Polish DPA imposes a Penalty of a Reprimand for the Processing of Students’ Personal Data

Sep 1, 2020

Source: European Data Protection Board

The President of the Personal Data Protection Office (UODO) imposed a penalty of a reprimand for the processing of students’ personal data without legal basis in connection with survey carried out by a school in the school year 2019/2020. The survey entitled “Diagnosis of student’s home and school situation” examined personal situation of students.

In connection with the survey, the school processed personal data of students, including minors, in particular names and surnames, attended class, indication of legal guardians (parents), family status (single parent, full family), information about death of a legal guardian (parent), separation of legal guardians (parents), their education and professional situation, the number of people in the household, financial situation, health condition and addictions of legal guardians (parents), housing situation and information on social benefits.

The processing of students’ personal data included collection, storage and destruction of those data.

In the course of the UODO’s inspection it was established that the survey was conducted to identify students who require psychological support from the school they attend. The survey was carried out by class teachers in classes 7-8 of elementary school and in high school classes. It was conducted in the form of in blanco paper forms on direct instruction from school principal.

All returned copies of the survey were destroyed by an official commission. According to the findings of the inspection, personal data included in the surveys were not entered into electronic telecommunication systems, were not recorded on electronic data carriers or other information carriers, including in paper form. After collecting the surveys, the teachers did not make any scans or paper copies of them, nor did they make other additional documents containing personal data concerning the surveys. As of the date of the inspection, students’ personal data obtained in connection with the surveys were no longer processed.

According to the evidence obtained as a result of the inspection, the surveys were conducted in a way that excludes the possibility of unauthorized disclosure of the data contained in them.

By conducting a survey among students, the school has violated the principle of lawfulness of data processing, according to which personal data must be processed lawfully, fairly and in a transparent manner for the data subject. The above principle has been developed in the content of Article 6(1)(c) of the GDPR, according to which the processing is lawful only if – and to the extent to which – the condition that the processing is necessary for compliance with a legal obligation to which the controller is subject is fulfilled.

The school, as a public entity, may process personal data within the scope of its tasks imposed by law. In turn, according to the Educational Law, schools process personal data to the extent necessary for the performance of the tasks and obligations arising from these regulations. The legal acts regulating the functioning of educational institutions do not specify such tasks and obligations of schools that would justify the processing of students’ personal data in the way it was done in the penalised entity, in connection with the conducted survey.

The President of the UODO considered that, in the established circumstances of this case, a reprimand was sufficient. The unintended nature of the infringement was considered to be an attenuating circumstance. The school principal immediately took a number of corrective measures, such as: destruction of the survey forms or refraining from carrying out the survey by some teachers, organisation of training for staff to raise their awareness of personal data protection issues, and analysis of the incident of conducting the survey among students, given the risk to the rights and freedoms of natural persons. Moreover, on the basis of the circumstances of the present case, there are no grounds to consider that the data subjects have suffered damage as a result of the event. The President of the UODO has not received any signals that similar behaviours resulting in violations have taken place on the part of the school.

To read the press release is Polish, click here.
To read the full decision in Polish, click here.

For further information, please contact the Polish SA: http://kancelaria@uodo.gov.pl

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA’s website or other channels of communication, the news item is only available in English or in the Member State’s official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.

Recent news

EDPB: ‘Consent or Pay’ models should offer real choice

Brussels, 17 April - During its latest plenary, the EDPB adopted an Opinion following an Art. 64(2) GDPR request by the Dutch, Norwegian & Hamburg Data Protection Authorities (DPA). The Opinion addresses the validity of consent to process personal data for the...

read more

CSC elects 2nd Deputy Coordinator

The Coordinated Supervision Committee (CSC) has elected Matej Sironic from the Slovenian Data Protection Authority (DPA) as its Deputy Coordinator for a term of two years. Sironic will be the second Deputy Coordinator, and will work along with Sebastian Hümmeler from...

read more