Do you know what kind of personal data a European school, as a data collector, has about you and your children?
Do you feel that we have to repeatedly give them personal data? Even if they have this information already?
How are European schools treating and protecting our personal data?
Do they destroy them properly or just through them in the bin?
Why they have so many papers with our personal data in an unprotected cupboard around the whole school?
Do you know how to request your personal data from the school?
You can get all of this information below, where I write about how to request your personal data from European schools quickly.
Table of Contents
What is the right of access?
The General Data Protection Regulation (GDPR), under Article 15, gives individuals the right to request a copy of any of their personal data which are being ‘processed’ (i.e. used in any way) by ‘controllers’ (i.e. European school), as well as other relevant information. These requests are often referred to as ‘data subject access requests or ‘access requests.
How do I exercise the right of access?
The GDPR does not set out any particular method for making a valid access request; therefore, an individual may make a request in writing or verbally. I would, however, encourage you to submit written access requests to avoid disputes over an access request’s details, extent, or timing. I have provided you with the template below for access requests made to the data protection office of each European school in writing.
Can I be charged a fee to make an access request?
No, for the standard case, as is this request. So, in most cases, individuals cannot be required to pay a fee to make a subject access request. Only in certain very limited circumstances, per Article 12(5) GDPR, where the initial request is ‘manifestly unfounded or excessive (which the controller must prove), can a controller charge a ‘reasonable fee for the administrative costs of complying with the request.
Controllers are also allowed to charge a reasonable fee, based on administrative costs, where an individual requests additional copies of their personal data undergoing processing. Anyway school has to legally prove that they had extra costs because of the request.
This is not the case in European schools since they can scan all the papers and send them to you by email.
Instead of having so much personal data on paper, they should use electronic data collecting. It would simplify their lives.
In what format should the information I request be provided?
Controllers should typically match the method or specific format requested by individuals when responding to access requests. For instance, if a request is made electronically, such as via email, controllers are generally expected to provide the necessary information in a commonly used electronic format, unless otherwise specified.
Controllers should adhere to the general rule of responding to access requests in the same format as the request was made or in the format specifically requested by the individual. When a request is made electronically, such as via email, controllers are typically expected to provide the required information in a commonly used electronic format, unless stated otherwise. This approach not only simplifies the process for individuals but also ensures that the information is delivered in a manner that is convenient and accessible to them.
Are there any limits to my right of access or GDPR request?
Legally yes, but there is a high threshold to meet, and the controller must prove that the request was manifestly unfounded or excessive, in particular, considering whether the request is repetitive.
How to request your personal data from the European school in 1 minute
Bellow you fill find template on how to request your personal data under GDPR for both schools:
Luxembourg 1
The email address for sending a request for Luxembourg 2 school is LUX-DPO-CORRESPONDENT@eursc.eu.
Luxembourg 2
The email address for sending a request for Luxembourg 2 school is MAM-DPO-CORRESPONDENT@eursc.eu.
GDPR template request for a copy of your personal information
Title of the email: Request for access to a personal data
Dear Ms / Mr,
Based on Article 15 of The General Data Protection Regulation (GDPR) I would like to request a copy of all the personal data European school Luxembourg (1 or 2) is collecting about my family:
- Your last and first name
- Your child’s last and first name
- Your second child’s last and first name…
Can you please specify:
1. the purpose of the processing for each data collection,
2. the categories of data you are collecting about my family
3. any recipient(s) of the personal data to whom the personal data has or will be disclosed, in particular recipients in third countries or international organizations, and information about appropriate safeguards.
4. the retention period for each data and the criteria used to determine this retention period.
Thank you and kind regards,
Your first and last name
When should DPO respond?
The GDPR request time limit is normally 30 days, but in exceptional circumstances, the deadline can be extended by 60 days. This extension is often used when the request is complex and requires considering the scope of the right of access to the General Rules of the European Schools, as well as coordinating with the DPO of the OSG. According to Article 12, Point 3 of the GDPR, we are notifying you that the processing and transmission of personal data will be extended by two months. It’s worth noting that this extension may be legally challenged if the personal data is easily extractable through an IT system. However, if the data is stored in physical form, such as paper documents in cupboards, manual searching would be necessary.
Then, you need to manually search through each individual paper, which increases the likelihood of missing some of them. The standard time limit for GDPR requests is typically 30 days, but it can be extended by an additional 60 days in exceptional circumstances. This extension is commonly applied when the request is complex and requires careful consideration of the scope of access rights outlined in the General Rules of the European Schools, as well as coordination with the Office of the School’s Data Protection Officer (DPO).
In conclusion data access request timeframe is 30 days but only in exceptional cases this can be extended for another 60 days.
When is the best time to send a request?
If you are like me and think that European schools’ administration is bureaucratic mammoth, focused only on themself and totally ignoring the education process that they are paid for with public money, then you should send requests from March till the end of May.
Of course, you can send it any time you like but based on legal timing, which is 90 days, they will need to provide an answer right before the school holidays. The main exercise with how to request your personal data is that school has to give you any information they are collecting about your and your children. There is a high probability that they are collection far more that they are required under the law.
If there are many requests, this might cause insensitive to finally move to digital data collection.
