DEV Community

Custodia-Admin
Originally published at app.custodia-privacy.com

GDPR for Language Schools: Student Data and Compliance

Language schools sit at the intersection of education, immigration, and commercial activity. They process some of the most sensitive categories of personal data an organisation can hold — including children's data, visa and immigration documents, and health information — while also running marketing campaigns, using video conferencing platforms, and managing CCTV systems. GDPR compliance for language schools is not optional, and it is not simple.

This guide covers every major data processing activity a language school is likely to undertake, the lawful basis that applies, the obligations that flow from it, and how to stay compliant without burying your administrative staff in paperwork.


Student Enrolment Data

When a student enrols, you collect a substantial amount of personal data: full name, date of birth, address, nationality, passport details, emergency contacts, language level, previous education history, and payment information. For adult students, the lawful basis for processing this data is typically contract (Article 6(1)(b) GDPR) — you need it to deliver the course the student has signed up for.

For each category of data, ask: do I actually need this to deliver the service? GDPR's data minimisation principle requires that you only collect what is strictly necessary. If you collect emergency contact details, make sure your privacy notice discloses this and explains what you would use them for.

Payment data requires particular care. Card details should never be stored on your systems — use a PCI-DSS compliant payment processor and ensure your contract with them covers GDPR data processing obligations.


Processing Children's Data: Parental Consent for Under-13s

Language schools frequently enrol children — both in junior summer programmes and in year-round classes. Processing children's data requires heightened care.

Under GDPR, children are afforded extra protection because they are less able to understand the consequences of sharing personal data. For online services directed at children, Article 8 requires parental or guardian consent for children under 16 (or under 13 in the UK under UK GDPR). For in-person educational services, the lawful basis is usually contract with the parent or guardian rather than consent — the parent is contracting with you for their child's education.

Key obligations when processing children's data:

  • Privacy notices must be written in age-appropriate language if directed at the child
  • Parental consent must be obtained before sharing any child's data with third parties for non-educational purposes
  • Marketing to children directly is generally not permissible
  • Any photographs or video of children requires explicit parental consent — this is separate from the enrolment contract
  • Data about children should be held securely and accessible only to staff with a legitimate need

For under-13 students in particular, ensure your enrolment forms require a parent or guardian to sign, that they are clearly identified as the contracting party, and that your privacy notice is addressed to them.


CCTV in Classrooms and Premises

Many language schools use CCTV on their premises for security purposes. CCTV systems capture personal data — the images of students, staff, and visitors — and are explicitly covered by GDPR.

The lawful basis for CCTV is typically legitimate interests (Article 6(1)(f)). You must conduct a Legitimate Interests Assessment (LIA) that documents why CCTV is necessary, what alternative measures you considered, and why the security benefit outweighs the privacy impact on individuals.

CCTV in classrooms is particularly sensitive. Students have a reasonable expectation of privacy in a learning environment. If you use CCTV in classrooms — for example, to allow remote observation of teaching quality or to stream lessons — you must:

  • Obtain explicit consent from students (or parents for minors)
  • Display clear signage explaining where cameras are, who operates them, and how long footage is retained
  • Limit access to footage to authorised personnel only
  • Establish a retention period (typically 30 days for security footage, unless needed for an incident)
  • Have a process for responding to subject access requests that include CCTV footage

Student Progress Records: How Long to Keep Them

You will accumulate records over the course of each student's enrolment: assessment results, attendance records, teacher feedback, certificates awarded, and any behavioural or welfare notes. These records are personal data, and GDPR's storage limitation principle requires that you do not keep them longer than necessary.

There is no single legal requirement for how long educational records must be retained, unlike in healthcare or financial services. Your retention schedule should be driven by:

  • Certificates and qualifications: Consider retaining for the life of the institution, as students may request duplicates years later. This is a legitimate purpose.
  • Progress records and assessments: Typically 3–5 years after the student's last enrolment is reasonable.
  • Financial records: 7 years is standard to meet tax and accounting obligations.
  • Welfare or safeguarding records: If your school works with children, welfare records may need to be retained until the child reaches adulthood plus an additional period.
  • Immigration-related records: See below — these may have specific retention requirements.

Document your retention schedule formally and apply it consistently. Deleting data when you no longer need it is not just good practice — it is a legal obligation.


Sharing Data With Parents and Guardians

For adult students (18 and over), parents and guardians have no automatic right to access their child's personal data. The adult student is the data subject, and their personal data belongs to them. You cannot share progress reports, attendance records, or financial information with a student's parents unless the student has explicitly consented to this.

This is a frequent source of confusion for language schools — particularly when parents are paying the fees. Paying for a course does not give a parent access to the adult student's personal data.

Practical steps:

  • Include an optional consent form in your enrolment process allowing adult students to nominate a parent or guardian who may receive updates
  • Ensure staff understand they cannot discuss an adult student's progress with callers claiming to be parents unless consent is on file
  • For under-18 students, the parent or guardian is generally the appropriate contact, but be aware that older teenagers still have privacy rights

Marketing to Prospective Students

Email marketing to prospective students must comply with both GDPR and PECR (the Privacy and Electronic Communications Regulations). To send marketing emails, you need either:

  • Consent: A clear, freely given, specific opt-in — not pre-ticked boxes
  • Soft opt-in: Only applies to existing customers (students who have previously enrolled with you), for marketing of similar services, if they were given an easy opt-out when their details were first collected

Cold email campaigns to purchased lists are generally unlawful. If you collect enquiry forms on your website, ensure the form includes a clear opt-in to marketing communications — separate from the general enquiry.

