
Page 1: Application of the General Data Protection Regulation in ...docs.mipro-proceedings.com/ictlaw/01_ICTLAW_5715.pdf · application of the GDPR in school settings, while the experiences

Application of the General Data Protection Regulation in Schools: A Qualitative Study with Teachers, Professional Associates and Principals

L. Vejmelka*, T. Katulić*, M. Jurić* and M. Lakatoš**

* University of Zagreb, Faculty of Law, Zagreb, Croatia

** URIHO - Foundation for Vocational rehabilitation and Employment of Disabled Persons, Zagreb, Croatia

Abstract - Current changes in legislation and the challenges of GDPR implementation require specific compliance efforts from educational institutions for children. The aim of this qualitative research is to find out the opinion of teachers, professional associates and principals on the implementation of the GDPR and the issues these institutions face. Data were collected using the focus group method (4 in total) and analyzed with a simple content analysis. The results show that teachers and practitioners are generally not familiar with the application of the GDPR in school settings, while the experiences of the principals differ: some of them are fully or partially informed, and some are not familiar with the application of the GDPR in schools. Some of the participants expressed the need for additional training in this regard. The findings of the research contribute to understanding the views of experts from schools on the application of the Regulation and the national law, and provide insight into their experiences in the implementation of the new framework. The results of the research can contribute to the development of educational content for professionals in educational settings that would facilitate the application of the GDPR to children, a vulnerable group with specific needs.

Key Words – qualitative research, GDPR, schools

I. INTRODUCTION

Children are a particularly vulnerable group in society and their well-being in different domains is in the focus of researchers and professionals of various profiles [1,2]. Special attention is directed towards the legal protection of children's rights. The Convention on the Rights of the Child, a universal and widely used document on children's rights in the world, ratified in Croatia in 1991, explicitly stipulates in Article 16 that no child shall be subjected to arbitrary or unlawful interference with his or her privacy. Safety and privacy are universal rights of the child, and these issues should be taken into account especially by those who care for children on a daily basis, such as institutions within the educational sector. Article 3 of the Convention obliges private and public services and institutions to harmonize their activities with the standards of the competent authorities, including those on security matters [3].

The advent of information society services such as search engines, social networks, content streaming providers and other forms of electronic commerce and online communication has had a profound influence on societal development, allowing the faster closure of the digital divide and access to education and business services and opportunities unheard of even a decade ago. These days, as higher education is becoming a service to be disrupted, even the elementary and secondary levels of education, traditionally a purview of government, are feeling the effects of the changes information technology is causing in the fabric of society [4].

The rise of the postindustrial, information society on the back of the Internet revolution has not been without new and profound challenges and dangers, especially to the most sensitive societal groups – children and the elderly – who are struggling to grasp the rules of the new online environment, an environment which is increasingly relying on collecting and processing personal data both as the resource and as the commodity that fuels the development of new innovative products and services.

Where the traditional model of paying for products and services such as software, processing power or online platform service used to be an online financial transaction, the new Internet economy is increasingly relying on exchanging products and services for users' personal data which is then monetized through various online behavioural marketing schemes. [5]

This transition into a personal data driven economy is especially perilous for society's most sensitive groups, which by themselves will not be able to recognize and stop harmful practices such as overcollection of personal data or use of data for incompatible secondary purposes. Often these subjects are unable by themselves to seek effective protection of their rights and freedoms through established methods of legal redress. [6]

This research was part of the project “Application of the General Data Protection Regulation in childcare institutions”, funded by the University of Zagreb in 2018 and led by Assistant Professor Tihomir Katulić.

MIPRO 2020/ICTLAW 1759


The European Union has, to its credit, been steadily paving the way to better, modern legislation and to perception of personal data protection as a fundamental right to begin with. Following the adoption of the Treaty of Lisbon and the Charter of Fundamental Rights which came into effect in 2010 completing the establishment of personal data protection right as a fundamental right in the EU parallel to privacy, the next step in development of the common European legal framework of data protection was to replace the aging Data Protection Directive from 1995 with a modernized law that would take into account all the technological and legal changes and advancements in the past 25 years. [7]

This development became a Regulation, the General Data Protection Regulation (GDPR), which was finally adopted in 2016 and came into effect in 2018. Within its 99 articles and 173 recitals, the Regulation further develops key concepts established in earlier texts, such as the roles of data controllers and data processors, and explicit data subject rights such as the right to be informed about data processing, the right to access one's own data, the right to rectify outdated and incorrect personal data, and the "right to be forgotten", that is, the right of data subjects to demand that data controllers remove data they no longer have a legal basis to process. It also adopts a more modern approach of ensuring security of processing through information security practices, which are now also becoming a matter of EU legislation. [8] The GDPR gives special attention to children and how they need particular protection because they may be less aware of the risk of sharing their personal data [9].

