Czech Data Protection Authority imposes fine on school

Czech Data Protection Authority : Parental consent when processing pupils’ personal data. A school in the Czech Republic has been fined by the country’s Data Protection Authority. The penalty was imposed for processing pupils’ data without parental consent. An investigation into processing of personal data was conducted at the primary school, following a complaint submitted by the Hradec Králové Inspectorate.

What about the legal grounds?

According to Article 5 of the Czech Personal Data Protection Act, processing of personal data can be expedited:

  • only with data subject’s consent;

  • exclusively for a specific purpose; and

  • only to the extent necessary to fullfil the specific purpose

The inspection revealed that Google Suite email accounts had been set up for pupils without obtaining explicit consent. (In the Czech Republic such consent must come from parents or guardians of children under the age of 15.) The pupils’ full names were used in the email addresses, which is not necessary for email accounts. The school could have used email addresses that were less privacy-invasive. Evidently this was not considered at the time.

Data subjects’ privacy rights

Article 11 of the Czech Personal Data Protection Act requires data controllers to inform data subjects of:

  • the scope and purpose of personal data processing;

  • who will process personal data and the manner of processing;

  • any recipients that the data will be shared with; and

  • their right to access their personal data

Fair penalty by Czech Data Protection Authority?

In this particular case, the school received a penalty (sanction) of CZK 3,000 (approx £105). However, because the school made such a huge effort to remedy the violations, no remedial measures were imposed. Source: The Czech Republic Data Protection Authority (DPA) – Controlling Processing of Pupils Personal Data in Connection with Use of Google Suite in Primary School. View original document (in Czech) More stories like this

Contact the author
Peter Borner
Executive Chairman and Chief Trust Officer

As Co-founder, Executive Chairman and Chief Trust Officer of The Data Privacy Group, Peter Borner leverages over 30 years of expertise to drive revenue for organisations by prioritising trust. Peter shapes tailored strategies to help businesses reap the rewards of increased customer loyalty, improved reputation, and, ultimately, higher revenue. His approach provides clients with ongoing peace of mind, solidifying their foundation in the realm of digital trust.

Specialises in: Privacy & Data Governance

Peter Borner
Executive Chairman and Chief Trust Officer

As Co-founder, Executive Chairman and Chief Trust Officer of The Data Privacy Group, Peter Borner leverages over 30 years of expertise to drive revenue for organisations by prioritising trust. Peter shapes tailored strategies to help businesses reap the rewards of increased customer loyalty, improved reputation, and, ultimately, higher revenue. His approach provides clients with ongoing peace of mind, solidifying their foundation in the realm of digital trust.

Specialises in: Privacy & Data Governance

Contact Our Team Today
Your confidential, no obligation discussion awaits.