External DPO for state-funded schools: GDPR and children's data

·

A state-funded private school is not just any organisation. Every day it handles health data, academic records, family information, images of minors and communications with guardians. All of that constitutes special category personal data within the meaning of Article 9 of Regulation (EU) 2016/679 (GDPR) and Organic Law 3/2018 on the Protection of Personal Data and the guarantee of digital rights (LOPDGDD). Non-compliance has a price: fines of up to 20 million euros or 4 % of total worldwide annual turnover, under Article 83.5 GDPR, plus the specific liability that the Spanish Data Protection Agency (AEPD) applies to educational institutions.

This article explains what obliges a state-funded private school to appoint an external Data Protection Officer (DPO), which data flows generate the greatest risk, and how compliance should be organised so that the school can demonstrate, during any AEPD inspection, that its house is in order.

Is a state-funded private school required to have a DPO?

The direct answer is yes, and the legal basis is twofold. First, Article 37.1 b) and c) GDPR requires a DPO to be appointed by any organisation that processes special category data at large scale or carries out systematic monitoring of individuals at large scale. Second, Article 34.1 a) LOPDGDD explicitly extends that obligation to teaching institutions that use or store personal data of minors.

An average state-funded private school with 300 or more pupils falls squarely into both categories: it manages academic records containing health data (allergies, psychopedagogical reports, special educational needs), CCTV systems on the premises, digital communication platforms with families and, in many cases, biometric access control systems. The AEPD has confirmed in multiple rulings that this processing profile triggers the DPO obligation.

What data does a state-funded private school process and why is it high-risk?

The inventory of processing activities at a state-funded private school is more extensive than it first appears. It is useful to group them in order to understand where the risk is concentrated:

Data category Specific examples Main legal basis GDPR risk level
Academic data Grades, assessment reports, enrolment history Public interest task (Art. 6.1.e GDPR) Medium
Health and special needs data Allergies, medication, psychopedagogical reports, SEN Vital interest or explicit consent (Art. 9.2 GDPR) High
Image data CCTV footage, activity photos, website or social media publications Legitimate interest or consent (with caveats for minors) High
Family and guardian data Contact details, address, custody arrangements, socio-economic status Contractual relationship (Art. 6.1.b GDPR) Medium-High
Teaching and non-teaching staff data Payroll, sick leave, trade union data, disciplinary sanctions Employment contract and legal obligation Medium-High
Biometric data Fingerprints or facial recognition for access control or canteen Explicit consent (Art. 9.2.a GDPR) Very high
Digital educational platforms Google Workspace for Education, Microsoft 365, third-party apps Data processing agreement (Art. 28 GDPR) High (international transfers)

Each of these categories requires a different legal basis, a specific retention period and, in high-risk cases, a Data Protection Impact Assessment (DPIA) prior to processing, as required by Article 35 GDPR.

The special regime for children's data in educational institutions

The LOPDGDD dedicates Article 7 to minors, setting 14 years as the age from which a minor may give their own consent. Below that age, consent must come from parents or legal guardians. However, Organic Law 8/2021 on comprehensive protection of children and adolescents against violence (LOPIVI) adds an additional layer: it places on the school an obligation to protect the minor's privacy in situations of violence, including restrictions on access to data about custody arrangements in contentious cases.

The AEPD published in 2023 the «Report on the processing of personal data of minors in the educational context», explicitly stating that publishing photographs or videos of pupils on the school's social media accounts without the express consent of their guardians constitutes a serious infringement. Many state-funded private schools have continued to do this out of habit, without understanding that a single image posted on Instagram without adequate consent can lead to a complaint to the AEPD.

Another critical point is the use of digital educational platforms based outside the European Economic Area. When a school contracts Google Workspace for Education or Microsoft 365 Education, those companies become processors within the meaning of Article 28 GDPR. The processing agreement must be signed, and international transfers must be covered by the Standard Contractual Clauses (SCCs) adopted by the European Commission in 2021 — an update that requires reviewing contracts signed before that date.

The external DPO's functions at a state-funded private school

The external DPO for educational institutions is not an adviser who produces documentation and then disappears. Article 39 GDPR assigns permanent, non-negotiable functions:

Internal DPO vs. external DPO: what suits a state-funded private school

The GDPR allows the DPO to be either an employee of the school itself or an external professional. For most state-funded private schools, the internal option raises structural problems: the school secretary or administrator generally lacks the legal and technical training the role requires; moreover, Article 38.3 GDPR prohibits the DPO from receiving instructions in the exercise of their functions, which creates conflicts of interest when the DPO is also responsible for executing the very processing activities they are supposed to supervise.

