The Czech website for submitting high school applications experienced problems right from its launch, and evidence is now emerging that it is in violation of the GDPR. The website processes a significant amount of data on prospective high school students and their parents, which could be a problem if it does not comply with the GDPR.
Cermat (Center for the Assessment of Educational Results) is a Czech organization established by the Czech Ministry of Education. Its mission is to administer high school graduation and final exams, publish materials, analyze educational outcomes in the Czech Republic, propose measures to improve education, and much more. Under its auspices, the website Dipsy.cz was created, which facilitates the electronic submission of applications to secondary schools. This website was intended to significantly simplify and speed up the entire application process, but minor complications arose as soon as it went live. It was launched one day later than planned; initially, it was not possible to upload attachments or verify security. However, these complications were resolved, and the website became operational.
The Association for the Protection of Personal Data also reviewed the website’s operation from a GDPR perspective. Based on their findings, doubts arose regarding the website’s proper functioning from a personal data protection standpoint. First and foremost, the website collects personal data from students and their legal guardians, as well as information about their previous education and any special needs the child may have. From the moment this data is provided to the website, individuals (students and parents) should have access to their data. They should be able to understand why their data is being processed to the extent that it is, for how long, and who has access to it. All of this information should be easily and quickly accessible on the website. According to the GDPR, this is the principle of transparency, which was violated in this case. The legislation describes this principle as the right of individuals to have control over their data, to know what data is collected about them and why, how it is handled, and who has access to it. Regulation (EU) 2018/1725 of the European Parliament and of the Council states: “The principle of transparency requires that all information and communications relating to the processing of such personal data be easily accessible and easily understandable, and be formulated in clear and plain language.”
This information may be available on the website—the Association did not rule this out—but it is not easily and quickly accessible, which is also considered a violation of the principle. If the information is buried deep within the website and there is no straightforward “path” to it, this is a major problem. At the same time, it is not available on the Cermat website (as the operator) or the Ministry of Education’s website. The association also stated that this is not the first violation committed by a public institution. The association expects Cermat to rectify this violation in the near future.