APD/GBA (Belgium) - DOS-2022-02223

APD/GBA - DOS-2022-02223
Authority:	APD/GBA (Belgium)
Jurisdiction:	Belgium
Relevant Law:	Article 5(1)(a) GDPR Article 6(1)(e) GDPR Article 8(1) GDPR Article 9(2)(a) GDPR
Type:	Complaint
Outcome:	Upheld
Started:	18.05.2022
Decided:	18.04.2025
Published:	19.04.2025
Fine:	n/a
Parties:	parent School Knowledge center Z
National Case Number/Name:	DOS-2022-02223
European Case Law Identifier:	n/a
Appeal:	Unknown
Original Language(s):	Dutch
Original Source:	GBA (in NL)
Initial Contributor:	Zibulateur

The Belgian DPA reprimanded a school for infractions on Article 5.1(a), Article 6.1(e), Article 9.2(a) and clarified the interpretation of Article 8.

English Summary

Facts

A complaint was filed on May 18, 2022, by a parent (the complainant) against a school (the respondent) for conducting an online survey about drug and alcohol use, gaming, and gambling among minor students. The complainant argued that the data was not processed anonymously and that his daughter's data was processed without the required free, informed consent.

Parents were informed that their children would participate in an online survey about drug and alcohol. In case parent did not want their children to participate they could opt out. One of the parents requested more information and was invited to the school for a meeting. The school claimed that as the survey was anonymously GDPR was not applicable. Additionally the school claimed they were not organizing the survey but the knowledge center Z was

On May 18, 2022 the parent filed a complaint with the DPA against the school and the knowledge center for following

Consent: The complainant claimed that the data of his daughter was processed without obtaining the required free, informed consent. This was particularly concerning because the survey involved processing sensitive health information, which requires explicit consent. Controller identification: The school was the data controller and failed to ensure anonymous data processing and proper consent, the knowledge center was a joint controller. Lack of Anonymity: The complainant argued that the data collected was not processed anonymously. This, according to the complainant, violated the principle of minimal data processing.

The DPA only proceeded with action against the school not the knowledge center.

The school argued that the data was anonymous and thus GDPR was not applicable. If GDPR would be applicable they (the school) were not the data controller, but rather the expertise center Z was responsible.

Holding

The litigation chamber determined that the school was indeed the data controller as per the Codex Secondary Education. The school was responsible for ensuring the legality of data processing, including obtaining explicit consent for processing health-related data. The Chamber found that the school did not adequately ensure the anonymity of the data and failed to obtain proper consent, thus violating GDPR principles.

Articles Violated:

Article 5.1(a): Lawfulness, fairness, and transparency. Article 6.1(e): Processing necessary for the performance of a task carried out in the public interest. Article 9.2(a): Explicit consent for processing special categories of personal data (health data).

The DPA also clarified the interpretation of Article 8 GDPR, which concerns the conditions for consent for children in relation to information society services, was not applicable in this case.

Although the DPA identified Article 6.1(e) GDPR as correct legal basis they stressed that explicit consent under Article 9.2(a) GDPR is still required.

Corrective Measures:

The school must clarify its role as the data controller and ensure compliance with GDPR, including obtaining explicit consent for processing health data.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

1/14

Dispute resolution

Decision 70/2025 of 18 April 2025

File number: DOS-2022-02223

Subject: Questioning of minor pupils about substance abuse, gambling and

gaming in the context of developing a health policy at school

The Dispute Resolution of the Data Protection Authority, composed of Mr

Hielke HIJMANS, chairman, and Mr Dirk Van Der Kelen and Mr Jelle Stassijns, members;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
on the protection of natural persons with regard to the processing of

personal data and on the free movement of such data, and repealing

Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as the "GDPR";

Having regard to the law of 3 December 2017 establishing the Data Protection Authority,
hereinafter referred to as “WOG”;

Having regard to the internal rules of procedure, as approved by the Chamber of

Representatives on 20 December 2018 and published in the Belgian Official Gazette on

15 January 2019;

Having regard to the documents in the file;

Has taken the following decision regarding:

Complainant: X, hereinafter referred to as “the complainant”

Defendant: Educational institutions Y, hereinafter referred to as “the defendant” Decision on the merits 70/2025 — 2/14

I. Facts and procedure

1. On 18 May 2022, the complainant lodges a complaint with the Data Protection Authority against

the defendant.

