Spanish data protection authority fines private university for breaching data protection law
The complaint of a Master's degree student who was refused his diploma after deciding not to provide a full copy of his ID card prompted the proceedings
Susana Zamora
Tuesday, 31 March 2026, 15:37
The right to personal data protection has once again clashed with the administrative practices of academic institutions. The Spanish data protection agency (AEPD) has fined private institution Universitas Nebrissensis 20,000 euros after concluding that requiring a complete, scanned copy of the national identity card (DNI) for the issuance of an official degree violates current regulations.
The conflict arose when a Master's degree student refused to submit the document without pixelating the information he considered irrelevant.
The AEPD bases its decision on the breach of the principle of data minimisation, enshrined in Article 5.1.c) of the GDPR. According to the resolution, the university made the processing of the degree conditional upon the submission of the complete document, ignoring the student's warnings that certain data were unnecessary.
In its defence, Nebrija University stated that, as a private institution, it lacks access to the data intermediation platform, which obliges it to manually verify the graduate's identity to comply with the law. The AEPD, however, says that this obligation is not a blank check for collecting excessive information. "Requesting a national identity document (DNI) and taking a copy of it would, in principle, constitute excessive processing and cannot be implemented systematically."
The AEPD reminds the public that data processing must be "adequate, relevant and limited to what is necessary in relation to the purposes for which the data is processed". Details such as photographs, handwritten signatures or machine-readable codes on the back are not essential to confirm the identity of a student whose file is already held by the institution.
The university, however, states that current regulations require them to be able to verify the applicant's identity. "This verification cannot be effective if a pixelated ID card is submitted, since it is clearly a manipulated photocopy, edited after scanning, which could lead to identity fraud or inaccuracies in the data that will appear on an official degree with academic and professional validity throughout the country."
The AEPD acknowledges that the law stipulates that official university degrees must include on their front, among other information, the name and surnames of the student, exactly as they appear on their valid national identity document, passport or another valid identity document accepted for this purpose in the corresponding member state. The AEPD, however, states that the university already had the necessary student information available.
The disciplinary proceedings also highlight deficiencies in security protocols. The university requested that the document be sent via standard email, a practice that, in the authority's opinion, "lacked the required security measures appropriate to the level of risk arising from the processing". Although the institution claimed to have secure platforms, the investigation proved that, in this case, the student was instructed to use an unprotected method to transmit personal data.
The ruling rejects the university's argument that there was no infringement because the unpixelated image was not processed. The AEPD states that "the request for personal data is a phase of processing and constitutes the beginning of data collection", so the mere administrative requirement already constitutes a legal transgression.
In addition to the financial penalty, the AEPD has imposed a corrective measure requiring Nebrija University to demonstrate, within two months, the "adoption of appropriate measures to adapt the requested documentation (...) to the provisions of the principle of data minimisation".