GDPR for Online Tutors and Tutoring Platforms
Teaching online means processing student data — here's what tutors need to know
Tags: GDPR, Online Tutors, Education, Data Protection
Whether you teach maths to primary school children or business English to professionals, running an online tutoring business means processing personal data every day. Student names, email addresses, session recordings, payment details, and progress notes all fall under GDPR. And if you teach children, there's an additional layer of regulation you cannot afford to ignore.
This guide cuts through the legal complexity and gives online tutors, tutoring agencies, and education platforms a practical compliance roadmap.
1. Why GDPR Applies to Online Tutors
The moment you collect a prospective student's email address, GDPR applies. As an online tutor — whether sole trader, limited company, or marketplace platform — you are a data controller under UK and EU GDPR. That means you determine the purposes and means of processing personal data, and you bear responsibility for doing it lawfully.
The personal data you're likely processing includes:
- Student names and contact details — emails, phone numbers, home addresses
- Parent and guardian details — for under-18 students
- Session recordings — video, audio, or screen captures from Zoom, Teams, or Google Meet
- Payment information — collected directly or via Stripe, PayPal, or GoCardless
- Progress notes and assessments — lesson plans, homework feedback, academic performance
- Booking and scheduling data — timestamps, session history, cancellation records
- Special category data — if a student has learning difficulties, disabilities, or mental health conditions, that's sensitive data under Article 9 GDPR
Each category needs a lawful basis, a retention period, and appropriate security measures. Ignoring GDPR because you're a solo tutor with five students is not a defence — the regulation applies regardless of business size.
2. Children's Data: The Parental Consent Rules Under Article 8
If you teach children, GDPR's Article 8 creates specific obligations around consent. This is one of the most misunderstood areas of privacy law in education.
The age thresholds:
- UK GDPR: Children under 13 require parental or guardian consent for processing based on consent
- EU GDPR: The threshold is 16 by default, though member states can lower it to 13
- COPPA (US): If you have US students, the Children's Online Privacy Protection Act sets a threshold of 13
What this means in practice:
If you're collecting data from a child under the applicable age limit and your lawful basis is consent, that consent must come from the parent or guardian — not the child. A child clicking "I agree" to your terms of service is legally meaningless.
However, consent isn't always the right lawful basis. If you have a tutoring contract with the parent, contractual necessity (Article 6(1)(b)) often applies more cleanly. Processing a student's name, contact details, and progress notes to deliver the tutoring service you've been hired to provide is necessary for the contract, with no separate consent tick-box required. One caveat worth writing down: Article 6(1)(b) covers a contract the data subject is party to, and when a parent signs up a child it is the parent, not the child, who is party to it. Many tutors therefore record legitimate interests (Article 6(1)(f)) as the basis for the child's own data, with contractual necessity covering the parent's.
Where consent IS the basis — such as for marketing emails or optional features — you must:
- Verify the parent's age and identity (proportionately)
- Store evidence of parental consent
- Give parents a clear, easy way to withdraw consent
- Not make your service conditional on consenting to optional processing
Practical tip: Build a parent intake form that captures consent clearly, explains what data you collect, why, and how long you keep it. Store that form securely and review it annually.
3. Session Recordings: Legal Basis, Storage, Retention, and Deletion
Recording sessions is common practice for online tutors: playback helps students review material, and recordings protect tutors in case of disputes. But recordings of minors need particular care. A video of a child is not automatically biometric data (under GDPR, footage only becomes biometric data when it is processed by specific technical means to uniquely identify someone, such as facial recognition), but it is identifiable personal data of everyone in the frame and, if it reveals health conditions or learning difficulties, special category data under Article 9.
Choosing your lawful basis for recordings:
- Consent is the most common approach but requires genuine, freely given consent. If students or parents feel they must agree to be recorded to access your service, that's not free consent.
- Legitimate interests (Article 6(1)(f)) works if you can demonstrate the recording is genuinely necessary for the tutoring relationship and the student's interests don't override yours. A Legitimate Interests Assessment (LIA) should document this.
- Contractual necessity can apply if your service is explicitly described as recorded in the contract.
Storage and security:
- Store recordings in an encrypted, access-controlled location, with multi-factor authentication on the account that holds them (not an unprotected or anyone-with-the-link Google Drive folder)
- Limit access to only those who need it — don't share recordings with staff members who weren't part of the session
- Use cloud storage with a signed Data Processing Agreement (DPA) — Zoom, Google Drive, and Dropbox all offer this
Retention:
Define a retention period and stick to it. Thirty to ninety days is common for most tutoring contexts. If a recording is kept for legitimate educational purposes, document the reason. When the retention period expires, delete the recording — don't let them accumulate indefinitely.
Deletion:
Have a clear process for deleting recordings on request or at the end of an engagement. If a parent or student submits an erasure request, you should be able to find and delete the relevant recordings within one calendar month (the GDPR deadline for responding to data subject requests), and that includes copies in the conferencing tool's own cloud storage, not just the ones you downloaded.
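Retention is only a policy until something enforces it. The following script is an added example (not part of the original article or any Custodia tooling) of a sweep that does what the two paragraphs above describe: delete recordings past the retention period, skip the ones you have documented a reason to keep, log every deletion, and handle a per-student erasure request. It assumes a layout that is mine, not the article's: recordings in one folder named `<student_id>_<date>.mp4`, and a `holds.json` file beside them mapping a filename to the written reason it is retained.

```python
"""Retention sweep for session recordings (added example, not from the article).

Assumed layout (not from the article): recordings live in one directory as
<student_id>_<YYYYMMDD>.mp4, and holds.json in that directory maps a file name
to the documented reason it is kept beyond the retention period.
"""
from __future__ import annotations

import json
import time
from pathlib import Path

RETENTION_DAYS = 90  # upper end of the 30-90 day range the article suggests
LOG_NAME = "deletion.log"
HOLDS_NAME = "holds.json"


def load_holds(root: Path) -> dict[str, str]:
    """Return {filename: reason} for recordings exempt from the sweep.

    A hold without a written reason is rejected: the rule is that anything
    kept longer than the retention period must have its purpose documented.
    """
    holds_file = root / HOLDS_NAME
    if not holds_file.exists():
        return {}
    holds = json.loads(holds_file.read_text(encoding="utf-8"))
    for name, reason in holds.items():
        if not isinstance(reason, str) or not reason.strip():
            raise ValueError(f"hold on {name!r} has no documented reason")
    return holds


def _log(root: Path, now: float, message: str) -> None:
    """Append one timestamped line to the audit log next to the recordings."""
    stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now))
    with (root / LOG_NAME).open("a", encoding="utf-8") as fh:
        fh.write(f"{stamp} {message}\n")


def sweep(root: Path, retention_days: int = RETENTION_DAYS,
          now: float | None = None) -> dict[str, list[str]]:
    """Delete recordings older than retention_days unless they are on hold.

    Age is taken from the file's modification time. Returns the names that
    were deleted, held back, or still inside the retention window.
    """
    now = time.time() if now is None else now
    cutoff = now - retention_days * 86400
    holds = load_holds(root)
    result: dict[str, list[str]] = {"deleted": [], "held": [], "retained": []}
    for path in sorted(root.glob("*.mp4")):
        if path.stat().st_mtime >= cutoff:
            result["retained"].append(path.name)
        elif path.name in holds:
            result["held"].append(path.name)
            _log(root, now, f"held {path.name}: {holds[path.name]}")
        else:
            path.unlink()
            _log(root, now, f"deleted {path.name}: older than {retention_days} days")
            result["deleted"].append(path.name)
    return result


def erase_student(root: Path, student_id: str,
                  now: float | None = None) -> dict[str, list[str]]:
    """Erasure request: delete every recording for one student regardless of age.

    Recordings on hold are not deleted automatically; they are reported so the
    tutor decides whether the hold (for example an open dispute) still applies.
    """
    now = time.time() if now is None else now
    holds = load_holds(root)
    result: dict[str, list[str]] = {"deleted": [], "held": []}
    for path in sorted(root.glob(f"{student_id}_*.mp4")):
        if path.name in holds:
            result["held"].append(path.name)
        else:
            path.unlink()
            _log(root, now, f"deleted {path.name}: erasure request for {student_id}")
            result["deleted"].append(path.name)
    return result


if __name__ == "__main__":
    import sys
    folder = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    print(sweep(folder))
```

Run it from cron or a scheduled task with the folder path as the argument. Two design points: a hold without a written reason is rejected rather than silently honoured, and an erasure request does not delete recordings on hold automatically, because Article 17(3)(e) lets you keep data needed for legal claims; the script reports them so that decision is made deliberately. It only covers files you hold locally; recordings sitting in Zoom's or Google Drive's cloud have to be deleted there as well.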
4. Booking Platforms and Scheduling Tools as Data Processors
Calendly, Acuity Scheduling, SimplyBook.me, and similar tools process personal data on your behalf. Under GDPR, that makes them data processors — and you need a Data Processing Agreement (DPA) in place.
What a DPA requires:
- The processor only processes data on your documented instructions
- They implement appropriate security measures
- They don't engage sub-processors without your prior written authorisation (a general authorisation is allowed, but then they must tell you about changes so you can object)
- They help you respond to data subject requests
- They delete or return data when the contract ends
In practice:
Most major scheduling platforms offer DPAs in their Terms of Service or on request. Calendly, for example, includes standard contractual clauses in its DPA for EU data transfers. Download and store these agreements — if you're ever investigated by a data protection authority, you'll need to show them.
Check where your booking platform stores data. If it's US-based and you have EU or UK students, you need a valid legal mechanism for international data transfers (see Section 5 on video conferencing tools for more on this).
5. Video Conferencing Tools: Zoom, Teams, Google Meet
Zoom, Microsoft Teams, and Google Meet are the backbone of online tutoring — and all three are US-based companies with complex data flows.
Zoom: Processes video, audio, chat, and participant metadata. Zoom offers a DPA for Business accounts and above. Under standard terms, Zoom may retain some session data for service improvement. For child safety, enable Waiting Rooms, disable Join Before Host, and restrict screen sharing.
Microsoft Teams: Part of Microsoft 365, which has robust GDPR documentation and DPAs available via the Microsoft Products and Services Data Protection Addendum. Teams stores data in data centres aligned to your tenant's geographic region — good for EU data sovereignty.
Google Meet: Covered by Google Workspace's DPA. Google commits not to use Workspace data for advertising. Check your Google Workspace edition — free Gmail accounts don't carry the same DPA protections as paid Workspace accounts.
International transfer concerns:
All three are US companies. Post-Schrems II, transfers from the EU to the US need a valid mechanism: Standard Contractual Clauses (SCCs) together with a transfer risk assessment, or the EU-US Data Privacy Framework for companies on its certified list. Transfers from the UK need the ICO's International Data Transfer Agreement (or its Addendum to the SCCs) or the UK Extension to the Data Privacy Framework. Zoom, Microsoft, and Google are all certified, but check the current DPF list yourself rather than taking it on trust, and record the mechanism you rely on in your records of processing activities (ROPA).
6. Learning Management Systems: DPA Requirements
If you use Moodle, Teachable, Thinkific, Kajabi, or similar LMS platforms to host course content, assessments, and student progress data, the same processor rules apply.
Moodle (self-hosted): You control the data. But your hosting provider is a processor — get a DPA from them.
Teachable, Thinkific, Kajabi: All US-based SaaS platforms. Check their DPA availability (Teachable offers one; Thinkific does too). These platforms store student enrollment data, quiz results, completion rates, and sometimes payment information — significant data holdings that need proper agreements.
What to look for in an LMS DPA:
- Data residency options (can you keep EU student data in the EU?)
- Sub-processor lists (who else does the LMS share data with?)
- Breach notification timelines (under Article 33 a processor must tell you without undue delay, and you then have 72 hours from becoming aware to notify your supervisory authority where the breach is likely to result in a risk to individuals, so the LMS's commitment needs to leave you room inside that window)
- Data deletion on termination of the contract
Run a free Custodia scan at https://app.custodia-privacy.com/scan to see which third-party tools your tutoring website is loading — you may be surprised how many processors you're already working with without formal agreements.
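To see what a scan like that is looking for, here is an added example (my code, not Custodia's scanner or anything from the article) that inventories the third-party hosts a page loads resources from and maps them to the processor you would need an agreement with. The HTML is a constructed sample of a typical tutor landing page, and the site hostname and the vendor table are assumptions for illustration.

```python
"""Inventory of third-party loads on a web page (added example, not from the article)."""
from __future__ import annotations

from html.parser import HTMLParser
from urllib.parse import urlsplit

# Illustrative vendor table (assumption): host suffix -> processor you would need a DPA with.
KNOWN_PROCESSORS = {
    "calendly.com": "Calendly (booking)",
    "zoom.us": "Zoom (video)",
    "stripe.com": "Stripe (payments)",
    "googletagmanager.com": "Google Tag Manager (tags/analytics)",
    "google-analytics.com": "Google Analytics",
    "youtube.com": "YouTube (embedded video)",
    "list-manage.com": "Mailchimp (email marketing forms)",
}

# Tags whose attribute causes the browser (or the visitor's form post) to contact another host.
RESOURCE_ATTRS = {"script": "src", "iframe": "src", "img": "src", "link": "href", "form": "action"}
LOADING_LINK_RELS = {"stylesheet", "preload", "preconnect", "dns-prefetch", "prefetch"}


class _LoaderParser(HTMLParser):
    """Collect (tag, url) pairs for every resource-loading tag in the document."""

    def __init__(self) -> None:
        super().__init__()
        self.urls: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        d = dict(attrs)  # attribute values may be None for bare attributes
        if tag == "link":
            rels = set((d.get("rel") or "").lower().split())
            if not rels & LOADING_LINK_RELS:
                return  # icons, canonical, alternate: no third-party load
        value = d.get(attr)
        if value:
            self.urls.append((tag, value))


def _host(url: str) -> str | None:
    """Hostname for http(s) URLs; None for relative, data:, mailto:, javascript: etc."""
    url = url.strip()
    if url.startswith("//"):
        url = "https:" + url  # protocol-relative URL still hits a remote host
    parts = urlsplit(url)
    if parts.scheme not in {"http", "https"}:
        return None
    return parts.hostname.lower() if parts.hostname else None


def _same_site(host: str, site_host: str) -> bool:
    return host == site_host or host.endswith("." + site_host)


def third_party_loads(html: str, site_host: str) -> dict[str, set[str]]:
    """Return {third_party_host: {tags that load it}} for one page of HTML."""
    parser = _LoaderParser()
    parser.feed(html)
    site_host = site_host.lower()
    found: dict[str, set[str]] = {}
    for tag, url in parser.urls:
        host = _host(url)
        if host is None or _same_site(host, site_host):
            continue
        found.setdefault(host, set()).add(tag)
    return found


def identify_processors(hosts) -> dict[str, str]:
    """Map each third-party host to a vendor in KNOWN_PROCESSORS, else flag it as unknown."""
    out: dict[str, str] = {}
    for host in hosts:
        label = "unknown (find out who operates this domain)"
        for suffix, name in KNOWN_PROCESSORS.items():
            if host == suffix or host.endswith("." + suffix):
                label = name
                break
        out[host] = label
    return out


# Constructed sample page (assumption): a tutor's landing page with typical embeds.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<link rel="icon" href="/favicon.ico">
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE"></script>
<script src="//js.stripe.com/v3/"></script>
<script>console.log('inline script, no third party');</script>
</head><body>
<img src="https://cdn.example-tutor.co.uk/logo.png">
<img src="data:image/png;base64,iVBORw0KGgo=">
<iframe src="https://calendly.com/example-tutor/30min"></iframe>
<iframe src="https://www.youtube.com/embed/abc123"></iframe>
<form action="https://example-tutor.us1.list-manage.com/subscribe/post"><input name="EMAIL"></form>
</body></html>
"""

if __name__ == "__main__":
    loads = third_party_loads(SAMPLE_HTML, "example-tutor.co.uk")
    for host, vendor in identify_processors(loads).items():
        print(f"{host:40} {sorted(loads[host])} -> {vendor}")
```

A static parse like this only sees what is in the HTML you fetched: tags that load other tags at runtime (Google Tag Manager is the usual culprit) will not reveal the scripts they inject, so treat the result as a lower bound and confirm it against the network tab of a real browser session on the page. Anything that comes back as unknown still needs an owner and an agreement.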
7. Email Marketing to Past Students and Parents
When a tutoring engagement ends, many tutors keep former students on their mailing list for newsletters, promotions, or re-enrollment campaigns. This is where GDPR bites hardest.
Consent vs. legitimate interests:
- Consent is the cleaner basis for direct marketing. You need an explicit opt-in at the point of collection; pre-ticked boxes don't count.
- Legitimate interests can support marketing to existing customers, relying on the "soft opt-in" exemption in the UK's PECR regulations, but only if all of the following hold:
  - You obtained the contact details in the course of selling (or negotiating to sell) your tutoring service to that person
  - You are marketing only your own similar services
  - You gave them a clear chance to opt out when you collected their details
  - You offer an easy opt-out in every email
Practical rules:
- Use a proper email marketing platform (Mailchimp, ConvertKit, ActiveCampaign) with a DPA — never send marketing from a personal Gmail account with a BCC list
- Segment your list: parents of current students, parents of former students, adult students, prospective students — each may have different legal bases
- Keep suppression lists: if someone unsubscribes, record that fact and keep it rather than simply deleting the contact, so a later re-import of old intake forms can't put them back on the list
- For child-related marketing, always target the parent — never the child
8. Privacy Notices for Students and Parents
Under GDPR Articles 13 and 14, you must provide a privacy notice at the point of data collection. For online tutors, this typically means a privacy notice on your website and a more detailed intake document shared when a new student enrols.
Your privacy notice should include:
- Your identity and contact details (and your Data Protection Officer's contact details if you've appointed one)
- What personal data you collect and why
- The lawful basis for each processing activity
- How long you retain data
- Who you share data with (Zoom, your booking platform, your email provider, payment processors)
- Data subjects' rights (access, erasure, rectification, portability, objection)
- How to complain to the ICO (UK) or relevant supervisory authority (EU)
- Whether data is transferred outside the UK/EU and what safeguards are in place
Keep it plain English. A privacy notice full of legal jargon that parents can't understand doesn't discharge your obligations effectively. Write it as if explaining to a sensible parent who has never heard of GDPR.
9. DSAR Handling: Student or Parent Requesting Their Data
A Data Subject Access Request (DSAR) is a legal right. Any student (or parent, on behalf of a child) can ask you to provide all personal data you hold about them. You have one calendar month to respond, and you cannot charge a fee for most requests.
What you need to be able to produce:
- Contact details and intake forms
- Session notes and progress records
- Payment history
- Email correspondence
- Session recordings (if retained)
- Any notes in scheduling or booking systems
Common tutoring DSAR mistakes:
- Forgetting recordings held in Zoom or Google Drive
- Thinking WhatsApp messages don't count — they do
- Sending data via unencrypted email (use a secure file transfer or password-protected document)
- Missing the one-month deadline (you can extend by two months for complex requests, but must notify the requester within the first month)
Build a simple DSAR log. When you receive a request, note the date, the requester's identity, what data you provided, and when. If you use Custodia, the platform can help you manage DSAR workflows and generate compliant responses.
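As an added example (not from the article or Custodia), the following module implements that log together with the part tutors most often get wrong, the deadline arithmetic: one calendar month from the day of receipt using the ICO's corresponding-date rule, the last day of the month when there is no corresponding date (31 January plus one month is 28 or 29 February), a deadline that lands on a weekend rolling to the next working day, and the Article 12(3) extension only being valid if the requester is told within the first month. Request IDs, requester descriptions and the list of systems to search are illustrative assumptions; public holidays are not modelled.

```python
"""DSAR log with deadline tracking (added example, not from the article)."""
from __future__ import annotations

import calendar
import json
from dataclasses import asdict, dataclass, field
from datetime import date, timedelta
from pathlib import Path

# Places a tutor typically holds data; taken from the article's DSAR checklist.
SYSTEMS_TO_CHECK = [
    "intake forms", "session notes", "payment history", "email",
    "recordings (Zoom/Drive)", "booking system", "WhatsApp/messaging",
]


def add_months(start: date, months: int) -> date:
    """Calendar-month arithmetic: the corresponding date in the later month, or
    the last day of that month if no such date exists (ICO's rule)."""
    month_index = start.month - 1 + months
    year = start.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def response_deadline(received: date, extended: bool = False) -> date:
    """One calendar month from receipt, or three with an Article 12(3) extension.
    A deadline on a weekend rolls to the next working day (ICO guidance);
    public holidays are deliberately not modelled here (assumption)."""
    due = add_months(received, 3 if extended else 1)
    while due.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
        due += timedelta(days=1)
    return due


@dataclass
class DsarRecord:
    request_id: str
    received: str                 # ISO date the request arrived
    requester: str                # who asked, and how you checked their identity
    on_behalf_of: str = ""        # the data subject if different, e.g. the child
    systems_checked: list[str] = field(default_factory=list)
    extended: bool = False
    extension_notified_on: str | None = None
    responded_on: str | None = None
    notes: str = ""

    def deadline(self) -> date:
        return response_deadline(date.fromisoformat(self.received), self.extended)

    def extend(self, today: date, reason: str) -> None:
        """Record an extension; invalid once the first-month deadline has passed."""
        if today > response_deadline(date.fromisoformat(self.received)):
            raise ValueError("too late to extend: first-month deadline already passed")
        self.extended = True
        self.extension_notified_on = today.isoformat()
        self.notes = (self.notes + f" extended: {reason}").strip()

    def is_overdue(self, today: date) -> bool:
        return self.responded_on is None and today > self.deadline()

    def unchecked_systems(self) -> list[str]:
        """Systems not yet searched; an empty list means the search is complete."""
        return [s for s in SYSTEMS_TO_CHECK if s not in self.systems_checked]


def append_log(log_path: Path, record: DsarRecord) -> None:
    """Append-only JSON-lines log: each update is a new line, never an edit."""
    with log_path.open("a", encoding="utf-8") as fh:
        fh.write(json.dumps(asdict(record)) + "\n")


def latest_records(log_path: Path) -> dict[str, DsarRecord]:
    """Most recent line per request_id, so updates supersede earlier entries."""
    latest: dict[str, DsarRecord] = {}
    for line in log_path.read_text(encoding="utf-8").splitlines():
        rec = DsarRecord(**json.loads(line))
        latest[rec.request_id] = rec
    return latest


def overdue(log_path: Path, today: date) -> list[str]:
    """Request IDs that are unanswered and past their deadline."""
    return [rid for rid, rec in latest_records(log_path).items() if rec.is_overdue(today)]


if __name__ == "__main__":
    today = date.today()
    rec = DsarRecord("DSAR-DEMO", today.isoformat(), "parent, ID checked on video call", "child")
    print("respond by", rec.deadline(), "still to search:", rec.unchecked_systems())
```

The log is append-only and the latest line per request wins, which gives you the history a supervisory authority would ask for without an update ever overwriting the record of when the request arrived. Checking `unchecked_systems()` before sending the response is the cheap way to avoid the Zoom, Drive and WhatsApp omissions listed above.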
10. Compliance Checklist
Solo Tutor
- [ ] Pay the data protection fee to the ICO (UK tutors: mandatory for most controllers unless an exemption applies; it's an annual fee)
- [ ] Create a privacy notice and publish it on your website
- [ ] Identify the lawful basis for each type of data processing
- [ ] Sign DPAs with Zoom/Teams/Meet, your booking platform, and your email provider
- [ ] Set a session recording retention period and delete recordings on schedule
- [ ] Create a parental consent form for students under 13 (UK) or 16 (EU default)
- [ ] Set up a DSAR process — even if it's just a dedicated email address and a checklist
- [ ] Run a Custodia scan to check what your website is loading: https://app.custodia-privacy.com/scan
Tutoring Agency
Everything above, plus:
- [ ] Maintain Records of Processing Activities (ROPA) under Article 30
- [ ] Sign DPAs with tutors who process data on your behalf (if applicable)
- [ ] Implement a data breach response plan (notify the ICO/supervisory authority within 72 hours of becoming aware where the breach is likely to result in a risk to individuals, and tell affected parents or students without undue delay where that risk is high)
- [ ] Conduct a Legitimate Interests Assessment if using LI as a lawful basis
- [ ] Appoint a Data Protection Officer where Article 37 requires it: core activities involving large-scale, regular and systematic monitoring, or large-scale special category data. Children's data at scale often meets that bar, and appointing one voluntarily is fine either way
- [ ] Review contracts with schools or institutional clients — they may require specific GDPR commitments from you
Tutoring Platform (marketplace or LMS)
Everything above, plus:
- [ ] Determine whether you're a controller or processor for tutor-uploaded content
- [ ] Implement age verification or parental consent mechanisms at registration
- [ ] Publish and maintain a sub-processor list, and notify customers before adding to it
- [ ] Conduct Data Protection Impact Assessments (DPIAs, Article 35) for new features involving personal data, particularly anything touching children's data, special category data, or monitoring
- [ ] Build DSAR automation — manual responses don't scale
- [ ] Implement data minimisation by design — collect only what you need
- [ ] Consider a Cookie Consent Management Platform (CMP) for your website
Getting Started
GDPR compliance for online tutors doesn't have to be expensive or complicated. Most of it comes down to knowing what data you hold, why you hold it, and having the right agreements in place with your technology providers.
Start with a free website scan from Custodia — it identifies every tracker and third-party tool your site is loading, so you know exactly which processors you need to address: https://app.custodia-privacy.com/scan
From there, you can generate a privacy policy that actually reflects your setup, set up a cookie consent banner that's legally compliant, and work through the processor agreement checklist systematically.
This article provides general guidance on GDPR obligations for online tutors and tutoring platforms. It does not constitute legal advice. Your specific obligations depend on your jurisdiction, the ages of your students, and the tools you use. Consult a qualified data protection advisor for advice tailored to your situation.