Page 1

Processing compliance methodology
personal data in the school environment
This methodology contains only general principles on the protection of children's privacy and data,
parents and legal guardians and their application in the field of education.

Page 2

Steps to comply with GDPR
Basic principles and rights

Privacy Policy

1. The best interests of the child - they must adhere to this principle
all decision-makers for children.
It also applies to parents who should be aware of this principle
apply naturally, provided that there is a discrepancy between them
interests and interests of the child, the court should decide. subsequently

The security of processing starts with us in the basics
principles. In applying the principles and rules of personal protection
data, schools and school facilities must pay special attention
pay attention to the position of the child, because they always have to
respect his best interests.

2. The right to the privacy of the child - no child may be
exposed to arbitrary or unlawful interference with
- Personal data must be processed fairly,
privacy, family, home or correspondence, or
transparent and legal.
unlawful attack on his honor or reputation. It can happen
to situations where the best interests of the child and the right to privacy are
- They should be obtained only for a specific and lawful purpose.
contradictory. In such cases, it is possible that the right to
- All data must be adequate, relevant and limited
protection of privacy (including personal data) must be abandoned
to the necessary extent, it is the so-called principle of minimization.
the best interests of the child, e.g. if the teacher reveals
personal data to a social worker in order to protect the child, if
Don't process data you don't need and only have it
he is suspected of neglect or
for sure in yourself.
abuse.
- They must be correctly and continuously updated.
3. Representation - children need children to exercise most rights
legal representation. However, this does not mean the status of a parent - Personal data may not be stored longer than permitted
the purpose of their processing.
has absolute precedence over the position of the child. Children
gradually can contribute to the adoption of decisions that make them
- Personal data must be protected.
including their personal data. The primary level is
- The operator is responsible for compliance with these principles.
the right to be consulted.

Page 3

1. Approach the new legislation
rationally and prudently

The new legislation is not revolutionary in nature, it builds on the previous law.
The news it brings are, in particular, the obligation to keep records of processing
activities and the obligation to designate the responsible person, the information
notification obligation to the Office in case of breach of security
personal data, the extension of the rights of data subjects, the impact assessment it is intended to have
nature of exceptionality and should not cover such a wide range
operators.

Page 4

Current personal data
• The photo
• Name, surname, address
• E-mail, telephone number
• Date of birth
• Identification number
• Mark of the child

Sensitive personal data,
so-called special category of personal
data according to Art. 9 GDPR
• racial or ethnic origin ,
• political views,
• religious or philosophical
belief or membership
in trade unions,
• genetic data,
• biometric data on an individual basis
identification of the natural person,
• health data
• sexual life data
or sexual orientation.

Page 5

2. Distinguish between processing on the basis of law a
consent
You do not have to worry about processing personal under the law, especially school law
of the Act and related decrees. The legal obligation takes precedence over
the attitude and opinion of the person concerned. In the case of lawful processing is not
consent to the processing of personal data is neither necessary nor appropriate.
It is necessary to distinguish processing beyond the law, ie when the law directly
does not recall a specific situation, such as the publication of a photograph
pupil on the school website. Schools and school facilities should check in which
In some cases, they process personal data without being required to do so by law.

