Every school year, a school collects hundreds of pieces of data about its pupils: name, address, health data for the canteen or sick bay, photographs for the yearbook, grades, psycho-pedagogical reports and, in many cases, data about separated families with custody restrictions. All of that data belongs to minors, the category of persons that the General Data Protection Regulation (GDPR) and Spain's Organic Law 3/2018 on Data Protection and the Guarantee of Digital Rights (LOPDGDD) surround with reinforced guarantees. The problem is that many centres — both state-funded and private — still operate as if the applicable regime were the old 1999 Data Protection Act: a paper privacy notice, a generic consent at enrolment and little else. That model is no longer valid and exposes the centre, its governing body and its management team to fines of up to €20 million or 4% of annual global turnover.
This article explains, in concrete terms, what data may be processed, on what legal basis, what documentary obligations are essential and what mistakes educational centres make most frequently. If you are looking to implement compliance from scratch or review your existing framework, at Summum Consultoria we have been supporting organisations in regulatory compliance since 2007; our GDPR compliance service for educational centres covers the initial analysis, complete documentation and ongoing maintenance.
Which centres does the GDPR apply to?
The GDPR applies to any organisation that processes personal data of natural persons in the European Union, regardless of its size. That includes:
- State schools, whose data controller is the regional education authority (even though the centre acts in practice).
- Subsidised and private schools, where the controller is the governing entity (foundation, cooperative, company, religious congregation).
- Nursery schools (0–3 years) and special education centres, with additional particularities due to the young age of the children and the frequent presence of health data.
- Universities and vocational training centres, although this article focuses on non-university education.
The LOPDGDD adds, in its article 7, that children under the age of 14 cannot give consent to the processing of their data on their own; those with parental authority or guardianship must authorise it. For children aged 14 to 18, the minor themselves may give consent, except in cases involving particularly sensitive data (health, ethnic origin, ideology, etc.), where maximum caution must be exercised.
Categories of data processed by an educational centre
Before discussing legal bases, it is worth knowing what types of data a school typically handles. The table below summarises the most common categories and their level of sensitivity:
| Data category | Specific examples | GDPR sensitivity | Usual legal basis |
|---|---|---|---|
| Basic identifiers | Name, surnames, date of birth, address | Ordinary | Contractual relationship / public educational mission |
| Academic | Grades, assessment reports, academic record | Ordinary (with access restrictions) | Legal obligation (LOE / regional legislation) |
| Health | Allergies, medication, disabilities, medical reports | Special category (Art. 9 GDPR) | Vital interests / legal health obligation |
| Psycho-pedagogical | Guidance reports, ADHD, special educational needs | Special category | Educational legal obligation + consent |
| Image and voice | Class photos, activity videos, recordings | Ordinary (minors: reinforced) | Explicit consent of parents |
| Family and custody | Parents' data, custody arrangements, court orders | Ordinary / judicial | Legitimate interest / legal obligation |
| Financial | Bank account for direct debit of fees, grants | Ordinary | Contractual relationship |
| Behavioural and disciplinary | Incident reports, disciplinary proceedings | Ordinary (with restrictions) | Legal obligation (internal regulations) |
Legal bases for processing children's data
The most frequent mistake is using consent as a catch-all legal basis for all processing activities. Consent can be withdrawn at any time, which would create absurd situations (a parent withdraws consent and the centre can no longer store the pupil's grades). The GDPR provides six legal bases; educational centres typically rely on three:
1. Legal obligation
Organic Law 2/2006 on Education (LOE) and regional regulations oblige centres to maintain the academic record, communicate data to the education authority and retain records for specified periods. For these processing activities, no consent is required: the legal obligation alone justifies the processing. Attempting to seek consent for something already required by law confuses families and can create problems when someone withdraws it.
2. Explicit consent
This is the correct basis for processing activities that are not legally required: publishing photographs on the school website or social media, sending images of pupils to the media, using data for the entity's marketing purposes (e.g. sending the corporate newsletter to families), or sharing data with external school transport or extracurricular activity companies. Consent must be freely given, specific, informed and unambiguous. For children under 14, it must be given by the parents or legal guardians; between 14 and 18, the minor may give it themselves, but caution advisees also informing parents when sensitive data is involved.
