
GDPR in Education — Student Data Protection in Practice

A practical guide to GDPR for educational institutions. Protecting personal data of pupils and students, parental consent, e-learning, and monitoring — everything you need to know.

Why GDPR in education demands special attention

Educational institutions process some of the most sensitive categories of personal data. Schools and universities collect not only basic identifying information about pupils and students, but also health data, academic performance records, family situations, and even personal views (through written assignments). When we add the fact that a significant portion of this data concerns minors, it becomes clear why GDPR imposes particularly stringent requirements on the education sector.

The General Data Protection Regulation treats children's data as requiring enhanced protection. Article 8 of GDPR sets special rules for children's consent to information society services: the default age threshold is 16, and member states may lower it by national law to no less than 13. Below the applicable threshold, consent must be given or authorised by the holder of parental responsibility.

Educational institutions are, as a rule, data controllers (they determine the purposes and means of processing), but in some arrangements they also act as data processors, for instance when they process data strictly on the instructions of another public authority. This dual role complicates liability and requires the institution to identify, for each category of data, in which role it acts and on which legal basis.

Data protection authorities across Europe have repeatedly emphasized that the education sector requires particular supervisory attention. In 2025, several significant fines were imposed on educational institutions for GDPR violations — from improper video surveillance to data leaks from electronic grade systems.

Legal bases for processing student data

Educational institutions can process personal data under several legal bases defined in Article 6 of GDPR. The most common basis is legal obligation (Art. 6(1)(c)) — schools and universities are legally required to maintain educational records, student enrollment registers, and reporting to supervisory authorities.

Performance of a task carried out in the public interest (Art. 6(1)(e)) constitutes the second key basis — education is a public task, and data processing is necessary for its fulfillment. This basis covers, among others, maintaining electronic grade books, assessment systems, and attendance records.

Consent (Art. 6(1)(a)) serves as the basis for processing beyond the statutory minimum, for example publishing student photos on the school website, participation in competitions, or collecting data for marketing purposes. For pupils below the applicable age threshold, consent must come from a parent or legal guardian, and it must be as easy to withdraw as it was to give.

Particular caution must be exercised when processing special categories of data (Article 9 GDPR) — health data, disability information, or psychological-pedagogical assessments. Processing such data requires an additional basis from Art. 9(2), most commonly in the form of national law regulating student welfare. nFlo supports educational institutions in conducting GDPR compliance audits and identifying proper legal bases for processing.

Data protection in e-learning systems

E-learning platforms have become an integral part of education, but their use involves significant data protection challenges. Systems like Moodle, Microsoft Teams, or Google Classroom process not only identifying data but also detailed student activity information — login times, learning patterns, test results, and even camera recordings during online exams.

A key challenge is data transfer to third countries. Many popular educational platforms store data on servers outside the European Economic Area. Unless the provider is covered by an adequacy decision (for certified US providers, the EU-US Data Privacy Framework), such transfers require additional safeguards, typically Standard Contractual Clauses together with a Transfer Impact Assessment. Following the Schrems II ruling, educational institutions must verify where and how their students' data is processed, including by the provider's sub-processors.

Profiling students through adaptive learning algorithms requires a Data Protection Impact Assessment (DPIA) under Article 35, because systematic evaluation of personal aspects of children is likely to result in high risk. Where a system automatically adjusts a student's educational pathway based solely on automated processing and the outcome significantly affects that student, Article 22 GDPR additionally applies: the decision needs an explicit legal basis, and the student (or parent) must be able to obtain human intervention and contest the decision.

The educational institution must ensure that the contract with the e-learning platform provider contains all elements required by Article 28 GDPR — a Data Processing Agreement (DPA). The agreement should specify the scope of processing, security measures, sub-processing rules, and data deletion procedures upon termination of cooperation.

Video and digital surveillance in schools

Video surveillance in educational institutions is subject to strict regulations. National education laws typically permit surveillance in schools solely for ensuring the safety of students and staff and protecting property. Cameras generally cannot be placed in classrooms (except in high-risk workshops), changing rooms, toilets, or staff rooms.

Surveillance recordings can typically be stored for a maximum of 90 days from the recording date, unless they constitute evidence in proceedings — then until the final conclusion of the case. School principals are obligated to inform students, parents, and staff about surveillance operating rules before it is activated.

Digital monitoring, that is tracking student activity on school computers and networks, constitutes an even more sensitive area. Content filters protecting students from inappropriate online materials are permissible, but detailed logging of a student's internet activity and its review requires a clear legal basis, a defined purpose, and strict application of data minimization: record only what the stated purpose needs (for example blocked requests rather than full browsing histories), strip identifiers that are not required, and delete records once the retention period expires.
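The following Python script is an added example, not code from the page or from nFlo, showing how a school might apply data minimization, purpose limitation and storage limitation to content-filter logs. It assumes a hypothetical "timestamp user url action category" log format (the sample lines, usernames, hosts and categories are constructed), a hypothetical secret key used to pseudonymize usernames with HMAC, and a 90-day retention window mirroring the ceiling the page cites for surveillance footage; only blocked requests are kept, and URLs are reduced to their host so that query strings carrying identifiers never reach the retained record.

```python
import hmac
import hashlib
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Constructed sample records in a hypothetical "timestamp user url action category"
# format. Usernames, hosts and categories are invented for the example; note the
# gambling request echoes the username in its query string.
RAW_LOG = """\
2025-03-01T08:12:05Z s.kowalski https://www.wikipedia.org/wiki/Photosynthesis ALLOW education
2025-03-01T08:13:40Z s.kowalski https://gambling-example.test/bet?user=s.kowalski BLOCK gambling
2025-03-01T08:15:02Z a.nowak https://www.youtube.com/watch?v=abc123 ALLOW video
2024-11-01T10:00:00Z a.nowak https://malware-example.test/payload.exe BLOCK malware
"""

RETENTION_DAYS = 90  # assumption: same ceiling the page cites for CCTV footage
# Constructed reference "now" so the example is deterministic offline.
NOW = datetime(2025, 3, 2, tzinfo=timezone.utc)
# Hypothetical pseudonymization secret; in production keep it outside the log system
# (e.g. a KMS) so the log store alone cannot re-identify pupils.
DEMO_KEY = b"demo-key"


def pseudonymize(user: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of the username, truncated to 16 hex chars.

    Stable for the same key, so repeated blocks by the same pupil can still be
    correlated for a safeguarding review, but not reversible without the key.
    """
    return hmac.new(key, user.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def parse_line(line: str) -> dict:
    """Split one raw log line into its fields; timestamps are parsed as UTC."""
    ts, user, url, action, category = line.split()
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "user": user,
        "url": url,
        "action": action,
        "category": category,
    }


def minimize(raw: str, key: bytes, now: datetime,
             retention_days: int = RETENTION_DAYS) -> list[dict]:
    """Return the minimized records that may be retained.

    Applies three GDPR principles in sequence:
    - purpose limitation: only BLOCK events are kept (the filter's purpose is
      stopping inappropriate content, so allowed browsing is not recorded);
    - storage limitation: events older than the retention window are dropped;
    - data minimization: username is replaced by a keyed pseudonym and the URL
      is reduced to its host, discarding path and query string.
    """
    cutoff = now - timedelta(days=retention_days)
    kept = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["action"] != "BLOCK":
            continue
        if rec["ts"] < cutoff:
            continue
        kept.append({
            "ts": rec["ts"].isoformat(),
            "subject": pseudonymize(rec["user"], key),
            "host": urlsplit(rec["url"]).hostname,
            "category": rec["category"],
        })
    return kept


def run_demo() -> list[dict]:
    """Run the minimization over the constructed sample with the fixed reference time."""
    return minimize(RAW_LOG, DEMO_KEY, NOW)


if __name__ == "__main__":
    for record in run_demo():
        print(record)
```

Of the four constructed lines only the recent gambling block survives: the two ALLOW lines are never recorded, the November malware block is outside the 90-day window, and the retained record holds a pseudonym and the host "gambling-example.test" rather than the full URL that leaked the username. Keep the HMAC key separate from the log store; whoever holds both can re-identify pupils, so that combination is what a DPIA for the monitoring system should document and restrict.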

Exam proctoring, that is monitoring online exams through cameras and monitoring software, requires particular GDPR attention. In an exam setting consent is rarely freely given because of the imbalance of power between student and institution, so the institution must identify another legal basis (normally its public task), conduct a DPIA, offer a genuine alternative for students who object to camera monitoring, and guarantee the security and timely deletion of recordings. nFlo helps educational institutions secure surveillance systems and ensure their compliance with data protection regulations.

Rights of pupils and students as data subjects

Pupils and students (and parents in the case of minors) possess the full range of rights under GDPR. The right of access (Art. 15) entitles them to obtain a copy of all personal data processed about them, from grades and service notes to information system logs. Under Art. 12(3) the institution must respond without undue delay and at the latest within one month, extendable by two further months for complex or numerous requests provided the requester is informed of the extension within the first month.

The right to rectification (Art. 16) allows correction of inaccurate data — for example, an incorrect address, but not the change of grades or pedagogical assessments, which represent a teacher’s professional judgment. The distinction between factual and evaluative data can be challenging in practice.

The right to erasure (Art. 17), the so-called right to be forgotten, is significantly limited in the education sector. Educational institutions are required to retain educational records for periods specified by law (grade sheets typically for decades), and Art. 17(3) excludes data the controller must keep to comply with a legal obligation or to perform a public task. In practice erasure is available mainly for data processed on the basis of consent (after withdrawal) and for data that is no longer needed for the purpose it was collected for.

The right to data portability (Art. 20) is narrower than is often assumed: it covers only data provided by the data subject, processed by automated means, and processed on the basis of consent or contract. It therefore does not oblige a school to export grade histories held under a legal obligation or public task; the transfer of such records when a student changes schools or universities is governed by national education law. Where a platform holds consent-based data, for example coursework uploaded to an e-learning system, the student should be able to receive it in a structured, commonly used, machine-readable format.

Data breaches — procedures and consequences

Educational institutions must have procedures for responding to personal data breaches in accordance with Articles 33-34 of GDPR. A breach, whether a data leak from an electronic grade book or the loss of a USB drive containing a student list, must be reported to the Data Protection Authority within 72 hours of the institution becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Every breach, reported or not, must be documented internally (Art. 33(5)), including the facts, its effects and the remedial action taken.

In cases of high risk (e.g., leak of student health data, disability information), notification of the data subjects — students and their parents — is also required. The notification should include a description of the breach, possible consequences, and recommended protective actions.

Fines for GDPR violations in the public sector (to which most educational institutions belong) vary by jurisdiction, since Art. 83(7) lets member states decide whether and to what extent public bodies can be fined, but they can still be substantial. For private institutions the standard GDPR ceilings apply: up to 10 million EUR or 2% of worldwide annual turnover for breaches of controller and processor obligations, and up to 20 million EUR or 4% for breaches of the basic principles, data subject rights or transfer rules, whichever amount is higher in each case.

Implementing appropriate technical and organizational measures helps both prevent breaches and mitigate their consequences. Encryption of data at rest and in transit, role-based access control, regular security audits, and staff training — these are the foundations of protection. nFlo offers educational institutions comprehensive cybersecurity services covering both technical aspects and regulatory compliance.

Practical steps for GDPR implementation in educational institutions

GDPR implementation in an educational institution should begin with an inventory of data processing activities — the Record of Processing Activities (Article 30 GDPR). The record should cover all processes: from enrollment and student registration, through e-learning and surveillance, to cooperation with external entities.

Appointing a Data Protection Officer (DPO) is mandatory for public institutions. The DPO should possess both legal and technical knowledge — in the education sector, understanding the specifics of IT systems used in teaching is crucial.

Data protection training should be mandatory for all staff — not only administrative but also teaching personnel. Teachers process student data daily and must understand the principles of their protection: data minimization, purpose limitation, integrity, and confidentiality.

Regular compliance audits — at least annually — allow identifying gaps and making corrections. The audit should cover both organizational aspects (policies, procedures, processing agreements) and technical aspects (IT system security, access control, encryption). Partnering with a specialized provider like nFlo ensures professional assessment of security posture and regulatory compliance, taking into account the latest DPA and ENISA guidelines for the education sector.
