De Poolse privacywaakhond Urząd Ochrony Danych Osobowych (UODO) heeft een school voor basis- en middelbaar onderwijs berispt wegens het verwerken van persoonsgegevens van studenten, zonder dat deze verwerking werd gebaseerd op een van de grondslagen zoals omschreven in de AVG.
The President of the Personal Data Protection Office (UODO) imposed a penalty of a reprimand for the processing of students’ personal data without legal basis in connection with survey carried out by a school in the school year 2019/2020. The survey entitled “Diagnosis of student’s home and school situation” examined personal situation of students.
In connection with the survey, the school processed personal data of students, including minors, in particular names and surnames, attended class, indication of legal guardians (parents), family status (single parent, full family), information about death of a legal guardian (parent), separation of legal guardians (parents), their education and professional situation, the number of people in the household, financial situation, health condition and addictions of legal guardians (parents), housing situation and information on social benefits.
The processing of students’ personal data included collection, storage and destruction of those data.
In the course of the UODO’s inspection it was established that the survey was conducted to identify students who require psychological support from the school they attend. The survey was carried out by class teachers in classes 7-8 of elementary school and in high school classes as in blanco paper forms on direct instruction from school principal.
All returned copies of the survey were destroyed by an official commission. According to the findings of the inspection, personal data included in the surveys were not entered into electronic telecommunication systems, were not recorded on electronic data carriers or other information carriers, including in paper form. After collecting the surveys, the teachers did not make any scans or paper copies of them, nor did they make other additional documents containing personal data concerning the surveys. As of the date of the inspection, students' personal data obtained in connection with the surveys were no longer processed.
According to the evidence obtained as a result of the inspection, the surveys were conducted in a way that excludes the possibility of unauthorized disclosure of the data contained in them.
By conducting a survey among students, the school has violated the principle of lawfulness of data processing, according to which personal data must be processed lawfully, fairly and in a transparent manner for the data subject. The above principle has been developed in the content of Article 6(1)(c) of the GDPR, according to which the processing is lawful only if - and to the extent to which - the condition that the processing is necessary for compliance with a legal obligation to which the controller is subject is fulfilled.
The school, as a public entity, may process personal data within the scope of its tasks imposed by law. In turn, according to the Educational Law, schools process personal data to the extent necessary for the performance of the tasks and obligations arising from these regulations. The legal acts regulating the functioning of educational institutions do not specify such tasks and obligations of schools that would justify the processing of students' personal data in the way it was done in the penalised entity, in connection with the conducted survey.
The President of the UODO considered that, in the established circumstances of this case, a reprimand was sufficient. The unintended nature of the infringement was considered to be an attenuating circumstance. The school principal immediately took a number of corrective measures, such as: destruction of the survey forms or refraining from carrying out the survey by some teachers, organisation of training for staff to raise their awareness of personal data protection issues, and analysis of the incident of conducting the survey among students, given the risk to the rights and freedoms of natural persons. Moreover, on the basis of the circumstances of the present case, there are no grounds to consider that the data subjects have suffered damage as a result of the event. The President of the UODO has not received any signals that similar behaviours resulting in violations have taken place on the part of the school.