The control mechanisms the Regulation develops are well known to information security experts, from privacy by design and by default, through requisite use of technical and organizational protection measures and provisions regarding security incident discovery and reporting to national supervisory bodies and data subjects themselves. [10]

COMPLIANCE CHALLENGES IN PUBLIC EDUCATION SYSTEM IN CROATIA

Measures and obligations of data controllers make perfect sense in the context of big data industries, especially the communications, financial and health industries, because these are traditionally reliant on collecting and processing huge amounts of personal data and performing detailed profiling of the users of their services. While these measures are welcome in the context of increased tendencies of mass government surveillance, especially with the advent of smart cities and Internet-of-things (IoT) technologies usually performed under public authority or obligations of central and local government bodies under national law, they do create implementation and compliance challenges for smaller controllers such as small businesses, underfunded or underdeveloped public institutions and civil society organizations, which usually do not possess adequate resources, know-how and manpower to address these issues. Among these, local health and education facilities are especially vulnerable, the latter being the object of our research. These organizations, especially in former Eastern Bloc and transition societies, traditionally suffer from a lack of funding and systematic support from the local government that establishes and funds them. Meeting stringent GDPR obligations is a significant challenge for them while they struggle to offer services to especially vulnerable populations.

In these organizations, most of the burden of compliance efforts has been delegated to their management, which is left to figure out how to use its modest resources, usually without any significant support from local government or competent central government institutions.

DATA PROTECTION IN PUBLIC EDUCATION

The main activities of public education institutions are centered around providing education services to different categories of students ranging from nurseries and kindergartens to elementary and secondary education.

Figures for the Croatian educational sector show the coverage of children in primary and secondary education in Croatia. At the beginning of the 2019 school year, 316 104 children were enrolled in 2115 elementary schools in Croatia [11]. In the same school year, 148 466 high school students were enrolled in 739 secondary schools [12].

Schools collect various personal data: information on active and past students and their family members, information on employees and their family members, information on visitors, co-workers, partners, etc. [9] In school institutions, personal data can be collected directly from respondents or family members, by electronic communication, or by accessing official databases, and may also be submitted by ministries and other organizations through specialized information systems. Personal data in schools are collected, stored and processed on a daily basis, which requires knowledge of different regulations as well as digital competencies and specific IT skills. IT support and information security are often not the focus of educational institutions, which poses an additional challenge when implementing the complex requirements of the new General Data Protection Regulation.

In today's world, where information and data are highly valued, group environments like schools, where most children spend time on a daily basis, make it possible to gather a large amount of information relatively quickly and easily. At the same time, however, there is a risk of inappropriate and illegal use of personal data, which should be minimized in order to protect the safety and well-being of the child.

In this paper, our research focus was centered on the efforts of professionals in the education settings in Split-Dalmatia County in implementing the GDPR in the schools.

RESEARCH OVERVIEW

The aim of this preliminary qualitative research is to find out the opinion of teachers, professional associates and principals of the schools in Split-Dalmatia County on the implementation of the GDPR and the issues these institutions are experiencing. The research questions for the teachers, professional associates and principals were set up with the purpose of better understanding:


1. How do they perceive their knowledge about GDPR and did they participate in a formal education? (Table I, Table II)
2. What do they think about the process of implementation of GDPR in their institution? (Table III, Table IV, Table V)
3. What specific challenges did they experience with the implementation of the GDPR in their institution? (Table VI, Table VII)

II. METHODS

Data were collected in the fall of 2018, using the focus group method (4 groups in total), each lasting a maximum of 30 minutes. The research was conducted by an experienced researcher who participated in a short training on GDPR in education prior to the field research.

Sample: of the four focus groups, two were conducted with teachers and professional associates (10 participants in total) and two with principals (8 participants in total). All of the participating teachers and professional associates were female, while 7 out of 8 principals were male. To ensure confidentiality, further socio-demographic data about participants was not collected, encouraging honesty in answering questions.