2. The subject of the complaint concerns the online questioning via Smartschool of underage pupils about drug and alcohol use, gaming and gambling in order to develop a health policy at school. The complainant argues that there would be no anonymous data processing, which would violate the principle of minimal data processing. Furthermore, he states that his daughter's data is being processed without the required free, informed consent, which is all the more important given that the questioning involves processing information about his daughter's state of health for which explicit consent is required.

3. On 31 May 2022, the complaint is declared admissible by the First Line Service on the basis of

Articles 58 and 60 WOG and the complaint is transferred to the Dispute Resolution Chamber on the basis of Article 62, § 1 WOG.

4. On 2 February 2023, the Dispute Chamber decides on the basis of Article 95, § 1, 1° and Article 98

WOG that the file is ready for consideration on the merits and the parties involved are notified by registered mail of the provisions as stated in

Article 95, § 2, as well as those in Article 98 WOG. They are also notified on the basis of Article 99

WOG of the deadlines for submitting their defences.

The deadline for receipt of the defendant's conclusion of reply was set at 16 March 2023, that for the complainant's conclusion of reply at 6 April 2023 and that for the defendant's conclusion of reply at 27 April 2023.

5. On 3 February 2023, the complainant indicated that he wished to make use of the possibility

of being heard, in accordance with Article 98 WOG.

6. On 15 February 2023, the defendant requested a copy of the file (Article 95, § 2, 3°

WOG), which was sent to him on 16 February 2023, and the defendant

electronically accepted all communication regarding the case.

7. On 16 March 2023, the Dispute Chamber received the defendant's conclusion of reply. In essence, it is argued that the defendant does not act as a controller, and that the data are anonymous to which the defendant does not consider the GDPR to apply and that the principle of minimal data processing has been met. The defendant also states that Article 8 of the GDPR (Conditions for the consent of children in relation to information society services) does not apply. Decision on the merits 70/2025 — 3/14

8. On 3 April 2023, the Dispute Resolution Chamber receives the conclusion of the reply from the complainant. The complainant confirms the defendant's assertion that the pupils did not have to use the Smartschool platform to complete the survey. In summary, the complainant further states that the defendant is the controller for all pupil data that the complainant disputes as being anonymous. According to the complainant, there is also a problem in the area of technical and organizational measures to ensure the security of student data. Regarding the legal basis, the complainant states that consent should be the legal basis and that it should be informed, clear and unambiguous.

9. On April 27, 2023, the Dispute Chamber receives the conclusion of the reply from the defendant, in which the position is reiterated as in the conclusion of the answer.

10. On June 24, 2024, the parties are informed that the hearing will take place on July 5, 2024.

11. On July 5, 2024, the parties are heard by the Dispute Chamber.

12. On July 8, 2024, the minutes of the hearing are submitted to the parties.

13. The Dispute Chamber has not received any comments from the parties regarding the minutes. On 8 July 2024, the complainant will provide the Dispute Chamber

and the defendant with the manual on the organisation of the expertise centre Z-

pupil survey, which provides the option of completing the survey from

home, to which he referred during the hearing.

II. Reasons

a) Data controller and data processing

14. The complainant has filed a complaint against the defendant, a school with his 13-year-old daughter

as a pupil. In addition, the complainant indicates in the complaint that he has also sent his comments on the

use of consent to the education umbrella organisation and the organising non-profit organisation.

15. The defendant claims that he does not have the capacity of data controller, but states that the expertise centre Z acts as data controller

for the pupil survey. 1
16. The Dispute Chamber establishes that the Code of Secondary Education serves as a starting point

when determining the body to which the capacity of controller

1 Codification of 17 December 2010 concerning secondary education, coordinated on 17 December 2010 Decision on the merits 70/2025 — 4/14

should be attributed. This concerns in particular Article 123/22 of this Code 2

which states that the school is obliged to develop a policy on

pupil guidance that is tailored to the needs of the pupil population and the

context in which the school is located. As the defendant points out, the Flemish

Ministry of Education and Training provides schools with tools for drawing up a policy on

pupil guidance and also for drawing up an alcohol and drugs policy at

school. 3

17. The intended purpose is thus laid down in the relevant article 123/22 of the Codex

Secondary Education, namely the development of a policy on pupil guidance

tailored to the needs of the pupils and the context of the school. The realisation of this

purpose is explicitly attributed to the school in this provision of the Codex.

