Data Protection in Educational Centers

Data Protection in Educational Centers

Data Protection regulations(European and Spanish) in Educational Centers, whether public, subsidized or private, acquire special relevance due to the importance for public opinion of the processing of children’s data and the specific legal obligations required of these centers.

These obligations are the great unfinished business of educational centers, given the numerous queries received by our Legal Department. It is not enough to act in good faith and think that avoiding the disclosure or transfer of the data processed is to fully comply with the provisions of the Data Protection regulations.

Situation of educational centers

If we analyze the situation, from the moment parents apply for their children’s admission to school until the moment they leave, schools become recipients of personal data of students, parents, employees, etc. recipients of personal data of students, parents, employees, etc…

Type of data processed

Special category data:

The consideration of special category data refers to, for example:

• Reports from the Psychopedagogical Office or Medical Services.
• Allergies, celiac disease, or diseases affecting the digestive, endocrine or metabolic system.https://businessadapter.es/
• Physical or mental handicaps or disabilities.
• Ethnic minority background, immigrant status, religion, choice of ethics or religion, choice of extracurricular activities.

Negative certificate of criminal record

In reference to employees of educational centers, it is required with the entry into force of Law 26/2015, of July 28, of modification of the system of protection for children and adolescents, in which teachers and staff with direct contact with minors, must certify the lack of criminal record. This information is also considered special category.

Profiles:

• Academic or Curricular Data of the students.
• Physical and intellectual capabilities.

They are also necessary for the relationship with the school, contact information and identification of students or parents / legal guardians:

Basic data:

• First name Last name, students and parents or legal guardians, Mailing address, E-mail, Telephone, etc.

Images of minors

Special mention for its sensitivity, the images of minors as they affect both their personal privacy and their honor. The informed consent of the legal guardians of minors, will always govern as a rule before publishing photographs and the consent clause will also inform the purpose of the publication and where they will be published.

Obligation to designate a Data Protection Officer

Article 4 of the Law on Data Protection and Guarantee of Digital Rights(LOPD 3/2018), establishes as an obligation to appoint a Data Protection Officer (DPD or DPO), among many other activities, to the “Educational centers that offer teachings at any of the levels established in the legislation regulating the right to education, as well as public and private Universities”.

Having an expert Data Protection Delegate allows these centers to be updated on any publication with recommendations made by the Spanish Data Protection Agency(AEPD), as well as on possible sentences that could create jurisprudence. Likewise, among its functions is to attend the consultations or complaints of parents, students or workers, referring to the treatment of personal data.

The penalties for not having a Data Protection Officer can be very high.

Other obligations

As established by the Data Protection regulations(RGPD and LOPD GDD), the educational centers are responsible for their processing activities and therefore, they will ensure the security of the information processed by adopting appropriate security measures for the processing of the data they handle.

To recall some of the main obligations that any educational center must adopt in order to comply with the Data Protection regulations:

• Treatment Activity Record(RAT)
• Impact Assessment(EIPD)
• Customized Security Policies
• Staff training on data protection
• Standards for personnel
• Conduct periodic audits to verify that the measures adopted are effective.
• Security Breach Action Protocols
• Among other obligations

With the new EU Regulation 2016/679, of April 27, 2016, (GDPR) the measures to be adopted by data file controllers will be strengthened and one of the new features is that public centers will have to assume possible financial penalties in case of infringement.

Have your own Data Protection Delegate in Valencia

I want to have a Data Protection Delegate to ensure compliance with these regulations, avoiding penalties.

If you don’t want to look any further, request information from Business Adapter®, the best Data Protection Officers

[su_button url=”https://businessadapter.es/contacto” target=”blank” background=”#f6f903″ color=”#181818″ size=”7″ center=”yes” icon_color=”#000000″]I would like to hire a Data Protection Officer.[/su_button]