School fined 10,000 euros for opening email account for pupil under 14 without parental permission
The mother reported the breach to the Spanish data protection agency after learning that her daughter's identity had been impersonated and that several people were writing on her behalf in Classroom
The Spanish data protection agency (AEPD) has finally resolved a case involving the creation of an email account for a 14-year-old student by her school, without her parents' consent. The parents found out about it when they discovered that their daughter's identity had been impersonated and that someone using her name was writing emails to different people, including on the Classroom platform. In the end, the school has been fined 10,000 euros for violating data processing regulations.
According to the resolution, the parents warned the school that the security measures "were not optimal" as soon as they learned about what was happening. They found that the email password for all students included the initials of the children, plus the mother's date of birth. "At no point were the students told to change the password, which opened the possibility of identity theft without much effort," the document states.
The parents complained to the Spanish data protection agency, which agreed to initiate disciplinary proceedings. In response, the school defended itself by claiming that the email address responded to an educational need and that it was created during the exceptional period of Covid-19, given the need for rapid adaptation of the educational systems in place at the time. "Therefore, the communication of the creation of the email address was carried out by means of emails with the minors' guardians and there was no impediment or refusal on the part of the guardian of the minor referred to in the complaint. However, after this period of exceptional adaptation, they adapted systems to obtain consent, following the requirements established by the legislator."
In response, the AEPD stated that in no case does an emergency situation such as the global Covid-19 pandemic in itself legitimise the processing of personal data without the consent of the subject or their guardians. The fact that the email password created by the school for all pupils was the child's initials plus the mother's date of birth "evidences the weakness and lack of reasonable security measures and, consequently, a breach of the data controller's data protection obligations".
According to the AEPD, the lack of adequate consent from the parents of a 14-year-old minor constitutes an infringement and violation of article 6.1 of the GDPR. There is no evidence that the school had "reasonable" security measures in place, in accordance with the possible estimated risks.
Finally, the data protection agency agreed to impose several fines: for the infringement of Article 6.1 of the GDPR, as defined in Article 83.5 of the GDPR (4,500 euros); for the infringement of Article 13 of the GDPR, as defined in Article 83.5 of the GDPR (1,000 euros); and for the infringement of Article 32 of the GDPR, as defined in Article 83.4 of the GDPR (4,500 euros).