This means that drawing up an alcohol and drugs policy at school is a task that

is assigned to the school in the context of the development of a policy on

pupil guidance. Based on this provision in the Codex, this purpose must therefore

be regarded as being specific to the school, since the school is explicitly

designated in this provision as the body that determines the purpose of ‘development of a policy on

pupil guidance’, including a policy on alcohol and drugs. The purpose of

the processing is thus laid down in the Codex. The school can be considered as the controller, since it has been designated by law for the
4
realisation of this objective, this public task.

2
Art. 123/22. The school develops a policy on pupil guidance that is tailored to the pedagogical project, the needs of the pupil population and the context in which the school is located. The policy on pupil guidance includes the
guidance of pupils, supporting the actions of the teaching staff, the policy for the
prevention of isolation and fixation and for the phasing out of it, referred to in Article 123/24/1, if the school or centre
develops a policy on this, and the coordination of all pupil guidance initiatives at school level. The school
implements, evaluates and, if necessary, adjusts that policy. To strengthen that policy, the school implements a
professionalisation policy. The school designates one or more staff members within its staff framework who are charged with pupil guidance in whole or in part.
When drawing up and evaluating the policy on student guidance, the school involves relevant partners. For additional
substantive expertise, the school calls on the centre for student guidance. Pre-school support, the school seeks

external support from the pedagogical guidance service, possibly in collaboration with an external service.
For expertise relating to education for students with specific educational needs, the school involves the
learning support centre.
A policy on student guidance meets the following principles:

1° the interests of each student are central;

2° it is developed participatively and is supported by the entire school team;
3° it is goal-oriented, systematic, planned and transparent;

4° it is implemented discreetly;

5° it is clarified who takes on which task in the student guidance, mentioning the competent staff,
mentioned in article 123/24/4, § 1, 3°, if there is a policy for the prevention of isolation and fixation and for its reduction,
mentioned in article 123/24/1. 3 https://onderwijs.vlaanderen.be/nl/directies-en-administraties/onderwijsinhoud-en-leerlingenbegeleiding/ tweede-

onderwijs/schoolondersteuning-bij-grensstijgen-gedrag/alcohol-en-drugsbeleid-op-school
4 As set out in Guidelines 07/2020 on the concepts of “controller” and “processor” in the GDPR
(paragraphs 22-24): https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-072020-concepts-
controller-and-processor-gdpr nl. Decision on the merits 70/2025 — 5/14

18. In addition, Article 123/22 of the Code also determines the means that the school must use

to achieve the intended objective. These means are: firstly, involving relevant partners in the preparation and evaluation of the policy on

pupil guidance, and secondly, seeking external support from the

pedagogical guidance service, possibly in collaboration with an external service for the

purpose of school support.

19. It follows from this that both the purpose and the means are legally determined and

attributed to the school, which thus acts as the controller within the meaning of

5
Article 4, 7) GDPR.

20. After all, in order to achieve the intended purpose, the Code stipulates that the

school must involve relevant partners and engage an external service for support. As the defendant points out, the external service expertise centre Z

is recommended by the Flemish Ministry of Education and Training. It follows that the school is not under any obligation to have the student survey and the associated data processing carried out by the external service, expertise centre Z. It is therefore up to the school to make use of the free choice of expertise centre Z. This is confirmed in article 1 of the contract concluded between the defendant on the one hand and expertise centre Z on the other, which states that the school voluntarily participates in the student survey. This means that not only the purpose of student guidance that must be achieved by the school and is therefore entirely specific to the school, but also the means to that end are determined by the school. After all, it is the school that determines how the personal data of its students will be processed in order to achieve this purpose and that decides to make use of an external partner, in this case expertise centre Z, who will carry out this data processing on its behalf. 21. It is therefore the responsibility of the school to monitor the

processing of the personal data of its pupils in accordance with the

GDPR, in particular when the school decides to have the data processing carried

out by expertise centre Z and these data, as in the present case, may

lead to the processing of sensitive information. In this context, a contract was

concluded between the defendant on the one hand and expertise centre Z on the other. This shows

5
Article 4 GDPR.
For the purposes of this Regulation, the following definitions apply:

[…]
7) ‘controller’ means the natural or legal person, public authority, agency or other
body which, alone or jointly with others, determines the purposes and means of the
processing of personal data; where the purposes and means of such processing are
determined by Union or Member State law, that law may provide for the controller or the specific criteria for
its nomination; [own underlining] Decision on the merits 70/2025 — 6/14

that expertise centre Z can process the data obtained through the

student survey after having been commissioned by the school

as the controller. expertise centre Z can therefore be regarded as a

processor within the meaning of Article 4, 8 GDPR.

