Do you know what kind of personal data the European School, as a data collector, holds about you and your children? Do you have the feeling that you have to give them the same personal data repeatedly, even though they already have it? How are the European Schools treating and protecting our personal data? Do they destroy it properly or just throw it in the bin? Why do they keep so many papers with our personal data in unprotected cupboards around the whole school?
You can get all of this information below, where I write about how to request your personal data from the European schools quickly.
What is the right of access?
The General Data Protection Regulation (GDPR), under Article 15, gives individuals the right to request a copy of any of their personal data which are being ‘processed’ (i.e. used in any way) by ‘controllers’ (here, the European School), as well as other relevant information. These requests are often referred to as ‘data subject access requests’, or ‘access requests’.
How do I exercise the right of access?
The GDPR does not set out any particular method for making a valid access request, so a request may be made by an individual in writing or verbally. I would, however, encourage you to submit written access requests to avoid disputes over the details, extent, or timing of an access request. I have provided a template below for access requests made in writing to the data protection office of each European School.
Can I be charged a fee to make an access request?
No, not for a standard case such as this request. In most cases, individuals cannot be required to pay a fee to make a subject access request. Only in certain very limited circumstances, per Article 12(5) GDPR, where the initial request is ‘manifestly unfounded or excessive’ (which the controller must prove), can a controller charge a ‘reasonable fee’ for the administrative costs of complying with the request.
Controllers are also allowed to charge a reasonable fee, based on administrative costs, where an individual requests additional copies of their personal data undergoing processing. In any case, the school has to legally prove that it incurred extra costs because of the request.
This is not the case in European schools since they can scan all the papers and send them to you by email.
Instead of having so much personal data on paper, they should use electronic data collection. It would simplify their lives.
In what format should the information I request be provided?
The general rule is that a controller should respond to your access request in the same way the request was made, or in the way in which you specifically asked for a response. Where you make the request electronically (such as by email), controllers should provide the required information in a commonly used electronic format, unless you request otherwise.
Are there any limits to my right of access?
Legally yes, but there is a high threshold to meet, and the controller must be able to prove that the request was manifestly unfounded or excessive, in particular taking into account whether the request is repetitive.
How to request your personal data from the European school in 1 minute
The email address for sending a request for Luxembourg 1 school is LUX-DPO-CORRESPONDENT@eursc.eu.
The email address for sending a request for Luxembourg 2 school is MAM-DPO-CORRESPONDENT@eursc.eu.
Template for sending a request
Title of the email: Request for access to personal data
Dear Mr Fernandez,
Based on Article 15 of the General Data Protection Regulation (GDPR), I would like to request a copy of all the personal data the European School Luxembourg (1 or 2) is collecting about my family:
- Your last and first name
- Your child’s last and first name
- Your second child’s last and first name…
Can you please specify:
1. the purpose of the processing for each data collection,
2. the categories of data you are collecting about my family,
3. any recipient(s) of the personal data to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organizations, and information about appropriate safeguards,
4. the retention period for each data item and the criteria used to determine this retention period.
Thank you and kind regards,
Your first and last name
When should the DPO respond?
The DPO has 30 days to send you all the information. In certain circumstances, they can extend the deadline by 60 days. Indeed, they like to use this option, with this explanation: "Your request is complex for us because we had to consider the scope of the right of access in relation to the General Rules of the European Schools and we had to coordinate your request with the DPO of the OSG. Based on the article 12 point 3 of the General Data Protection Regulation (GDPR), we inform you that we are extending the processing and transmission of personal data by two months." This can be legally challenged, since an IT system allows immediate extraction of personal data. Unless, that is, you don’t use an IT system, like the European Schools, and store everything on paper in cupboards. Then you need to look for each and every paper manually, and you miss some of them.
When is the best time to send a request?
If you are like me and think that the European Schools’ administration is a bureaucratic mammoth, focused only on itself and totally ignoring the education process that it is paid for with public money, then you should send your request from now till the end of May.
Of course, you can send it any time you like, but based on the legal timing, which is 90 days, they will then need to provide an answer right in the middle of the school holidays.
If there are many requests, this might create an incentive to finally move to digital data collection.