For social media advertising, ensure your custom audience uploads comply with the platforms' data use terms and that you have a lawful basis for uploading student or enquirer contact details. Custodia's scanner can detect third-party tracking pixels on your website that may be collecting visitor data for retargeting without adequate disclosure.


Visa and Immigration Data Handling

Language schools that sponsor visa applications or that need to verify visa status — including UK Tier 4 (Student) sponsors and EU equivalents — process some of the most sensitive personal data an organisation can hold. Passport details, visa documentation, biometric residence permits, and immigration status are all personal data under GDPR. Some of this overlaps with special category data (e.g., nationality as a proxy for racial or ethnic origin).

Obligations specific to immigration data:

  • Process only the data actually required to verify study eligibility or meet sponsor obligations
  • Store immigration documents securely — encrypted storage, restricted access
  • Do not retain copies of passports or visas beyond what is required for the specific compliance purpose
  • Be explicit in your privacy notice about what immigration data you collect, why, and who you share it with (e.g., UK Visas and Immigration)
  • If you are a licensed sponsor, you have additional reporting obligations to the Home Office — these are separate from GDPR but must be conducted lawfully

Third-Party Platforms: LMS and Video Conferencing

Modern language schools rely on a range of third-party platforms: Learning Management Systems (LMS) like Moodle, Canvas, or Google Classroom; video conferencing tools like Zoom or Microsoft Teams; and homework or assessment tools. Each of these platforms receives personal data about your students.

Under GDPR, these platforms are data processors, and you are the data controller. You must have a Data Processing Agreement (DPA) in place with each one. Most major platforms provide standard DPAs — check that you have actually signed or accepted them, rather than assuming they exist.

Key due diligence steps:

  • Review where each platform stores data — is it within the EU/UK, or is data transferred to third countries?
  • If data is transferred outside the UK or EEA (for example, to a US-based platform), you need an appropriate transfer mechanism: Standard Contractual Clauses (SCCs), the UK IDTA, or an adequacy decision
  • Check whether the platform uses student data for its own purposes (e.g., product improvement, advertising) — this is often prohibited in educational contexts
  • Ensure your privacy notice discloses which platforms you use and why

Staff and Teacher Data

Your GDPR obligations extend to employees and contractors. Teacher data — CVs, DBS check results, employment contracts, payroll information, training records, and performance reviews — is all personal data.

The lawful basis for processing employee data is typically a combination of:

  • Contract (to fulfil the employment contract)
  • Legal obligation (payroll, right to work checks, DBS checks where required)
  • Legitimate interests (performance management, internal communications)

DBS check certificates deserve special mention: these are criminal records data, which is special category data under UK GDPR. You must have a policy in place for processing this data, and you cannot retain DBS certificates beyond what is necessary — typically you should record the date of the check, the certificate number, and the outcome, not retain a copy of the full certificate.


DSARs from Students and Parents

Students (or parents of minor students) have the right to submit a Data Subject Access Request (DSAR) asking for all personal data you hold on them. You have one calendar month to respond, and you cannot charge a fee for most requests.

For a language school, a DSAR response may need to include: enrolment records, progress assessments, attendance records, email correspondence, financial records, any notes held by teachers or welfare staff, CCTV footage that features the individual, and records of any third-party disclosures.

Practical preparation:

  • Designate a named person responsible for handling DSARs
  • Map your data so you know where all student data is stored — across systems, email, shared drives, and third-party platforms
  • Establish a process for retrieving and reviewing data within the one-month window
  • Train staff not to delete or alter records after receiving a DSAR

Custodia can help you understand what data your website and systems are collecting, making the DSAR response process significantly more manageable.


Your Website and Cookie Compliance

Language school websites typically include enquiry forms, chat widgets, social media pixels, and analytics tools — all of which may collect personal data from site visitors before they ever become students. Your cookie consent banner must give visitors a genuine choice, and analytics or advertising cookies must not be loaded until consent is given.

Run a free scan of your website at https://app.custodia-privacy.com/scan to identify all third-party trackers and cookies your website is setting — including any that may be loading without consent. The scan takes 60 seconds and gives you a full breakdown of what is being collected and whether your current setup is compliant.


Building a GDPR Compliance Programme for Your Language School

GDPR compliance for a language school is achievable with the right foundations:

  1. Data mapping: Document every category of personal data you collect, the lawful basis, the retention period, and who you share it with
  2. Privacy notice: Update it to cover all the categories above — enrolment data, children's data, CCTV, immigration documents, staff data, and third-party platforms
  3. Data Processing Agreements: Confirm DPAs are in place with every platform you use
  4. Retention schedule: Set and apply specific retention periods for every document type
  5. DSAR procedure: Designate a responsible person and document the process
  6. Consent records: Ensure marketing consents, parental consents for children's photos, and adult student data-sharing consents are recorded and retrievable
  7. Staff training: Ensure all staff who handle personal data understand their obligations

Language schools are trusted with sensitive data by students and families who rely on them. A robust GDPR programme is not just a regulatory obligation — it is part of being a trustworthy institution.


Last updated: March 2026
