Spanish supervisory authority (Agencia Española de Protección de Datos – AEPD) has published an opinion on GDPR parents’ access right to their children over 18 University marks and other associated information.
Data related to University enrolment, marks or scholarship is personal data according to GDPR, and where the University is disclosing such information to the parents, the University is processing personal data, which means that it must comply with GDPR requirements and be covered by a legal basis. So what about GDPR parents’ access to their adult childrens’ student data?
Lawfulness of processing comprises other scenarios apart from consent, so even where the student has not consented the disclosing, parents may access the data. Article 6.1 (f) states that processing shall be lawful if “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child”. Due to the Regulation is quite similar to the previous one at this point, AEPD has largely relied on Court of Justice of the European Union (CJEU)’s pronouncements in this matter.
AEPD refers to ECLI:EU:C:2017:336 CJEU’s Judgment and claims that Article 6.1 (f) requirements are cumulative ones, so all of them need to be met before the disclosure of personal data in these cases:
- There are legitimate interests pursued by the controller or by a third party;
- Processing is necessary to fulfill such legitimate interests;
- Legitimate interests are not overridden by the interests or fundamental rights and freedoms of the data subject.
AEPD asserts that legitimate interests exist where the student is economically dependent, and the University is supported financially by parents. Such dependency criterion applies as well to child support scenarios and other similar ones, but, according to AEPD, it does not apply where the son / daughter is missing and there are evidences that show a lack of choice in leaving home.
Anyway, the data subject shall have the right to object, so the controller must inform about the disclosure to let him/her be aware of it. In case the individual exercises that right, the controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
