Schools that provide education at the levels regulated by Spanish education law must appoint a data protection officer (DPO). In public schools, the competent education authority usually appoints the DPO; in private or state-subsidised ("concertado") schools, it must be confirmed which entity is responsible. The external DPO must be involved in platforms, minors, images, student records, guidance, devices, providers and incidents, with independence and access to school leadership.
Why a DPO is mandatory for schools
Article 37 of the GDPR sets out the general cases in which a data protection officer must be appointed. Article 34.1 of the LOPDGDD (the Spanish Organic Law on Data Protection) expressly includes schools that provide education at any of the levels established in the legislation governing the right to education, as well as public and private universities.
The AEPD (Spanish DPA) confirms this in its FAQ: the obligation does not depend on the school's size or on whether it has suffered a security breach.
Before going further, it must be established who makes the appointment in each case:
| Type of school | Initial analysis |
|---|---|
| Public school | The education authority usually appoints a DPO for the schools under its remit. |
| Private | The owning entity must appoint the DPO and report it. |
| State-subsidised ("concertado") | The private owner usually handles its own processing; coordination with the authority is needed. |
| School group | A shared DPO is possible if it is accessible and adequately resourced. |
| Unregulated academy | Article 37 of the GDPR and the actual nature of the activity must be analysed; the education rule in Article 34 cannot be assumed automatically. |
The specific structure and the applicable regional regulations must be checked in each case.
Functions and position of the DPO
The DPO informs and advises, monitors compliance, takes part in data protection impact assessments (DPIAs), cooperates with the supervisory authority and acts as a point of contact. The DPO must be consulted from the design stage of each processing activity, not once the platform has already been procured or the incident has already gone public.
Its independence requires:
- Direct access to school leadership or ownership.
- No instructions regarding its conclusions.
- Sufficient resources, information and time.
- Protection against retaliation for performing its duties.
- No conflict of interest.
- A visible point of contact for families, students and staff.
The DPO does not replace the data controller. School leadership decides the purposes, the means and the acceptance of risk.
Map of processing activities in schools
A school typically processes data in at least these areas:
- Admission and enrolment.
- Academic record and assessment.
- Guidance and special educational needs.
- Health, allergies and medication.
- Canteen, transport and activities.
- Images, website, social media and class photos.
- Learning and management platforms.
- Devices, accounts and communications.
- Access control and video surveillance.
- Staff, recruitment and payroll.
- School conduct, discipline and child protection.
- Providers, insurance and relations with the authorities.
- Alumni and promotional activities.
Each processing activity needs a purpose, a legal basis, data, recipients, a retention period, security measures and an identified controller. The educational function can legitimise the data that is necessary, including certain special categories, but it does not allow that data to be reused for marketing or for profiling unrelated to that purpose.
Minors: stronger protection without blocking education
Age does not turn consent into the legal basis for everything. A school may process the information needed for its teaching function on the basis of legal obligation, protection of vital interests or other applicable legal bases. Promotional publication of images, optional applications, or purposes that are not necessary each require a separate analysis.
Information must be adapted to the age and level of understanding of the audience. Families and students need to know what is collected, for what purpose, who has access, how long it is kept and how to exercise their rights.
Parental authority, legal representation and the minor's own maturity must be distinguished from one another. Parents' access to school information may be affected by court rulings, situations of violence, or the best interests of the child. Sensitive cases must be escalated to the DPO and to the legal or child-protection team.
Educational platforms: assess before clicking "accept"
In March 2026, the Spanish data protection authorities published a set of basic principles for procuring and using digital educational platforms. The school or the education authority remains the controller of the data it hands over to the platform.
Before signing up, it is worth reviewing:
- Purpose and pedagogical necessity.
- Data and permissions required.
- Controller and processor roles.
- Advertising, profiling and the provider's own uses.
- Sub-processors and data transfers.
- Security, encryption and authentication.
- Retention, export and deletion.
