Spain's data protection agency fines school after pupils access inappropriate online content
A mother discovered that her children had access to video games and YouTube through the Google Workspace for Education platform
The Spanish data protection agency (AEPD) has fined a private school in Madrid - the Holy Mary Catholic School - for misuse of the Google Workspace for Education (GWE) platform. According to the investigation, children were accessing online content inappropriate for their age through the suite.
The investigation started when a mother noticed that her children had access to video games and YouTube through the school's accounts. According to the AEPD, the school violated several articles of the GDPR.
The data protection agency has stated that the processing of the data of 531 students (395 of them under 14 years of age) lacked a solid legal basis, since it could not be based exclusively on a "legal obligation" or "public interest" for a use that went beyond strict academic management.
One of the key aspects of the resolution concerns the lack of transparency: "This information did not contain relevant aspects of the data processing that the data subjects should have been aware of." The school did not adequately inform data subjects about international data transfers to the US, which are inherent in the use of Google servers.
Sensitive data
In addition, although the school claimed that it only processed basic identifying data, the investigation showed that much more sensitive information was collected: IP addresses, cookies, activity logs and metadata from Chromebook devices. "The platform collects student usage data that is associated with student profiles, such as device information, access to content viewed or uploaded by users, etc.," the resolution states.
The AEPD also considers that the data protection impact analysis that the school has provided "does not reflect the full reality of the processing", as it ignores the risks arising from Google's tracking of minors' online activity.
The AEPD reiterates that privacy must be guaranteed "by default" - something the school failed to demonstrate conclusively by not providing documentation on regular security reviews of student accounts.
The school has chosen to acknowledge its responsibility and voluntarily pay a fine that initially amounted to 20,000 euros, but which, after legal reductions, has been set at 12,000. This implies that the school accepts responsibility for the alleged infractions and the AEPD requires it to adopt immediate corrective measures.
The text concludes by urging the school to provide, within three months, a valid legal basis for continuing to use the platform or, failing that, to cease processing and delete the data.