Proteccion de datos

GDPR for Educational Centres

Schools, academies, universities and training centres process data from minors, families and staff under a particularly demanding legal framework. If you use educational apps, cloud platforms or surveillance cameras, non-compliance with the GDPR is not a remote possibility: supervisory authorities have sanctioned educational centres of all sizes across Europe.

RegulationGDPR · LOPDGDD · AEPD Instruction 1/2022
ProfileSchools, academies, vocational training, universities, language schools
Estimated timeline6-10 weeks for the full compliance cycle

The General Data Protection Regulation (GDPR, EU 2016/679) and Spain's Organic Law 3/2018 on Personal Data Protection and the Guarantee of Digital Rights (LOPDGDD) impose specific obligations when processing data belonging to children under the age of 14. In education, that is virtually a daily reality: academic records, photographs taken at school events, digital learning platforms (LMS), family communication apps and video surveillance systems in corridors or canteens. The AEPD's Instruction 1/2022 on mobile devices in schools adds an additional layer of obligations that many centres are still unaware of.

The problem is not simply having a privacy policy published on the website. The AEPD has investigated and sanctioned centres for sharing images of students with third parties without a legal basis, for using US-based video-calling platforms without adequate international transfer safeguards, or for collecting biometric data (fingerprints for canteen access) without assessing proportionality. The reputational risk is high: a complaint from a family can trigger an inspection that stalls technology projects and damages the centre's image within the educational community.

Summum Consultoria has worked since 2007 with organisations of diverse nature and understands the specific case law of the education sector: dual consent rules (parents or guardians for children under 14, and the student themselves from age 14 onwards), contractual relationships with educational technology providers, the management of scholarship data and socioeconomic information, or the processing of health data for students with special educational needs. Our legal team tailors the analysis to the reality of each centre, without generic templates, and works side by side with the management team to ensure compliance does not hinder the educational mission.

The GDPR for Educational Centres process.

The process · four stages
01

Initial assessment

We map all data processing activities at the centre: academic records, digital platforms (LMS, communication apps, video conferencing), security cameras, health and special needs data, scholarship records and families' financial information. We identify the applicable legal bases and gaps in relation to the GDPR, the LOPDGDD and AEPD Instruction 1/2022.

02

Records of processing activities and risk analysis

We draft the Records of Processing Activities (RoPA) tailored to the structure of the centre: we distinguish processing activities based on the educational contract, those grounded in legitimate interest, and those requiring express parental consent. We carry out a Data Protection Impact Assessment (DPIA) where required: video surveillance, biometrics, academic performance profiling using predictive technology.

03

Legal documentation and clauses

We draft or review: information clauses for enrolment and extracurricular activities, website privacy policy, age-differentiated parental consent forms, data processing agreements with technology providers (Google Workspace for Education, Microsoft 365, LMS platforms), and internal protocols for managing security breaches within the statutory notification deadlines (72 hours to the supervisory authority).

04

Training and ongoing support

We train the management team and teaching staff on their practical day-to-day obligations: what to do when a family requests access to or erasure of data, how to handle the use of images on the centre's social media, what to require from new educational platforms before deploying them. Teaching centres offering regulated education are required to designate a Data Protection Officer (DPO) under Article 34 of the LOPDGDD; Summum Consultoria can take on that role as external DPO.

What is included

What GDPR for Educational Centres includes.

The operational detail: what we deliver as part of the work and what we keep alive afterwards.

  • Records of Processing Activities

    A complete and up-to-date RoPA covering all the centre's processing activities: enrolment, academic records, health, video surveillance, digital platforms and family communications.

  • Data Protection Impact Assessment (DPIA)

    Risk analysis for high-risk processing activities: biometrics in the canteen, automated academic profiles, video surveillance in sensitive areas or the use of AI in the classroom.

  • Legal clauses and forms

    Information texts for enrolment, age-differentiated parental consents (under and over 14), image authorisation forms and templates for extracurricular activities.

  • Contracts with technology providers

    Review and execution of data processing agreements with Google, Microsoft, LMS platforms, communication apps and any provider that accesses student or staff data.

  • Security breach protocol

    Internal procedure to detect, contain and notify incidents within the statutory deadlines. Communication templates for the supervisory authority and for affected individuals according to the severity of the breach.

  • External DPO or ongoing advisory

    External Data Protection Officer: mandatory for all teaching centres offering regulated education under Article 34 of the LOPDGDD, regardless of size. We also offer a permanent advisory service to handle queries from the management team.

Frequently asked questions about GDPR for Educational Centres.

What is the minimum age at which a minor can give consent on their own under Spanish law?

Article 7 of the LOPDGDD sets the age at 14. Below that age, consent must be given by the holder of parental responsibility or guardianship. From the age of 14, the minor may consent directly, although informing the family as well is recommended as good practice. This rule applies both to the use of educational platforms and to the publication of images on the centre's website or social media channels.

Is it prohibited to use US-based video-conferencing platforms such as Google Meet or Zoom?

They are not prohibited, but their use requires the provider to offer adequate safeguards for the international transfer of data. Since the EU-US Data Privacy Framework entered into force in July 2023 (European Commission Adequacy Decision), providers certified under that framework can be considered valid. The centre must sign a data processing agreement with the provider and review its sub-processing clauses before using the platform with student data.

Are educational centres required to appoint a Data Protection Officer?

Yes, as a general rule. Article 34 of Spain's LOPDGDD expressly requires all teaching centres that provide regulated education at any level — as well as public and private universities — to designate a DPO. The obligation applies regardless of the size of the centre and is met by appointing either an internal or external DPO, whose designation must be notified to the AEPD. For public centres, several regional governments have appointed a shared DPO covering their dependent schools. Summum Consultoria can act as external DPO or support the appointment process.

What are the rules if we install cameras at the school?

Video surveillance in schools is expressly regulated: cameras must be limited to general access areas (entrances, corridors, car parks) and must never point to areas where students have a reasonable expectation of privacy (toilets, changing rooms). Standardised signage is required, recordings must be retained for no longer than 30 days unless there is a criminal or disciplinary reason, and a proportionality analysis is mandatory. If recordings are processed using facial recognition or other biometric analysis techniques, they become special category data requiring a DPIA.

How often does data protection documentation need to be updated?

The RoPA and impact assessments must be reviewed whenever the centre brings on a new technology provider, changes the purpose of an existing processing activity, or suffers a security breach. As a minimum, a full annual review is recommended, plus a specific review before the start of each school year — which is typically when new platforms are introduced or school management providers change.