The recent decision by the Slovenian Supervisory Authority (SI SA) underscores the critical importance of adopting the principle of data protection by design and by default within educational institutions. The SI SA's investigation of a data breach at a Slovenian high school found that key safeguards had been disregarded, giving an external meal service provider unauthorized access to student information.
Key Insights:
– Comprehensive Risk Assessment: The SI SA's findings emphasized that the high school failed to carry out a thorough risk assessment. Although the external provider needed access only to student names and surnames, the school granted it full access to sensitive data such as account balances and subsidies. This oversight underscores the need for comprehensive risk assessments that identify the minimum data each recipient requires and mitigate the privacy risks of granting anything beyond it.
– Implementation of Article 25 of GDPR: The decision serves as a pivotal reminder of the obligations under Article 25 of GDPR, which mandates data protection by design and by default. This principle aims to integrate data protection into processing activities and systems by default, rather than as an afterthought. Educational institutions, like other data controllers, have a duty to restrict data access strictly to what is necessary for each processing purpose.
– Long-term Measures: Although the school promptly reported the breach, it failed to implement long-term strategies to prevent similar incidents. This case illustrates that schools and other educational entities must not only react to breaches but also establish enduring protections to prevent recurrence. Adopting robust data protection protocols goes hand-in-hand with fostering trust and safeguarding student data integrity.
– Judicial Support for Enforcement: The local court's dismissal of the school's request for judicial protection upheld the SI SA's decision, reinforcing regulatory guidance that requires meticulous adherence to data protection rules. This outcome highlights the judiciary's role in supporting supervisory authorities in enforcing GDPR requirements comprehensively.
In conclusion, for privacy professionals and data protection experts, this case exemplifies how critical data protection by design and by default is in education. Enhancing these protocols will not only align with GDPR’s demands but also fortify the safeguarding of personal data against unauthorized access and potential fraud.
Original source link: [Slovenian Supervisory Authority](https://www.edpb.europa.eu/news/national-news/2025/slovenian-sa-schools-must-adhere-principle-data-protection-design-and_en).