Ethics: Approval of the principal of the school to conduct the research in their school was mandatory. Informed consent was collected from every participant prior to the research, as well as consent for audio recording of the focus group. Participants were assured that their personal information would not be used and that it would not be possible to relate their answers to their identities. They were also assured that only members of the research team would have access to the collected data, which will be destroyed after the finalization of the project.

Data analysis: Data were analyzed with a simple content analysis, which included the following steps:

1. Minimal language editing of all open-end question responses
2. Underlining of specific statements of the respondents
3. Extraction of the underlined statements of the respondents
4. Separating statements into different categories
5. Defining sub-categories (if applicable)
6. Assigning a frequency of the respondents’ statements within a category

Content analysis was used for the categorization and classification of answers to open-end questions. The method of simple content analysis enabled a systematic overview of textual information by its frequency in each specific category. The results are expressed as the number of occurrences. The participants’ statements presented in the results section were chosen to describe the categories in more detail.

III. RESULTS AND DISCUSSION

The qualitative content analysis, which enabled a systematic overview of data assigned to specific categories, was performed on the responses of teachers and principals with the purpose of assessing their opinion about GDPR and its implementation in their schools.

Content analysis of the first research question produced four categories in the first block of the results: (1) Level of knowledge about GDPR in general, (2) Lack of interest about GDPR, (3) Level of awareness of the risks of data misuse and (4) Level of awareness of internal rules on personal data protection (Table I). The results show that only principals have basic (f=6, RSS2: Partly, we are familiar in a way that we are trying to apply the regulation in the everyday functioning of the School.) and, in fewer cases, advanced (f=2) knowledge about GDPR, while teachers show a lack of knowledge in this field (f=4, NSS1: I am not familiar with the regulation and do not know much about it.). At the same time, teachers expressed a lack of general interest in the topic of GDPR (f=9, NOS1: I personally am not much but for the reason that I was not very interested… I am more oriented towards teaching, not papers), which was the most frequent category of the first research question. The research findings also indicate that in the school setting there is a lack of knowledge about risks of data misuse (f=4) and personal data protection (f=6, NO3: if there is, we do not know it exists), and that staff are not familiar with who the data protection officer in their school is (f=2), or that they have basic information about risks of data protection (f=6) and internal rules of data protection (f=3). For comparison, it is interesting to note that Eurobarometer research on more than 27000 EU citizens shows that 67% of the general population know about the General Data Protection Regulation and 57% of respondents know about their national data protection authorities [13].

TABLE I KNOWLEDGE ABOUT GDPR AND THE DEGREE TO WHICH THEY ARE INFORMED

| Category | Codes | Frequency |
|---|---|---|
| Level of knowledge about GDPR in general (12) | Teachers' lack of knowledge about GDPR | 4 |
| | Basic knowledge of principals about GDPR | 6 |
| | Advanced knowledge of principals about GDPR | 2 |
| Lack of interest about GDPR (9) | Lack of teachers' general interest in GDPR | 9 |
| Level of awareness of the risks of data misuse (10) | Teachers' lack of knowledge about the risks of data misuse | 4 |
| | Teachers' basic knowledge about the risks of data misuse | 6 |
| Level of awareness of internal rules on personal data protection (11) | Teachers' lack of knowledge about the internal rules on data protection | 6 |
| | Teachers' basic knowledge about the internal rules on data protection | 3 |
| | Non-familiarity with data protection officer | 2 |


Table 2 presents experiences with formal education about GDPR in education and the participants' interest in future education in the field. The results show that teachers generally do not participate in education about implementation of the GDPR in school settings (f=9), and neither do some of the data protection officers in the schools (f=4), who did not participate in available education. On the other hand, some principals stated that they have participated in formal GDPR education (f=4), as have some data protection officers (f=4). Some of the teachers (f=3) and principals (f=3) expressed their interest in further education in this field. It is important to emphasize that it is not clear whether there was a lack of institutional support in organizing education in the field or a lack of interest from the implementers, in this case principals, teachers and professional associates. The scarce research in the field of data protection in the educational sector emphasizes the complexity of the issues schools face in the process of GDPR implementation. Rosmaini, Kusumasari, Lubis and Lubis [14] state that this includes competent employees, technology, task and structure, as well as procedure and policy aligned with the relevant and related personal data protection act.

