| Blog   |

Digital school

GDPR in schools

The General Data Protection Regulation, or GDPR for short, has been officially in force since May 25.05.2018, XNUMX and serves to protect all personal data. Of course, this regulation also applies to schools - but what exactly does that mean? Everything about the GDPR in schools is presented here on the Sdui blog.

Table of Contents:

1. Definition: GDPR - General Data Protection Regulation

The General Data Protection Regulation consists of a total of 99 articles - here is the official wording of the first article.

“Article 1 GDPR Subject matter and objectives: (1) This regulation contains provisions for the protection of natural persons in the processing of personal data and for the free movement of such data. (2) This regulation protects the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data. (3) The free movement of personal data in the Union may not be restricted or prohibited for reasons of the protection of natural persons when processing personal data. "

The following 98 articles describe exactly how and when a company or organization must save, use or immediately delete personal data of customers or prospects. In very simple terms, the GDPR is used for Protection of our digital data that can be clearly assigned to a person, so-called personal data. 

The category “personal data” includes more than you might think at first glance. Information like name, gender, address, email and phone number come straight to mind in this context. But less obvious information also falls under the GDPR, such as place of birth, dress size and - especially important for schools - also school and work references.

2. The 7 principles of the GDPR

One of the central articles of the current General Data Protection Regulation is Article 5 - Principles for the processing of personal data. Here the 7 fundamental principles of how an organization should handle personal data are clarified. These 7 principles are presented and briefly explained below.

  • "Legality, processing in good faith, transparency": Before an organization is allowed to use or store personal data in whatever form, active consent must be given. In addition, all information on the processing of personal data must be clearly written and easily accessible.
  • "Earmarking": Personal data may only be collected or processed for the purposes that have been legally agreed. Any further processing without consent is not permitted.
  • "Data minimization": The collection of personal data must be limited and reduced to what is really necessary.
  • "Accuracy": All lawfully collected personal data must be factually correct and, as far as accessible, up to date. Correspondingly collected data that is incorrect for the purpose of its processing must be deleted or corrected.
  • "Memory limit": Personal data must be stored in a certain form that enables direct identification of certain persons only as is necessary for the agreed purpose limitation.
  • "Integrity and Confidentiality": For personal data, adequate security must be guaranteed at all times through both technical and organizational measures. This includes "protection against unauthorized or unlawful processing and against unintentional loss, unintentional destruction or unintentional damage.
  • "Accountability": The responsible authority in the organization must be able to prove compliance at any time and can be held accountable if it is disregarded.

3. What must be done in schools in terms of GDPR?

With its official enactment in 2018, the General Data Protection Regulation turned a lot upside down, and not only in the economy, and put many companies in an emergency situation. All public bodies - including schools - are also subject to the General Data Protection Regulation and must take all appropriate measures. Which concrete steps have to be taken must be considered individually, depending on the existing circumstances in the schools. The five most frequent steps that schools have to go through to become a data protection-compliant school are presented here.

3.1 Appointment of a responsible data protection officer

Article 37 of the General Data Protection Regulation clearly states that every authority and public body without exception must appoint a data protection officer. It then of course follows that every public school in Germany must also appoint a data protection officer. In the school sector, there are some additional guidelines and special cases that a school must adhere to when determining the data protection officer.

For example, the data protection officer may not only be directly technically suitable, but may not be a member of the school management or a school IT administrator. Teachers with the appropriate qualifications and without any function in the school management are permitted to act as data protection officers. As in the public sector, the contact details of the data protection officer of a school must be published and also forwarded to the responsible supervisory authority of the federal state.

Public schools also have the option to jointly appoint a responsible data protection officer, who thus takes on this role for several schools at the same time. It is important that every school management explicitly agrees to this data protection officer. There are currently no exceptions in the General Data Protection Regulation based on the size of the school or the number of teachers.

3.2 Directory for which purposes personal data are processed

According to the General Data Protection Regulation, every school in Germany is obliged to to keep a written list in which it is precisely recorded which personal data the school works with and above all for what purpose it is stored or processed. This so-called directory of processing activities (VVS) serves as proof that the school adheres to the provisions of the GDPR. This directory can also be kept electronically and must be presented to the responsible supervisory authority when instructed.

3.3 Schools' obligation to provide information

Once a school personal data raises that come directly from the relevant person it is obliged to inform those affected or, in the case of underage students, also the relevant responsible persons about the data protection regulations. This is the case, for example, when a pupil is admitted to school.

Appropriate templates are usually provided by the federal state. You can often choose from lists that contain everything, depending on the type of school, and can be customized or adapted to the circumstances of the school.

3.4 Data processing by external third parties

Sobald a third party comes into contact with personal data from the school, processed or simply saved, a Contract for order processing (AV) can be concluded. This contract is then concluded between the school controller and the processor. Article 28 of the General Data Protection Regulation deals explicitly with the subject of order processing and lists the minimum contents of such a contract.

As a school, it is important to be aware that any transfer of data to third parties falls under this obligation. Common examples that are mentioned in this context include:

  • The use of any external servers or cloud services for data storage. Services that are made available by higher-level authorities such as the school authority.
  • Any maintenance services for existing IT systems that are related to personal data.
  • Even non-digital data processing must be protected by an order processing contract. An example here is the commissioning of an external company to dispose of files or other data carriers.

3.5 Data breach

It's clear: Nobody wants a data breach! But if for any reason it does happen, it is all the more important to know how to proceed afterwards. Here, too, the GDPR defines exactly when there is a breach of the protection of personal data in Article 4 under item 12: "a breach of security that leads to destruction, loss or alteration, whether unintentional or unlawful, or to unauthorized disclosure by or unauthorized Access to personal data that has been transmitted, stored or otherwise processed ”. Quite simply broken down: As soon as personal data has been unlawfully changed or made accessible to unauthorized persons, a data protection violation has occurred.

Basically must report any data breach to the responsible supervisory authority immediately or within 72 hours will. In the case of violations that have only a low risk of the rights and freedoms of natural persons, an exception to the reporting obligation can be claimed. This exception should really only be claimed after a thorough analysis of the data breach.

4. Conclusion: GDPR in schools

The General Data Protection Regulation has brought about many changes for companies and organizations. It is often viewed negatively, as a lot of work may have to be put into data protection. But this work also serves one of the most important aspects in the digital world - the real protection of our personal data.

The four most important statements on this page are briefly summarized here:

  • The GDPR protects all personal data of a natural person.
  • Article 5 of the GDPR includes the central principles and principles for handling personal data of natural persons.
  • Schools also have to adhere to the GDPR and even have additional requirements that they have to meet.
  • Data protection must never be taken lightly and serves to protect everyone.