Slovenian SA: schools must adhere to the principle of data protection by design and by default

The Slovenian Supervisory Authority (SA) launched an inspection ex officio after receiving an official notification regarding a data security breach. A school reported unauthorized access to students’ personal data by an external catering service provider contracted to supply meals at the school. The provider had been granted access to the school’s entire student database, including sensitive data such as subsidies and account balances, although it only needed the students’ names and surnames to monitor the catering services.

The Slovenian SA identified significant deficiencies in the school’s data protection practices. The external catering provider received unrestricted access to the entire student database, including unnecessary information such as subsidies and account balances. The school failed to implement appropriate measures to ensure compliance with the principle of data protection by design and by default, as required under Article 25 of the GDPR. Although the school promptly reported the breach, it failed to implement effective long-term technical and organizational measures to address the root causes and prevent recurrence. The case highlights the importance of adopting proper data protection protocols in educational institutions to ensure the security and integrity of students’ personal data.

The Slovenian SA issued a reprimand to the school and its principal, as the person responsible. The controller filed a request for judicial protection with the local court, which dismissed the request and upheld the decision of the Slovenian Supervisory Authority. The court emphasized that proper implementation of the principle of data protection by design and by default could have prevented the subsequent abusive practices, including unauthorized modifications of the data by the external provider and even potential fraud.

This example draws attention to the specific nature of the school environment, where the processing of students’ personal data requires special care. IT systems are often used in schools for various purposes—from managing school records to organizing meals. Precisely because of the complexity of such solutions, it is essential for schools, when establishing cooperation with external providers, to clearly define the scope of data access granted to providers and, by implementing adequate measures, ensure strict compliance with the data minimization principle.

NCPDP, as the national supervisory authority for personal data processing, emphasizes the responsibility of personal data controllers to comply with the legal framework on personal data protection and to ensure that data processing operations are conducted in accordance with the applicable law.