TABLE II EXPERIENCES WITH FORMAL EDUCATION AND MOTIVATION FOR FURTHER EDUCATION ABOUT GDPR

| Category | Codes | Frequency |
|---|---|---|
| Experiences with formal education about GDPR (21) | Non-participation of teachers and principals in formal education about GDPR | 9 |
| | Participation of principals in formal data protection education | 4 |
| | Non-participation of data protection officer in further education about GDPR | 4 |
| | Participation of data protection officer in formal education | 4 |
| Interest in future educations about GDPR (6) | Teachers’ interest in future education | 3 |
| | Principals’ interest in future education | 3 |

Content analysis of the second research question produced four categories regarding implementation of the GDPR in schools: (1) Clarity of defined goals of personal data protection in the institution, (2) Existence of data protection guidelines and regulations in the institution, (3) Existence of data protection officer in school and (4) Security and data protection measures (7). Table 3 shows that the goals of personal data protection are not always clearly defined within the institution. Some of the participants said that the goals are not defined (f=2, NSS3: We have no clear goals) or that they are familiar with them on a basic level (f=3). Two schools show an intermediate level (f=2) and two schools are identified as positive practice examples and show an advanced level of clarity of goals of data protection (f=2, ROS1: We are on our way … In practice, this has complicated our lives, but I know that we should work that way. We are in the process of hiring a legal person to take care of this.). In some schools, GDPR implementation started with video surveillance as a part of security measures (f=4), while one school physically locks the data in a secured space (ROS2: We use physical data lock…cabinets, firebox.). Two schools report a lack of security and data protection measures (f=2).

TABLE III IMPLEMENTATION OF GDPR: CLARITY OF INSTITUTIONAL GOALS

| Category | Codes | Frequency |
|---|---|---|
| Clarity of defined goals of personal data protection in the institution (8) | Lack of goals of personal data protection strategy | 2 |
| | Basic level of clarity of defined personal data protection goals | 3 |
| | Intermediate level of clarity of defined personal data protection goals | 2 |
| | Advanced level of clarity of personal data protection goals | 1 |

TABLE IV IMPLEMENTATION OF GDPR: SECURITY

| Category | Codes | Frequency |
|---|---|---|
| Security and data protection measures (7) | Non-existent security data protection measures | 2 |
| | Security cameras | 4 |
| | Securing data in a locked room | 1 |

Table 5 shows that, in the teachers' opinion, there are no data protection guidelines and regulations at school level (f=8, NS5: We are not adequately educated or know that there are some guidelines), which is confirmed by the statements of three principals (f=3). Other principals report that guidelines and regulations exist (f=4), or that this field is partially regulated (f=1, RSS2: Partially, within the regulations governing the protection of archives and records). One institution reports gradual introduction of data protection guidelines in the institution (f=1), and again one school shows an advanced level of development of internal data protection regulations within the institution. National governments of some European countries have prepared detailed guidelines for implementing the GDPR in schools within positive practices and policies regarding personal data security [15].


TABLE V IMPLEMENTATION OF GDPR: REGULATION AND DATA PROTECTION OFFICER

| Category | Codes | Frequency |
|---|---|---|
| Existence of data protection guidelines and regulations in the institution (20) | Lack of data protection guidelines in the institution - teacher perspective | 8 |
| | Guidelines and regulations exist - principal perspective | 4 |
| | Gradual introduction of data protection guidelines in the institution - principal perspective | 1 |
| | Lack of internal data protection regulations - principal perspective | 3 |
| | Internal data protection is partially regulated | 1 |
| | Advanced level of internal data protection regulations within the institution | 1 |
| Existence of data protection officer in school (13) | Administrative staff | 10 |
| | External expert | 1 |
| | Data protection officer is assigned in the institution | 3 |

Content analysis of the last research question, examining challenges of GDPR implementation in the school setting, produced four interesting categories: (1) Lack of systematic introduction of GDPR in the education, (2) Lack of a universal model of information provision for educational employees, (3) Challenges regarding consent for usage of personal data, (4) Teacher resistance to the introduction of a privacy statement regarding the use of personal data. Experts agree that institutions should adopt internal policies and assure the implementation of the privacy measures in order to demonstrate compliance with the Regulation and meet the goals of effective data protection [16].

