
Public Sector & Education

In the public and education sector, DPAs from 24 different countries (+2 in comparison to the 2022 ETR) have imposed a total of 191 fines (+55 in comparison to the 2022 ETR) on representatives of local governments (such as mayors), police officers, schools, universities and other public bodies or educational institutions amounting to a total of more than EUR 24 million (+9.9 million in comparison to the 2022 ETR).

Mainly consistent with the overall distribution of GDPR fines in the Enforcement Tracker, fines related to insufficient legal bases for data processing (72 fines in total) and insufficient technical and organisational measures (58 fines in total) cover the majority of fines in the public and education sector. The overall second largest type of GDPR violation (non-compliance with general data processing principles) is less relevant in the public sector and in education (29 fines in total).

Let's take a closer look

  • During the Covid-19 pandemic, the use of digital products (e.g. messenger apps or video conferencing tools) by universities and schools, in particular for holding online classes and examinations, increased significantly. In this context, numerous GDPR fines were issued for the use of such software products and IT systems. For example, the Italian DPA (Garante) imposed a fine of EUR 200,000 on Bocconi University for the use of remote monitoring software in online examinations (ETid-876). Although students were video monitored and snapshots were taken of them, they were not properly informed of the data processing. In other cases, fines were imposed on schools that processed special categories of personal data such as biometric information (e.g. using facial recognition technology to monitor student attendance, see ETid-67).
  • The number of fines regarding the processing of health data has also increased, in particular due to COVID-19 related violations. The Italian DPA imposed a fine of EUR 100,000 on the Veneto Region (ETid-1669). The Region, in the context of COVID-19 containment measures, had provided lists of information on unvaccinated employees (medical and nursing staff) to various healthcare facilities and the physicians in charge. The DPA found that the Region did not have a valid legal basis for such systematic disclosure of the lists to the physicians and that only the disclosure of the lists to the health authorities was covered by the legal decree in force at the time.
  • The first fine with regard to the Ukraine war is also noteworthy: the Portuguese DPA (CNPD) imposed a fine of EUR 170,000 on the Setúbal municipality for its collection of personal data of Ukrainian refugees (ETid-1498). On the refugees' arrival, the municipality collected various personal data, such as name, date of birth and marital status. However, the municipality had not sufficiently informed the data subjects about the data processing, had failed to implement sufficient technical and organisational measures, and had not defined a retention period for the data.
  • The highest fine in the public and education sector to date was issued by the Portuguese DPA, which sanctioned the Portuguese National Statistical Institute with a fine of EUR 4.3 million for numerous violations of several general data processing principles of the GDPR in connection with the 2021 census in Portugal (ETid-1524). The controller did not inform the data subjects that providing their religious and health data was voluntary. Further, the controller had failed to exercise due diligence in selecting its processor, contrary to its obligation under Art. 28 GDPR, and had permitted the transfer of personal data outside the EEA without providing for additional security measures beyond the European Commission's SCCs, as required under the Schrems II ruling. The DPA considered this to be a breach of Art. 44 GDPR and Art. 46(2) GDPR. Finally, no data protection impact assessment had been carried out for the census.
  • The second highest fine was issued by the Dutch DPA (AP), which sanctioned the Dutch Tax and Customs Administration in 2022 with a fine of EUR 3.7 million (the highest fine ever imposed by the AP) for processing personal data, including health, citizenship and criminal data, of more than 270,000 individuals (including minors) in a fraud-risk list without a valid legal basis and without appropriate technical and organisational measures to ensure adequate protection (ETid-1124). The data were stored for several years, contrary to the principle of storage limitation and to the retention period established for the list. Further, a large number of individuals were falsely registered as possible fraudsters, and the risk of fraud was determined in a discriminatory manner based on, among other factors, the nationality and appearance of the data subject. The processing of the data in the list had not been necessary for the proper performance of the administration's tasks, and the administration had also violated the principle of purpose limitation.

Main takeaways

Public authorities have a special position of trust that requires particularly strict compliance with data protection laws and an outstandingly high level of data security. The same applies to schools and other educational establishments, in particular those that process personal data of minors. DPAs appear to have increased scrutiny of the public and education sector since the 2020 ETR, in particular in connection with the use of technology.

As expected, the number of fines in connection with COVID-19 related GDPR violations has increased further since the 2022 ETR. We consider it likely that even more COVID-19 related violations will be registered and sanctioned in the coming years. Further, the number of fines in the public sector for violations of data protection laws with regard to the processing of sensitive data (e.g. health data), profiling and tracking or surveillance of individuals continues to grow. It seems likely that this trend will continue in the future. In this context, it is notable that the highest and the second highest fines in the public and education sector (both imposed in 2022) result from an extensive and systematic collection and processing of personal data (including sensitive data) of citizens, mainly for statistical and profiling purposes.