You are welcome to use the following sample letter.
Ladies and Gentlemen,
our child (NAME, ADDRESS) is your student.
The reason for our letter is the corona rapid tests carried out on your premises. As part of these quick tests, the students have to carry out one in a class and then show the result to the teacher. This approach comes across massive data protection concerns. In particular, it does not seem necessary for all classmates to know the results of the tests - but this inevitably happens.
As part of these tests, health data are collected and processed. According to Art. 9 Paragraph 1, 4 No. 15 GDPR, such data belong to the special categories of personal data. Art. 9 GDPR lays down special, restrictive admissibility requirements for the processing of selected data categories which, due to their inherent informative content, can already entail particular risks for the data subject during processing. The processing of these categories of personal data (also: sensitive, better: sensitive data), which have been declared as particularly worthy of protection by the regulatory authority, is subject to a strict ban (Paragraph 1) unless one of the exceptions standardized in Paragraph 2 is relevant. The permissions listed in Paragraph 2 set additional requirements for the processing of the data categories mentioned in Paragraph 1 (Gola DS-GVO / Schulz, 2nd edition 2018, DS-GVO Art. 9 Rn. 1).
According to Article 5 (1) (c), personal data must be appropriate, substantial and limited to what is necessary for the purposes of processing; the principle is collectively referred to here as "data minimization".
(Kühling / Buchner / Herbst, 3rd edition 2020, GDPR Art. 5 Rn. 55). This is apparently not the case with the tests carried out in your home.
Such tests in the form you carry out also violate Recital 75 GDPR:
The risks to the rights and freedoms of natural persons - with varying degrees of probability and severity - can arise from the processing of personal data leading to a physical, material or immaterial Schaden could lead, especially if the processing zu a discrimination, identity theft or fraud, financial loss, a Reputation damageng, loss of confidentiality of personal data subject to professional secrecy, unauthorized cancellation of pseudonymization or other significant economic or social disadvantages can lead if the data subjects are deprived of their rights and freedoms or prevented from doing so, to control the personal data concerning themn, if personal data showing racial or ethnic origin, political opinions, religious or ideological beliefs or membership of a trade union, and genetic data, Health data or data relating to sex life or criminal convictions and criminal offenses or related security measures are processed when personal aspects are assessed, in particular when aspects that affect work performance, economic situation, Health, personal preferences or interests relating to reliability or behavior, whereabouts or change of location, analyzed or forecast in order to create or use personal profiles when personal data of vulnerable natural persons, in particular data from children, processed or when the processing involves a large amount of personal data and a large number of data subjects.
We therefore revoke the consent to data collection in the context of such testsas long as you have not submitted a corresponding data protection concept. Simultaneously we request the submission a suitable data protection concept.
Farther we urge you, us the technical and organizational measures on data protection in the context of these tests as well as the Contact details of your data protection officer to name.
To present this information, we have chosen the May 18.05.2021, XNUMX reserved. If a final statement is not available by this time, we will hand over the matter to the state data protection officer and a lawyer.
Mit freundlichen Grüßen