Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Netherlands: AP publishes advice on use of social media by educational institutions

On June 13, 2024, the Dutch data protection authority (AP) published advice on the use of social media by educational institutions. In particular, the AP highlighted that the advice was issued pursuant to a request for prior consultation by an educational institution about the use of social media apps. The educational institution in question wanted to post photos and stories on the social media platform with the permission of students and teachers.

Considerations when using social media and controllership

The AP outlined that educational institutions and the social media platform must determine their role in the processing under question pursuant to the General Data Protection Regulation (GDPR). Whether the third-party social media platform should be regarded as a joint controller or processor depends on the specific circumstances. In the case of joint controllers, the parties must make agreements determining, among other things, how data subject rights are handled. Further, agreements between joint controllers are necessary since joint processing responsibility is provided by the AP not to require equivalent responsibility but conversely does not mean that there is equal responsibility.

In addition, the AP noted that the concept of controller should be interpreted broadly to ensure the protection of data subject rights. The AP detailed that it is up to the educational institution to determine whether subsequent processing, for purposes other than those for which they are responsible, is necessary, and takes place within the framework of the GDPR.

Data transfers

The AP also considered personal data transfers to third countries outside the EEA. Notably, the AP reminded that the mere existence of Standard Contractual Clauses (SCCs) between parties does not mean that any transfer of personal data to a third country that is not subject to an adequacy decision is permitted. SCCs require that the parties guarantee that there is no reason for them to assume that the laws and practices applicable to the data importer do not comply with the SCCs. The AP provided that a Data Transfer Impact Assessment (DTIA) will have to be conducted periodically in such circumstances.

Consent as a legal basis

Finally, the AP stipulated that to use consent as a valid legal basis for processing under the GDPR, the consent must be free, specific, informed, and unambiguous. The AP clarified that consent will not be considered free if there are two unequal parties, and that this is the case in a school and student context, similar to employer and employee relationships. On the request for consent being specific, the AP provided that the controller must ensure:

  • protection against 'function creep;'
  • granularity of permission requests; and
  • a clear distinction between information about obtaining consent for processing activities and information about other matters.

Where there are joint controllers, all organizations must be mentioned in the request for consent. Consent will only be considered unambiguous if the data subject clearly demonstrates it through active behavior, with silence failing to constitute consent.

You can read the press release here and the advice here, both only available in Dutch.