
How to make your school’s website GDPR and ePrivacy compliant?


Make your website GDPR compliant in the education sector

Is it important for your school to have a website that complies with the various regulations in force (GDPR, ePrivacy, etc.)?

Nowadays, your school’s website is probably the first thing that the parents of your future students or teacher candidates will encounter.

You don’t want to miss the opportunity to make a good impression!

In this article, we will review the different points you should take into consideration to have a compliant website.

Thanks to the Admeet GDPR tool for schools, simplify your website’s compliance: we have pre-encoded for you the data processing purposes specific to the education industry.

Creating or revising your school’s website

Thinking about the structure and your goals

If you decide to create or modify your school’s website, it is important that you think about the following points:

Who will use your website?

  • Students (future, current or former)
  • Parents of students
  • Teachers (prospective, current or former)

Why will they come to your site?

  • To find information about your school
  • To access a specific platform/content (requiring a user account)
  • To communicate with you (via an online form)
  • To be kept informed of your school’s news (via a newsletter or RSS feed)
  • To sign up for activities (school-related or not)
  • To apply / register

Once this is clear, you will have a better understanding of the features you will need on your site.

These features will most likely require you to collect personal information, also known as “personal data”, from individual users when they visit your site.

Impact of legislation and practices

Some personal data will be collected via cookies and other technologies that track the user on your site: see “Your school’s website and cookies”.

For all other personal data: see “Your school’s website and personal data”.

Your website, like all websites, also requires you to respect obligations or good practices not specifically related to personal data: see “The essentials for all websites”.

Your school’s website and cookies (ePrivacy)

Cookies and other trackers

Cookies are small text files placed on the website visitor’s device (computer, smartphone, etc.) and read back on later requests, which allows information about the visitor to be collected.

Traditionally, cookies are classified into families, which:

  • helps your visitors to quickly understand the overall purpose of the cookie;
  • helps you determine if you need to ask for your visitor’s consent before setting or reading the cookie.

Essential / Necessary Cookies: Enable the site to function or allow the site visitor to use the features they have requested, e.g., site security, cookie consent management. This is the only type of cookie for which no consent is required.

Functional cookies: Enable a user-friendly and personalized experience (e.g., improving site navigation).

Analytical cookies: Measure and analyze the site’s audience, e.g. number of visits to the site, most visited pages.

Marketing cookies: Present targeted advertisements based on presumed interests or try to understand your visitor’s interests.

Other technologies (trackers) can achieve the same results and therefore must follow the same rules.

Learn more about cookies and trackers:

  • on the site of the DPA (Belgian data protection authority)
  • on the site of the CNIL (French data protection authority)

What do you need to implement in relation to cookies and trackers (ePrivacy)?

In order to fulfill your obligation to inform the visitors of your site of the presence of these technologies as well as obtain their consent when necessary, you have to implement several tools:

The cookie banner

This banner appears on the website visitor’s screen and allows you to:

  • communicate a first level of information on the presence of cookies and other trackers on your site;
  • collect consent if necessary via buttons to be activated (the banner being linked to your consent management platform).

If your banner provider offers consent buttons which are activated by default, be aware that this is no longer an authorized practice. You must also avoid graphics and other techniques that misleadingly urge the visitor to accept all cookies.

Ideally, this banner includes a link to a cookie policy (or even to the data protection policy – GDPR) and is easily accessible from any page of the website without being intrusive.

The cookie policy

This cookie policy is the second level of information, in which you should address the following topics:

  • Your identity (as the organization responsible for the site and therefore for the deposit of cookies / use of trackers);
  • For each cookie / tracker:
    – its name
    – its category / family
    – whether it is essential or not (consent required if not essential)
    – the purpose(s) / objective(s) of the deposit of cookies / trackers
    – how long it remains on the terminal (session, precise duration)

The consent management platform

The consent management platform is the tool that allows you to follow up on the consents that you have or haven’t obtained.

It allows you, for example, to demonstrate that you have obtained the consent of a particular visitor at a given time for the use of certain cookies.
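The banner and consent management platform described above can be reduced to a small data model: nothing non-essential is granted until the visitor acts, every choice is stored together with the moment it was made and the policy version shown, and every script consults that record before setting or reading a cookie. The following is an added illustration written for this article, not code from the original post or from Admeet’s product; the cookie names, purposes, durations and the 180-day re-consent period are constructed assumptions.

```javascript
// Consent model for a school website: four families as named in the article.
// Added example with constructed data; not the original article's or any vendor's code.
const COOKIE_CATEGORIES = ["essential", "functional", "analytical", "marketing"];

// Constructed cookie register, mirroring the fields a cookie policy must list
// (name, family, essential or not, purpose, lifetime). Hypothetical values.
const COOKIE_REGISTRY = [
  { name: "session_id",     category: "essential",  purpose: "keep the visitor logged in to the portal", duration: "session" },
  { name: "cookie_consent", category: "essential",  purpose: "store this consent record",               duration: "6 months" },
  { name: "lang",           category: "functional", purpose: "remember the chosen language",            duration: "1 year" },
  { name: "_stats",         category: "analytical", purpose: "count visits and most viewed pages",      duration: "13 months" },
];

// Before any choice: only the essential family is allowed. This is also what the
// banner's toggles must show, i.e. nothing pre-activated for the visitor.
function defaultConsent() {
  return { essential: true, functional: false, analytical: false, marketing: false };
}

// Build the record kept by the consent management platform once the visitor
// has clicked. Only an explicit boolean `true` counts as consent; "essential"
// cannot be switched off; unknown families are rejected. `now` is injected so
// the timestamp (the "at a given time" proof) is deterministic in tests.
function recordConsent(choices, now = new Date(), policyVersion = "cookie-policy-v1") {
  const consent = defaultConsent();
  for (const [category, granted] of Object.entries(choices)) {
    if (!COOKIE_CATEGORIES.includes(category)) {
      throw new Error(`unknown cookie category: ${category}`);
    }
    if (category === "essential") continue;
    consent[category] = granted === true;
  }
  return {
    consent,
    timestamp: now.toISOString(), // when consent was given
    policyVersion,                // which cookie policy text the visitor saw
  };
}

// Gate called by every script that wants to set or read a cookie.
// A missing record means "no consent yet": only essential cookies pass.
function mayUseCookie(record, category) {
  if (category === "essential") return true;
  return Boolean(record && record.consent && record.consent[category] === true);
}

// Names of the cookies the site may currently use, derived from the register.
function allowedCookies(record) {
  return COOKIE_REGISTRY
    .filter((c) => mayUseCookie(record, c.category))
    .map((c) => c.name);
}

// Consent must be re-asked after a while; 180 days is an assumed figure, not a
// value taken from the article. A record with an unparsable timestamp is stale.
function isConsentCurrent(record, now = new Date(), maxAgeDays = 180) {
  const given = Date.parse(record.timestamp);
  if (Number.isNaN(given)) return false;
  return now.getTime() - given <= maxAgeDays * 24 * 60 * 60 * 1000;
}

// Stand-alone demonstration with a constructed visitor choice.
const demoRecord = recordConsent(
  { analytical: true, marketing: false },
  new Date("2024-09-01T08:00:00Z"),
);
console.log(JSON.stringify(demoRecord));
console.log("cookies allowed now:", allowedCookies(demoRecord).join(", "));
```

The record returned by `recordConsent` is what you would write into the first-party consent cookie and, if you keep a server-side log, what you would present to an authority asking when a given visitor agreed to which families under which policy text.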

Your school’s website and personal data (GDPR)

Personal data and GDPR

Personal data is any information that directly or indirectly identifies a human being. It can, for example, be collected via cookies, observed via trackers or directly collected via forms that you ask visitors to your site to complete.

Since 2018, the General Data Protection Regulation (or GDPR) has strengthened obligations and rights related to the use of personal data. It is therefore crucial to modify your site in accordance with your obligations in this area, if it is not already compliant.

Indeed, a website showing violations of the GDPR is very easily audited by the local data protection authority (the competent administration) or by other interested parties (consumer rights associations, activists, etc.).

Taking an interest in the GDPR is therefore essential if you want to avoid sanctions (including heavy fines) and contribute to protecting the privacy of your site’s visitors (through the compliant use of their personal data).

The privacy policy, an expression of your obligation to inform

One of your obligations, as a “data controller”, is to inform the visitors of your website about your intention to collect and use some of their personal data.

To do this, you will need to create and maintain a document called a privacy policy. Actually, you can give it any name that will be evocative for your visitors, as there is no legal obligation on this subject.

The privacy policy, its content

Here are the topics you should address in this document:

If the personal data was not received directly from the person: the categories of personal data and how it was collected.

For all personal data (whether collected directly or not):

  • Identity and contact details of the data controller (your institution)
  • Contact details of the data protection officer / DPO (if you have one)
  • What rights can the individual exercise to control your use of their personal data? How can they exercise these rights?
  • Specifically, the right for the person to make a complaint to the data protection authority (in Belgium via www.autoriteprotectiondonnees.be)
  • For each purpose (the reason why you are using their data):
    – What is the lawful/legal basis that you believe justifies your use of the personal data?
    – Is the person obligated to provide the data? If they do not provide the data, what are the consequences?
    – Who will receive the personal data within your organization (which department/function) and elsewhere (what other organization/administration would be controller or processor), in order to do what?
    – How long will you keep the personal data (a specific period of time or an objective criterion to assess this period of time)?
    – Is the data transferred to / accessed from countries outside the EU?
    – Do you use profiling or fully automated decision making based on the personal data you collect?

Privacy policy, for what usage of personal data?

At a minimum, you should address the collection and use of personal data that takes place through your site, but there is nothing stopping you from including data processing/uses that take place at other times in the life of your institution.

You can easily refer to data processing/usage that does not take place on your site itself if, for example, students use online platforms or applications as part of their education, appear in photos that may be taken as part of your activities, etc.

You can then easily link people to the website to inform them about these other uses of their data.

This document should be accessible from any page of your website.

To simplify this exercise, we at Admeet have decided to include a list of processing purposes pre-encoded according to your industry (including education) based on the recommendations (industry guidelines) of the data protection authorities in our privacy policy solution.

All you have to do is select the purposes that apply to you and continue to fill in the document!

The privacy policy is only the gateway

The obligation to inform is only one of the obligations you must respect to be compliant with the GDPR.

Other obligations consist of:

  • respecting the principles to be followed (allowing you to determine whether or not the use you decide to implement is compliant);
  • granting rights to individuals whose data you wish to use (rights they may choose to exercise and to which you must respond within 30 days);
  • implementing tools and procedures (multiple registers, mandatory documentation including the privacy policy, security measures adapted to the risks incurred by individuals, assessed by a data protection impact analysis).

These obligations apply to all your uses of personal data, not only those made on your site.

So don’t forget to identify and assess each use of personal data you make on a daily basis during the different activities of your institution, e.g. management of teaching staff files, use of an online platform for distance learning, etc.

To help you, the Belgian DPA has created a site with a wealth of information (not available in English) on the uses of data that can take place in your school, as well as pedagogical tools to address the subject with your students.

Must-haves for all websites

Here are some other topics to keep in mind when working on your website (this list is not comprehensive):

The “legal notices”

The objective of these “notices” is to allow your visitor to clearly identify who the editor responsible for the content published on the site is, and how they can contact this editor in case of questions or problems (more generally).

These notices are:

  • Name of the editor responsible for the site
  • (Name / form of the legal entity)
  • Head office address
  • Contact email address
  • (Company number “BE…” + RPM (city of registration) if legal entity)
  • Coordinates of the host of the site.

You can also add (not mandatory):

  • links to your general terms of use, which may include:
    – a clause reminding the visitor that the contents published on the site are protected by copyright and possibly granting them a (conditional) license of use;
    – a clause limiting your institution’s liability in the event of errors in content or referrals to other sites;
    – a reminder of the links to the privacy and cookie management policies.

Security of your site

You must also ensure that technical measures are in place to protect your site and the personal data of visitors who pass through it.

For more details, we refer you to our article on e-commerce sites.

The recommendations mentioned there are provided by the CNIL (France) but are quite relevant for Belgium.

Start preparing today for your new school year with a compliant website

As you can see, building and maintaining a “compliant” website (especially for the ePrivacy directive and the GDPR) is not a project that can be taken lightly.

The stakes are high (especially with the recent news about cookies and the use of new technologies in schools) both:

– for your school, in order to avoid sanctions and to position yourself as a school that takes care of the privacy of its students and teachers;

– for the users of your site who could be negatively impacted in case of a personal data breach, the famous data “leakage”.

We hope that this article has helped you to better understand the different issues requiring your attention regarding your website.

And if you’re looking for a trusted partner to help you with this project, at Admeet we offer cookie management and privacy policy tools that are specifically adapted to the educational industry, easy to use, and guaranteed to provide 100% transparency and compliance!