Skip to content
Man's hand presenting a subliminal security shield and padlock
itslearning Sep 17, 20213 min read

Why GDPR matters and how it impacts schools and universities

Translation generated by an AI translation service

Privacy is a human right, and data protection laws are vital to prevent our privacy from being violated for mischievous purposes or commercial gain. But personal data also plays a key role in adopting new technologies to improve our lives and secure our wellbeing.

In 2018, the EU implemented GDPR (General Data Protection Regulation), a common data protection law, across the European Union. This article looks at what GDPR means in an educational environment.

Strengthening the rights of the individual

We live in an age where personal data is currency. Some of the biggest and most profitable technology companies in the world make their money almost exclusively from your personal data. And they are getting more and more clever about it. The financial incentives to violate the fundamental freedom to data privacy are huge. GDPR, which is among the world´s strictest data protection legislation, explicitly strengthens the individual rights of persons, and also allows supervising authorities to impose massive fines to deter companies from cashing in on the unlawful use of your data.

“Neither public nor private educational institutions are exempt from data protection laws.”

A single digital market

At the core, the EU (and the connected countries in the EEA) is a single market. For it to work, it needs to ensure the free movement of goods, capital, services and labor. Government and corporations in the union must compete on the same terms for the market to be efficient and for competition to be fair across the member states.

As itslearning can attest, providing services across the borders in EU/EEA has historically not been smooth sailing. Local law – though all based on the same EU directives – has on occasion put up obstacles to prevent companies from competing across borders when personal data has been involved.

With GDPR, the EU wants to make sure there can be one digital market, with the free flow of personal data within the EU/EEA. This is only possible if every country follows the same rule book, namely the GDPR. It is clear from Article 1.3 in GDPR, that the EU really wants us all to play by the same rules: The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.

The impact on educational institutions and their suppliers

Neither public nor private educational institutions are exempt from data protection laws. In fact, educational institutions have a particularly strong responsibility for data privacy. An extensive amount of protection-worthy personal data is processed, and the data subjects, the students, cannot object to most of this processing. Schools also have a role to play in educating their students on how to protect their own privacy in online environments.

In GDPR terms, education institutions, or school owners, are considered “data controllers”. Data controllers determine the purposes for why personal data is processed and are responsible for the data protection rights of people whose data is being processed. All school owners must ensure they adhere to their legal obligations before processing personal data.

Vendors involved in the processing, such as itslearning, are considered “data processors” and are primarily responsible for safeguarding the processing, and following the data controllers’ instructions. Educational institutions should never hand over personal data to vendors unless they have made sure that it is properly safeguarded.

To read more about educational institutions and vendor responsibilities, continue on to:

For more information on your rights as an itslearning user, please visit our webpage: itslearning is GDPR compliant. This is the second in a series of updated posts on GDPR. Read the first one ‘GDPR and the role of the data protection officer‘.