Table 6 shows categories that identify a lack of systematic preparation for the implementation of GDPR in schools. Participants report a lack of clear information on how the GDPR is implemented in their school (f=3), as well as a lack of protocol for implementation (f=6, NSS2: I know there should be a person in charge of taking care of that information, but we don't have that person). At the same time, educational employees are being informed about GDPR through various “ad hoc” means of information, including teacher council (f=2), principals meeting (f=1), school information panels (f=2), available online documents (f=1) and media (f=1), and some of them mention other unofficial sources of information, such as TV and other media and professional conferences (f=2).

TABLE VI CHALLENGES: LACK OF SYSTEMATIC PREPARATION

| Category | Codes | Frequency |
|---|---|---|
| Lack of systematic introduction of GDPR in the educational sector (9) | Lack of clear information how the GDPR is implemented in their school | 3 |
| | Lack of a clear procedure for implementing GDPR at school | 6 |
| Lack of a universal model of information provision for education sector employees (9) | Basic information of teacher on teacher council | 2 |
| | Basic information of principals on principals meeting | 1 |
| | Information available on school information panel | 2 |
| | Online documents available | 1 |
| | Information on media | 1 |
| | Other sources of information | 2 |

Results of the last research question regarding specific challenges participants experienced during GDPR implementation were particularly interesting. Table 7 shows that teachers and principals experience challenges regarding consent for personal data use. Some of them believe that they have a general knowledge of needing to collect the consent in certain situations (f=4), while others identify a lack of uniform procedure within and between schools as the challenging part of the collection of the consent (f=5, NOS5: One school works like this - another school works differently). A number of participants experience ambiguities in the implementation of specific provisions about consent for personal data usage (f=4, NOS1: I wish that the law resolves that we do not need to collect signatures). Furthermore, they are resistant to the implementation of a privacy statement for teachers and dislike this procedure (f=5, NO3: Before (the GDPR) we didn't need to sign with a signature that I would not talk about children from school either at home or outside school or anywhere).

TABLE VII CHALLENGES: CONSENT AND PRIVACY STATEMENTS

| Category | Codes | Frequency |
|---|---|---|
| Challenges with consent for usage of personal data (17) | General knowledge of the specific situations of consent for the use of personal data | 4 |
| | Lack of uniform procedure about collecting consents for the use of personal data | 5 |
| | Resistance to collection of consent for the use of personal data | 5 |
| | Ambiguities in the implementation of specific provisions about consent for personal data usage | 4 |
| Teacher resistance to the introduction of a privacy statement (5) | Teacher resistance to the introduction of a privacy statement regarding the use of personal data | 5 |


Informed consent and strong ethical and legal standards are highly important, especially for children, considering their age and their ability to understand the risks and responsibilities. Informed consent of the child and parent is obligatory in a number of situations where institutions are obliged to pre-collect personal data, but some of the public activities planned in the school year program could be resolved easily with parental consent for planned activities at the beginning of the school year. The authors of this manuscript strictly oppose asking parents to sign blank consent forms for the child without actually informing them on the subject of the consent, as is the practice in some institutions (NO3: in some schools they all sign up at the beginning of the school year).

IV. RESEARCH IMPLICATIONS AND LIMITATIONS

This preliminary qualitative research is significant considering the lack of research on the implementation of the GDPR in education. Preliminary results indicate the need for further research that will explore in detail the opportunities and challenges of implementing the GDPR in educational settings. There is also an indisputable need to improve the systematic and professional introduction of new regulations in educational institutions. It is certain that both teachers and principals need better support, as well as systematic access to information and training in the field of data protection.

Furthermore, the findings of this research may direct future research in this field, as well as be useful to experts planning and implementing educational content in the education sector.

Although the research design planned a more complex qualitative analysis, predicting that the participants' answers would be sufficiently informative and meaningful to be appropriate for thematic analysis, this did not turn out to be correct. Given the very modest and simple responses of the research participants, it was decided to carry out a simple content analysis. These preliminary research results can be a starting point for planning future qualitative research in the field of GDPR application in school settings. Although the authors of this paper are aware that the response frequencies in the categories are too low to allow any statistical data handling, they nevertheless point to a need for more detailed planning of research in this field. The research findings, together with the general, very restrained and short responses from research participants, indicate that there is a significant need to inform, educate and support school staff in GDPR implementation in their professional practice.

