Educational institutions carry out child recruitment processes each year. With the launch of recruitment procedures in primary schools, preschool departments, kindergartens, and the upcoming opening of online enrollment for secondary schools, it is worth revisiting the key data protection obligations applicable in this context.

The rules for conducting recruitment are governed by the Education Law Act of 14 December 2016 and its implementing regulations. The basis for the recruitment procedure is the assessment of whether a candidate meets the criteria specified in the aforementioned Act, followed by the submission of an application to the head of the institution. The personal data included in such an application covers basic identifying information of the candidate as well as their parents or legal guardians, along with additional data provided in attached documents and declarations.

At the same time, educational institutions are also permitted to process other personal data not explicitly listed in legal provisions—if such information is considered by a parent or legal guardian to be relevant and is therefore voluntarily provided. This may include health-related data, dietary requirements, or information on psychophysical development, submitted in order to ensure appropriate care, nutrition, and adjustment of educational and childcare methods.

The legal basis for processing personal data in this context is not consent. Depending on the type of data and applicable legal regulations, the lawful basis will either be a legal obligation or the performance of a task carried out in the public interest or in the exercise of official authority. Additionally, all individuals holding functions or employed within educational institutions are required to maintain confidentiality regarding information obtained in the course of their duties or work.

The data controller responsible for personal data collected during the recruitment process may vary depending on the stage of the recruitment. For electronic recruitment systems, the data controller is the municipality or city—specifically, the governing body in the form of the Mayor or Commune Head. However, once the application is submitted directly to the institution’s headmaster, the educational institution itself becomes a separate data controller (note: not the headmaster personally).

From a data protection perspective, it is essential to clearly identify the responsibilities of each of the controllers mentioned above. This means that both the municipality/city and the educational institution are obligated to fulfill the information obligation regarding the processing of personal data at each recruitment stage. Providing an information clause by the municipality does not exempt the educational institution from issuing its own clause independently.

The declaration of a state of epidemiological threat significantly altered the way educational institutions operate—pursuant to the Regulation of the Minister of National Education of 11 March 2020 on the temporary limitation of the functioning of education system units in connection with the prevention, counteraction, and combating of COVID-19. Changes in the organization of work have also impacted recruitment procedures. Currently, to minimize the risk of COVID-19 transmission, certain documents required in the recruitment process may be temporarily replaced with declarations, scanned copies, or confirmation emails from entities responsible for issuing such documents (e.g., employment certificates, referrals for special education needs). Once the state of epidemiological threat is lifted, it is likely that the submission of original documents or certified copies will again become mandatory.