23/03/2026 | 10:00h
The Spanish Data Protection Agency (AEPD), the Catalan Data Protection Authority (APDCAT), the Basque Data Protection Authority (AVPD), and the Andalusian Council for Transparency and Data Protection (CTPDA) have developed a ten-point compliance guide that systematically outlines the basic data protection principles to be considered by educational authorities and companies offering cloud-based educational service platforms when contracting and using these platforms. These principles are also applicable to public, state-subsidized, and private educational institutions.
The use of these digital educational platforms presents specific risks and challenges for the protection of personal data. This has led to pronouncements by the Data Protection Authorities, within the framework of their respective competencies, addressed to both educational authorities and educational institutions. One of the objectives of these guidelines is to promote proactive compliance with regulations, protecting users of these services first and foremost, and creating an environment of trust and legal certainty.
Data protection authorities emphasize in the document that digital educational platforms allow students, teachers, and families to interact and collaborate for educational purposes, as well as develop digital skills and facilitate the teaching function. However, they also state that the implementation of these platforms entails a significant responsibility, as it involves the massive processing of personal data, particularly information relating to minors, which requires specific protection.
The authorities reiterate that, in addition to this enhanced protection related to the processing of minors' data as outlined in the regulations, the use of these platforms is not voluntary for students or their families. Rather, it constitutes the institutional tool provided for the exercise of the educational function, with subsequent participation by students, parents, or guardians.
The Authorities have identified 10 key points that must be taken into account: (1) Respect for rights and freedoms in the processing of personal data, (2) Determination of data controller responsibility, (3) Legitimate basis and purpose limitation, (4) Impact assessment and participation of the data protection officer, (5) Transparency and information, (6) Data processing agreement and control of sub-processors, (7) Safeguards in international transfers, (8) Data protection by design and by default, (9) Information security, and (10) Guarantee of the rights of individuals.
With the publication of this ten-point guide, the Data Protection Authorities aim to promote a preventive approach in which educational administrations, public, subsidized, and private schools, and companies that offer cloud-based educational platforms are aware of their roles and respective obligations, so that they can take the appropriate measures.
Last update: 20.03.2026