Creative Commons

The GDPR was put into action in May 2018. It outlines key principles that must be fol-lowed for any entity that is collecting personal data related to people living in the EU [1]. One of those entities that have to comply with the new Regulation is schools. This thesis focuses on primary and secondary education‧ it covers a wide range of contro-versial issues and aims to provide a full overview of a school’s obligations and respon-sibilities against GDPR. It determines major definitions in terms of school reality, en-lightens basic blur points, and stipulates what schools as Data Controllers must do. There are proposed 12 steps that a school can follow in order to achieve accordance with the Regulation. The development of a Privacy Policy, the designation of a Data Protection Officer, the appointment of a DPIA, are some of them that are included and explained thoroughly. Topics such as Cybersecurity at schools, children’s ‘datafica-tion’, AI -Artificial Intelligence and profiling, cloud computing are broached in rela-tion to education and transparency. Moreover, the special case of distance learning in the middle of covid-19 pandemic is fully analyzed. Due to rush transition to e-learning platforms plenty GDPR issues occurred and they are presented in this thesis. Finally, a couple of possible, mainly technical, solutions are proposed to the difficulties that might emerge in the effort to build a strong GDPR school environment. The im-portance of GDPR compliance is indicated in every chapter of this assignment.