Page 6

3. On what basis does the school process personal data?

Consent - used when you give your child or his or her parents real opportunity and control over how they are to be used.
personal information. Although the consent of the GDPR allows use does not mean that the processing is in line with the
with the requirements of personal data protection legislation. The school must always choose the appropriate legal basis for processing and
has other reasonable grounds for processing personal data.
Consent must be free, specific, informed, unambiguous and verifiable. Consent is given according to the purpose. On appeal
consent, the school is obliged to delete the student data.
Appropriate legal basis : Photographs, publication of works of art at the exhibition together with data (name, surname, class);
Legitimate interest - a proportionality test is required in which the GDPR warns that you have to deal with interests,
fundamental rights and freedoms of the data subject who require the protection of personal data, in particular if the data subject is
child . It does not apply to processing carried out by public authorities in the performance of their tasks. Together with your consent at least
legal basis used.
Appropriate legal basis: camera system (protection of property) ;
Contract - processing must be necessary for the purposes of performing the contract, e.g. application for a card / card (here may be
appropriate legal basis and consent), a dual education system (apprenticeship contract);
Vital interest - should be used only in exceptional or life-threatening situations, e.g. in the event of an accident or
child injury;
Legal obligation - the school must find an obligation in the relevant law that requires the processing of personal data and find out
whether the processing of personal data is necessary to fulfill a legal obligation. Appropriate question before applying this legal
basis: Do I need this information to fulfill a legal obligation, such as the obligation to insure the child, to keep the child's personal file?
Public interest - the processing of personal data must be necessary for the performance of a task in the public interest or in
with the exercise of official authority. The school must identify what role it plays in the public interest, and such a role (purpose) should also follow
from law or decree. However, it is not strictly defined as a legal obligation, such as an obligation to lead a teacher
documentation. Appropriate question before using this legal basis: I need this data to keep the school running,
education?

Page 7

4. Information obligation

In providing information to children and their legal guardians, special emphasis should be placed on
providing layered information based on the use of a simple, concise language that is
easy to understand. The shorter notice should contain the basic information to be provided at
collection of personal data, which should be accompanied by a more detailed notification, for example
through a link to the website of the school or school facility, and stating that information
about the processing of personal data can also be found out in person, for example from the responsible person, the director
nurseries, etc. It is appropriate to place the information obligation in the school and school facilities,
for example, on the notice board at the entrance to the building or in the locker rooms.
The information must always be provided to the legal representative and, after reaching the mental capacity, also
child (in a suitable form, for example at the beginning of the school year, or as part of a teaching
hours).
It is especially important to be properly informed about the rights of the person concerned , mention may be made of the right of access,
which is usually exercised by a legal representative but always in the best interests of the child. The child may be entitled to exercise
their rights and themselves (eg special regulation in the Education Act according to § 144 paragraph 1 letter m) the child has the right
for information concerning his person and his educational results ...). Rights of the persons concerned
the school equips properly and on time (without undue delay within 1 month at the latest). If any right
cannot be complied with, the person concerned shall be informed of the reasons.
A sample of the information obligation can be found https://dataprotection.gov.sk/uoou/sk/content/vzor-informacnej-povinnosti-pre-zamestnanca

Page 8

5. Responsible person

6. Records of processing
activities

School
are u
leads
records
Schools a
school
devices
perhaps
on processing activities and provides
within the meaning of the GDPR as public authorities ,
their continuous updating. It's not going on at the office
as in certain situations they decide on
no registration. The records are for the case
rights and obligations of natural persons, as well as from
personal data protection proceedings; or
title of their founder.
controls, but they are also a good tool for revision
rights of access to individual purposes
processing, ie what the employee has
For this reason, all schools and school
facilities have a duty to determine who is responsible for what purpose of processing access.
report the person and his / her contact details to the Office.
Model records of processing activities
you will find
https://dataprotection.gov.sk/uoou/sk/content/vzorrecords-of-processing-activities