Criterion Internal DPO External DPO
Functional independence Difficult to guarantee: hierarchically dependent on the school High: external contractual relationship, no organisational dependence
Up-to-date regulatory knowledge Requires ongoing training at the school's expense The provider assumes permanent updating
Availability before the AEPD May be limited by other job duties Coverage guaranteed under the service contract
Cost Salary + training + time spent Service fee (no structural cost)
Continuity during sick leave or holidays Service left unattended Provider guarantees a substitute
Suitable for Large educational groups with their own legal team Independent state-funded private schools or groups of up to 5-6 schools

Real-world cases: frequent incidents in educational institutions

The AEPD's case law in the educational sector reveals recurring patterns that an active DPO could have prevented:

Publication of images without consent

A school publishes on its Facebook page photos of the Christmas festival featuring identifiable pupils, without having obtained the express consent of all families. The AEPD has sanctioned this type of conduct, treating it as a transfer of data to third parties (social network users) without a sufficient legal basis. The solution is not to close the school's social media accounts: it is to implement a differentiated consent protocol for the use of images in external media.

Biometric access control for the canteen

A school introduces a fingerprint system so that pupils can access the canteen without a card. Biometric data are a special category under Article 9.1 GDPR; they require the explicit consent of the legal guardian and a prior DPIA. Several Spanish schools have received requirements from the AEPD for introducing these systems without meeting those requirements. The DPO must issue an opinion before procurement, not after.

Security breach in the academic management platform

A ransomware attack encrypts the server where the school stores records for 400 pupils. Without an active notification protocol, the school takes 10 days to notify the AEPD, when the deadline is 72 hours from the moment the breach is discovered (Art. 33 GDPR). The fine for the breach itself may be lower than that imposed for late notification.

Transfer of data to third parties without a formalised processing agreement

The school contracts an extracurricular activities company that accesses the pupil list and their contact data through the management system. No Article 28 GDPR processing agreement exists. If that company suffers a breach or uses the data for its own purposes, liability also falls on the educational institution.

How to implement GDPR compliance in a state-funded private school step by step

The process of bringing an educational institution into compliance follows a logical sequence. At Summum Consultoría, with more than 15 years of experience supporting organisations in regulatory compliance and offices in five locations (Valladolid, Burgos, Palencia, Aranda de Duero and Las Palmas), we have refined a methodology that always starts from a real inventory of processing activities:

  1. Initial processing audit: identify all the school's data flows, including digital platforms, suppliers, surveillance systems and communications with families.
  2. Record of Processing Activities (RoPA): document each processing activity with its purpose, legal basis, retention periods and recipients.
  3. Gap analysis and action plan: compare the current situation with GDPR and LOPDGDD requirements and prioritise the highest-risk processing activities.
  4. DPIAs for high-risk processing: biometrics, extended CCTV, platforms involving international transfers.
  5. Documentary compliance: information clauses (Art. 13-14 GDPR) in enrolment forms, processing agreements with suppliers, website privacy policy, internal protocols.
  6. Staff training: initial session for teaching staff and senior management; annual update.
  7. Appointment and registration of the DPO: communication to the AEPD of the delegate's name and contact details.
  8. Ongoing supervision: periodic review of the RoPA, rights management, breach notification and adaptation to regulatory changes.

If the school belongs to a religious congregation or to an educational group with several schools, the shared external DPO service allows coverage to be extended to all schools in the group under a single contract, with individual adaptation to each site.

Risks of non-compliance: sanctions and reputational consequences

The AEPD has direct sanctioning authority over educational institutions. GDPR infringements are classified at three levels:

Beyond the financial penalty, the reputational consequences of a sanction published in the BOE are devastating for an institution whose principal asset is the trust of families. The AEPD publishes its rulings with the name of the data controller and a description of the facts. In the educational sector, that publicity can translate directly into a loss of enrolments.

Frequently asked questions

Does a small state-funded private school with fewer than 100 pupils also need a DPO?

Yes, if it processes special category data (health, special educational needs, biometric data) or operates CCTV on the premises. Article 34.1 a) LOPDGDD does not set a minimum pupil threshold for teaching institutions: the obligation arises from the type of data processed, not the size of the school. The AEPD has confirmed this interpretation in recent rulings. An external DPO is particularly cost-effective for small schools, because the cost is shared across the provider's client base.

Can the school head teacher act as DPO?

In theory the GDPR does not expressly prohibit it, but in practice it creates a conflict of interest that the AEPD has viewed with concern. The DPO must supervise the controller's processing activities and may come into conflict with decisions made by the head teacher themselves. Furthermore, head teachers generally lack the legal and technical training that the delegate role requires. The European Data Protection Board (EDPB) recommends in its Guidelines 07/2020 that the DPO should be external where there are real risks of conflict of interest, as is the case in educational institutions.

How long does the school have to respond to an access request from a parent or pupil?

Article 12.3 GDPR sets a deadline of one month from receipt of the request. That deadline may be extended by two further months where the request is complex or numerous, but the controller must inform the applicant of the extension within the first month. Failure to respond within the deadline is itself a GDPR infringement reportable to the AEPD, regardless of whether the underlying processing is correct or not.

Does the school need a DPIA to install CCTV cameras in the playground?

It depends on the scope. The AEPD published in 2018 the list of processing activities requiring a mandatory DPIA, and it includes CCTV in spaces where special category data are processed or where those affected are particularly vulnerable, such as minors. A CCTV circuit covering playgrounds, canteens and corridors of a school falls within that category. The DPIA must be carried out before installing the system, not afterwards; and if the outcome shows a high residual risk, the AEPD must be consulted beforehand (Art. 36 GDPR).