Spanish Data Protection Authorities Release Decalogue for Safe Use of Digital Educational Platforms

The Data Protection Authorities publish a decalogue of basic principles for the procurement and use of digital educational platforms

Spain’s leading data protection authorities jointly published a comprehensive “Decalogue” outlining ten core principles to ensure the responsible procurement and use of digital educational platforms. The guidance aims to strengthen privacy protections for students, teachers, and families in an increasingly digital learning environment.

The document was developed collaboratively by four independent Spanish data protection bodies: the Spanish Data Protection Agency (AEPD), the Catalan Data Protection Authority (APDCAT), the Basque Data Protection Authority (AVPD), and the Andalusian Council for Transparency and Data Protection (CTPDA). It is directed at public educational administrations, private and charter schools, teachers, and the technology companies providing cloud-based educational services.

Protect Spain’s Children’s Data under EU Law

Digital educational platforms have become essential tools in modern schooling. They allow students, teachers, and families to collaborate, share assignments, track academic progress, and develop digital competencies. However, their widespread adoption involves the large-scale processing of personal data — particularly sensitive information belonging to minors.

The authorities emphasize two key points:

  • Data of children and adolescents receives heightened legal protection under Spanish and EU law (GDPR).
  • Use of these platforms is often not truly voluntary. For most students and families, these tools are the primary or only means to participate in education, increasing the responsibility of schools and providers to ensure strong privacy safeguards.

The Decalogue promotes a proactive, preventive approach to data protection rather than relying solely on reactive enforcement after issues arise.

The Ten Core Principles (Decalogue)

The document identifies ten fundamental data protection principles that must be considered when selecting, contracting for, and using digital educational platforms:

  1. Respect for Rights and Freedoms – All processing must fully respect the fundamental rights and freedoms of students, teachers, and families.
  2. Clear Determination of Responsibilities – Roles of controller and processor must be clearly assigned and documented between educational institutions and platform providers.
  3. Lawful Basis and Purpose Limitation – Processing must have a valid legal basis and be strictly limited to legitimate educational purposes.
  4. Data Protection Impact Assessments (DPIA) and Involvement of the Data Protection Officer (DPO) – High-risk processing requires a prior impact assessment, and schools should involve their DPO from the earliest stages.
  5. Transparency and Information – Students, parents, and teachers must receive clear, accessible information about what data is collected, how it is used, and their rights.
  6. Processor Contracts and Sub-processors – Contracts with technology providers must include detailed data processing terms, with ongoing oversight of any sub-processors.
  7. Safeguards for International Data Transfers – Appropriate guarantees must be in place when personal data leaves the European Economic Area.
  8. Data Protection by Design and by Default – Platforms must be designed with privacy in mind from the outset, offering the most privacy-friendly settings by default.
  9. Information Security – Robust technical and organizational measures must protect data against breaches, unauthorized access, or loss.
  10. Effective Exercise of Data Subject Rights – Easy mechanisms must be available for students and families to access, correct, delete, or object to the processing of their data.

A Preventive and Collaborative Approach

By releasing this Decalogue, the Spanish data protection authorities are encouraging educational institutions and technology companies to embed privacy principles into every stage of the process — from procurement to daily use. The goal is to create a safer, more trustworthy digital learning environment while ensuring compliance with GDPR and Spanish data protection rules.

The guidance applies to public schools as well as private and charter (concertados) schools. Technology providers offering educational platforms in Spain are expected to design their services in line with these principles to meet the needs of educational institutions.

This initiative reflects growing European concern about the privacy risks associated with edtech platforms, especially those that process behavioral data or location information, or that use AI-driven analytics on minors. It also highlights the importance of protecting children’s data when platform use is effectively mandatory for participation in education.

Practical Impact

For schools and educational administrations, the Decalogue serves as a practical checklist during the procurement and implementation of digital tools. It encourages asking vendors the right questions, demanding strong contractual protections, and conducting proper risk assessments before adoption.

For technology companies operating in Spain’s education sector, the message is clear: privacy compliance is not optional. Platforms must be built with privacy by design and respect the special vulnerability of child users.

Parents and students stand to benefit from a more secure digital learning environment where their personal data — especially sensitive educational and health-related information — receives appropriate protection.