Page 9

Taking appropriate security measures

7. Security

a) Technical measures - securing the building by means of mechanical means of restraint (lockable
doors, windows, grilles), secure storage of physical media of personal data (storage of paper documents in
lockers or safes), devices for destroying physical data carriers (eg
equipment
on the
shredding
documents), rules
access
third
persons
to personal data, identification, authentication and authorization of persons, use of logos, firewall, protection against
threats coming from a publicly accessible computer network (hacker attack), rules for downloading files from
publicly accessible computer network, spam protection, backup, etc.
b) Organizational measures - training, determination of instructions that the person is obliged to apply during processing
personal data, the definition of personal data to which a particular person should have access for the purpose of performing his or her
duties or tasks, managing passwords, controlling access to the facility and protected areas of the operator
(eg through technical and personnel measures), the maintenance and cleaning regime of the protected
premises, rules for the processing of personal data outside the protected area, treatment of business
mobile phones, laptops and their protection, use of e-mails only for work purposes, control activities
the operator to comply with the safety measures adopted, specifying the manner, form and
periodicity of its implementation, informing the persons concerned about the control mechanism, if it is with the operator
established (scope of control and methods of its implementation).
Art. 24, 25, 32 GDPR - risk analysis. Art. 35 GDPR - impact assessment, from which the obligation to prepare an assessment
impact is regulated in Art. 35 par. 3 GDPR.
GDPR defines some security measures - anonymization, encryption (for example, if they are sent by e-mail
sensitive data to the parent), pseudonymisation, which the operator may voluntarily introduce into his processes.
Page 10

What do security mean?
measures?

• The school protects the personal data it processes from being misused by appropriate and available means. Above all
stores personal data in places, school environments or in a system to which they have limited access only
persons designated and authorized by the Director.
• The school will take measures to ensure that the processing of personal data is reviewed by the school principal or his / her
person or responsible person. Such measures include, in particular, the issuing of instructions on how to dispose of them safely
with personal data for pedagogical and non-pedagogical staff, orally or in writing, determination
work obligations in the employment contract, as well as the determination of instructions within the framework of contracts concluded with third parties,
for example, providing personal data destruction services.
• The school continuously evaluates the adopted rules of personal data protection, as the system of personal data protection
is a living mechanism. Some procedures may prove outdated or have not worked.
• When handling personal data, each employee respects their nature and adapts the actions accordingly.
connected. In particular, the employee does not disclose personal data without verifying that such a procedure is possible
data to persons who do not prove the right to obtain them. The employee will always try to provide basic information
the person concerned; otherwise refer the person concerned to the responsible person or to the school head.
• The school actively cooperates with the responsible person in the processing of personal data.
• The school immediately deals with any security incident related to the protection of personal data, in cooperation
with the responsible person and rather a record of him.
• Pedagogical documentation is permanently stored in lockers in school offices. Class teacher
they are lent only for the time strictly necessary to make the entries. Student data should not be reported
from school, provide copies to strangers and the like.
Page 11

• Personal data kept in electronic form, for example in the case of an electronic student book, are only stored
in a secure system. This system is accessible to individual teachers and other authorized persons
school principals, only on the basis of a unique login name and password and only within the scope of the authorization given
functional classification. Passwords must be protected and not shared with anyone. When working with electronic records
the authorized person must not leave the computer without logging off. Parents and students have secure remote access
exclusively to the own data, on the basis of the assigned password, passed on individually by the class teacher.
• Employees' personal files are also kept securely in lockers, accessible only by the director
school, or its representative and personnel and payroll department.
• Student lists are not published, provided without the consent of legal representatives to other natural persons or
legal persons or state bodies which are not required by law.
• If forms and templates are used for keeping pedagogical documentation, it is necessary to check whether
do not require unnecessary data.
• If an employee finds a privacy violation, he or she will immediately prevent another unauthorized person
handling of personal data and report this fact to the school principal or the responsible person.
• The school principal or the responsible person is obliged to inform the staff about all significant ones
facts and procedures relating to the processing of personal data. They will ensure that they are properly instructed
on the rights and obligations of personal data processing and, as far as possible, provide training; and
training in the field of personal data protection.
• Teachers are not advised to use their own computer when working at home. First, because a private computer lives
mostly used by other members of the household, but it is also not enough to ensure the safety of one's own
devices. The use of business facilities should be safer. It is up to the school head to determine the rules
use of business mobile phones, tablets or laptops.
• Obligations and recommendations for the processing of personal data can be incorporated, for example, into school regulations,
rules of procedure, the internal data protection directive.