- Accessibility and alternatives.
- Analytics, artificial intelligence and automated decisions.
- Exit plan.
An application that collects more data than necessary, or that forces families to accept commercial uses, must not be imposed.
Contract and evidence
The Article 28 contract must cover instructions, confidentiality, security measures, sub-processors, rights, incidents, audits, and the return or deletion of data. It is also worth keeping the provider assessment, the version of the terms accepted, and the approval decision on file.
Free consumer accounts are generally not suitable for processing school records without a prior assessment and contract.
Images, recordings and social media
Photographing an activity for internal records is not the same as publishing it on an open social network. Purposes and channels must be kept separate.
A well-designed system should record:
- The student and their legal representatives.
- The authorised purpose.
- The specific distribution channels.
- The date and proof of the information provided.
- Withdrawal and its future effects.
- Any applicable protection restrictions.
Consent, when it is the legal basis, must be freely given, specific, informed and revocable. Participation in educational activities cannot be made conditional on accepting the promotional use of a student's image. Withdrawal does not require the impossible, but it does require future uses to stop and content to be taken down where feasible.
The school must have clear rules both for photographs taken by families at events and for publication by staff. Not everything visible at a school event is freely reusable.
Health and special educational needs
Data on allergies, disability, psycho-pedagogical reports or medication are special categories of data. Only those who need to act on them should have access. Teaching staff may need practical instructions, but not always the full clinical report.
Some recommended controls:
- Keep academic records, guidance and health data separate where appropriate.
- Limit the profiles with access and the ability to download.
- Avoid sending this information to general distribution groups.
- Keep reports in approved repositories.
- Define an emergency-response protocol.
- Delete local copies once they are no longer needed.
- Log any disclosures to professionals or public authorities.
Communications must be discreet. A visible allergy list may serve an urgent purpose, but it must be designed so as not to expose unnecessary information.
Devices, email and digital learning
The school must define institutional accounts, passwords, multi-factor authentication where appropriate, app installation, updates, backups and user deactivation. Shared devices need separate profiles and data wiping between uses.
Students should not be asked to use personal accounts for mandatory tools without a prior assessment. There must be an inventory of authorised applications. Teaching staff should not install, on their own initiative, services that process class data.
If generative artificial intelligence is introduced, the permitted uses, the prohibited data, the review of outputs and transparency towards families and students must all be established. School records or details of special educational needs must not be copied into public services without a contract and without authorisation.
Video surveillance and access control
Cameras require a purpose, necessity, proportionality, information, an appropriate location and a defined retention period. Particularly sensitive spaces and excessive capture must be avoided. Access to the footage must be limited and logged.
Video surveillance must not be used as a general substitute for supervision, or to continuously monitor teaching performance. When investigating an incident, only the relevant footage should be preserved, and requests should be handled with protection for third parties.
Biometric control requires a particularly strict analysis, since it processes special categories of data when it uniquely identifies individuals. Convenience is not enough: less intrusive alternatives must be assessed, and a DPIA carried out where appropriate.
Records, retention and leaving the school
Not everything is kept for the same length of time. A retention schedule by category must exist:
- Official academic record.
- Incomplete admission applications.
- Guidance and reports.
- Health and consent forms.
- Images and activities.
- School conduct and incidents.
- Billing and services.
- Access and security.
- Platform users.
When a student changes school, or the relationship ends, accounts must be revoked, devices recovered, documents transferred through an authorised channel, and auxiliary copies deleted. Data subject to a legal obligation is retained or blocked, as applicable.
Rights and family requests
The school needs a visible channel and a log of requests. It must verify identity proportionately and respond within the statutory deadline.
An access request may involve other people's data, protected notes, or information whose disclosure could affect the minor. A complete record that exposes third parties must not be handed over without review.
The right to erasure does not allow grades or documents that must be kept for legal reasons to be deleted. The response must explain the legal basis and the applicable limitations.
