AEPD Resolution: EXP202407156

On 29th April 2024, a parent filed a complaint with the Spanish Data Protection Agency against Fundación Educativa Santo Domingo, an educational foundation operating a school (***COLEGIO.1) where the complainant's 13-year-old son was enrolled. The complaint raised serious concerns about forced consent for Google Workspace for Education and inadequate data protection information.

The Parental Complaint: The parent alleged two distinct but related GDPR violations:

1. Forced Consent for Google Services

The school provided the parent with a document requesting consent to open a Google Workspace for Education account for their child. The parent argued this consent was not freely given because:

• If consent was withheld, no alternative methods were provided for teaching the child digital competencies
• The refusal to consent would effectively prevent the child from participating in essential parts of the curriculum
• The consent was presented as mandatory for continued education in the enrolled course
• This constituted conditional consent—consent given under duress rather than freely

Article 7.4 RGPD Context: "When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract."

The parent's position: Making Google Workspace consent a condition for digital education violates the "freely given" requirement because parents face an impossible choice—either consent to Google's data processing or deprive their child of essential education.

2. Incomplete Data Protection Information

The parent complained that the information provided about data processing was incomplete, specifically:

• The documentation did not adequately explain what Google (the service provider) would do with children's data
• There was insufficient detail about the purposes, legal bases, retention periods, and data subject rights regarding Google's processing
• Parents couldn't make informed decisions without understanding how the third-party platform would handle their children's sensitive personal data

Article 13/14 RGPD Context: When collecting personal data, controllers must provide comprehensive information including purposes, legal bases, recipients, retention periods, rights, and (critically for indirect collection) the source of data and categories of data concerned.

The parent's position: The school's information focused on their own processing but inadequately explained Google's role, purposes, and data practices—leaving parents unable to properly evaluate the consent request.

The AEPD's Initial Response:

20th May 2024: The school (Fundación Educativa Santo Domingo) received notification of the complaint transfer under Article 65.4 LOPDGDD.

20th June 2024: The school submitted a response to the AEPD (content not detailed in this resolution).

24th June 2024: The AEPD rejected the complaint (inadmitió a trámite), declining to investigate further.

The Parent's Appeal:

24th July 2024: The parent filed a recurso de reposición (administrative appeal) against the 24th June rejection, challenging the AEPD's decision not to investigate.

29th October 2024: The AEPD issued a resolution upholding the appeal (resolución estimatoria), reversing the initial rejection and formally admitting the complaint for investigation under Article 65 LOPDGDD.

This meant the investigation was now officially active, triggering the preliminary investigation phase.

The Investigation Phase:

The Subdirectorate-General for Data Inspection began actuaciones previas de investigación (preliminary investigation activities) to clarify the facts, exercising powers under Articles 57.1 and 58.1 RGPD.

The Legal Time Limit Problem:

Article 67.2 LOPDGDD establishes strict timeframes for preliminary investigations:

"Preliminary investigation activities [...] may not have a duration exceeding eighteen months from the date of the agreement to admit the claim for processing or from the date of the agreement to initiate them when the Spanish Data Protection Agency acts on its own initiative..."

Additionally, Article 122.4 of the LOPDGDD Development Regulation (Royal Decree 1720/2007) specifies:

"The expiration of the deadline without a start-of-sanction-procedure agreement having been issued and notified will produce the expiration (caducidad) of the preliminary activities."

The Critical Dates:

• Complaint filed: 29th April 2024
• Initial rejection: 24th June 2024
• Appeal filed: 24th July 2024
• Appeal upheld (formal admission): 29th October 2024
• 18-month deadline from admission: 29th April 2026
• Current date of this resolution: 24th January 2026

Wait—Why Did It Expire?

The resolution states: "In the present case, the calculation of the eighteen months of maximum duration of preliminary activities began on 24th June 2024 and they are currently still pending completion, so they must be declared expired."

The Calculation Confusion:

This appears to reference an earlier admission date from the initial processing (24th June 2024) rather than the appeal resolution date (29th October 2024). Spanish administrative law regarding procedural time limits in cases involving appeals and readmissions can be complex, with different interpretations about when time limits begin.

Most Likely Explanation:

• The AEPD may have calculated the 18-month period from the date they first considered the complaint (even though it was initially rejected)
• Or there may have been an internal procedural decision treating 24th June 2024 as the effective admission date
• The resolution's wording suggests the 18-month period had elapsed (or was about to elapse) without the AEPD issuing a formal initiation of sanction proceedings

The Expiration Declaration:

Under Spanish administrative law, caducidad (expiration/lapse) is a procedural consequence that occurs when an administrative body fails to complete proceedings within legally mandated timeframes. It differs from prescripción (statute of limitations):

Caducidad (Expiration):

• Relates to procedural deadlines during active proceedings
• Caused by administrative inaction
• Results in termination of specific proceedings
• Doesn't necessarily prevent reopening with fresh proceedings

Prescripción (Statute of Limitations):

• Relates to time limits for initiating enforcement action
• Caused by passage of time since violation occurred
• Bars future action on that violation
• More permanent and final

In This Case: The AEPD declared caducidad of the preliminary investigation because the 18-month deadline expired without issuing a formal initiation of sanction proceedings against the school.