V. CONCLUSION

The results show that teachers and professional associates are generally not familiar with the application of the GDPR in school settings, while the experiences of principals are different. Some of them are fully or partially informed, and some of them are not familiar with the application of the GDPR in schools. This research confirms a lack of systematic preparation for the implementation of the GDPR in some Croatian schools. Motivation for further education and personal responsibility for continuous professional growth, especially in the field of protection of rights and data protection, is an inevitable part of ethical and effective practice. At the same time, it is the responsibility of the system to make lifelong education available to educational employees and to ensure investment in these sectors so that they can properly and adequately collect, handle and store personal data within the framework of the GDPR in educational institutions.

Although educational employees work with children and young people, a group that is particularly sensitive when it comes to data security, this research shows that they do not have enough of the knowledge, experience and skills required in the specific situations in their public action.

It should be emphasized that this paper contributes to the understanding of the implementation of the Regulation in the school context in Croatia, which is especially significant given the lack of sources of literature in the domestic context in this field. Based on these results, it seems necessary to develop accessible educational content for educational employees to ensure an adequate application of the GDPR in relation to children. Particular recommendations for developing educational content for employees in school settings are:

- Educational content should address the needs of employees in school settings, meaning that it should be applicable in their everyday professional practice

- Educational content should be accessible to different categories of employees (teachers, principals, professional associates), with specific content related to their different professional roles within schools

- Guidelines and standards for the implementation of the GDPR in school settings should be clear and accessible, and all the actors should be informed about their content.

Preliminary results of the presented research can be useful in planning and conducting research in this field, especially since there is an unquestionable need for evidence-based practice in the field of GDPR implementation in the school context.

REFERENCES

[1] M. Ajduković and M. Šalinović (eds.). Indikatori dobrobiti djece. Zagreb: UNICEF ured za Hrvatsku i Ministarstvo za demografiju, obitelj, mlade i socijalnu politiku, 2016.

[2] J. Bradshaw, A. Keung, G. Rees and H. Goswami. “Children's subjective well-being: International comparative perspectives”. Children and Youth Services Review, 33, 2011. 548–556.

[3] United Nations. Convention on the Rights of the Child, 1989. Available at https://www.ohchr.org/en/professionalinterest/pages/crc.aspx

[4] S. Audsley, F. Kalyani, M. Bronwen, B. Robinson and K. Varney. An Examination of Coursera as an Information Environment: Does Coursera Fulfill its Mission to Provide Open Education to All?, The Serials Librarian: From the Printed Page to the Digital Age, 2013. 65:2, 136-166, p. 157.

[5] N. Parlov, Ž. Sičaja and T. Katulić. GDPR – Impact of General Data Protection Regulation on Digital Marketing. Annals of disaster risk sciences. 1, 2, 2018., 105-116

[6] Information Commissioner's Office Guide to Data Protection, available at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/

[7] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Official Journal L 281, 23/11/1995 P. 0031 - 0050

[8] T. Katulić. “Transposition of EU Network and Information Security Directive into National Law”, MIPRO 2018 41st International Convention Proceedings, Skala, Karolj (ed.). Rijeka: MIPRO, 2018. 1328-1333

[9] A. Calder. EU GDPR: A Pocket Guide, School's edition. IT Governance Publishing Ltd. 2018.

[10] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), Official Journal of the European Union, L 119/1

[11] Croatian Bureau of Statistics. Basic schools end of 2017/2018 school year and beginning of 2018/2019 school year. First release. 2019. Available at https://www.dzs.hr/

[12] Croatian Bureau of Statistics. Upper secondary schools end of 2017/2018 school year and beginning of 2018/2019 school year. First release. 2019. Available at https://www.dzs.hr/

[13] EU. Special Eurobarometer 487: Charter of fundamental rights and General Data Protection Regulation. Available at https://data.europa.eu/euodp/en/data/dataset/S2222_91_2_487_ENG

[14] E. Rosmaini, T.F. Kusumasari, M. Lubis and A.R. Lubis, 2018, J. Phys.: Conf. Ser. 978 012037. doi:10.1088/1742-6596/978/1/012037

[15] IT Governance Privacy Team, EU General Data Protection Regulation (GDPR) - An Implementation and Compliance Guide, Third edition, 2019, ITGP.

[16] Data protection: toolkit for schools. Guidance to support schools with data protection activity, including compliance with the General Data Protection Regulation (GDPR), 2018, Department for Education. Available at https://www.gov.uk/government/publications/data-protection-toolkit-for-schools