
GDPR Compliance

Last Updated: February 5, 2026

GlobalIDPRO is fully committed to GDPR compliance for EU/EEA schools and institutions. Our platform collects zero biometric data, uses OTP-only authentication, generates ephemeral Runtime QR codes, stores EU school data in Frankfurt (eu-central-1), and operates under a clear school-as-controller / GlobalIDPRO-as-processor architecture — making GDPR compliance straightforward for every school we serve.

Zero Biometric Data
EU Data Residency
Article 8 Children's Protection
Privacy by Design
Full GDPR Rights

What Is GDPR & Why It Matters for Schools

EU General Data Protection Regulation (2018)

The General Data Protection Regulation (GDPR) is the world's strongest privacy law, governing how organizations collect, process, and protect personal data of EU/EEA residents. It grants individuals extensive rights over their personal data and imposes strict obligations on data controllers and processors — with fines up to €20 million or 4% of global turnover.

For schools operating in or serving students from the EU/EEA, GDPR compliance is mandatory. This includes international schools with EU students, schools offering distance learning to EU residents, and any institution processing children's personal data, to which the consent conditions of Article 8 apply. GDPR applies to all digital identity platforms used by these schools — including student records, parent contact data, and visitor management systems.

GlobalIDPRO makes GDPR compliance effortless: our zero-biometric architecture eliminates the highest-risk category of personal data (Article 9 "special categories"), our OTP-only authentication requires no passwords, and our Runtime QR codes are ephemeral — they expire in seconds and store no persistent data. Schools using GlobalIDPRO can demonstrate GDPR compliance through our built-in tools.

Our GDPR Architecture

School = Data Controller

Your school determines what data is collected and why. GlobalIDPRO acts as data processor — processing data only on your instructions, as defined in our Data Processing Agreement (DPA).

GlobalIDPRO = Data Processor

We process personal data solely to provide the services your school has subscribed to. We do not use school data for our own purposes, advertising, or analytics beyond anonymized service improvement.

Zero Article 9 Data

We collect no biometric data (fingerprints, facial recognition, iris scans) — which are "special category" data under GDPR Article 9. This eliminates the strictest GDPR requirements and highest-risk processing.

Lawful Basis: Contract + Consent

Data is processed under GDPR Article 6(1)(b) — performance of a contract (school subscription), and Article 6(1)(a) — consent (for optional features like visitor photo capture and print vendor data sharing).

OTP = No Passwords

OTP-only authentication means we never store passwords. Phone numbers used for OTP are provided by the school — no additional personal data is collected from parents or staff.

Runtime QR = No Stored Data

Runtime QR codes are ephemeral tokens — generated on-demand, validated server-side, expired in seconds. No personal data is encoded in the QR code itself; it contains only an encrypted session token.

EU Data Residency

EU/EEA school data is stored in AWS Frankfurt (eu-central-1). No EU personal data leaves the EU unless the school explicitly requests cross-border functionality with appropriate safeguards.

DPA Provided

Every EU school receives a pre-signed Data Processing Agreement (DPA) covering all GDPR Article 28 requirements — sub-processors, security measures, breach notification, audit rights, and data deletion.

Your GDPR Rights

All rights fully supported for parents, staff, and visitors

Under GDPR, you have the following rights regarding your personal data (and your children's data). GlobalIDPRO enables every right:

Right to Access (Art. 15)

Request a complete copy of all personal data we process about you or your child. Delivered within 30 days in machine-readable format (CSV/JSON).

How: parents via the app; staff via the admin dashboard; anyone by emailing the DPO.

Right to Rectification (Art. 16)

Correct inaccurate or incomplete personal data. School admins can update directly; parents can request corrections through the school or DPO.

How: School admin dashboard or email DPO.

Right to Erasure (Art. 17)

Request deletion of your personal data ("right to be forgotten"). Upon school account termination, all data is permanently deleted within 30 days.

How: Contact school admin or email DPO directly.

Right to Portability (Art. 20)

Receive all your personal data in a structured, commonly used, machine-readable format (CSV/JSON) for transfer to another provider.

How: Admin dashboard export or email DPO.

Right to Restrict (Art. 18)

Request that we limit processing of your personal data while a dispute is resolved or while you exercise other rights.

How: Email DPO with specific restriction request.

Right to Object (Art. 21)

Object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds.

How: Email DPO with objection details.

Right to Withdraw Consent (Art. 7)

Withdraw consent for any consent-based processing at any time. Withdrawal does not affect lawfulness of prior processing.

How: App settings, admin dashboard, or email DPO.

Right to Lodge Complaint (Art. 77)

File a complaint with your local EU/EEA Data Protection Authority (DPA) if you believe your data rights have been violated.

How: Contact your national DPA directly.

Response Timeline: All GDPR rights requests are acknowledged within 72 hours and completed within 30 days (extendable by a further 60 days for complex requests, with notification). Contact our DPO at dpo@globalidpro.com.

How We Ensure GDPR Compliance

Privacy by Design (Art. 25)

Zero biometric data collection — eliminates highest-risk processing
OTP authentication requires no passwords — minimal data footprint
Runtime QR codes are ephemeral — no persistent data on devices
Data minimization: only data essential for identity verification is collected
Privacy impact assessments (DPIAs) for all new features

Lawful Processing (Art. 6)

Contract: school subscription agreement (Art. 6(1)(b))
Consent: optional features like visitor photos, vendor printing (Art. 6(1)(a))
Legal obligation: compliance reporting for school inspections (Art. 6(1)(c))
Transparent processing notices in-app and on website
Records of Processing Activities (ROPA) maintained per Art. 30

Data Security (Art. 32)

AES-256 encryption for all data at rest
TLS 1.3 for all data in transit
Runtime QR codes are server-validated and designed to resist cloning and screenshot replay
Role-based access control across all user types
Regular penetration testing and security audits

Third-Party Processors (Art. 28)

DPAs signed with all sub-processors (AWS, SMS gateway, etc.)
Standard Contractual Clauses (SCCs) for non-EU sub-processors
Vendor print partners bound by data deletion after order fulfillment
Regular sub-processor security assessments
Full list of sub-processors available on request

Data Subject Rights (Arts. 15-22)

All 8 GDPR rights fully supported (see above)
School admin dashboard enables direct data access and export
Parent app shows data the school holds about their child
Identity verification for data requests (OTP-based)
Audit trail of all rights requests and responses

Accountability (Art. 5(2))

Designated Data Protection Officer (DPO)
Annual GDPR compliance training for all staff
Documentation of all compliance measures and decisions
Regular internal audits and compliance reviews
Cooperation with supervisory authorities on request

Children's Data Under GDPR

Article 8 — Conditions applicable to child's consent

GDPR Article 8 requires parental consent for processing personal data of children under 16 (or lower age set by member states, minimum 13). GlobalIDPRO's architecture is specifically designed to exceed these requirements:

Zero biometric data from children — eliminates GDPR Article 9 "special category" processing entirely
Student data provided by the school (institutional consent model) — school obtains parental consent per local law before uploading
Children under 16 do not create accounts — parent's phone holds the Digital ID
No direct marketing, profiling, or behavioral tracking of children
Parents can view, correct, and request deletion of their child's data at any time
Data retention is school-controlled — graduated students are purged per school policy

Why Zero Biometric Data Matters Under GDPR

Under GDPR, biometric data (fingerprints, facial recognition) is classified as "special category data" under Article 9 — subject to the strictest processing requirements. For children, this creates compounding compliance burdens:

Article 9(2)(a) requires explicit consent for biometric processing
Article 8 requires parental consent for children under 16
Combined: schools need documented, explicit parental consent for each child's biometric data
DPIA mandatory under Article 35 for large-scale biometric processing of children
Data breach involving children's biometrics = maximum regulatory scrutiny

GlobalIDPRO eliminates ALL of these requirements by collecting zero biometric data. Schools using GlobalIDPRO never need Article 9 consent, never need biometric DPIAs, and face zero risk of biometric data breach.

International Data Transfers

GDPR Chapter V restricts transfer of personal data outside the EU/EEA. GlobalIDPRO ensures full compliance:

EU/EEA Schools: Data stored in AWS Frankfurt (eu-central-1). No personal data leaves the EU by default.

Standard Contractual Clauses: SCCs (EU Commission approved, 2021 version) in place with all non-EU sub-processors.

Transfer Impact Assessments: TIAs conducted for each non-EU sub-processor to evaluate data protection adequacy.

Sub-Processor Transparency: Full list of sub-processors (AWS, SMS gateway, etc.) available on request. Schools notified of changes.

Data Localization Option: EU schools can contractually require 100% EU data residency — no cross-border processing.

Encryption in Transit: All cross-border API calls (if any) encrypted with TLS 1.3. No personal data in URL parameters.

Data Breach Procedures

GDPR Articles 33 & 34 — Breach notification

In the unlikely event of a personal data breach, GlobalIDPRO follows a strict incident response procedure aligned with GDPR Articles 33 and 34:

1. Detect & Contain (< 1 hour): Automated monitoring detects anomalies. Security team contains the breach immediately. Affected systems isolated.

2. Assess Impact (< 12 hours): Evaluate scope: what data, how many individuals, risk level. Determine GDPR notification obligations.

3. Notify Authority (< 72 hours): Report to relevant EU/EEA supervisory authority within 72 hours per Article 33 (if risk to individuals).

4. Notify Affected (without delay): Inform affected schools and individuals per Article 34 if breach likely results in high risk to rights/freedoms.

Breach risk reduction: GlobalIDPRO's zero-biometric, OTP-only, ephemeral QR architecture dramatically reduces breach impact. Even in a worst-case scenario, no biometric data can be exposed (we don't have any), QR codes are already expired (useless to attackers), and OTP codes are single-use (cannot be replayed). The most sensitive data at risk would be names, photos, and phone numbers — all of which can be changed, unlike biometrics.
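The Runtime QR description in the architecture section (an ephemeral token, generated on demand, validated server-side, expiring in seconds, carrying no personal data) and the breach-impact claim above (expired QR codes and single-use OTP codes cannot be replayed) both rest on one pattern: a short-lived, single-use token whose meaning lives only on the server. The Python below is an added example of that pattern; it is not GlobalIDPRO's code. It assumes an HMAC-SHA256-signed opaque token plus a server-side table of unconsumed token ids (the page speaks of an encrypted session token, so the signing construction, the class and method names and the 30-second TTL are all assumptions), and uses a constructed subject reference for input.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple


class EphemeralTokenService:
    """Issues short-lived, single-use tokens that a server validates on presentation.

    Assumed design (illustrative, not the vendor's implementation): the token
    carries only an opaque random id, an expiry timestamp and an HMAC-SHA256
    tag. The mapping from id to the person it was issued for exists only in
    the server-side table, so the scannable token body holds no personal data.
    """

    TAG_LEN = hashlib.sha256().digest_size  # 32 bytes

    def __init__(self, key: bytes, ttl_seconds: int = 30) -> None:
        self._key = key            # signing key; in practice sourced from a KMS/HSM
        self._ttl = ttl_seconds    # how long a freshly issued token stays valid
        # token id -> (expires_at, opaque subject reference). This table is the
        # single-use state: an id is deleted the first time it is presented.
        self._pending: Dict[str, Tuple[int, str]] = {}

    def issue(self, subject_ref: str, now: Optional[float] = None) -> str:
        """Mint a token for subject_ref. `now` is injectable for deterministic tests."""
        now = time.time() if now is None else now
        token_id = secrets.token_urlsafe(16)    # urlsafe alphabet has no '.', so split() is safe
        expires_at = int(now) + self._ttl
        self._pending[token_id] = (expires_at, subject_ref)
        body = f"{token_id}.{expires_at}".encode()
        tag = hmac.new(self._key, body, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(body + tag).decode()

    @staticmethod
    def peek(token: str) -> str:
        """What a bystander who scans the code can read: an opaque id and an expiry."""
        raw = base64.urlsafe_b64decode(token.encode())
        return raw[:-EphemeralTokenService.TAG_LEN].decode(errors="replace")

    def validate(self, token: str, now: Optional[float] = None) -> Tuple[bool, str, Optional[str]]:
        """Return (accepted, reason, subject_ref). Checks: shape, signature, expiry, single use."""
        now = time.time() if now is None else now
        try:
            raw = base64.urlsafe_b64decode(token.encode())
            if len(raw) <= self.TAG_LEN:
                return (False, "malformed", None)
            body, tag = raw[:-self.TAG_LEN], raw[-self.TAG_LEN:]
            token_id, exp_text = body.decode().split(".")
            expires_at = int(exp_text)
        except (ValueError, UnicodeDecodeError):
            return (False, "malformed", None)
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):      # constant-time comparison
            return (False, "bad_signature", None)
        if now > expires_at:
            self._pending.pop(token_id, None)           # drop stale state
            return (False, "expired", None)
        entry = self._pending.pop(token_id, None)       # consumed on first valid presentation
        if entry is None:
            return (False, "replayed_or_unknown", None)
        return (True, "ok", entry[1])

    def sweep(self, now: Optional[float] = None) -> int:
        """Remove expired, never-presented ids so the table cannot grow without bound."""
        now = time.time() if now is None else now
        stale = [tid for tid, (exp, _) in self._pending.items() if now > exp]
        for tid in stale:
            del self._pending[tid]
        return len(stale)


if __name__ == "__main__":
    svc = EphemeralTokenService(secrets.token_bytes(32), ttl_seconds=30)
    tok = svc.issue("student-record-42")        # constructed subject reference
    print("scannable body:", svc.peek(tok))     # opaque id + expiry, no name or phone
    print("first scan:", svc.validate(tok))     # accepted
    print("replay:", svc.validate(tok))         # rejected: single use
```

Two points worth checking in any implementation of this kind: the signature only proves origin and expiry, and the single-use property comes entirely from the server-side table (a stateless signed token can be replayed until it expires), and the expiry check depends on the validating server's clock, so the TTL should be chosen with clock skew between issuer and validator in mind. The same single-use-on-the-server logic is what makes an OTP worthless to an attacker who captures it after it has been used.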

Cross-Compliance with Other Regulations

GlobalIDPRO's GDPR-compliant architecture also satisfies requirements of these additional data protection frameworks:

India DPDP Act 2023: India's comprehensive data protection law. GlobalIDPRO complies with all DPDP requirements including Section 9 (children's data), data principal rights, and data fiduciary obligations.

US FERPA: Family Educational Rights and Privacy Act. GlobalIDPRO ensures school controls over student education records, parent access rights, and restricted disclosure — all FERPA-aligned.

US COPPA: Children's Online Privacy Protection Act. Our zero-direct-child-account model, parental access, and minimal data collection satisfy COPPA requirements for children under 13.

Illinois BIPA: Biometric Information Privacy Act. GlobalIDPRO collects zero biometric data — BIPA compliance is inherent. No biometric consent forms, retention schedules, or destruction policies needed.

CBSE / ICSE Requirements: Indian school board compliance requirements for student identity verification, visitor management, safety audits, and institutional records. Built-in compliance reporting.

UK GDPR (post-Brexit): UK's retained version of GDPR. GlobalIDPRO's EU GDPR compliance extends to UK GDPR. UK school data can be stored in Frankfurt or London (on request).

Contact Our Data Protection Officer

For any GDPR-related questions, data subject rights requests, DPA inquiries, or to report a data protection concern — contact our DPO directly.

EU Representative: GlobalIDPRO Europe
EU Address: Frankfurt, Germany
Response Time: Within 72 hours