Czech Data Protection Authority: Parental consent when processing pupils’ personal data.
A school in the Czech Republic has been fined by the country’s Data Protection Authority. The penalty was imposed for processing pupils’ data without parental consent.
An investigation into processing of personal data was conducted at the primary school, following a complaint submitted by the Hradec Králové Inspectorate.
What about the legal grounds?
According to Article 5 of the Czech Personal Data Protection Act, processing of personal data can be carried out:
- only with data subject’s consent;
- exclusively for a specific purpose; and
- only to the extent necessary to fulfil the specific purpose.
The inspection revealed that Google Suite email accounts had been set up for pupils without obtaining explicit consent. (In the Czech Republic such consent must come from parents or guardians of children under the age of 15.) The pupils’ full names were used in the email addresses, which is not necessary for email accounts. The school could have used email addresses that were less privacy-invasive. Evidently this was not considered at the time.
Data subjects’ privacy rights
Article 11 of the Czech Personal Data Protection Act requires data controllers to inform data subjects of:
- the scope and purpose of personal data processing;
- who will process personal data and the manner of processing;
- any recipients that the data will be shared with; and
- their right to access their personal data.
Fair penalty by Czech Data Protection Authority?
In this particular case, the school received a penalty (sanction) of CZK 3,000 (approx £105). However, because the school made such a huge effort to remedy the violations, no remedial measures were imposed.
Source: The Czech Republic Data Protection Authority (DPA) – Controlling Processing of Pupils Personal Data in Connection with Use of Google Suite in Primary School.