Sanction imposed on an educational institution for using Google Workspace for Education
1. Key issues related to the incident
The procedure arises from a complaint filed with the AEPD in April 2024 against a private educational institution regarding the use of Google Workspace for Education (GWE) in providing educational activities.
Students accessed GWE through accounts created by the school itself and using Chromebook devices provided by the school. Through these accounts, students could use various digital applications for educational activities.
During the investigation, the school stated that the tool had been in use since the academic year 2021-2022 and was used by 531 students, of whom 395 were under 14 years old.
The school claimed that the use of the platform was limited to educational purposes and that certain technical measures had been adopted to restrict access to certain services and monitor device usage by students.
The AEPD analyzed various aspects related to the processing of personal data arising from the use of the different applications of this tool and the creation of GWE accounts and Chromebook devices, regarding compliance with the duty to inform, the legal basis for processing, the protective measures adopted by the school, the conduct of impact assessments, and the possible international data transfers arising from the use of Google's services.
2. GDPR non-compliances
Based on the described facts and the investigations carried out, the AEPD concluded that the school had failed to comply with several obligations established in the General Data Protection Regulation (GDPR).
1. Legitimacy of processing (Article 6 of the GDPR)
The school argued that the processing was justified by the fulfillment of legal obligations in the field of education or by the performance of tasks carried out in the public interest, in accordance with the twenty-third additional provision of the Organic Law on Education (LOE), which allows the processing of personal data necessary for the exercise of educational functions.
However, the AEPD reiterates that this legal authorization is limited exclusively to processing necessary for the performance of educational activities and the management of the teaching and learning process. Consequently, any processing of personal data carried out for purposes other than, or exceeding, this educational function must have an independent legal basis that justifies the processing.
In the case under analysis, the AEPD concluded that the school had not sufficiently demonstrated that all processing operations arising from the use of the technological platform were effectively covered by this regulatory authorization, as investigations revealed that even the basic services of GWE were being used for purposes that extended beyond educational ones.
2. Principle of lawfulness, fairness, and transparency (Article 5.1.a of the GDPR)
Regarding the information provided to data subjects about the processing of their personal data, the AEPD concluded that the school had not adequately provided parents of students with the information required by regulations regarding the use of the technological platform or the characteristics of the associated personal data processing, since it had not informed them of all categories of personal data subject to processing, nor was there any record of information on international transfers.
Moreover, the school could not demonstrate that the information had been communicated to the data subjects, as the platform did not retain any record showing that such communication had occurred.
The AEPD considers that the lack of clear, complete, and accessible information about these processing operations constitutes a violation of the principle of fairness and transparency, which requires that data subjects be effectively informed about how their personal data is processed, and once again highlights the need to comply with the principle of proactive responsibility, according to which data controllers must not only comply with the obligations established by regulations but also be able to demonstrate this compliance.
3. Data protection impact assessment (Article 35 GDPR)
The educational institution provided a data protection impact assessment (DPIA) conducted before implementing the tool. However, the AEPD considered that this assessment was insufficient.
In this regard, the AEPD highlights that not all essential elements of processing were taken into account (again, regarding the categories of data processed and international transfers), which means that not all existing risks were analyzed; no proportionality analysis of the processing was included; and there is no evidence that the procedures and measures that the institution had identified as recommendations for improvement had been implemented.
3. Conclusions
This decision highlights the growing attention that data protection authorities are paying to the use of digital tools and technological platforms in the education sector, especially when it comes to the processing of personal data of minors.
The AEPD points out that, although educational institutions have specific legal authorization to process personal data in the development of their educational activities, this authorization does not cover every processing of personal data carried out within the school environment.
Consequently, when the use of technological tools involves processing that goes beyond strictly educational purposes or introduces new risks to the rights and freedoms of data subjects, schools must correctly identify the applicable legal basis, provide information in a transparent and accessible manner, and, finally, assess the associated risks—through an appropriate impact assessment—with the aim of adopting the necessary technical and organizational measures to ensure compliance with data protection regulations.
Informative note from the Data Protection Department of ECIJA Madrid.