The European Single Market is closely connected with the functioning of the European Union. Protection is warranted by support of an equal level playing field in all member states by ensuring a consistent and homogeneous application of the Treaty. Accordingly the TFEU determines several fundamental freedoms and allow for the free movement of goods, capital, services and people. This includes the flow of personal data of natural persons within the Union. Efforts to protect and maintain this free flow of personal data are now equivalent in all member states by the implementation of the General Data Protection Regulation (GDPR). The Regulation applies to identified or identifiable natural persons residing in the EEA, where their personal data is processed in the context of the activities of an establishment of a controller or processor in the Union, regardless of whether the processing takes place in the Union or not. Among others, trainers, coaches, schools and institutions qualify as establishment.
The Regulation defines six data processing principles. These are lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; and integrity and confidentiality. The processing principles lead to accountability and compliance, and provide the data subject with distinct rights. Data subject rights include fair processing; the right to access; the right to rectification; the right to be forgotten; the right to restriction of processing; the right to data portability; the right to object; and the rights in relation to automated decision-making.
Compliance with the GDPR for schools and institutions is important. Negative consequences of infringements are severe. Accordingly, data breaches and other violations may result in fines and sanctions, civil claims and complaints, brand damage and loss of trust. Schools and institutions are subject to the GDPR Regulation when they process personal data of their staff, students, and other natural persons where these reside within the EEA. This includes the monitoring of their behavior within the Union, and the offering of goods or services. Data protection solutions may avoid administrative challenges.
GDPR for schools and institutions
Natural persons may share privacy sensitive personal data with schools, institutions and other trainers and coaches to receive further information, register for a course, study or membership, or even respond to a job offer. All such actions require careful and accurate processing of personal data to safeguard confidentiality, integrity and availability.
Schools and institutions may need to appoint a Data Protection Officer (DPO). This is mandatory for public authorities; when the core (or primary) business activities of the school or institution consist of regular and systematic monitoring of data subjects on a large scale; when the core (or primary) business activities consist of processing special categories of personal data on a large scale; or when EU member state law requires the appointment of a DPO. An independent DPO can mitigate risk and take the most difficult data protection task away from schools, institutions and other enterprises.
Employee data, including the personal data of volunteers and interns, is classified as special category and sensitive data. Consequently, employee data requires additional care. The data of employees is needed to perform contractual and administrative duties. Yet, processing of employee data need one of the following lawful grounds: consent; contractual or legal necessity; or legitimate interest.
The GDPR obviously does not prohibit schools and institutions from processing sensitive and personal data of employees. It merely provides for a framework that helps to protect the applicable data and reveals guidelines under which collecting, controlling and processing should take place.
Children and consent
Alongside employees, the personal data of natural persons under the age of 18 has special consideration under the Regulation. To avoid misconceptions and possible regulatory violations data processors must verify the age of the person before consent can be given; verify the parental responsibility; and then obtain parental consent. Individual member states may deviate from the Regulation by giving minors power of consent themselves. Applicability must be verified by the local laws of the countries where the data subject resides.
Marketing is often needed when schools and institutions want to recruit new students. To be effective, a response is evoked by the marketing efforts. This response often includes personal information that identifies a natural person. Therefore, the marketing efforts of schools and institutions are subject to the GDPR.
Marketing that identifies individuals in the EEA is allowed when the data processing principles are followed and can be demonstrated. In particular, schools and institutions must process the data in a lawful and fair manner; limit the purpose of processing; and ensure accuracy of processing.
Compliance and breaches
The GDPR requires schools and institutions to maintain certain protocols for reporting and recordkeeping. They also need to demonstrate compliance with the regulation. The demonstration of compliance is both theoretical and based on empirical and real situations. As such, risk factors can be identified, breaches can be evaluated and investigated, and appropriate follow up and actions can be taken.
To help schools and institutions to comply with the GDPR Regulation, the following solutions are available:
- Info Center: with a selection of 66 skillfully drafted documents that will give you all reports, templates, policies and guides you need to get the GDPR compliance job done;
- Mission Control: the 12 step approach guiding you on your path to GDPR compliance;
- Toolbox: A selection of 23 expertly designed and programmed tools to assist you on your implementation journey;
- Data Breach Support: professional assistance is recommended and mostly needed when things go wrong. This breach support service is 24hrs worth of 1-2-1 support after you have identified a data breach. Once you have purchased this package and notified us that there has been a breach, we will kick into action to protect your customers, information and your reputation. We will investigate and reconcile your data breach, inform your customers and develop a strategy with you, to prevent and protect against further breaches. Most importantly, we will deal with the supervisory authority so you don’t have to.
- Data Protection Officer: reliable, neutral and impartial professional DPO service with the expertise as required by article 37 of the Regulation. Pricing levels depend on the contract terms and size of the organization.