The first question to ask regarding question nr. 1 is whether GDPR applies. In other words, is the display of physical pictures of groups (classes?) of school’s past students on corridors and walls covered by the material scope of the GDPR?
GDPR applies by virtue of its material scope (Art. 2 GDPR) where processing of personal data is taking place fully or partly by automated means, or when the processing is part of a filing system (or is intended to be).
The physical pictures displayed on the corridors and walls are not processed by automated means, so it boils down to the following question: Is it part of a filing system?
The definition of a filing system is defined in Art. 4(6) GDPR:
‘filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
Meaning that any structured set of personal data which is accessible according to specific criteria is a filing system, and thus subject to the GDPR. The question then arises as to whether the pictures displayed on the corridors and walls are structured & personal data.
Photos of groups of past students obviously fit in the definition of personal data (Art. 4(1) GDPR). They are likely either identified or identifiable, if only even because some schools keep records longer than needed.
The question which then needs to be asked is whether the personal data (pictures of groups of students) are displayed in a structured manner. In the judgement of Case C‑25/17 the CJEU addressed this and considered as follows:
- […] the content of a filing system must be structured in order to allow easy access to personal data. Furthermore, although Article 2(c) of that directive does not set out the criteria according to which that filing system must be structured, it is clear from those recitals that those criteria must be ‘relat[ed] to individuals’. Therefore, it appears that the requirement that the set of personal data must be ‘structured according to specific criteria’ is simply intended to enable personal data to be easily retrieved.
- Apart from that requirement, Article 2(c) of Directive 95/46 does not lay down the practical means by which a filing system is be structured or the form in which it is to be presented. In particular, it does not follow from that provision, or from any other provision of that directive, that the personal data at issue must be contained in data sheets or specific lists or in another search method, in order to establish the existence of a filing system within the meaning of that directive.
- Therefore, the answer to Question 2 is that Article 2(c) of Directive 95/46 must be interpreted as meaning that the concept of a ‘filing system’, referred to by that provision, covers a set of personal data collected in the course of door-to-door preaching, consisting of the names and addresses and other information concerning the persons contacted, if those data are structured according to specific criteria which, in practice, enable them to be easily retrieved for subsequent use. In order for such a set of data to fall within that concept, it is not necessary that they include data sheets, specific lists or other search methods.
In summary, the form and criteria of the data collected is irrelevant and the retrievability of the information is the important factor.
You have mentioned elsewhere that pictures are systematically displayed by year and class, and that one of the schools are displaying the names as well, while the others one only show the year and the picture.
Taking that into account, in my opinion, the displaying of those pictures meets all criteria for being a filing system. Pictures of groups (classes?) of students are systematically displayed and ordered by year and class, the information (personal data) is easily retrievable, an individual can search by year and class and subsequently access information related to individuals easily. No one would have difficulty finding individuals in the picture: e.g. John Doe graduated in 2010 from the School, he can then both be found by year, and be found even faster by year. Additionally the displaying of names makes it even easier to retrieve personal data of individuals.
The pictures on the wall are thus subject to GDPR and the principles laid out in Article 5 GDPR should be applied, such as but not limited to, basing the processing (display) of those pictures on a lawful ground.
Regarding the lawfulness of processing (displaying) these pictures and legitimate and public interest.
Public interest requires that it is necessary for some public interest. That interest must be set out in EU or national law. It is obvious to me that there is no public interest in displaying those pictures.
There may be a legitimate interest in displaying those pictures, ideally the way to go about this is informing students in advance (from now on) that if they are on the class picture of this year their picture will be hung on the wall, allowing them the opportunity to opt-out by not going on the picture.
The legitimate interest would be something like what you mentioned, I would recommend that you do a balancing test of your interest and the interest of the students and put everything on paper.
Regarding your second question ‘keeping archives of students and teachers longer than legal retention periods.’
This is absolutely a no-go. You as a controller should define retention periods for keeping student and teacher records, such retention periods should already be set-out in your records of processing activities, keeping records after that is absolutely, without a doubt, illegal.
There may of course be legitimate reasons to keep records longer than the legal obligation to keep certain records, such as your own legitimate interest. But before records are retained there should be an actual legitimate interest, on paper, with a proper balancing test addressing all aspects of the LI.
Keeping records for something like ‘school memory’ or ‘archiving purposes for historical research’ is a big red flag and not in compliance with Data Protection legislation and principles. There’s no such thing as school memory, imagine companies keeping your data forever because of ‘company memory’ or ‘well, we would like to just know everything about you forever’, you get where I am going with here.
Keeping records of historical research may be legitimate provided that you for example anonymize (and actually anonymize) sets of data on which historical research can be preformed. Not keeping the exact records for ever just in case some researches want to look at it a hundred years from now, it probably won’t ever happen, and I doubt the school has done any such research yet as of to date.
Where I am you can request certificates such as your school diploma from the Government and the schools don’t keep such records after a certain period of time. If this is really a thing in Belgium I would just go off on consent and making it the choice of the student. When they leave school ask can we retain this information for 100 years in case you need it or not, if not or if consent is later withdrawn just delete the records. (and if consent is given, only keep records that are relevant for that purpose, not some teacher notes from 20 years ago…)