22. In accordance with article 123/22 of the Code, it is also fully in line with the

designation of the school as controller that is included in the mutual

relationship between the defendant and expertise centre Z 6 that the

defendant itself is responsible for compliance with the legal basis on which the

student survey is based, because the defendant itself must obtain the

consent of the students over the age of 13, or of the parents or guardian for

students under the age of 13. The required prior information must also be

provided by the school itself. Furthermore, the mutual relationship between the parties

also stipulates that no one, not even the teacher(s), may look at the

answers or the screen of the students during the survey, neither physically nor via

PC monitoring. It is stated that the questionnaire asks for sensitive and personal

health data, which means that the student must be able to answer honestly with

respect for privacy. The relevant document adds that failure to

comply with the applicable legislation in this regard may have legal consequences for the

school. The Dispute Chamber notes that the parties hereby acknowledge

that the school acts as the controller, since the school is responsible for

compliance with the applicable provisions of the GDPR, and that the legal consequences that

may possibly result from failure to comply with the required principles and guarantees

regarding data processing must be attributed to the school and therefore not to

expertise centre Z, which does not have the capacity of controller or

joint controller.

23. The defendant himself, as controller, is responsible for the lawfulness of

the data processing. To this end, he himself requests the consent of the data subjects

in order to have a valid legal basis for the processing (Article 6 GDPR).

Since it often also concerns special personal data concerning health,

Article 9 GDPR must also be complied with. The defendant is also responsible for providing the essential information to the data subjects (Article 13 GDPR) regarding the processing of data

(i.e. collection of information on substance use, gambling and gaming; only for scientific purposes; determination of the retention period, no

access to the personal data due to the lack of possibility of re-identification
of the students, both on behalf of the school and of expertise centre Z).

6See the document: “Organising the expertise centre Z student survey: manual” referred to

in the contract between the defendant and expertise centre Z. Decision on the merits 70/2025 — 7/14

24. It follows from all these factual elements that the defendant undeniably

establishes the essential means of data processing. The defendant argues that he only follows the method of expertise centre Z to have pupils participate in the survey in order to state on that basis that the essential resources are not determined by him, but by expertise centre Z. The defendant argues that expertise centre Z determines which questions are asked, who can process the answers, which schools can participate, how the survey will be conducted, which reports are made, and that expertise centre Z has decided to offer the pupil survey digitally and no longer on paper. 

25. The role of expertise centre Z is limited to determining non-essential resources. The Dispute Chamber establishes that, with regard to the preparation and the actual taking of the survey, the role of expertise centre Z is limited to providing the school with the necessary instruments, such as a model document to be adapted by the school regarding informed consent to those involved, as well as a manual on the practical organisation of the survey with an accompanying instructional video and instruction card for both teachers and pupils. This concerns purely practical aspects relating to the pupil survey that expertise centre Z makes available as an external supporting partner based on its expertise in organising such a survey. The choice for a digital survey instead of a paper survey also belongs to such non-essential means.
Regarding the questionnaire that expertise centre Z provides to the school to conduct the

pupil survey, the Dispute Chamber notes that this list constitutes the concrete

elaboration of the objective intended by the school as laid down in article 123/22

of the Code. This questionnaire must therefore be regarded merely as the

concretisation of the category of personal data to be processed by the school that is

necessary for the purpose of drawing up an alcohol and drugs policy

at school, albeit based on the knowledge and experience of

expertise centre Z regarding the elaboration thereof.

26. Because the defendant has chosen to call on

expertise centre Z as an external partner that offers support for the student survey,

the defendant has chosen to have the student data processed

by expertise centre Z, where, after collection, the data from the completed questionnaires

are stored on an external server, in an aggregated database.

