GDPR & Data Protection

We are transparent about how we handle your students' personal data. Here is exactly how Skolsköld meets the GDPR — article by article.

Article 5(1)(f) — Integrity and Confidentiality

“Personal data shall be processed in a manner that ensures appropriate security.”

Skolsköld protects student data with:

  • Encrypted communication (TLS/HTTPS) for all data traffic
  • Encryption of sensitive data in the database
  • Role-based access control — staff only see the students they are authorised to access
  • Automatic session management with inactivity timeout
  • Session hijacking detection that terminates the session on suspected takeover
Article 5(2) — Accountability

“The controller shall be able to demonstrate that processing is performed in accordance with the GDPR.”

Every access to student data is logged automatically. Not as an add-on — it's built into the system's architecture.

Our logging covers:

  • Viewing student records and student lists
  • Changes to student data
  • File access — upload, download, deletion
  • Permission changes
  • Data exports
  • All logins and logouts
Article 25 — Data Protection by Design

“Data protection shall be built into the system from the start, not added afterwards.”

Skolsköld's security works through middleware — transparent layers that automatically protect and log without individual developers having to think about it. This means:

  • Logging cannot be forgotten
  • Access control cannot be bypassed
  • Security rules are applied consistently throughout the system
Article 30 — Records of Processing Activities

“Every controller shall maintain a record of processing activities.”

Skolsköld tracks over 60 different event types — from logins to file access to administrative changes. The register is searchable, filterable and accessible to the school's data protection officer.

Article 32 — Security of Processing

“Appropriate technical and organisational measures shall be implemented to ensure a level of security appropriate to the risk.”

We handle data about children, which requires heightened protection. Skolsköld includes:

Intrusion detection

Automatic risk assessment of every login

Impossible travel

Flags if the same account is used from two locations within a short time

Automatic account lockout

After repeated failed login attempts

VPN and Tor detection

Unusual access methods are flagged

Mass access detection

Warning on unusually large amounts of data access

Geographic access control

Ability to restrict access by country

Article 33 — Incident Reporting within 72 Hours

“In the case of a personal data breach, the supervisory authority shall be notified within 72 hours.”

The 72 hours count from discovery. Without detection, a breach can go on for weeks or months without you knowing.

Skolsköld ensures you can meet the deadline:

  • Security incidents are detected automatically in real time
  • IT staff are notified immediately via email
  • A dedicated security dashboard provides an overview of all active alerts
  • Log data can be exported as supporting material for reporting to IMY
Article 34 — Communication to the Data Subject

“Where the breach is likely to result in a high risk, the data subjects shall be informed.”

During a breach, Skolsköld can show exactly which students' data was affected, what type of access occurred, and from where. This makes it possible to inform the right guardians with accurate information — not a generic mass notification.

Article 5(1)(e) — Storage Limitation

“Personal data shall not be kept longer than necessary.”

Log data is retained for 2 years in accordance with the Education Act, then automatically purged. No manual handling required — the system manages the cleanup.

Data Storage within the EU

All data is stored within the EU. No subprocessors outside the EU/EEA have access to student data.

Datacenter

Helsinki, Finland

Backups

Germany

No US Services

No transatlantic transfers

Your Data, Your Control

The municipality is always the data controller. Skolsköld is your data processor. This means:

You decide what data is processed and why

You have full visibility into all processing via the logs

You can request data export or deletion at any time

We never process data for our own purposes

The fact that data is stored with us as a managed service does not change your ownership. It's a legal status, not a hosting question.

Data Processing Agreement

We sign a data processing agreement (DPA) with every municipality in accordance with GDPR Article 28. The agreement specifies:

  • Which personal data is processed
  • The purpose of the processing
  • Technical and organisational security measures
  • Procedures in case of a personal data breach
  • Terms for subprocessors

Have questions about GDPR?

We're happy to answer questions about how Skolsköld handles personal data.

Contact us