Question:

my children go to a nursery.

At the reception they have clipboards from each group of children.

It is like a register in that it contains the names of every child who will be present on that day with their date of birth. You can see if the child is already present or not.

Each person who has a key or is admitted to the building can view this list. The person collecting the child is asked to note the time. But can see all info from other children including their birth date.

Is this permitted under the new GDPR? I do not really feel the need to have their birth date on this list because they are in a certain group whose age is approximate. that is, a 3-year-old will not be in the baby room.

Answer:

A number of considerations from the GDPR apply.

• Data minimization: are the data of interest for the purpose? What is the added value of mentioning photo and date of birth on this list? Is it necessary to mention the children in this way? What goes wrong if photo and date of birth would not be shown?
• What is the legal basis for publishing this data? Has permission been given? Does the organization publish this data from the legitimate interest? How did they substantiate this?
• It is possible to derive sensitive personal data from the photographs. For example, children with a disability (medical data) or is it possible to deduce which racial background the children have?
• What is the risk of this list? What if a child is pictured whose father has a ban on coping? What is the risk that the father will find out about the whereabouts of his child in this way?
• Because it concerns children, extra care is mandatory. The GDPR perceives children as a vulnerable data subject, whereby an increased risk is assumed.
• Are the parents informed (in the privacy statement) which personal data are processed and what happens with this data?

What you can do:

1. Inquire about the purpose and on what legal basis this list is used? If the response is that this is based on consent, then the question is whether consent can be demonstrated. That is mandatory.
2. If the legal basis is an contract that you should have signed, then the question is whether this list is necessary for the performance of the contract. That seems difficult to defend including photo and date of birth.
3. If the legal basis is legitimate interest, you can lodge an objection. This objection must be motivated with circumstances specific to your situation, so what negative impact this list has on your interests (“rights and freedoms”). The nursery must then respond to it.
4. If you do not agree with the response of the nursery, you can submit a complaint (after May 25, 2018) to the Supervisory Authority (ICO in UK).

In my opinion, publishing this list, especially the photos and the date of birth, should be based on consent. Particularly from the fact that it concerns children, and that there may be sensitive personal data involved.

The nursery could also display a list with only the first name and the last letter of the surname, without a picture and date of birth. This could be sufficient for the presence and absence notification. If the staff, to identify the children, also need a picture and or birth date of the children (for example for birthdays), they can also keep an internal list that is not visible to visitors.