School fined for processing data about minors without parental consent

Summary

A Flemish educational institution introduced a well-being survey directed at its students who were minors. The survey was carried out using a digital SmartSchool system, which processed the students’ personal data.

An individual filed a complaint with the Belgian Data Protection Authority (DPA), claiming that the school was processing students’ personal data without parental consent and that excessive information was processed beyond the necessary scope, contrary to the principle of data minimization. The complainant also argued that the school should have conducted a data protection impact assessment (DPIA) but failed to do so.

The school argued that the data processing was lawful, referring to a legal obligation as the basis for their processing activities.

The Belgian DPA ordered the school to bring its processing activities into compliance with the GDPR and issued an administrative fine of 2,000 EUR. The decision was appealed to the Brussels Market Court and subsequently referred back to the DPA who reduced the initial fine of 2,000 EUR.

Final decision

A fine of 1,000 EUR was upheld due to the following violations:

• Excessive processing of personal data in light of the processing purpose, contrary to the principle of data minimization (GDPR, Article 5(1)(c)).

• Lacking a valid legal basis (GDPR, Article 6(1)).

• Failing to obtain parental consent for data processing related to minors (GDPR, Article 8).

Our remarks

• Compliance with the principles set out in Article 5 of the GDPR, particularly the principles of lawfulness and data minimization, is crucial as they constitute fundamental tenets of data protection. Collecting only the necessary and relevant data for the intended purpose and avoiding excessive retention periods is crucial. Violations of these fundamental provisions are likely to be considered as significant breaches by the DPA and may result in fines being imposed.

Published: 06-10-2021
Journal number: AR/2021/576
Tags: 01 Legal basis and principles of processing
Complycloud EU GDPR Report