3. Vital interests
This justifies processing health data without consent when there is a risk to the pupil's life (e.g. a medical emergency in the playground). It applies on a one-off and exceptional basis, not as a general rule.
Essential documentary obligations
The GDPR is based on the principle of accountability: it is not enough to comply — you must be able to demonstrate compliance. These are the minimum documentary elements every educational centre must have in place:
Record of Processing Activities (RoPA)
An internal document listing all the centre's data processing activities: what data is processed, for what purpose, what legal basis covers it, how long it is retained and whether it is shared with third parties. The Spanish Data Protection Agency (AEPD) has published guidance templates for the education sector. The RoPA is not routinely shared with anyone, but must be available if the supervisory authority requests it during an inspection.
Information clauses (Arts. 13 and 14 GDPR)
At the point of data collection (enrolment, forms, school apps), the centre must inform parents — and, where appropriate, the pupil themselves — of: the identity and contact details of the controller, the purposes and legal bases of the processing, the retention period, the rights that can be exercised and, where applicable, the contact details of the Data Protection Officer. Clauses in small print at the bottom of a paper form are no longer sufficient if they are not legible and comprehensible.
Data Protection Officer (DPO)
Article 37 of the GDPR requires certain controllers to designate a DPO. State schools are clearly obliged to do so, as public authorities. For subsidised and private schools, the obligation depends on the scale of special category data processing; in practice, any school handling health or psycho-pedagogical data of tens or hundreds of pupils falls within the obligation. The DPO may be an in-house person with specific training or a specialist external service. Their function is not to implement compliance but to supervise and advise on it, acting as the contact point with the AEPD.
Data processing agreements with processors
Any external company that accesses pupils' data on behalf of the centre — a digital education platform, catering company, transport service, academic management software provider — acts as a data processor and must sign an agreement (or contractual clause) governing what they may do with that data, for how long and with what security measures. Without that agreement, the centre is jointly liable for any breaches committed by the supplier.
Technical and organisational security measures
There is no closed list of mandatory measures; the GDPR requires that they be appropriate to the risk. In a school, reasonable minimum measures include: role-based access controls to the academic management platform, encryption of portable devices containing pupil data, a secure document destruction protocol (certified shredder), annual data protection training for staff, and a security breach management protocol (knowing what to do and who to notify within the first 72 hours if an incident occurs).
The ten most common mistakes in educational centres
In the compliance projects we have carried out, these are the errors that appear most frequently:
- Using class WhatsApp groups containing pupil and family data without a legal basis or privacy notice.
- Publishing photos of pupils on social media without written consent signed by both parents (or the one with sole custody).
- Not having a data processing agreement with the academic management platform (Alexia, Raíces, Clickedu, etc.) as a processor.
- Retaining records indefinitely without applying the deletion periods set out in education regulations.
- Not informing the pupil of their own rights when they are 14 or older.
- Sending grade reports by email without encryption or verification that the recipient is the correct parent.
- Sharing lists of pupils with allergies in the canteen with the external service without a processing agreement.
- Not recording or reporting security breaches: a stolen laptop containing pupil grades must be reported to the AEPD within 72 hours if it poses a risk to those affected.
- Transferring data to the parents' association (AMPA) without a clear legal basis (the AMPA is an independent entity; the transfer requires consent or a specific legal authorisation).
- Not having a designated DPO when required, or having one without them being registered with the AEPD.
The special case of digital education platforms
The rapid digitalisation of the education sector — driven in part by the Ministry's 2021–2025 Educational System Digitalisation Plan — has multiplied the use of videoconferencing platforms, virtual classrooms, gamification apps and learning tracking tools. Many of these tools, especially those of North American origin, raise problems from the outset:
- International transfers of data outside the European Economic Area that may not be properly covered.
