Slovenian SA: schools must adhere to the principle of data protection by design and by default

  • National News

Background information

  • Date of final decision: 27 February 2025
  • National case
  • Controller: High school
  • Legal Reference(s): Article 25 (Data protection by design and by default)
  • Decision: reprimand
  • Key words: education, data protection by design and by default


Summary of the Decision

Origin of the case

The Slovenian Supervisory Authority (SI SA) opened an ex officio inspection after receiving a formal data breach notification. A school reported unauthorized access to student data by the external provider it had contracted to supply school meals. The provider had been granted access to the school's entire student database, including sensitive data such as meal subsidies and account balances, although it needed only students' names and surnames to track meals.


Key Findings

The SI SA identified significant shortcomings in the school's data protection practices. The external meal service provider had been given unrestricted access to the entire student database, including data it had no need for, such as subsidies and account balances. The school had not implemented adequate measures to comply with data protection by design and by default, as required by Article 25 GDPR. The inspection also revealed that no proper risk assessment had been carried out to identify and mitigate the risks of granting such extensive access to sensitive data. While the school reported the breach promptly, it did not implement effective, long-term measures to address the root causes and prevent a recurrence. The case highlights the importance of adequate data protection measures in educational institutions to safeguard the security and integrity of students' personal data.
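In engineering terms, the shortcoming described above is a missing least-privilege boundary between the school's database and the provider's account. The following is an added illustrative example, not code from the decision, the school or the provider; it uses PostgreSQL syntax, and the table, column and role names are assumptions chosen for the illustration. It shows the over-broad grant beside a corrected configuration that exposes only names and surnames, read-only, which would also have ruled out the unauthorized data alterations the court refers to in its decision.

```sql
-- Added illustrative example (PostgreSQL syntax), not part of the decision text.
-- Table, column and role names are assumptions made for this illustration.

-- Hypothetical student records table held by the school.
CREATE TABLE students (
    student_id      integer PRIMARY KEY,
    first_name      text NOT NULL,
    last_name       text NOT NULL,
    meal_subsidy    numeric(10,2) NOT NULL DEFAULT 0,
    account_balance numeric(10,2) NOT NULL DEFAULT 0
);

-- WEAK (the situation the decision describes): the provider's account can
-- read and modify every column of every student record.
CREATE ROLE meal_provider LOGIN PASSWORD 'placeholder-set-by-the-school';
GRANT USAGE ON SCHEMA public TO meal_provider;
GRANT ALL PRIVILEGES ON students TO meal_provider;

-- CORRECTED (data protection by design and by default):
-- 1. take the broad grant away again;
REVOKE ALL PRIVILEGES ON students FROM meal_provider;

-- 2. expose only the columns the meal service actually needs, via a view;
CREATE VIEW meal_roster AS
    SELECT student_id, first_name, last_name
    FROM students;

-- 3. grant read-only access to that view and nothing else.
--    A PostgreSQL view is checked against the privileges of its owner (the
--    school's schema owner here), so the provider can query meal_roster
--    without holding any privilege on the underlying students table.
GRANT SELECT ON meal_roster TO meal_provider;

-- 4. verification query the school can run after deployment: the only row
--    returned for the provider should be SELECT on meal_roster.
SELECT grantee, table_name, privilege_type
FROM information_schema.role_table_grants
WHERE grantee = 'meal_provider';
```

Column-level privileges (`GRANT SELECT (first_name, last_name) ON students TO meal_provider`) achieve a similar result without a view, but the view keeps the provider from seeing the table's full column list and makes the exposed data set explicit in one place, which is easier to review when the contract with the provider changes.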


Decision

The Slovenian SA issued a reprimand to the school and to its principal as the responsible person. The controller filed a request for judicial protection with the Local Court, which dismissed the request and upheld the SI SA's decision. The court emphasized that proper implementation of the principles of data protection by design and by default could have prevented the subsequent abuses, including unauthorized alterations of data by the external provider and even potential fraud.