GDPR starter kit for schools + education

Education affects minors + special category data — strictest GDPR regime. 6 core matters: (1) BSN use: only for pupil administration (Wabb-entitled). NEVER in EdTech tools without specific authorisation. (2) EdTech suppliers (Magister, Snappet, Google Workspace for Education, Microsoft 365): all need DPA + DPIA + Schrems II TIA for US suppliers. SIVON has negotiated ready-made DPAs for education. (3) Pupil photos: UAVG Art. 5 — under 16 parental consent. Separate per medium (website, social, school photo, yearbook). Prefer opt-in per use, not "general consent". (4) Pupil tracking system: data minimisation. What is REALLY needed for education? Not everything supplier offers. (5) Parent portal: separate data per parent (especially on divorce), check custody. (6) Breach procedure: child-data breach = almost always high risk → Art. 34 parent notification + AP. Oversight: Education Inspectorate + AP coordinate. Specific guideline on digital learning resources since 2023. Fines 2024-2025: school board fined for pupil-data breach via unsafe testing software. WBTR: directors can be held personally liable.