AEPD develops guidance on obligations and responsibilities for the use of mobile devices in schools

  • In education, smartphones or tablets are often used, often owned by students or their families. 
  • These devices can collect a lot of information and process it for different purposes beyond mere educational function
  • Data processing generated can seriously affect learners’ rights and freedoms and their comprehensive development
  • The report states that if a school requires students to use their personal equipment for a pedagogical activity, it may incur liability if there are breaches of the rules.
  • The Agency advises against its use in schools if the intended pedagogical purpose can be achieved through another more suitable resource
  • These guidelines are addressed to educational administrations, school management teams, teachers and families.
Responsabilidades y obligaciones en la utilización de dispositivos digitales móviles en la enseñanza

(17 September 2024). The Spanish Data Protection Agency (AEPD) has issued guidance on ‘Responsibility and obligations in the use of mobile digital devices in early childhood, primary and secondary education’, analysing the implications that the use of this technology may have and what principles schools and educational authorities must comply with in order for the processing of personal data resulting from the use of these devices to comply with data protection rules. This guidance is addressed to educational authorities, school management teams, teachers and families.

Currently, mobile phones or tablets are often used in schools, often owned by students or their families. In many cases, services and products used in schools as a teaching method process large volumes of personal data hosted in the cloud by third parties beyond the school or educational authority itself.

These devices can collect many student data, such as device identifiers, user accounts, geo-location, usage habits, etc., information that can be processed for purposes other than the educational function. In this regard, the AEPD underlines that the processing of this information must comply with the General Data Protection Regulation (GDPR).

The guidance sets out the situations that may arise with regard to the regulation of the use of mobile phones in centres (prohibiting or limiting the possibility of wearing devices; that they are used in the classroom at the request of teachers or that there is no regulation on their use) and the responsibilities involved in each of them.

Furthermore, the Agency notes that the use of smartphones and other digital devices for educational purposes, owned by learners and their families, may generate data processing that seriously affects their rights and freedoms, in particular their right to non-discrimination and education; private and family life; the physical and mental integrity of the child, the protection of his or her personal data, as well as his or her comprehensive development as an individual.

Therefore, the Agency advises against the use of smartphones and other digital mobile devices in schools if the intended pedagogical purpose can be achieved through another more suitable resource.

The AEPD stresses that, in order to comply with the GDPR, such data processing in the field of education must positively overcome the assessment of appropriateness, necessity and proportionality.

It also points out that processing operations which deviate from the purpose for which they are collected are unlawful and, in addition to administrative liability for infringements of data protection legislation, may give rise to liability for damages for which educational establishments and administrations could be jointly and severally liable.

This guidance complements the Guide to Educational Centres published by the Spanish Data Protection Agency and is in addition to other resources available in the ‘Education and minors’ area of the Agency’s website.