As you might remember, Leene Soekov sent out an urgent email with the title “URGENT Covid 19 – Pupil’s Contract”. This message was sent as an urgent one that required immediate reaction from parents and pupils. The school administration requested that we send our papers back in less than 16 hours when children return to the school.
With this document they started a new data collection, and they failed to comply with the General Data Protection Regulation (GDPR). Personal data refers to any information that relates to an identified or identifiable living individual.
This data collection is not legal
After lengthy discussions with the data protection officer of both European schools in Luxembourg, I realise they are taking data protection very lightly. Mr Guillaume Fernandez, data protection officer, was not able to adequately explain all the questions regarding this data collection. Because of this, I think they did it illegally, so I issued a legal challenge before the National Data Protection Commission (CNDP). The basis for my legal complaint is supported by the following points.
There must be specific purposes for collecting personal data
GDPR provides six bases for data collection and data processing:
- The vital interest of the individual,
- The public interest,
- Contractual necessity,
- Compliance with legal obligations,
- The unambiguous consent of the individual,
- The legitimate interest of the data controller
The school is collecting unnecessary personal data. To present pupils with the rules against Covid-19, they should use educational means and not force pupils and parents to enter into the contract and start a new data collection. None of the schools in Luxembourg, nor other European schools (like the European School in Frankfurt), were using this method. Still, they presented such information during the education process in the classroom.
Personal data must be processed lawfully and transparently
The data collector should ensure fairness towards the individuals whose personal data is being processed. That kind of information must be publicly available before you start data collection. At the time of collecting their data, people must be informed clearly about at least:
- who your company/organisation is (your contact details, and those of your DPO if any);
- why your company/organisation will be using their personal data;
- the categories of personal data concerned;
- the legal justification for processing their data;
- for how long the data will be kept;
- who else might receive it;
- whether their personal data will be transferred to a recipient outside the EU;
- that they have a right to a copy of the data (right to access personal data) and other fundamental rights in the field of data protection;
- their right to complain to a Data Protection Authority (DPA);
- their right to withdraw consent at any time.
Pupils and parents were not informed in advance why this new data collection is necessary, how the data will be stored and for how long. They just sent an email saying you have to sign it by tomorrow morning, without any legal justification.
In my opinion, Leene Soekov didn’t even inform the data protection officer that they would be starting a new data collection.
The school must install appropriate technical and organisational safeguards…
That ensure the security of the personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, using appropriate technology. The school’s DPO provided information that personal data is kept in the educational advisers’ offices, in cupboards and folders. Not a very safe solution.
The whole direction of the school has access to personal data
The DPO’s answer to this part was: “The access is limited to the Educational Advisors and the Direction of the School.”
Access to personal data should be kept to a minimum, and not everybody in the school administration can have access to personal data.
Article 15 of the “General rules of the European Schools”
The Data Protection Officer also presented information that they started the data collection according to Article 15 of the “General Rules of the European Schools”:
“The Director shall be responsible for security on school premises. Should a particular event occur at the school (e.g. death, serious accident, fire, explosion, infectious disease, threats, etc.), the Director must notify the relevant service.”
Of course, Article 15 has nothing to do with this data collection.
Many of you asked me why I put Per Frithiofson in the title. The reason is that he, as director of the school, is responsible for everything that is happening in the school. The good and the bad things.
The CNDP presented its decision. You can read about it here – European School was illegally collecting personal data.