27. The contract concluded between the defendant and expertise centre Z stipulates that

expertise centre Z processes the collected data of the school if it has sole access

7 Guidelines 07/2020 on the concepts of “controller” and “processor” in the GDPR (paragraphs 39 et seq.):
https://www.edpb.europa.eu/our-work-toodocuments/guidelines/guidelines-072020-concepts-controller-and-
processor-gdpr nl Decision on the merits 70/2025 — 8/14

to the data in an anonymised database. It also stipulates that no one, not even

expertise centre Z, can link the individual results to a specific person.

In addition, no one, except expertise centre Z, can link the school data to the

school, because each school is given a unique code that only expertise centre Z knows. The

school receives a report from the expertise centre Ze with the anonymous results of

the school, which helps the school to gain insight into the world of the pupils

who attend the school in order to plan a preventive offer tailored to these results.

This is sufficient reason for the defendant to state that no

personal data is being processed on his behalf.

28. In this regard, the Dispute Chamber recalls that it is not necessary

for the controller to have actual access to the data that is being

processed. Someone who outsources a processing activity and has a decisive influence on the

purpose and means of the processing must be considered the controller, even if he or she never

actually has access to the data. The Court of Justice of the European Union has

confirmed this in the judgment in IAB Europe. The anonymous reporting based on the

aggregated data processing carried out by expertise centre Z in response

to the information collected by means of the student survey, does not

detract from the fact that the defendant does indeed act as the controller.

29. The Dispute Chamber points out that it is established that the student survey, at the time

it is conducted, implies the processing of personal data because the school collects information

provided by the students via the questions asked. The fact

that the defendant uses the method whereby the student, after logging in, must

adjust his login details by means of the assigned unique login code, in the

sense that a new password must be chosen, but with retention of the

user name, does not change this. Each participating student initially

provides information relating to his person by means of the answers to the questions

asked. The Dispute Chamber judges that the whole of the answers is normally

so specific and specific to a specific person, such that that person is

identifiable. In addition, the contract concluded between the

defendant and expertise centre Z stipulates that a unique code is generated per pupil

with which the pupil can log in to the school computer or to their own

computer, mobile phone or tablet. Furthermore, this contract also stipulates that for students who do not have their own mobile phone

8
Guidelines 07/2020 on the concepts of “controller” and “processor” in the GDPR (paragraphs 44-45):
https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-072020-concepts-controller-and-
processor-gdpr_nl
9 Judgment of 7 March 2024, C-604/22, ECLI:EU:C:2024:214, para 69. Decision on the merits 70/2025 — 9/14

, the school must provide the possibility of completing the questionnaire in the

computer room. In order to facilitate the creation of the login codes,

the school must provide expertise centre Z with an Excel list with the first name and class code of

all students. These elements do not indicate that there is anonymous

10 11
data within the meaning of Article 4.1 GDPR and Recital 26 GDPR. In contrast, the defendant only

states during the hearing that the survey was conducted in the

school and that the pupils who were not present at school within the

intended time slot did not participate in the survey. The defendant adds that the

school has one internet line with one IP address, so that no unique person can be

identified on the basis of the IP address used for completing the survey. The

claim that pupils could only participate from the school via a single IP address was

however not substantiated by the defendant.

30. The Dispute Chamber notes that the defendant in no way makes it

plausible that the anonymity of the processed data is guaranteed. The defendant states in the

conclusion that since the survey came from expertise centre Z and it was clearly stated by

expertise centre Z that this survey was completely anonymous and that no one

could deduce from the data or the results who provided which information, the

defendant decided to participate in the research. In this context, the

Dispute Chamber points out that Article 5.2 GDPR provides for an accountability obligation on the part

of the controller, in this case the defendant, as explained above.

The Dispute Resolution Chamber considers that if the defendant considered anonymous data processing by Expertise Centre Z sufficient to achieve the intended purpose, the defendant should have ensured that the data of the

10Article 4 GDPR:

For the purposes of this Regulation, the following definitions shall apply:

