 9 GDPR)
10.1 Risk Identification
High risk: Users may upload special data such as:
- Care records
- Medical certificates
- Study guidance
10.2 Mitigation Measures
- Technical: Encryption of all data
- Interface: Warnings in UI
- Training: Instruction for teachers/researchers
- Policy: No content analysis by EduGPT
11. Purpose Limitation and Proportionality
11.1 Permitted Purposes
✅ Only for education-related AI services
11.2 Excluded Purposes
- ❌ No product development with data
- ❌ No sale/sharing with third parties
- ❌ No marketing
11.3 Necessity and Proportionality
- Necessity: AI use is already a reality; a safe alternative is the only viable option
- Proportionality: Minimal data collection; the user maintains control
- Subsidiarity: A prohibition does not work, and commercial tools are not GDPR-compliant
12. Recommendations and Implementation
12.1 Points of Attention for Educational Institutions
- Conclude a processing agreement
- Instruct users on responsible use
- Align data breach and retention procedures
- Adapt internal procedures
12.2 Educational Institution Decision-making
- Agree to pilot participation
- Processing agreement signed
- Users instructed
- Internal procedures adapted
13. Planning and Milestones
| Milestone | Date | Status |
|---|---|---|
| DPIA final | September 2025 | ✅ |
| Pilot start | October 2025 | ⏳ |
| Interim evaluation | November 2025 | ⏳ |
| Pilot evaluation | December 2025 | ⏳ |
| Go/No-go production | January 2026 | ⏳ |
14. Legal Framework
- GDPR: Fully applicable
- Education legislation (WVO, WHW): Indirectly relevant, institutions remain ultimately responsible
- BIO 2.0: Government/education baseline, design compliant, not certified
- EU AI Act: Prepared (low risk)
Annexes
- Annex A: Technical specifications (Azure Web Apps, PostgreSQL, OpenAI Service, Blob Storage, Key Vault)
- Annex B: Incident Response Plan
- Annex C: Processing Agreement
- Annex D: Contact details CivAI/EduGPT
Document Approval
| Function | Name | Date | Signature |
|---|---|---|---|
| Privacy Officer | | | |
| CISO | | | |
| Management | | | |
This document has been prepared in accordance with the requirements of the General Data Protection Regulation (GDPR) and contains a thorough analysis of the privacy impact of the EduGPT pilot phase.