23/05/2026
TOP 5 GDPR FINES IN APRIL 2026
1️⃣ Italy: Poste Italiane S.p.A. – €6,624,000
The Italian Data Protection Authority fined Poste Italiane for excessive intrusion into users’ privacy through mandatory and disproportionate app permissions, which enabled extensive monitoring of user behaviour beyond what was necessary for service provision.
Violated law: Art. 5(1)(a), Art. 5(1)(c), Art. 6 GDPR.
2️⃣ Italy: Postepay S.p.A. – €5,877,000
Sanctioned in a parallel case for the same underlying practices as Poste Italiane: excessive access to device and usage data via mobile applications, lacking proportionality and a valid legal basis.
Violated law: Art. 5(1)(a), Art. 5(1)(c), Art. 6 GDPR.
3️⃣ Spain: UNICAJA BANCO – €400,000
The AEPD fined Unicaja Banco for inadequate technical and organisational measures to restrict access authorisations, leading to insufficient protection of personal data.
Violated law: Art. 32 GDPR.
4️⃣ Spain: AXA Seguros Generales, S.A. – €200,000
Fined for data processing without adequate security guarantees, exposing personal data to undue risks.
Violated law: Art. 32 GDPR.
5️⃣ Spain: ARES CAPITAL – €200,000
Sanctioned for unlawful employee surveillance, including monitoring via employees’ private mobile phones without a valid legal basis or proportional safeguards.
Violated law: Art. 6 GDPR, Art. 5(1)(a) GDPR.
23/05/2026
Student Rights — What Every Learner Deserves to Know About Their Data
Data protection is not only a school obligation — it is a student right. Children and young people have legal rights over the personal data schools hold about them. Schools have a duty to respect those rights and to help students understand them.
The key data rights every student has:
Right to Access (DSAR): Students — and parents on behalf of younger children — can request a copy of all personal data the school holds about them. Schools must respond within 30 days.
Right to Rectification: If data held about a student is inaccurate — a disciplinary record, an academic note, a medical entry — it must be corrected upon request.
Right to Erasure: In defined circumstances, students can request that their data be deleted. Schools must assess and respond to these requests.
Right to Object: Students can object to certain processing activities — particularly those based on legitimate interests rather than consent.
Right to Restrict Processing: Students can request that processing be restricted while accuracy is disputed or a complaint is pending.
Teach older students about their data rights as part of digital citizenship education. Respect those rights when they are exercised. Document your responses carefully.
22/05/2026
Data Protection as a School's Competitive Advantage
In a competitive educational landscape, the school that earns and maintains parent trust is the school that thrives. And in an era of rising data awareness, demonstrating strong data protection practices is one of the most powerful trust-building tools a school can deploy.
Why data protection is a strategic differentiator:
Enrolment Trust: Parents increasingly factor institutional trustworthiness into school selection. A school known for protecting student data stands apart.
Reputation Resilience: Schools with mature data practices respond to incidents more effectively — and suffer less reputational damage.
Staff Professionalism: Quality educators are attracted to schools with professional governance standards. Data protection is visible governance.
Regulatory Readiness: Strong data practices position schools favourably for inspections, accreditations, and external reviews.
Word of Mouth: Parents talk. A school that handles data thoughtfully becomes known for it — and that reputation attracts enrolment.
Make data protection a visible part of your school's identity. Tell parents what you do to protect their children's information.
21/05/2026
CCTV in Schools — Safety Tool or Privacy Risk?
CCTV cameras are increasingly common in school corridors, car parks, and entrances. They serve a real security purpose. They also create data protection obligations that most schools have never fulfilled.
What every school with CCTV must address:
Notice: Students, parents, and staff must be informed that CCTV is operating. Visible signage at every camera point is legally required.
Purpose Limitation: Footage collected for security purposes cannot be repurposed to monitor teacher performance, student attendance, or staff behaviour beyond safety.
Access Restriction: CCTV footage must be accessible only to named, authorised individuals — not to all staff, not to all administrators.
Retention: Standard best practice is 30 days of retention unless footage is relevant to an active investigation or complaint.
Classroom CCTV: Cameras in classrooms raise heightened concerns. The educational justification must be robust, parents and students must be informed, and the use of cameras must be necessary and proportionate to the risk.
A CCTV camera is a data collection device. Operate it with a policy, proper notices, access controls, and a defined retention schedule.
20/05/2026
Alumni Data — When Does Your School's Data Obligation End?
Many schools hold student records for decades after students have left — exam scripts from fifteen years ago, admission forms for students who never enrolled, medical records from students who graduated a decade back. This is not good custodianship. It is a data protection liability.
What every school must address:
Retention Limits: Data protection law requires that personal data is not kept longer than necessary for the purpose for which it was collected. Indefinite retention violates this principle.
Legacy Data Risk: Old records held without purpose are at risk of breach, misuse, and accidental disclosure — with no lawful justification for continued retention.
Alumni Programmes: If your school maintains an alumni network or contacts former students for fundraising or events, this requires specific consent from those individuals as adults.
