Data Protection Certification for Educational Information Systems (DIRECTIONS)

The COVID-19 pandemic and the resulting switch to distance learning in schools has brought the question of the use of educational information systems (e.g. learning apps, infrastructure apps, learning platforms) into focus. The wide range of offerings and in particular the requirements that the General Data Protection Regulation (GDPR) places on the operation of these information systems lead to a variety of legal uncertainties in everyday school life. Teachers as well as parents and pupils are often informed insufficiently when assessing whether an application complies with data protection requirements. Developers are also uncertain about the legal requirements that their product must meet. Overall, there has been a lack of clear recognizability of applications that comply with the complex data protection requirements.

In order to address this problem, the joint project "Data Protection Certification for Educational Information Systems" ("DIRECTIONS") funded by the Federal Ministry of Education and Research (Bundesministerium für Bildung und Forschung) is developing a national data protection certification scheme for educational information systems. Two expansion stages are planned: First, a seal of approval will be designed that can be awarded for compliance with certain data protection criteria. In a second step, this seal of approval will be developed into a fully adequate data protection certification in accordance with Art. 42 GDPR.

The University of Kassel, Chair for Public Law, IT Law and Environmental Law (Prof. Dr. Gerrit Hornung, LL.M.), is working on the legal requirements for certification criteria and evaluation programs. The Universtiy of Kassel is therefore involved in the detailed definition of the subject of certification and the development of the certification catalog criteria. Among other things, the provisions of the GDPR, the Telecommunications Telemedia Data Protection Act (Telekommunikation-Telemedien-Datenschutz-Gesetz, TTDSG), the Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG), the States Data Protection Acts (Landesdatenschutzgesetze), the States School Acts (Landesschulgesetze) and the planned e-Privacy Regulation will be taken into account. Based on this, a seal of approval will initially be designed, tested and awarded, which will then be further developed into a certification in accordance with Art. 42 GDPR. In this context, the University of Kassel is involved in the development of a conformity assessment program as well as concepts for modularization and protection classes that take into account the different risks of different processing operations and the needs of small and medium-sized enterprises (SMEs).

DIRECTIONS is coordinated by the Karlsruhe Institute of Technology (Prof. Dr. Ali Sunyaev). Other partners are the University of Kassel (Prof. Dr. Gerrit Hornung, LL.M.) and the datenschutz cert GmbH. The project is also supported by a expert advisory board, various associated partners and a committee of data protection supervisory authorities.

For more information, see the DIRECTIONS website.

Project information

Federal Ministry of Education and Research

December 2021 - November 2027

Project leader:
Prof. Dr. Gerrit Hornung, LL.M.

Jan Torben Helmke
Marcel Kohpeiß
Hendrik Link
Hans-Hermann Schild