Netherlands DPA Issues Guidance on Social Media Use in Education

On 13 June 2024, the Dutch Data Protection Authority (AP) issued detailed guidance for educational institutions on the responsible use of social media platforms. This guidance was prompted by a specific request from an educational institution seeking to utilize social media for marketing and communication purposes, involving the posting of photos and stories of students and teachers.

Key Points

1. Significant Risks:
   • AP Chairman Aleid Wolfsen highlighted substantial risks associated with social media, as these companies often have commercial interests such as selling ads based on detailed user profiles, including sensitive information like health or political views.
   • Schools must ensure that students and teachers understand and consent to how their data is used by social media companies.
   • Without clear agreements, the use of social media platforms is discouraged to avoid potential legal violations.
     
     
2. Responsibilities and Compliance:
   • Clear responsibilities must be defined regarding compliance with the GDPR.
   • Schools must have mechanisms to delete photos upon request and prevent misuse of the images.
   • Transparency about who to contact for exercising data protection rights is essential – whether it is the school or the social media company.
     
     
3. Data Security:
   • Secure storage of personal data is crucial, especially if stored outside the European Economic Area (EEA).
   • Data protection levels must be equivalent to GDPR standards, and agreements must ensure data security.
   • In countries where the rule of law is not adequately guaranteed, the legality of storing EU citizens’ data is highly questionable.
     
     
4. Consent:
   • Educational institutions must seek proper consent from students and teachers.
   • Consent must be specific, informed, and documented, detailing any use of data for profiling or advertising purposes by the social media company.
     
     
5. Broader Impact:
   • The AP’s advice is intended for all educational institutions in the Netherlands to review and potentially revise their social media usage policies.
   • Institutions should ensure they meet GDPR requirements and effectively protect the personal data of students and staff.
   • While the guidance initially addressed a specific case, it aims to inform broader practices across the educational sector, promoting rigorous data protection standards amidst increasing digitalization.

👉 Read the press release and the guideline here.