- Privacy policies that allow the provider to use pupils' data to improve their models or for advertising.
- Absence of data processing agreements adapted to the European GDPR.
The Spanish Data Protection Agency (AEPD) published in 2023 a specific guide on data protection in the educational sphere that addresses the use of these tools and sets out criteria for assessing whether their use is compatible with the GDPR. Before implementing any digital platform that processes data of minor pupils, the centre or the education authority must carry out a Data Protection Impact Assessment (DPIA) when the processing involves high risk.
Sanctions and recent AEPD proceedings
The AEPD has sanctioned educational centres and administrations for infringements related to children's data. Among the most illustrative cases in recent years:
- Centres that published lists of pupils with health data (allergies) on notice boards accessible to unauthorised third parties.
- Schools that installed video surveillance systems in school spaces without the required notice to the school community.
- Management platforms contracted without processing clauses compliant with Article 28 GDPR.
- Transfer of images of minors to the media without explicit consent from parents.
Sanctions in the education sector typically range from €3,000 to €300,000 depending on the severity, although for public bodies the AEPD may issue a reprimand instead of a fine (Article 77 LOPDGDD). In any case, the reputational damage to an educational centre — whose relationship with families is built on trust — can be more costly than the fine itself.
If your centre needs a review of its current situation or a full implementation, our GDPR compliance team for the education sector has worked with centres in Castilla y León and the Canary Islands since 2007, with over 200 regulatory compliance projects supported. The process starts with a situation diagnosis, continues with the preparation of all mandatory documentation and concludes with training for the teaching staff and management team.
Frequently asked questions
Can the school publish photos of pupils on its website or Instagram without asking permission?
No. A person's image is personal data protected by the GDPR. In the case of children under 14, the publication of photographs — whether on the centre's website, on social media or in the press — requires explicit written consent from those with parental authority or guardianship. This consent must be specific to each channel and purpose: a generic consent at enrolment stating «I authorise the use of images» is not valid. AEPD Instruction 1/2006 on video surveillance and the agency's own criteria are clear on this point. If there is a custody dispute, the school must exercise particular caution and request the court documents regulating the custody and communication arrangements.
What minimum information must the enrolment form include?
At the point of data collection, the controller must provide at least: (1) the identity and contact details of the controller and, if applicable, the DPO; (2) the purposes of the processing and the legal basis; (3) the recipients or categories of recipients to whom the data will be disclosed; (4) the planned retention period or the criteria for determining it; (5) the rights of access, rectification, erasure, restriction, portability and objection, and how to exercise them; (6) the right to lodge a complaint with the AEPD. This information may be provided in a simplified layer format (readable summary) with a reference to a full privacy policy on the website.
Can the school share a pupil's data with their GP or social services?
It depends on the specific situation. Communication to health or child protection services may be covered by legal obligation (protocols for detecting situations of risk or abuse) or by the minor's vital interests in emergency situations. In these cases, parental consent is not required, although the communication must be documented. What is not covered is sharing academic or behavioural data with unrelated third parties not connected to the protection of the minor (for example, with another school the pupil might transfer to) without a clear legal basis, a processing agreement or an authorised transfer.
How long must the school retain a pupil's academic record?
Education regulations establish that the academic record has permanent value and must be retained indefinitely by the education authority (or by the centre on its behalf). However, other documents — behavioural reports, extracurricular activity authorisations, one-off reports — have much shorter retention periods. As a general rule, once a pupil leaves the centre, data held purely for administrative management purposes must be deleted or anonymised within a reasonable period (usually between 3 and 5 years, or the time needed to deal with potential claims). The RoPA must expressly record these retention periods.
What happens if a parent requests access to their child's data?
The right of access may be exercised by parents on behalf of their children under 14; from that age onwards, the minor may exercise it themselves. In cases of separation or divorce, both parents with shared parental authority have the right of access, unless a court order provides otherwise. The centre must respond within one month of the request (extendable to three months in complex cases, notifying the extension). Refusing to provide access or unjustified delay may give rise to a complaint to the AEPD.