IP - 07121-1 / 2020/2263
|IP - 07121-1 / 2020/2263|
|Relevant Law:||Article 5 GDPR|
Article 6(1) GDPR
Article 32 GDPR
Article 32 GDPR
|National Case Number/Name:||07121-1 / 2020/2263|
|European Case Law Identifier:||n/a|
|Original Source:||IP Slovenia (in SL)|
The Slovenian DPA advised on whether a gym teacher's decision to ask children to record their dance videos and submit them to an online classroom was in accordance with Article 6 GDPR.
The Slovenian IP was requested to advise upon the legality of a gym teacher’s decision to ask children to be recorded dancing and submit the video to an online classroom.
Is article 6 (1) (c) GDPR the appropriate legal basis for a legitimate processing of the students’ data?
The Slovenian DPA does not find itself competent on deciding upon an individual school’s decision (article 2 ZlnfP), but can provide clarifications concerning legal data processing. The competent body according to the IP is the Ministry of Education. In that light and according to article 6 (1) GDPR, the IP considers consent as a non-appropriate legal basis for processing students’ data. Schools and teachers must be compliant with the provisions of article 6 GDPR and in particular with the principle of data minimization, according to which data collected and processed, should not be held or further used unless this is essential. In the case of the gym classroom the controller must not process more personal data than the strictly necessary for the educational process. Article 32 GDPR must also apply to ensure the adequate level of data security.
Share your comments here!
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Slovenian original. Please refer to the Slovenian original for more details.
The Information Commissioner (hereinafter: IP) has received your e-mail asking if it is permissible for a gym teacher to ask children to be recorded at a dance and submit a video to an online classroom. On the basis of the information you have provided to us, in accordance with Article 58 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data Directive 95/46 / EC (hereinafter the General Regulation on Data Protection), point 7 of the first paragraph of Article 49 of the Personal Data Protection Act (Official Gazette of the Republic of Slovenia, No. 94/07-UPB1, hereinafter ZVOP-1) and 2 According to Article of the Information Commissioner Act (Official Gazette of the Republic of Slovenia, No. 113/05, hereinafter ZInfP), we provide our non-binding opinion on your issue. IP initially explained that, in accordance with Article 2 ZInfP autonomous and independent state body that, in addition to the tasks set out in that Article, on the basis of Article 49 of the PDPA-1 also gives non-binding opinions, interpretations, views, advice and recommendations with areas of personal data protection . Therefore, the IP cannot assess the legality or adequacy of the decision of an individual school regarding the organization of knowledge tests and tasks performed in the current situation, as this does not fall within its competence. Also, the IP cannot assess specific processing of personal data outside the inspection or other administrative procedure. The opinion can therefore only provide general explanations from the point of view of personal data protection, but we cannot assess other aspects of invasions of privacy or the adequacy of specific actions of individual controllers or comment on the adequacy of individual measures in the current emergency. The process of distance education has been designed by some teachers to require students to use modern information technologies, often with the processing of personal data. In distance education, children should use various tools for online communication, including tools with video calling and related forms of cooperation, or pupils / students must, according to the teacher's instructions, record the completion of the given task and pass the recording to the teacher. Assessing the extent to which the use of information technology is essential for the implementation of a quality and stimulating educational process and for ensuring the effective implementation of teachers' work obligations is primarily the task and duty of each school as the controller of personal data of its students. This type of education should be carefully considered and, in the opinion of the IP, should not unduly infringe on the privacy of students. Regarding distance education, IP has already issued optional opinions containing substantively similar issues to yours, namely: - opinion no. 07121-1 / 2020/600 of 15 April 2020, - opinion no. 07120-1 / 2020/299 of 15 April 2020, - opinion no. 07120-1 / 2020/274 of 6 April 2020. All IP opinions are published and available on our website: https://www.ip-rs.si/vop/ . It follows from those opinions that any processing of personal data must have a legal and appropriate legal basis under Article 6 (1) of the General Regulation. The position of the IP is that in the processing of personal data of students for the purposes of distance education and knowledge testing or. the consent of the individual is not, in principle, the appropriate legal basis. Namely, it is essential that distance education is about performing a public law task of an educational institution and not about activities for which students, or their legal representatives gave their free consent. According to IP, Clause 6 (1) (c) of the General Regulation is the appropriate legal basis for the processing of personal data of students in the online environment in the current emergency situation, when knowledge testing or completed tasks can also take place, as processing is necessary.to fulfill a legal obligation applicable to the operator. The legal obligation is broadly defined by laws in the field of primary and secondary education, including the Primary School Act (Official Gazette of the Republic of Slovenia, No. 81/06 - UPB, as amended), the Gymnasiums Act (Official Gazette of the Republic of Slovenia, no. 1/07 - UPB, as amended, and the Vocational and Professional Education Act (Official Gazette of the Republic of Slovenia, No. 79/06, as amended), which stipulate the obligation of schools to provide the envisaged forms of education, and the duty of pupils and students to fulfill their school obligations. The work obligations of teachers are further defined in the Organization and Financing of Education Act (Official Gazette of the Republic of Slovenia, No. 16 / 07– UPB, as amended), which in Article 119 also stipulates “collection and processing of data related to by performing educational and other work ". Due to the exceptional circumstances in which we find ourselves due to measures to prevent the spread of the COVID-19 virus, which have temporarily changed the educational process, the Information Commissioner is of the opinion that the Ministry of Education, Science and Sport should properly specify this legal basis . As already explained, IP cannot judge and comment on concrete ways to test knowledge or. completed tasks of students at a distance. However, it is important that schools and teachers respect the principles of personal data protection set out in Article 5 of the General Regulation, in particular the principle of minimum data , according to which personal data must be relevant, relevant and limited to what is necessary for the purposes for which they are processed. . In this case, this means that the controller may not process more personal data than is strictly necessary for the implementation of the educational process. The school or individual teacher must therefore know or. students' tasks should be checked in a way that least interferes with their right to the protection of personal data and privacy. Regarding the security of personal data, IP also emphasizes that the controller of personal data must adequately protect it at all stages of processing. The first paragraph of Article 32 of the General Regulation provides that the controller and the processor, taking into account the latest technological developments and implementation costs and the nature, scope, circumstances and purposes of processing, as well as risks to the rights and appropriate technical and organizational measures to ensure an adequate level of risk-based security. Ensuring the security of personal data can be particularly problematic when using online tools that teachers use at their own discretion and possibly without prior consideration of ensuring the security of personal data.