The General Data Protection Regulation (GDPR) — known as AVG in the Netherlands — applies to any organization processing personal data of EU residents. That includes tutoring institutions, language schools, and individual tutors.
If you teach students online in Europe, you're handling personal data: names, email addresses, video recordings, chat messages. GDPR governs how you must handle this information.
What Counts as Personal Data?
In online teaching, you're likely processing more personal data than you realize:
- Identity information: Names, email addresses, account details
- Visual data: Video feeds showing faces
- Audio data: Voice recordings
- Behavioral data: Attendance records, participation patterns
- Academic data: Progress, assessments, notes
- Communications: Chat messages, files shared
When you record sessions, you're creating a permanent record of students' images, voices, and potentially their mistakes and struggles. This is sensitive data that requires careful handling.
Special Considerations for Minors
If you teach children (under 16 in the Netherlands, varies by country), additional requirements apply:
Parental consent: For children below a certain age, you need verifiable parental consent before processing their data. This includes consent for video recording.
Higher duty of care: Data protection authorities expect stronger protections when children's data is involved. Security measures should be robust.
Clear communication: Privacy information should be understandable by both children and parents.
Key GDPR Requirements
Lawful basis: You need a legal justification for processing data. For tutoring, this is typically contractual necessity (you need student information to provide the service) or consent.
Purpose limitation: Only collect data you actually need for teaching. Don't gather information "just in case" it might be useful someday.
Data minimization: Keep only what's necessary, for as long as necessary. Old session recordings don't need to be stored indefinitely.
Security: Implement appropriate technical measures to protect data. This includes secure platforms, access controls, and encryption where appropriate.
Transparency: Tell students (and parents) what data you collect, why, how long you keep it, and who can access it. This typically means having a privacy policy.
Data subject rights: Students (or parents for minors) have rights to access their data, request corrections, and in some cases request deletion.
Platform Considerations
Your video platform processes data on your behalf, making it a "data processor" under GDPR. This creates obligations for both of you:
Data Processing Agreement (DPA): You need a formal agreement with your platform specifying how it handles data.
Data location: Where is data stored? EU-hosted platforms simplify compliance significantly. US-hosted platforms require additional safeguards.
Sub-processors: Does your platform use other services that also access data? You need to know who's in the chain.
Security measures: What protections does the platform provide? Encryption, access controls, audit logs?
Practical Steps for Compliance
- Audit your data: What personal data do you collect? Where is it stored? Who can access it?
- Document your practices: Create a privacy policy describing your data handling. Keep records of consent.
- Review your platform: Understand where your platform stores data and what agreements are in place.
- Implement retention limits: Don't keep data longer than necessary. Delete old recordings and remove former students from active systems.
- Secure access: Use strong passwords, limit who can access student data, review permissions regularly.
- Plan for requests: Know how you'd respond if a parent requests access to their child's data or asks for deletion.
Choosing a Compliant Platform
When evaluating platforms, ask specific questions:
- Where are servers located?
- Is a Data Processing Agreement available?
- How is data encrypted?
- What happens to data when an account is deleted?
- How are session recordings stored and accessed?
Simpleclass is a Dutch company with EU data hosting. Data stays in the Netherlands and France. We provide DPAs for institutional customers, and our recording system is designed with privacy in mind — preset at scheduling, controlled access, easy deletion.
The Bottom Line
GDPR compliance isn't optional, but it doesn't have to be overwhelming. The core principles are sensible: only collect what you need, protect it properly, be transparent about what you do, and respect people's rights over their own data.
For tutoring institutions, choosing platforms designed with European data protection in mind makes compliance significantly simpler than retrofitting it onto tools designed for different regulatory environments.