1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data
data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in

particularly by reference to an identifier such as a name, an identification number,

location data, an online identifier or to one or more factors specific to the physical,

physiological, genetic, mental, economic, cultural or social identity of that natural

person; 11
Recital 26 GDPR:
The principles of data protection should apply to any information relating to an identified or identifiable
natural person. Pseudonymised personal data which can be attributed to a natural person by
using additional information should be considered as data relating to an identifiable natural person.
In determining whether a natural person is identifiable, account should be taken of all the means
which are reasonably likely to be used by the controller or by another person to
identify the natural person, directly or indirectly, such as selection techniques. In determining whether
means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the
costs and time required for identification, taking into account the technology available at the time of the
processing and technological developments. The
data protection principles should therefore not apply to anonymous data, namely data which

does not relate to an identified or identifiable natural person or to personal data rendered
anonymous in such a way that the data subject is not or no longer
identifiable. This Regulation therefore does not cover the processing of such anonymous data, including for statistical or research purposes.
12Article 5.2. GDPR: The controller shall be responsible for and be able to demonstrate compliance with paragraph 1

(‘accountability’). Decision on the merits 70/2025 — 10/14

students would indeed be processed anonymously by expertise centre Z and that

the necessary technical and organisational resources were deployed for this purpose by

expertise centre Z.

31. Because the defendant states in his defence that he did not act as

controller, the Dispute Chamber must determine that the defendant

did not carry out this assessment under Article 5.1 e) and f) GDPR in conjunction with Articles 24.1 and 28.1 GDPR.

In the absence of documents in the file concerning the extent to which the necessary technical and organisational measures were or were not provided, the

Dispute Chamber limits itself solely to this comment. The same applies to the assessment against

Article 5.1 c) GDPR. Although the defendant indicates that an anonymous survey is sufficient

to achieve the intended objective, in the absence of documents to support the

anonymity of the pupils concerned, it cannot be verified whether the principle of minimum data processing

was respected (Article 5.1 c GDPR). It is not clear from

the documents in the file whether a substantive combination of the answers to the questions

can lead to re-identification of a pupil or not. It is also clear how the anonymity of the pupils is ensured if

an Excel list with the first name and class code of all pupils must be provided by the defendant to

expertise centre Z per pupil and a unique code is generated with which the pupil can log in on the school computer or on their own computer, mobile phone or

tablet.

32. The Dispute Chamber decides that although the defendant, as the controller, can call on expertise centre Z

for substantive support, this does not make expertise centre Z a controller,

jointly with the defendant. 14

b) Lawfulness of the processing

33. The development of a policy on pupil guidance is an obligation imposed

on the school, which is based on article 123/22 of the Codex

13Article 24.1 GDPR. Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in

compliance with this Regulation. Those measures shall be reviewed and, where necessary, updated.

Article 28.1 GDPR.

Where processing is carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and
organisational measures in such a way that processing meets the requirements of this Regulation and
protects the rights of the data subject.

14 See, in the same vein, Decision on the substance 31/2020 of 16 June 2020 Decision on the substance 70/2025 — 11/14

Secondary Education. In article 3, 17°/1/1 of the Codex

15
SecondaryEducation, student guidance is understood to mean a set of preventive and supportive measures.

Student guidance is situated in four domains: the educational career, learning and

studying, psychological and social functioning and preventive health care. The

measures always start from an integrated and holistic approach for the

four guidance domains and this from a continuum of care.

34. The defendant indicates that it has decided autonomously that this data collection

would best be done by means of an anonymous survey, in order to tailor the policy

to the needs of the student population. Here too, the defendant takes the position that the

data processing concerns an anonymous survey and that the GDPR therefore does not

apply, so that no permission needs to be requested and not even a

ground for legality is required. To this end, the defendant refers to consideration 26 of the GDPR

with regard to anonymous data processing.

35. As already explained above, the defendant does not demonstrate on the basis of documents that the

student survey already took place anonymously at the time of data collection. The

defendant, as the controller, is obliged under Article

123/22 of the Secondary Education Code to develop a policy on

student guidance. This does not in itself entail an obligation for the defendant to

survey the students, nor an obligation for the students to participate in this

survey. However, this does not alter the fact that drawing up an alcohol and drugs policy at

school, as part of student guidance, can be regarded as a task of general interest on the part of the

school. The student survey can be organised on this basis. After all, it goes without saying that alcohol and drug prevention is an important part of student guidance and, in that perspective, fits within the needs of the student population as stated in Article 123/22 of the Code. The Dispute Chamber determines that the defendant can rely on the task of general interest assigned to it (Article 6.1 e) GDPR) 16 which is anchored in a legal standard in accordance with Article 6.3 GDPR. The legal basis to be used by the defendant for the

pupil survey is therefore Article 6.1 e) GDPR, so that the defendant is thus

entitled to process the collected data or have them processed by a

processor such as expertise centre Z.