Page 12

• Non-discrimination - Some information, such as race or disability information, can discriminate against a child. Tieto
information is obtained to ensure that the school or school facility is informed about pupils with cultural,
language or economic difficulties and need to be given increased attention. When processing such information,
the criteria should be the principle of the best interests of the child and the principle of purpose limitation. The student's religion should not be mentioned
take no unnecessary conclusion if the data are only needed for administrative purposes (eg completing classes
religion, preference for certain foods). Information about the child's family's assets and income can also be a source
discrimination, but are processed in the best interests of the child, for example if the parent applies for a benefit or a reduction in the fee.
All information that could lead to discrimination must be protected by appropriate security measures, for example
by processing them in separate files, by qualified and designated persons, provided that confidentiality is maintained; and
next.
• Access to data - data contained in the student's personal file must be subject to strict confidentiality. Approach
data should be provided to legal guardians (child if mature enough) and must be strictly regulated and limited to
school authorities, school inspectors, health professionals, social workers and law enforcement agencies.
In some cases, it is also sufficient to provide data in an anonymised form. In the opinion of the office schools and school facilities
are entitled to provide data from the student's documentation only to persons who can prove their claim on the basis of authorization
stipulated by a special law. It is always necessary to consider all risks when providing co-operation, to prevent unauthorized ones
persons to view and read in the student's documentation, to prevent unauthorized copying, data transfer, modification or deletion
records and put in place measures to identify and verify to whom the data have been made available. The main subjects with which you get school
the data exchanged are other state authorities, other schools and school facilities and social protection authorities. The most important aspects
providing data are to make sure that the school is entitled to do so (based on the law, public interest, consent), or where they have
be given data guarantees its security, make sure that the persons concerned are informed of the recipients. If data is sent
by e-mail, make sure it is your work e-mails, or use encryption in case you make a mistake in the recipient
there is no potential risk to the rights of the persons concerned. Do not provide by phone, e-mail or in person without verification,
that you are communicating sensitive data to an authorized person.
• Not every teacher or non-teaching staff has access to all the data that the school processes, but only to the data that the
he desperately needs for his work. For example, a class teacher has access to the data of students and their parents only within him
only the educational counselor has access to the assigned class, to the data on the pupil's health status, to the examination reports and assessments,
leading pedagogical staff, class teacher. The school principal, deputy principal, control bodies are likely to have
access to the entire database. The parent has the right only to access data about his child.

Page 13

9. Mediation contracts - required
11. Data retention period and archiving
fulfillment of requirements according to Art. 28 GDPR. As
time
long
- inasaccordance
it
with the accepted registration
will not be possible due to the disagreement of the other in accordance with the rules of procedure and within the time limits laid down
Contracting Party, it will be more appropriate to terminate
special law. Personal information is
cooperation
with such
subject,
kept only for as long as is necessary
on the grounds that it does not meet the requirements of to
theachieve
GDPR.the purpose of the processing, including
School, resp. the school facility is responsible for
archiving.
processing of personal data, even if it is up to
processing intermediary involved.
12. Performed by a school or school facility
cross-border processing or transfers
personal data to third countries? Free movement
10. Notification obligation in case
personal data between the Slovak Republic and
privacy violations - school
guaranteed by EU Member States; basic
must, without undue delay, no later than 72
provided that personal data are processed at
hours after that about this fact
any processing operation with personal data
learned
to announce violation
protection data, both inside and outside the EU
personal data of the Office, except in the
compliance with the principle of legality, therefore, must be
when the violation is not likely
based on a legal legal basis under
will lead to a risk to the rights and freedoms of individuals
Art. 6 par. 1 GDPR.
persons. However, every incident is worth having
documented, even if not notified to the Office.
In case of high risk, the school must
13.
Voluntary
possibility certification,
also notify the persons concerned. Form for
accreditation, introduction of a code of conduct.
the notice is published on the Office's website.