The Practical Solution:

The AEPD's resolution included a critical second provision:

"SECOND: OPEN new investigation activities and incorporate into these new activities the documentation that comprises the preliminary activities declared expired by this act."

This means:

• The investigation doesn't end
• A new investigation file is opened
• All documentation from the expired proceedings is transferred to the new file
• The investigation can continue, but under a fresh procedural framework with new time limits

Why This Matters:

This procedural reset:

1. Resets the 18-month clock for preliminary investigations
2. Maintains the complaint's viability despite the procedural lapse
3. Allows the AEPD to complete investigations that require more time
4. Protects complainants from losing their cases due to administrative delays
5. Ensures substantive issues (forced consent, inadequate information) can still be examined

The Underlying Substantive Issues (Still Unresolved):

This resolution addresses only the procedural expiration—it makes no findings about the merits of the parent's complaint. The following substantive questions remain pending in the reopened investigation:

Question 1: Is consent for Google Workspace "freely given"?

Legal Framework:

• Article 4.11 RGPD defines consent as "freely given, specific, informed and unambiguous"
• Article 7.4 RGPD raises red flags when consent is conditional on contract performance
• Recital 43 RGPD: "consent is presumed not to be freely given if [...] the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance"

The School's Likely Arguments:

• Digital competence is part of mandatory curriculum
• Google Workspace is an educational tool, not commercial service
• Alternative tools exist but Google integration is pedagogically superior
• Parental consent protects children (under Article 8 RGPD, children under 16 need parental consent for information society services)

The Parent's Arguments:

• If refusing consent prevents education, it's not "free"
• Schools should offer alternative platforms or methods
• Google's commercial data practices raise concerns for children's privacy
• Educational necessity doesn't justify commercial platform lock-in

Question 2: Was information provision adequate?

Legal Requirements (Articles 13-14 RGPD): Controllers must inform about:

• Identity and contact details of controller and DPO
• Purposes and legal basis for processing
• Recipients or categories of recipients (critically: Google's role and purposes)
• Retention periods or criteria
• Rights (access, rectification, erasure, restriction, portability, objection, complaint)
• Whether provision is required and consequences of refusal
• Source of data if not collected from data subject
• Automated decision-making details

Specific Issue—Third-Party Platforms: When schools use Google Workspace, complex controller relationships exist:

• The school is typically the controller for educational purposes
• Google acts as processor for core services (email, storage, classroom management)
• But Google may be independent controller for certain purposes (service improvement, security, aggregated analytics)

Parents need to understand:

• What data Google collects (beyond what school provides)
• What Google does with student data
• Whether Google uses student data for advertising or profiling
• How long Google retains data after student leaves school
• Students' rights regarding Google's processing

The Broader Context—Google Workspace in Education:

This case touches on ongoing global debates about:

Privacy Concerns:

• Google's data collection practices in educational settings
• Commercial platforms in public education
• Children's digital rights and autonomy
• Parental control vs. children's independence

Educational Technology Tensions:

• Pedagogical benefits of integrated platforms
• Vendor lock-in and dependency
• Digital divide (students without internet/devices)
• Open-source vs. commercial solutions

GDPR Compliance Challenges:

• Article 8 RGPD (children's consent for information society services)
• Article 6.1(f) RGPD (legitimate interests vs. children's special protection)
• Data Protection Impact Assessments for children's data (Article 35 RGPD)
• Accountability obligations when using third-party processors

European Guidance:

• EDPB Guidelines on consent
• National authority guidance on schools and edtech
• ICO (UK) Age-Appropriate Design Code
• Various national investigations into Google/Microsoft in education

Based on Resolution EXP202407156 (though this case remains unresolved), educational institutions using third-party platforms must implement the following protocol:

1. Ensure Consent is Genuinely "Freely Given"

The "freely given" requirement is especially strict for children's data and educational contexts.

Action:
Provide Meaningful Alternatives:

• If requiring Google Workspace consent, offer equivalent educational pathways using different platforms or methods
• Don't make platform consent a prerequisite for curriculum participation
• Document that educational outcomes are achievable without specific commercial platform

Restructure Consent Requests:

• Frame as: "We recommend Google Workspace for [benefits], but you can choose [Alternative A: Microsoft, Alternative B: Open-source, Alternative C: Offline methods]"
• Not as: "Sign this or your child can't participate in digital education"

Legal Shield: Article 7.4 RGPD scrutinizes conditional consent. Courts increasingly hold that "take it or leave it" isn't freely given, especially for essential services like education.

2. Comprehensive Information for Parental Consent

Parents need complete information about ALL controllers and processors, not just the school.

