directions – Data Protection Certification for Educational Information Systems
Learning made simple and secure: with certified data protection
About the project
With the growing use of digital tools in schools, increasing amounts of personal data are being processed, predominantly data of underage students. Whether these tools comply with data protection law is difficult to verify and even harder to demonstrate. In the research project directions, an interdisciplinary consortium from academia and industry is therefore developing a data protection certification in accordance with Article 42 of the General Data Protection Regulation (GDPR) for digital tools (educational information systems).
The project is funded by the German Federal Ministry of Education, Family Affairs, Senior Citizens, Women and Youth and runs from 1 December 2021 to 30 November 2027.
Project goals
The project pursues three goals: the development of a data protection certification for digital tools in education, such as learning platforms or learning apps; enabling providers of educational information systems to demonstrate conformity with the requirements of the GDPR; and making it easier for schools to select systems with secure data processing for everyday teaching.
Why is a data protection certification needed?
The GDPR establishes uniform rules for the processing of personal data and explicitly provides for certification as an instrument of self-regulation. At the same time, the use of learning applications and content platforms in schools involves the processing of personal data in legally complex settings, while data protection expertise is often lacking on the ground. Providers, schools, and supervisory authorities therefore share a common interest in a reliable data protection certification.
Minors enjoy particular protection under the GDPR (Art. 8, Recital 38 GDPR). The certification accordingly focuses on the data of students, but also covers data of teachers, educators, and legal guardians. The relevant legal requirements span three levels, connected through the GDPR’s opening clauses: the GDPR at the European level, the Federal Data Protection Act (BDSG) at the national level, and the school acts of the individual German states, which contain specific provisions, for example on video conferencing systems.
What is certified?
The object of certification is data processing operations, not software code as such. In practice, this means that services provided by vendors as well as software in operation (including open-source software deployed by school authorities) can be certified, whereas pure software code cannot. Certification is open to providers of educational information systems, including learning applications, content platforms, learning management systems, and infrastructure systems.
A two-step approach to data protection.
directions pursues a practical solution for the education market through two consecutive instruments, both administered by the Trusted Cloud competence network:
Self-declaration of conformity (available now): Providers signal data-protection-friendly conduct for digital tools in education based on a structured self-assessment. While the underlying criteria are comprehensive, the self-declaration does not constitute legally reliable proof of GDPR conformity.
Data protection certification (from 2027): The certification creates transparency through uniform, school-specific audit criteria applied across Germany, with continuous auditing by an accredited certification body. It provides legally reliable proof of GDPR conformity.
Benefits for all!
The certification protects students, whose personal data is safeguarded; supports parents and legal guardians, who can understand how their children’s data is processed; helps schools, school authorities, and teachers select demonstrably GDPR-compliant digital tools; and enables providers to prove their GDPR conformity to customers.
How does directions relate to eduCheck digital and VIDIS?
directions complements other projects of the DigitalPakt Schule that improve the educational media infrastructure, offer support and orientation for teachers and school authorities, and address questions of data protection. The three initiatives serve distinct purposes. eduCheck digital provides a quality label for educational media, assessing and assuring the quality of digital educational media with regard to technology, law, usability, and accessibility. VIDIS provides single sign-on for educational services, acting as an intermediary between identity providers and educational services with a uniform interface for data transmission and secure access to service providers. directions, in contrast, provides a data protection certificate for schools: the certification of the services’ data processing, audited by an external body, resulting in legally reliable proof of GDPR conformity. The projects are in active exchange and plan mutual partial recognition of audit results to avoid duplicate assessments.
Project structure
The project proceeds in three phases, accompanied by continuous exchange with stakeholders. In the planning and development phase, the legal requirements, including specifications by the German Data Protection Conference (DSK) and the European Data Protection Board (EDPB) as well as standards such as ISO norms, are systematized, and the certification criteria and procedures are developed. In the testing and program review phase, the certification is piloted with practice partners and reviewed by the German accreditation body (DAkkS) and the data protection supervisory authorities. In the final phase, certification bodies are accredited and certificates are issued, marking the certification’s entry into the market.
Who is involved?
directions is carried out by a consortium consisting of the Karlsruhe Institute of Technology (KIT), the University of Kassel, datenschutz cert GmbH, and the Trusted Cloud competence network. The consortium is supported by an expert advisory board comprising multipliers and interest groups, among them education associations, trade unions, the education industry, and data protection experts; a network of more than 40 associated partners from business and education; and governmental and political bodies, including data protection supervisory authorities, ministries, representatives of the German states, and the German accreditation body (DAkkS).

