Obligations of those involved in children’s school, leisure and recreation activities
Schools and other parties involved in children’s leisure and recreation activities need to ensure that the processing of personal data is in accordance with the laws on personal protection and must be able to demonstrate this.
This includes:
the processing must be based on a legal authorisation,
the principles of the law must be fulfilled,
appropriate training on the processing must be provided, where appropriate, and
to assess whether an impact assessment on personal protection is necessary
Generally, consent cannot be based on other than a completely voluntary service. Data protection laws allow such processing to be carried out only if it is necessary and based on legal authority.
The responsible person must demonstrate the necessity of each processing.
Access control in schools:
Limiting parents’ access to the classrooms is not a requirement of the Data Protection Act, but a safeguard that schools can decide on themselves.
Confidential statements:
Schools cannot require parents to sign declarations prohibiting them from discussing school matters. Employees must keep confidence according to law.
Pictures and video:
Schools need parental consent for photo-taping and photo-display of children, and such photo-display must comply with data protection laws.
Social media use:
Schools are not advised to use social media like Facebook to share personal information about children.
Student calendar:
The lists of students may be distributed to parents or parents' associations, if proportionality is observed and the rights of individuals are respected.
CCTV:
Electronic monitoring with CCTV in schools is permitted for a clear purpose and must be accompanied by rules on safety and proportionality. In some cases, a so-called impact assessment on personal protection must be carried out.
