After the entry into force of the General Data Protection Regulation and subsequently the LOPDGDD, data protection in Spain has undergone important modifications that translate into a notable increase in the protection of the rights of the interested parties and the way in which they must the processing of these personal data is carried out.
In the case of educational centers, the law imposes an additional obligation by including them in the category of entities that are obliged to designate a Data Protection Officer, responsible for ensuring that the entity complies with current legislation and also adopts a responsibility proactive in relation to data processing.
In relation to the data processing carried out by the centers, there are some basic guidelines that must be taken into account in relation to the data collected from both students and their families and that affect different temporal moments of the treatment:
At the time of collection. Data collection must include basic information about the processing, that is, the purpose for which the data is collected and its legality, whether or not it is mandatory to provide the data and the consequences of refusing to provide it, the recipients of the data. , the rights of the interested parties and where to exercise them, the identity of the data controller or the data of the designated DPO.
Furthermore, the principle of minimization requires that only strictly necessary data be collected, ignoring all those that are irrelevant for the purposes of the processing and that, in many cases, are requested out of mere “inertia”. Thus, data such as the place of birth of the father or mother of the student or the current account number for direct debiting complementary services in which they have not requested a place or have not been admitted should not be collected.
Finally, it is important to consider who should collect this data, a responsibility that falls on the center and the people designated by it and in which entities or people outside said establishment and who do not have to have access to said establishments should not participate. data.
During treatment. After collection, the necessary technical and organizational measures must be implemented to guarantee that only the people who are going to carry out said processing and in relation to the described and informed purposes have access to them. In this sense, it is essential to properly store and safeguard the data so that unauthorized persons can access, modify or delete them. Thus, both the open dissemination of data in places such as the centers' websites and the display of data on bulletin boards for longer than a reasonable time so that interested parties can access information necessary to them must be avoided. This is the case, for example, of students participating in complementary activities.
Likewise, the indiscriminate communication or transfer of this data to third parties must be avoided. This is the case of companies or external entities that offer or provide services to students outside of the educational services of the center. Thus, in the case of excursions or participation in activities, the necessary authorization to communicate said data must be requested from the people who have custody of the minors.
At the end of the treatment. Once the students leave the educational center, only the minimum and strictly necessary data should be kept, evaluating the rest of the information collected data by data. In this sense, although it is clear that data such as the student's grades must be kept unchanged, other data referring to the family, the student's environment, current account data for direct debit of receipts and other similar data, should be eliminated as soon as possible. possible and the legal and fiscal obligations of the entity allow it.
In summary, the processing of minors' data requires special diligence since, as rights holders, Recital 75 of the GDPR considers them “vulnerable” interested parties, which implies that the processing of their data is considered “special risk.” ; Therefore, not only must appropriate measures be adopted, but it must be proven, by virtue of the principle of proactive responsibility, that said measures have been adopted by those responsible and in charge of the treatment.
