Home / Legal Publications / GDPR Enforcement Tracker Report / Public Sector and Education

Public Sector & Education

In the public and education sector, DPAs from 25 different countries (+1 in comparison to the 2023 ETR) have imposed a total of 243 fines (+52 in comparison to the 2023 ETR) on representatives of local governments (such as mayors), police officers, schools, universities and other public bodies or educational institutions amounting to a total of more than EUR 27.5 million (+3.4 million in comparison to the 2023 ETR).

Mainly consistent with the overall distribution of GDPR fines in the Enforcement Tracker, fines related to insufficient legal bases for data processing (83 fines in total) and insufficient technical and organisational measures (68 fines in total) cover the majority of fines in the public and education sector. The overall second largest type of GDPR violation (non-compliance with general data processing principles) is less relevant in the public sector and in education but has increased significantly in the recent past (47 fines in total).

Let's take a closer look

  • Since the Covid-19 pandemic, the use of digital products (e.g. messenger apps or video conferences tools) by universities or schools, in particular for holding online classes and examinations, increased significantly. In this context, numerous fines for the violation of the GDPR were issued for the use of software products/IT systems. For example, the Italian DPA (Garante) imposed a fine of EUR 200,000 on Bocconi University for the use of a remote monitoring software in online examinations (ETid-876). Although students were video monitored and snapshots were taken of them, they were not properly informed of the data processing. In other cases, fines were imposed on schools that processed special types of personal data such as biometric information (e.g. using facial recognition technology for monitoring student attendance, see ETid-67). DPAs have been especially critical of potential harm to children's data: The Icelandic DPA (Persónuvernd) imposed fines between EUR 13,300 and EUR 20,000 against five municipalities who had used a digital education system in schools but e.g. failed to provide a data processing agreement compliant with the GDPR. In these cases, particular consideration was given to the fact that children's data were affected (ETid-2139, ETid-2140, ETid-2141, ETid-2142, ETid-2153).
  • The number of fines regarding the processing of health data has also increased, in particular due to COVID-19 related violations. The Italian DPA imposed a fine of EUR 100,000 on the Veneto Region (ETid-1669). The Region, in the context of COVID-19 containment measures, had provided lists of information on unvaccinated employees (medical and nursing staff) to various healthcare facilities and the physicians in charge. The DPA found that the Region did not have a valid legal basis for such systematic disclosure of the lists to the physicians and that only the disclosure of the lists to the health authorities was covered by the legal decree in force at the time. Further, the Italian DPA also imposed a fine of EUR 176,000 on the city of Rome (Roma Capitale; ETid-1914) and a fine of EUR 239,000 on the administrator of several cemeteries in Rome (Ama S.p.a.; ETid 1915). The city had provided data of women who had abortions to the cemetery administrations, which then included the data on boards placed on the graves of the fetuses. The DPA found that the disclosure of the women's personal data was unlawful, as the related law only provides for the provision of the data of the deceased.
  • The highest fine in the public and education sector to date was issued by the Portuguese DPA, which sanctioned the Portuguese National Statistical Institute with a fine of EUR 4.3 million for numerous violations of several general data processing principles of the GDPR in connection with the 2021 census in Portugal (ETid-1524). The controller did not inform the data subjects about the voluntary nature of providing their religious and health data. Further, the controller had failed to exercise due diligence in selecting its processor, contrary to its obligation under Art. 28 GDPR, and had permitted the transfer of personal data outside the EEA without providing for additional security measures besides the European Commission's SCCS, as required under the Schrems II ruling. The DPA considered this to be a breach of Art. 44 GDPR and Art. 46 (2) GDPR. Finally, no data protection impact assessment was carried out for the census.
  • The second highest fine was issued by the Dutch DPA (AP), which sanctioned the Dutch Tax and Customs Administration in 2022 with a fine of EUR 3.7 million (the highest fine ever imposed by AP) for processing personal data such as health, citizenship and criminal personal data of more than 270,000 individuals (including minors) in a risk-of-fraud-list without a valid legal basis and appropriate technical and organizational measures to ensure adequate protection (ETid-1124). The data were stored for several years against the principle of storage limitation and contrary to the retention period established in the list. Further, a large number of individuals were falsely registered as possible fraudsters and the risk of fraud was also determined in a discriminatory manner based on the nationality and appearance of the data subject, among other factors. The processing of the data in the list had not been necessary for the proper performance of the administration's tasks. Also, the administration had violated the principle of purpose limitation.

Main takeaways

Public authorities have a special position of trust that requires particularly strict compliance with data protection laws and an outstandingly high level of data security. The same applies to schools and other educational establishments, in particular those that process personal data of minors. DPAs appear to have increased scrutiny of the public and education sector since the 2020 ETR, in particular in connection with the use of technology (e.g. online education tools used in schools and universities). It seems likely that this trend will continue in the future.

Further, the number of fines in the public sector for violations of data protection laws regarding the processing of sensitive data in general (especially health data) as well as profiling and tracking or surveillance of individuals continues to grow. In this context, it is notable that the highest and the second highest fines in the public and education sector result from an extensive and systematic collection and processing of personal data (including sensitive data) of citizens, mainly for statistical and profiling purposes.