15 Codification concerning secondary education, coordinated on 17 December 2010
16
Article 6 GDPR:
1. Processing is lawful only if and to the extent that at least one of the following conditions is met:

[…]
e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; Decision on the merits 70/2025 — 12/14

36. As explained above, Article 9 of the GDPR on special personal data is also relevant. The content of the questionnaire concerns the use by the pupil in question of substances (tobacco, alcohol, cannabis, other illegal drugs, etc.) and activities (gaming and gambling), as well as the extent to which the pupils come into contact with these substances in their own environment. The answers given to these questions are used to gain insight into the health status of the person concerned and to assess the extent to which they have or do not have a healthy lifestyle. This means that it is certain that personal data are processed within the meaning of Article 9 of the GDPR, and that an exception to the prohibition on processing these personal data must therefore also apply.

37. The fact that the defendant, in the context of its task of general interest, conducts a

student survey does not exclude that the participation of the students is voluntary and that the

data collection, as part of the larger data processing that the

student survey entails after the personal data of the students

have been collected, is based on explicit consent (Article 9.2 a) GDPR).

This explicit consent is required in view of the fact that the

survey collects information about the state of health of the students, in this case also

of the complainant's daughter. The defendant, as controller, can only process the

personal data of the students if explicit consent is given. After all, none of the other

exceptions to the prohibition on processing these personal data apply.

38. The Dispute Chamber hereby clarifies that, with regard to pupils under the age of 18,

this explicit consent must be given by the parents or guardian as

legal representatives. The defendant states in the conclusion that if consent

were the valid legal basis, it would have been sufficient if the controller

could have asked the consent of the data subject himself,

in the present case the complainant's daughter, since she was already 13 years

old at the time of the facts. The Dispute Chamber clarifies in this regard that the age limit of 13

years only applies with regard to the application of Article 8 GDPR and Article 7 of the Act of 30 July 2018,

taken in implementation of Article 8.1, paragraph 2 GDPR. Both the complainant and the

defendant agree that Article 8 of the GDPR does not apply. The Dispute

Chamber agrees with this position, since the parties' defence explained that only the

information letter regarding the student survey was sent via Smartschool, while the

survey as such did not take place via Smartschool. Consequently, there is no

offer of an information society service, which constitutes an essential

17Law of 30 July 2018 on the protection of natural persons with regard to the processing
of personal data Decision on the merits 70/2025 — 13/14

condition for the application of Article 8 of the GDPR. Since Article 9.2 a) GDPR applies, the general rule (Article 488 B.W.) must be applied that for minors, including pupils under the age of 18, the consent of the parents or guardian is required for the processing of health data.

39. Since the defendant has not assumed the capacity of controller and has therefore not checked on what legal basis the student survey and the associated data processing of the participating students is based, the Dispute Chamber finds that an infringement of the principle of legality in Article 5.1a) GDPR, as well as Article 6.1.e) GDPR and Article 9.2.

a) GDPR, has been committed.

III. On corrective measures and penalties

40. It is up to the Dispute Chamber to determine, on the basis of the possibilities available to it under Article 100, § 1 WOG, the most appropriate penalty for the infringement of Article 5.1 a) GDPR, as well as Article 6.1.e) GDPR and Article 9.2. a) GDPR

41. In doing so, the Dispute Chamber takes into account to a significant extent the uncertainty that

prevailed in the mutual relationship between the defendant and expertise centre Z,

in particular regarding the question of the designation of the controller.

Since this decision of the Dispute Chamber provides clarification in this regard, it

offers the defendant the opportunity to adapt and to provide the necessary transparency

regarding the correct legal basis, namely Article 6.1 e) GDPR in order

to avoid any further uncertainty in this regard, and Article 9.2 a) GDPR

regarding the processing of health data.

IV. Publication of the decision

42. Given the importance of transparency with regard to the decision-making of the

Dispute Chamber, this decision will be published on the website of the

Data Protection Authority. However, it is not necessary for the identification

data of the parties to be made public directly for this purpose.

18
Art. 488. Civil Code: The age of majority is set at the full age of eighteen; at that age one is capable of all acts of civil life.