Data Protection Impact Assessment (DPIA)
EduGPT - Pilot Phase
Organisation: CivAI B.V. (EduGPT)
Version: 1.0 PILOT
Date: 30 August 2025
Status: Final for Pilot
Contact: privacy@edugpt.nl
Management Summary
EduGPT offers European educational institutions an AVG (GDPR)-compliant alternative to ChatGPT during a 3-month pilot phase (October – December 2025). The platform runs on Microsoft Azure within the EU and only processes personal data necessary for delivering AI services.
Key Pilot Characteristics
- Users: A maximum of 20 users per institution (teachers, educational support staff, researchers)
- Location: Data stays within the EU (Azure West-Europe)
- Training: No use of data for AI training
- Logging: Full audit logging
- Cost: Free during pilot
Risk Classification
| Risk Level | Description | Measures |
|---|---|---|
| HIGH | Unintended processing of special categories of personal data | Technical and organisational measures |
| MEDIUM | Possible data breaches, AI hallucinations | Encryption, training, disclaimers |
| LOW | Unauthorised access by third parties | Access control, MFA |
1. Description of the Data Processing
1.1 Context and Problem
More than 70% of teachers and students use ChatGPT or similar tools via private accounts for study and work purposes. This creates substantial risks:
- AVG (GDPR) violations through data processing outside the EU
- Shadow IT via WhatsApp and private tools
- No control over educational data
- Training of AI models on sensitive data (e.g. student reports)
1.2 EduGPT Solution
During the pilot, EduGPT offers a secure alternative that:
- Provides the same ChatGPT functionality
- Keeps data within the EU (Azure data centre Europe)
- Does not perform training on user data
- Provides audit trails for accountability
- Delivers European support
1.3 Pilot Setup
- Period: October – December 2025 (3 months)
- Participants: max. 10 educational institutions
- Users: max. 20 per institution
- Cost: free
- Goal: validate product-market fit and gather educational requirements
2. Personal Data
2.1 Overview of Personal Data
| Category of Data Subjects | Type | Personal Data | Source |
|---|---|---|---|
| Users (teachers, students, staff) | Regular | Name, email address, role, institution | User registration |
| Users | Regular | IP address, browser info, timestamps | System logging |
| Users | Regular | Prompts, chat history | User interaction |
| Third parties (in documents) | Unknown | Potentially all categories, including special categories | Documents uploaded by users |
2.2 Critical Risks
Warning: Users may upload documents containing personal data of pupils or students, such as:
- Medical data (dyslexia, ADHD)
- Study progress, grades, mentoring reports
- Behavioural or care information
- Financial data (student finance, payment arrears)
3. Processing Activities
3.1 Overview of Processing Activities
| Processing | Personal Data | Purpose |
|---|---|---|
| Registration | Name, email, institution | Account creation |
| Authentication | Email, password | Granting access |
| Storage | All user data | Service delivery |
| AI processing | Prompts, documents | Generating responses |
| Logging | All actions + metadata | Audit trail, security |
| Backup | All data | Continuity |
| Deletion | All data | At user request |
3.2 Excluded Processing
No processing for:
- ❌ Marketing
- ❌ Product development
- ❌ Sale to third parties
- ❌ Profiling
4. Parties Involved
| Party | Role | Functions | Access to |
|---|---|---|---|
| CivAI B.V. (EduGPT) | Processor | Platform management, support | All data (encrypted) |
| Microsoft Ireland | Sub-processor | Azure hosting | Encrypted data, no keys |
| Educational institutions | Controller | Determining use | Data of own users |
| Users | Data subject / input party | Use of platform | Own data |
5. Technical and Organisational Measures
5.1 Processing Locations
- Primary hosting: Azure West-Europe
- Backup: Azure paired region (Belgium)
- Support: CivAI office (Netherlands)
- ❌ No transfer outside the EEA
5.2 Technical Specifications
- AI processing: Azure OpenAI Service (GPT-4)
- Security: TLS 1.3, AES-256 encryption, bcrypt hashing, JWT sessions
- No use of: profiling, automated decision-making with legal effects
6. Legal Bases
| Processing | Legal basis (Art. 6 AVG/GDPR) | Justification |
|---|---|---|
| Platform use | 6.1.b (contract) | Service provision |
| Educational data | 6.1.e (public interest task) | Educational purposes |
| Security logging | 6.1.f (legitimate interest) | Security |
| Statutory retention | 6.1.c (legal obligation) | Compliance |
7. Retention Periods
| Data | Retention Period | Justification | Action |
|---|---|---|---|
| Chat history | As long as user wishes | User control | Delete on command |
| Uploaded documents | Linked to chat | Part of conversation | Deleted with chat |
| Account data | Active + 6 months | Administration | Automatically deleted |
| Security logs | 12 months | Incident response | Automatic rollover |
| Audit logs | 7 years | Educational accountability | Archiving |
| Backup | 30 days rolling | Disaster recovery | Overwritten |
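The retention table above mixes three kinds of rule: user-controlled data (chat history and the documents linked to it), time-based periods counted from deactivation (account data), and time-based periods counted from creation (security logs, audit logs, backups). The following Python block is an added example, not part of the DPIA or of EduGPT's own code, that encodes those rules as a retention check a scheduled job could run; the record model, the conversion of months to 30 days and years to 365 days, and the treatment of a document whose chat no longer exists (deleted) are assumptions made here.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, List, Optional


class Action(Enum):
    KEEP = "keep"
    DELETE = "delete"
    ARCHIVE = "archive"
    OVERWRITE = "overwrite"


# Time-based rules from the Section 7 table. Day counts are an assumption
# (month = 30 days, year = 365 days); a production policy may use calendar months.
TIME_RULES: Dict[str, tuple] = {
    "account": (timedelta(days=6 * 30), Action.DELETE),      # active + 6 months
    "security_log": (timedelta(days=365), Action.DELETE),    # 12 months, automatic rollover
    "audit_log": (timedelta(days=7 * 365), Action.ARCHIVE),  # 7 years, then archiving
    "backup": (timedelta(days=30), Action.OVERWRITE),        # 30 days rolling
}


@dataclass
class Record:
    record_id: str
    category: str                              # chat | document | account | security_log | audit_log | backup
    created_at: datetime
    deactivated_at: Optional[datetime] = None  # accounts: starts the 6-month clock
    delete_requested: bool = False             # chats: the user asked for deletion
    linked_chat: Optional[str] = None          # documents: the chat they belong to


def _time_based_action(rec: Record, now: datetime) -> Action:
    """Apply a TIME_RULES entry; account retention counts from deactivation, the rest from creation."""
    period, action = TIME_RULES[rec.category]
    start = rec.deactivated_at if rec.category == "account" else rec.created_at
    if start is None:  # active account: "Active + 6 months" has not started
        return Action.KEEP
    return action if now - start >= period else Action.KEEP


def due_actions(records: List[Record], now: datetime) -> Dict[str, Action]:
    """Return the retention action due for every record at time `now`."""
    by_id = {r.record_id: r for r in records}
    decisions: Dict[str, Action] = {}
    # Pass 1: user-controlled chats and all time-based categories.
    for rec in records:
        if rec.category == "chat":
            decisions[rec.record_id] = Action.DELETE if rec.delete_requested else Action.KEEP
        elif rec.category in TIME_RULES:
            decisions[rec.record_id] = _time_based_action(rec, now)
    # Pass 2: documents follow their chat ("Deleted with chat"). An orphaned
    # document (chat already gone) is deleted too; that is an assumption here.
    for rec in records:
        if rec.category == "document":
            chat = by_id.get(rec.linked_chat or "")
            decisions[rec.record_id] = Action.DELETE if chat is None else decisions[chat.record_id]
    return decisions


def _utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


NOW = _utc(2026, 6, 15)  # constructed evaluation time

SAMPLE_RECORDS: List[Record] = [  # constructed sample data, not real pilot records
    Record("chat-1", "chat", _utc(2025, 10, 5)),
    Record("chat-2", "chat", _utc(2025, 10, 6), delete_requested=True),
    Record("doc-1", "document", _utc(2025, 10, 5), linked_chat="chat-1"),
    Record("doc-2", "document", _utc(2025, 10, 6), linked_chat="chat-2"),
    Record("doc-3", "document", _utc(2025, 10, 7), linked_chat="chat-9"),  # chat no longer exists
    Record("acct-1", "account", _utc(2025, 10, 1)),
    Record("acct-2", "account", _utc(2025, 10, 1), deactivated_at=_utc(2025, 11, 1)),
    Record("seclog-1", "security_log", _utc(2025, 10, 1)),
    Record("audit-1", "audit_log", _utc(2025, 10, 1)),
    Record("backup-1", "backup", _utc(2026, 5, 1)),
    Record("backup-2", "backup", _utc(2026, 6, 5)),
]


def demo() -> Dict[str, str]:
    """Evaluate the sample records at NOW and return {record_id: action name}."""
    return {rid: act.value for rid, act in due_actions(SAMPLE_RECORDS, NOW).items()}


if __name__ == "__main__":
    for rid, act in demo().items():
        print(f"{rid:10s} -> {act}")
```

Running the block at the constructed time (15 June 2026) keeps the active account, deletes the account deactivated in November 2025 (more than six months earlier), overwrites the backup older than 30 days, and deletes both the chat the user flagged and the document linked to it, while the security and audit logs are still inside their periods.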
8. Data Subject Rights
| Right | Implementation | Turnaround |
|---|---|---|
| Access | Export function | 5 working days |
| Rectification | Account settings | Immediate |
| Erasure | Delete function | 5 working days |
| Portability | JSON/CSV export | 5 working days |
| Objection | Privacy officer review | 5 working days |
9. Risk Assessment
9.1 Identified Risks
| Risk | Likelihood | Impact |
|---|---|---|
| Hack/leak of pupil or student data | Low | Very high |
| Upload of medical/care data | High | High |
| Incorrect output in teaching context | Medium | Medium |
| Account compromise | Low | High |
| Azure dependency | High | Low |
9.2 Risk Mitigation
| Risk | Technical Measures | Organisational Measures | Residual Risk |
|---|---|---|---|
| Data breach | Encryption, TLS, access control | Incident response, training | Low |
| Special categories of data | Encryption, audit logs | Warnings, onboarding | Medium |
| AI hallucinations | Model settings | Training, disclaimers in UI | Medium |
| Unauthorised access | MFA, session timeout | Awareness training | Low |
| Vendor lock-in | Container architecture | Exit strategy 2026 | Low |
10. Special Categories of Personal Data (Article 9 AVG/GDPR)
10.1 Risk Identification
High risk: Users may upload special categories of data such as:
- Care records
- Medical statements
- Study mentoring
10.2 Mitigating Measures
- Technical: Encryption of all data
- Interface: Warnings in UI
- Training: Instruction of teachers/researchers
- Policy: No content analysis by EduGPT
11. Purpose Limitation and Proportionality
11.1 Permitted Purposes
✅ Only for education-related AI service provision
11.2 Excluded Purposes
- ❌ No product development using data
- ❌ No sale/sharing with third parties
- ❌ No marketing
11.3 Necessity and Proportionality
- Necessity: The use of AI is a reality; a secure alternative is the only option
- Proportionality: Minimal data collection, the user retains control
- Subsidiarity: Banning does not work; commercial tools are not AVG (GDPR) compliant
12. Recommendations and Implementation
12.1 Points of Attention for Educational Institutions
- Conclude a Data Processing Agreement
- Instruct users on responsible use
- Align data breach procedures and retention periods
- Adapt internal procedures
12.2 Educational Institution Decision-Making
- Approval to participate in pilot
- Data Processing Agreement signed
- Users instructed
- Internal procedures updated
13. Planning and Milestones
| Milestone | Date | Status |
|---|---|---|
| DPIA finalised | September 2025 | ✅ |
| Pilot start | October 2025 | ⏳ |
| Interim evaluation | November 2025 | ⏳ |
| Pilot evaluation | December 2025 | ⏳ |
| Go/No-go production | January 2026 | ⏳ |
14. Legal Framework
- AVG/GDPR: Fully applicable
- Education legislation (WVO, WHW): Indirectly relevant; institutions remain ultimately responsible
- BIO 2.0: Government/education baseline; designed in line with it, not certified
- EU AI Act: Prepared (low risk)
Annexes
- Annex A: Technical specifications (Azure Web Apps, PostgreSQL, OpenAI Service, Blob Storage, Key Vault)
- Annex B: Incident Response Plan
- Annex C: Data Processing Agreement
- Annex D: Contact details CivAI/EduGPT
Document Approval
| Role | Name | Date | Signature |
|---|---|---|---|
| Privacy Officer | | | |
| CISO | | | |
| Management | | | |
This document has been prepared in accordance with the requirements of the General Data Protection Regulation (AVG/GDPR) and contains a thorough analysis of the privacy impact of the EduGPT pilot phase.