Secure Disposal: When retention periods expire, records must be disposed of securely — not thrown in a skip or digitally deleted by dragging to the Recycle Bin.
Create a documented retention schedule for every category of student record. Set disposal dates. When the time comes, dispose of records with the security they deserve.
19/05/2026
Health Records in Schools — Who Really Needs to Know?
Schools hold significant student health information — allergies, chronic conditions, medications, mental health diagnoses, and disability documentation. This is special category data under data protection law, subject to the strictest legal protections.
The challenge: balancing access with protection.
Need-to-Know — Not Every Teacher: Not all staff need to know about a student's mental health diagnosis. Identify specifically who needs what health information to perform their role.
Emergency Access: Critical information (severe allergies, emergency medication protocols) must be accessible quickly in an emergency — but secured at all other times.
Tiered Health Information: Consider a tiered model — emergency health information available to all staff who may encounter the student in an emergency; detailed medical records restricted to pastoral and medical leads only.
Parental Updates: Health information changes. Schools must have a clear process for parents to update records and for those updates to reach relevant staff promptly.
Staff Conversations: Discussions about student health must always occur in private, among relevant staff only.
Apply the minimum necessary principle. Share health information only with those who need it to keep the student safe.
18/05/2026
Disciplinary Records — Sensitive Data with Lasting Consequences
A student's disciplinary record is among the most sensitive data a school holds. Mishandled, it can follow a child for years — affecting school transfers, university admissions, and future employment.
Why disciplinary records require exceptional care:
Proportionality: Not every disciplinary incident warrants a permanent formal record. Minor incidents resolved informally need not be documented in a student's permanent file.
Restricted Access: Disciplinary records must be accessible only to staff with direct educational responsibility for the student — not to all teaching staff, administrative staff, or support staff.
Defined Retention: Minor incidents should have short retention periods. More serious incidents may be retained longer. All records must eventually be destroyed securely.
Transfer Discipline: When sharing records with another school, share only what is genuinely necessary for the receiving school to safeguard and educate the student — not an exhaustive history.
Student Rights: Students and parents have the right to know what disciplinary records are held and, in some cases, to challenge inaccurate entries.
Disciplinary records are not character verdicts. They are time-limited data that must be handled with restraint and care.
17/05/2026
Parent Communication — Data Protection in Every Message Your School Sends
Every message your school sends to parents involves the processing of personal data. This is true whether the message goes by email, SMS, WhatsApp, or paper circular. Most schools have never examined these processes through a data protection lens.
The data protection issues in school communications:
Mailing List Security: Parent email and phone lists are personal data. Who manages them? Are they accurate and current? Are they stored securely?
BCC Is Not Optional: Mass emails must use BCC. Sending to all parents in the TO field exposes every parent's email address to every other parent — a data breach.
Individual vs. Mass Communication: Information about a specific student must never appear in a mass communication. This seems obvious — yet it happens.
Communication Preferences: Parents must be able to update their contact details and communication preferences, and schools must act on those updates promptly.
Retention of Communication: Email correspondence with parents is a record. How long do you retain it? Is it stored securely?
One poorly sent mass email can expose hundreds of parents' contact details and constitute a reportable data breach. Review your practices today.
16/05/2026
Photography in Schools — Capturing Moments Without Violating Rights
School life generates hundreds of photos — sports days, prize-givings, class photos, graduation ceremonies. These are precious memories. They are also personal data, and posting them online without consent can cause real harm.
What every school must get right about student photography:
Parental Consent Is Required: Explicit parental consent must be obtained before photographing children and publishing their images publicly.
Social Media Is Not Risk-Free: Photos on school social media pages can be downloaded, saved, cropped, and misused by anyone who sees them.
Some Students Must Not Be Photographed: Families in domestic violence situations, custody disputes, or witness protection may face genuine safety risks from online publication of a child's image.
Third-Party Photographers: Parents taking photos at school events and professional event photographers both operate within your school's data protection framework. You must manage their activities.
Commercial Use: Using student photos in school marketing or commercial materials requires separate, specific consent.
Integrate photography consent into enrolment. Review it annually. Never post a child's image online without documented, specific consent.
15/05/2026
Special Educational Needs Data — Handle with Extreme Care
Students with learning disabilities, developmental conditions, mental health needs, and physical health challenges generate data that falls into the most sensitive legal categories. This data demands extraordinary protection.
Why SEN data requires the highest standard:
Special Category Status: SEN records typically intersect with health data — the most legally protected category under Act 843.
Need-to-Know Principle: Only staff directly responsible for a student's educational support should ever access their SEN records.
Stigma and Discrimination Risk: Inadvertent disclosure of a student's learning difficulty or mental health need can lead to bullying, exclusion, and lasting harm.
Parental Expectations: Families share this information in confidence, expecting it to be protected rigorously and used only to support their child.
Separate Storage: SEN records should be stored separately from general academic records, with more restrictive access controls.
A student's learning difficulty is their private medical information. Every person in your school who handles it is a data steward with a profound responsibility.