Do you know what kind of personal data a European school, as a data collector, has about you and your children?
Do you feel that we have to repeatedly give them personal data? Even if they have this information already?
How are European schools treating and protecting our personal data?
Do they destroy them properly or just through them in the bin?
Why they have so many papers with our personal data in an unprotected cupboard around the whole school?
Do you know how to request your personal data from the school?
You can get all of this information below, where I write about how to request your personal data from European schools quickly.
Table of Contents
What is the right of access?
The General Data Protection Regulation (GDPR), under Article 15, gives individuals the right to request a copy of any of their personal data which are being ‘processed’ (i.e. used in any way) by ‘controllers’ (i.e. European school), as well as other relevant information. These requests are often referred to as ‘data subject access requests or ‘access requests.
How do I exercise the right of access?
The GDPR does not set out any particular method for making a valid access request; therefore, an individual may make a request in writing or verbally. I would, however, encourage you to submit written access requests to avoid disputes over an access request’s details, extent, or timing. I have provided you with the template below for access requests made to the data protection office of each European school in writing.
Can I be charged a fee to make an access request?
No, for the standard case, as is this request. So, in most cases, individuals cannot be required to pay a fee to make a subject access request. Only in certain very limited circumstances, per Article 12(5) GDPR, where the initial request is ‘manifestly unfounded or excessive (which the controller must prove), can a controller charge a ‘reasonable fee for the administrative costs of complying with the request.
Controllers are also allowed to charge a reasonable fee, based on administrative costs, where an individual requests additional copies of their personal data undergoing processing. Anyway school has to legally prove that they had extra costs because of the request.
This is not the case in European schools since they can scan all the papers and send them to you by email.
Instead of having so much personal data on paper, they should use electronic data collecting. It would simplify their lives.
In what format should the information I request be provided?
The general rule is that a controller should respond to your access request the same way the request was made or in the way you specifically asked for a response. Where you make the request electronically (such as by email), controllers should provide the required information in a commonly used electronic format unless you request otherwise.
Are there any limits to my right of access?
Legally yes, but there is a high threshold to meet, and the controller must prove that the request was manifestly unfounded or excessive, in particular, considering whether the request is repetitive.
How to request your personal data from the European school in 1 minute
Bellow you fill find template on how to request your personal data under GDPR for both schools:
Luxembourg 1
The email address for sending a request for Luxembourg 2 school is LUX-DPO-CORRESPONDENT@eursc.eu.
Luxembourg 2
The email address for sending a request for Luxembourg 2 school is MAM-DPO-CORRESPONDENT@eursc.eu.
GDPR template request for a copy of your personal information
Title of the email: Request for access to a personal data
Dear Ms / Mr,
Based on Article 15 of The General Data Protection Regulation (GDPR) I would like to request a copy of all the personal data European school Luxembourg (1 or 2) is collecting about my family:
- Your last and first name
- Your child’s last and first name
- Your second child’s last and first name…
Can you please specify:
1. the purpose of the processing for each data collection,
2. the categories of data you are collecting about my family
3. any recipient(s) of the personal data to whom the personal data has or will be disclosed, in particular recipients in third countries or international organizations, and information about appropriate safeguards.
4. the retention period for each data and the criteria used to determine this retention period.
Thank you and kind regards,
Your first and last name
Wwhen should DPO respond?
GDPR request time limit is 30 days. DPO has to send you all the information. In certain. exceptional circumstances, they can extend the deadline by 60 days. Indeed they like to use this option with this explanation: Your request is complex for us because we had to consider the scope of the right of access to the General Rules of the European Schools, and we had to coordinate your request with the DPO of the OSG. Based on article 12, point 3 of the General Data Protection Regulation (GDPR), we inform you that we are extending the processing and transmission of personal data by two months. This can be legally challenged since the IT system allows immediate extraction of personal data. Unless you use an IT system, like European schools, where they store everything on paper in cupboards. Then you need to manually look for each and every paper. And there is a good chance you miss some of them.
In conclusion data access request timeframe is 30 days but only in exceptional cases this can be extended for another 60 days.
When is the best time to send a request?
If you are like me and think that European schools’ administration is bureaucratic mammoth, focused only on themself and totally ignoring the education process that they are paid for with public money, then you should send requests from March till the end of May.
Of course, you can send it any time you like but based on legal timing, which is 90 days, they will need to provide an answer right before the school holidays. The main exercise with how to request your personal data is that school has to give you any information they are collecting about your and your children. There is a high probability that they are collection far more that they are required under the law.
If there are many requests, this might cause insensitive to finally move to digital data collection.