Breaches and child protection
Some common incidents:
- Mass email with visible addresses.
- Record sent to the wrong family.
- Public link to documents.
- Lost device.
- Compromised teacher account.
- Provider exposing a class's data.
- Sexual or violent content circulated online.
The procedure must coordinate privacy, security, school leadership and child protection. It must contain the incident, preserve the evidence, assess the risk, decide on notification and communication, and activate urgent channels when harmful content is involved.
Every breach must be documented. The provider must notify the school without undue delay.
Annual plan for the external DPO
Start of the school year
- Review enrolments, information and consent forms.
- Validate platforms and new applications.
- Check account creations, deactivations and profiles.
- Train staff according to their role.
- Review health, image and incident protocols.
During the school year
- Sample-check contracts and access.
- Handle new projects and rights requests.
- Review incidents and the measures adopted.
- Report to school leadership quarterly.
- Oversee DPIAs and new technologies.
End of the school year
- Revoke temporary accounts and access.
- Clean up copies and abandoned platforms.
- Review retention and transfers.
- Issue the compliance report and next year's plan.
Provider assessment
| Criterion | Question | Evidence |
|---|---|---|
| Necessity | Is it essential for the function? | Pedagogical/technical report |
| Data | Does it collect only what is necessary? | Inventory and configuration |
| Own use | Advertising, profiling or training? | Contract and policy |
| Security | Encryption, MFA, logs and incidents? | Documentation and evidence |
| Sub-processors | Who has access and where? | List and changes |
| Exit | Does it export and delete? | Proof of reversibility |
| Minors | Appropriate design and transparency? | Interface and information |
Common mistakes
- Appointing a DPO but not consulting them.
- Using consent as the basis for all educational activity.
- Accepting free platforms without a contract.
- Installing applications on individual initiative.
- Publishing images under a generic authorisation.
- Sharing full reports with people who only need instructions.
- Using personal accounts to handle school records.
- Keeping access active after someone has left.
- Handing over records without protecting third parties.
- Keeping accounts and copies indefinitely.
School checklist
- DPO appointed, notified and accessible.
- Roles between the owner and the authority defined.
- Processing activities and legal bases inventoried.
- Information adapted to families and students.
- Platforms assessed before signing up.
- Contracts, sub-processors and transfers under control.
- Images separated by purpose and channel.
- Health and guidance data with minimal access.
- Applications and devices inventoried.
- Retention and account deactivation documented.
- Breaches and rights handled with rehearsed procedures.
- Annual plan and reports to leadership in place.
Frequently asked questions
Do all schools need a DPO?
Schools that provide education at the regulated levels are expressly included under the LOPDGDD.
Can a group of schools share a DPO?
Yes, provided the DPO is accessible, independent and has sufficient resources for all of them.
Does family consent legitimise any platform?
No. The school must assess necessity, the contract, security and rights. Consent does not fix a disproportionate platform.
Can teaching staff use a free application?
They should not do so with student data without the controller's prior authorisation and assessment.
Can an image from an activity be published?
It depends on the purpose, the legal basis, the information provided and the channel. Promotional publication must be kept separate from educational documentation.
Does the DPO decide which platform to buy?
The DPO advises and oversees; school leadership decides and must document how it addresses the risks and recommendations received.
Official sources consulted
- GDPR (Regulation (EU) 2016/679), in particular Articles 5, 6, 8, 9, 12-14, 28 and 32-39.
- LOPDGDD (Spanish Organic Law 3/2018 on Data Protection), Article 34.
- AEPD (Spanish DPA): are schools required to appoint a DPO?
- AEPD: guide for schools (PDF)
- AEPD: principles for procuring digital educational platforms, March 2026
Summum Consultoría can take on the role of external DPO and put together an annual plan tailored to the school. Leadership retains responsibility and must integrate privacy with the educational function and child protection. If you would like to assess how this would fit your school, our external DPO service and our GDPR for schools proposal are designed to support exactly this process.