Mandatory Disclosures (Articles 13-14 RGPD):

About the School's Processing:

• What student data the school collects
• Why (educational administration, safety, curriculum delivery)
• Legal basis (usually public task under Article 6.1(e) or legitimate interests under 6.1(f))
• Retention periods
• Rights

About Google's Processing:

• Google's role (processor for some purposes, independent controller for others)
• What data Google receives (from school and directly from students)
• What Google does with it (service provision, security, analytics, service improvement)
• Whether Google uses student data for advertising (must be "no" under most education agreements)
• Whether Google creates student profiles for non-educational purposes
• How long Google retains data
• Students' rights regarding Google's processing
• How to exercise rights against Google

Transparency Framework: Create layered information:

• Layer 1 (Short notice at consent point): "Your child will use Google Workspace. Google will access [types of data] for [purposes]. Full details: [link]"
• Layer 2 (Detailed privacy notice): Complete Article 13/14 information for both school and Google
• Layer 3 (FAQs): Common parental questions about data security, commercial use, long-term retention

3. Understand Controller vs. Processor Relationships

Many schools mistakenly believe: "Google is our processor, so we don't need to explain their processing."

Critical Distinction:

Google as Processor (Article 28 RGPD):

• For core educational services (email, document storage, Classroom)
• Processes on school's behalf and instructions
• Covered by Data Processing Agreement between school and Google
• School remains primarily responsible

Google as Independent Controller:

• For security, service improvement, aggregated analytics
• For certain AI/ML features
• For compliance with legal obligations
• Google determines purposes/means independently

Compliance Requirement:

• Parents must be informed about BOTH roles
• Can't hide behind "it's just our processor" when Google also acts as controller for some purposes
• Must explain the dual relationship clearly

4. Article 8 RGPD Compliance for Children Under 16

Spain sets the age of digital consent at 14 years (Article 7 LOPDGDD).

The 13-Year-Old in This Case:

• Requires parental consent for Google Workspace (information society service)
• Cannot validly consent themselves
• Parents must receive complete information to consent on child's behalf

Compliance Protocol:

• Verify student age before allowing platform access
• Obtain verifiable parental consent (not just tick-box)
• Provide parents with comprehensive information
• Implement age-appropriate safeguards (restricted features for younger users)
• Review consent annually or when students reach age of digital majority

5. Conduct Data Protection Impact Assessments

Article 35 RGPD requires DPIAs for processing likely to result in high risk, including:

• Large-scale processing of special categories of data
• Systematic monitoring
• Processing children's data at scale

Educational Platforms + Children = Mandatory DPIA:

Assessment Must Cover:

• Necessity and proportionality of platform choice
• Risks to children's rights and freedoms
• Whether less intrusive alternatives exist
• Security measures and safeguards
• Consultation with Data Protection Officer
• If high risk remains, consultation with AEPD before proceeding

6. Leverage Educational Data Processing Agreements

Google offers specific agreements for education:

• Google Workspace for Education Agreement
• Data Processing Amendment
• Student Privacy Pledge (in some jurisdictions)

School Must:

• Execute proper contractual arrangements
• Understand exactly what Google can/cannot do with student data
• Configure platform to maximize privacy (disable commercial features)
• Audit compliance regularly
• Maintain documentation proving Google acts as compliant processor

7. Parental Rights Management

Parents retain GDPR rights regarding their children's data.

Must Facilitate:

• Access: Parents can request copies of child's data held by school and Google
• Rectification: Correct inaccurate information
• Erasure: Delete data when no longer necessary (subject to legal retention requirements)
• Restriction: Limit processing in certain circumstances
• Portability: Provide data in structured, machine-readable format
• Objection: Object to certain types of processing

Implementation:

• Clear procedures for parental rights requests
• Coordinate with Google for data held by them
• Response within one month (Article 12.3 RGPD)
• Document all requests and responses

8. Alternative Education Pathways

To ensure consent is "freely given," provide genuine alternatives:

Digital Competence Without Google:

• Open-source alternatives (Moodle, Nextcloud, LibreOffice Online)
• Microsoft 365 Education (different platform, similar features)
• Hybrid approach (some digital, some traditional methods)
• Device-agnostic curriculum (works on any platform)

Document Equivalence:

• Demonstrate students achieve same learning outcomes regardless of platform choice
• Provide teachers with training on multiple platforms
• Ensure assessment methods don't depend on specific tools

9. Ongoing Monitoring and Review

GDPR compliance isn't one-time.

Annual Reviews:

• Review privacy notices for accuracy
• Update information about platform changes
• Re-assess necessity of third-party platforms
• Conduct spot-checks on consent forms
• Audit Google's compliance with agreements
• Survey parents about information clarity

Trigger Reviews When:

• Platform provider changes terms
• New features added to platform
• Data breaches or security incidents
• Regulatory guidance updates
• Complaints received

10. Learn from Procedural Deadlines

Whilst this case involves AEPD internal time limits, businesses facing investigations should understand:

Your Timeline Obligations:

• Respond to AEPD information requests within specified deadlines
• Provide complete, accurate information promptly
• Don't assume investigations will simply expire
• Cooperate fully even if you believe complaint is unfounded

AEPD's Timeline:

• Preliminary investigations: 18 months maximum
• Can reopen with new file if expired (as happened here)
• Statute of limitations: 3 years for very serious infractions from when AEPD becomes aware