The Spanish Data Protection Agency, the Catalan Data Protection Authority, the Basque Data Protection Authority and the Council of Transparency and Data Protection of Andalusia published on March 23, 2026 a decalogue of basic principles for the contracting and use of digital educational platforms. The document establishes common criteria for the processing of personal data in the educational field and focuses on the protection of minors.
The text has been jointly prepared by the four organizations and is addressed to the different agents and operators who, through technological platforms, process personal data in education. Among its recipients are educational administrations, companies that offer cloud-based educational service platforms, and also public, subsidized, and private centers.
A common framework for educational platforms
The data protection authorities warn that the use of these digital tools presents specific risks and challenges. They underline that their implementation implies a massive processing of personal data and specially highlights information related to minors, which requires specific protection.
The document also recalls that the use of these platforms is not voluntary for students or their families, since it is the institutional tool provided to carry out the educational function. In that context, the authorities maintain that the objective is to promote proactive compliance with regulations and reinforce an environment of trust and legal certainty for users.
The ten principles collected in the document
The decalogue gathers ten basic axes that must guide the contracting and the use of these digital platforms in the centers and in the educational administration.
- Respect for rights and freedoms in the processing of personal data
- Determination of processing responsibility
- Legitimation and limitation of purposes
- Impact assessment and participation of the data protection officer
- Transparency and information
- Processing agreement and control of sub-processors
- Guarantees in international transfers
- Data protection by design and by default
- Information security
- Guarantee of individuals' rights
Protection of minors and obligations of each actor
The authorities emphasize that these platforms allow students, teachers, and families to interact and collaborate for educational purposes. They also facilitate the teaching function and contribute to the development of digital competencies. At the same time, they understand that this intensive use requires clearly defining the responsibilities and obligations of each participant.
The decalogue opts for a preventive approach so that educational administrations, public, subsidized and private centers, and companies that offer educational platforms in the cloud act with homogeneous criteria. The publication of the document seeks that each actor be aware of their role in data processing and the guarantees they must apply to preserve the rights of students, families, and teaching staff.
The new framework is also applicable to public, subsidized, and private educational centers, with the intention of extending common guidelines throughout the entire digital educational environment and reinforcing the protection of personal information in a particularly sensitive area.