Risk: High | Education | 8 min read

School Sends Student Data to Wrong Parents

What happens when a school sends confidential student data to unauthorized recipients — an everyday mistake with serious consequences.

Tags: School, Student Data, GDPR, Education, Misdirected Email

The Scenario

At Friedrich-Ebert Comprehensive School in Wuppertal, Germany, school secretary Monika Hartmann is preparing the mid-year progress reports for class 7b at the end of January 2026. Class teacher Dr. Yilmaz has handed her an Excel spreadsheet with current academic standings, intended as preparation material for the upcoming parent-teacher conferences. The spreadsheet contains the following data for all 28 students in the class:

  • Full names and dates of birth
  • Grades in all subjects for the current semester
  • Comments on work habits and social behavior
  • Documented absences with distinction between excused and unexcused
  • Support recommendations and notes on diagnosed dyslexia and ADHD for four students
  • Contact details of parents and legal guardians (phone numbers, email addresses, home addresses)

Mrs. Hartmann needs to send the spreadsheet to the parents of student Maximilian Schaefer, whose mother called the previous day requesting the documents ahead of the parent-teacher conference. In the school's email program, Mrs. Hartmann types "Schaefer" into the recipient field. Autocomplete suggests two entries: "Andrea Schaefer" (Maximilian's mother) and "Andreas Schaefer" (father of a student in class 9a). Mrs. Hartmann accidentally selects the wrong entry and sends the complete class list for 7b — not just Maximilian's data — as an email attachment to Andreas Schaefer.

Andreas Schaefer opens the file that evening, recognizes the error, but does not immediately inform anyone. Instead, he mentions the "interesting information" in the spreadsheet at an informal parent gathering the following weekend. Within days, several parents in the school community know which children have special educational needs, which students have unexcused absences, and which families live at which addresses. One mother, whose son appears in the list with an ADHD diagnosis, learns about the incident from another parent in the schoolyard.

On February 8, 2026, she files a GDPR complaint with the North Rhine-Westphalia Data Protection Commissioner.

The Risks

The misdirected email reveals multiple systemic weaknesses in how schools handle personal data.

Highly sensitive data categories: The spreadsheet contains health data within the meaning of Art. 9 GDPR — specifically the dyslexia and ADHD diagnoses. This data is subject to an elevated level of protection. Its disclosure to unauthorized recipients constitutes a particularly serious data protection violation that can have severe social consequences for the affected children: stigmatization, bullying, and exclusion from peer groups.

Email as an insecure channel: Unencrypted emails offer no protection against misdirected delivery, forwarding, or interception. Once sent, an email cannot be recalled. The school has no way to retroactively restrict or revoke access to the attachment.

Autocomplete as a risk factor: Email address autocomplete is one of the most common causes of misdirected communications in organizations. Without additional confirmation steps, a single click is enough to send confidential data to the wrong recipient.

No access control: The entire class list was sent, even though only one student's data was requested. There is no technical system that restricts access to only the actually required data. The principle of data minimization under Art. 5(1)(c) GDPR was grossly violated.

Uncontrolled further dissemination: Once the data reaches the recipient, the school has no control over its distribution. In this case, the information was shared verbally and potentially digitally with third parties — a domino effect that cannot be stopped.
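The missing confirmation step and the missing data-minimization control described above can both be enforced before a message leaves the mail system. The following sketch is an added example, not part of the original article: the address book, the student "Lena Schaefer", the email addresses and the function names are constructed for illustration.

```python
import difflib

# Constructed address book: display name -> (email, children the person is guardian of)
ADDRESS_BOOK = {
    "Andrea Schaefer": ("andrea.schaefer@example.org", {"Maximilian Schaefer"}),
    "Andreas Schaefer": ("andreas.schaefer@example.org", {"Lena Schaefer"}),
    "Petra Neumann": ("petra.neumann@example.org", {"Jonas Neumann"}),
}

def lookalikes(selected, book=ADDRESS_BOOK, threshold=0.85):
    """Other address-book names that are easily confused with the selected one."""
    return sorted(
        name for name in book
        if name != selected
        and difflib.SequenceMatcher(None, name.lower(), selected.lower()).ratio() >= threshold
    )

def presend_check(selected, students_in_attachment, book=ADDRESS_BOOK):
    """Return (decision, reasons); decision is 'send', 'confirm' or 'block'."""
    _, children = book[selected]
    reasons = []
    # Data minimization: the attachment may only cover the recipient's own children.
    foreign = sorted(set(students_in_attachment) - children)
    if foreign:
        reasons.append(
            f"attachment holds {len(foreign)} student(s) the recipient is not guardian of"
        )
        return "block", reasons
    # Autocomplete risk: force an explicit confirmation when a near-identical name exists.
    similar = lookalikes(selected, book)
    if similar:
        reasons.append(f"recipient resembles: {', '.join(similar)}")
        return "confirm", reasons
    return "send", reasons
```

With this check, the full class list is blocked even for the correct recipient, and a message containing only Maximilian's data still requires confirmation because "Andreas Schaefer" is a near match.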

Legal Consequences

The incident implicates several data protection provisions simultaneously:

Art. 5(1)(c) GDPR — Data minimization: Only the requested student's data should have been transmitted. Sending the complete class list violates the principle that personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.

Art. 5(1)(f) GDPR — Integrity and confidentiality: The school has an obligation to process personal data in a manner that ensures appropriate security. Sending unencrypted data via email to a wrong recipient directly violates this principle.

Art. 9 GDPR — Special categories of data: Health data (dyslexia, ADHD) is subject to a strict processing prohibition unless an exception under Art. 9(2) applies. Disclosure to unauthorized persons is not covered by any legal basis.

Art. 32 GDPR — Security of processing: The school failed to implement appropriate technical and organizational measures to ensure the confidentiality of the data. Encryption, access restrictions, and confirmation mechanisms for outgoing communications are all absent.

Art. 33/34 GDPR — Breach notification: The incident must be reported to the competent supervisory authority within 72 hours. Since there is a high risk to the rights of the affected children and families, all 28 families in class 7b must also be individually notified.

State education laws: In addition, the data protection provisions of the respective state education laws apply, which regulate the handling of student data with particular strictness and may provide for independent sanctions.

Financial Impact

Cost Item | Estimated Amount
Fine from data protection authority (Art. 9, Art. 32 GDPR violation) | 5,000 – 25,000 €
External data protection officer (immediate consultation) | 2,000 – 5,000 €
Notification of all 28 families pursuant to Art. 34 GDPR | 500 – 1,500 €
Compensation claims from affected parents (Art. 82 GDPR) | 3,000 – 15,000 €
Data protection training for school staff | 1,500 – 3,000 €
Implementation of secure communication solution | 1,000 – 3,000 €
Reputational damage and loss of trust | 5,000 – 20,000 €
Total estimated cost | 18,000 – 72,500 €

Fines for public schools are often lower than those imposed on private companies. However, the intangible harm — particularly for the affected children whose diagnoses are now known among the parent community — is difficult to quantify and can have lasting social consequences.

How to Prevent This

SendMeSafe provides schools and educational institutions with a GDPR-compliant alternative to sending sensitive student data by email.

Individual upload links instead of email attachments: Rather than sending documents as email attachments, the school creates a separate, password-protected upload link for each family. Parents receive access exclusively to their own child's data. A misdirected delivery in the sense of wrong recipient assignment is technically impossible, since each link contains only the specifically authorized documents.

Password protection and expiration dates: Each link can be configured with an individual password and an expiration date. After the parent-teacher conference, access is automatically deactivated. Data remains accessible only for as long as is necessary for the stated purpose.

EU server location: All data is stored on Hetzner servers in Germany and encrypted with AES-256. No transfer to third countries takes place.

Audit trail for accountability requirements: Every access event is logged. The school can demonstrate at any time during a regulatory inquiry which data was made available to whom and when access occurred.

Revocation at any time: Unlike sent emails, a shared link can be deactivated at any moment. If a link was accidentally sent to the wrong person, a single click is sufficient to immediately block access.

No technical expertise required: The interface is intuitive for both school staff and parents. Parents click the link, enter the password, and see exclusively the documents intended for them.
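The link properties listed above (per-family scope, password, expiration, revocation, access logging) fit into a small access-control model. This is an added example for illustration, not SendMeSafe's implementation: the class, method names, file name and PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import secrets
import time

def _kdf(password, salt):
    # Slow, salted hash so a leaked link table does not reveal passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

class ShareLinks:
    """In-memory model of per-family links (hypothetical, for illustration)."""

    def __init__(self):
        self.links = {}  # token -> link record
        self.audit = []  # (timestamp, token prefix, outcome) for every access attempt

    def create(self, family, documents, password, ttl_seconds, now=None):
        now = time.time() if now is None else now
        token, salt = secrets.token_urlsafe(32), secrets.token_bytes(16)
        self.links[token] = {
            "family": family, "documents": list(documents), "salt": salt,
            "pw_hash": _kdf(password, salt),  # the password itself is never stored
            "expires": now + ttl_seconds, "revoked": False,
        }
        return token

    def revoke(self, token):
        self.links[token]["revoked"] = True

    def open(self, token, password, now=None):
        """Return (outcome, documents); documents is None unless outcome == 'ok'."""
        now = time.time() if now is None else now
        rec, docs = self.links.get(token), None
        if rec is None:
            outcome = "unknown-link"
        elif rec["revoked"]:
            outcome = "revoked"
        elif now >= rec["expires"]:
            outcome = "expired"
        elif not hmac.compare_digest(_kdf(password, rec["salt"]), rec["pw_hash"]):
            outcome = "bad-password"
        else:
            outcome, docs = "ok", list(rec["documents"])
        self.audit.append((now, token[:8], outcome))  # failed attempts are logged too
        return outcome, docs
```

Because each link record holds only one family's documents, a link that reaches the wrong person exposes at most that family's files, and only until it is revoked or expires.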

Learn more about the security measures implemented by SendMeSafe and how educational institutions benefit from GDPR-compliant document delivery.

Frequently Asked Questions

Are schools allowed to send student data by email at all?

In principle, sending personal data via unencrypted email is problematic and is classified as insufficiently secure by most data protection authorities. This is especially true for special categories of personal data — such as health information or details about learning disabilities. Supervisory authorities require encrypted transmission channels for such data. Schools should therefore use secure delivery methods such as password-protected upload portals instead of conventional email.

What must a school do immediately after a misdirected email?

Immediately upon discovering the misdirected email, the school must contact the wrong recipient and request deletion of the data. In parallel, a notification to the competent data protection authority must be filed within 72 hours (Art. 33 GDPR). If there is a high risk to the data subjects, all individuals whose data was disclosed must also be informed without undue delay (Art. 34 GDPR). All steps should be documented to fulfill the accountability obligation.

Can parents claim compensation if their child's data was disclosed?

Yes. Art. 82 GDPR grants every person who has suffered material or non-material damage as a result of a data protection violation a right to compensation against the controller. German courts have awarded non-material compensation amounts between 500 and 5,000 euros per affected data record in comparable cases. For particularly sensitive data such as children's health information, the amounts may be higher.

Are there specific data protection requirements for schools?

In addition to the GDPR, schools are subject to the data protection provisions of the respective state education laws. These frequently contain stricter regulations for handling student data than the GDPR itself. Many German states have also issued specific administrative regulations governing the use of digital tools in schools. Schools are generally required to appoint a data protection officer who monitors compliance with these provisions. Using a GDPR-compliant platform like SendMeSafe significantly simplifies compliance with all applicable regulations.
