
When a student starts an internship, personal data is shared between the student, the school, and the company. This guide explains how GDPR affects internship management and what schools and companies need to do to handle data correctly.
GDPR applies to all processing of personal data, including during internships. The school and the company are usually separate data controllers for their respective parts of the process, which means both parties must have a legal basis, clear information, and reasonable security measures.
Why GDPR Matters During Internships
During an internship period, organizations typically handle names, contact details, personal identity numbers, grades, attendance, evaluations, and sometimes sensitive data such as health information or accommodation needs. Mishandling can lead to fines from the Swedish Authority for Privacy Protection and, more importantly, damaged trust from students and parents.
Who Is the Data Controller?
In internship contexts, there are usually two separate data controllers:
- The school or education provider is responsible for data tied to the education, such as matching, attendance, and assessment.
- The company is responsible for data tied to the workplace, such as access cards, work environment records, and internal communication.
This is rarely a pure processor relationship. Both parties should therefore have their own routines and not rely on the other.
Legal Basis
Processing personal data requires a legal basis under GDPR Article 6. Common bases in internship contexts:
| Actor | Common basis |
|---|---|
| Municipal school | Legal obligation or public task |
| Independent school | Legal obligation, contract, or legitimate interest |
| Company | Legitimate interest or contract with the school |
Consent is rarely the right basis in internships because it requires a free choice, which is difficult for a student in relation to their school or workplace.
What Should the Student Be Informed About?
Under Articles 13 and 14, the student should receive clear information about:
- which data is processed
- the purpose of the processing
- the legal basis
- the retention period
- recipients of the data
- their rights, including access and rectification
The information should be provided before the internship starts and written in plain language.
Common Problems in Internship Management
Personal identity numbers in email. Identity numbers are often sent in Excel attachments between school and company. This is rarely necessary and creates a risk if anything is misrouted or leaked.
Long retention periods. Many schools keep internship-related documentation for years without a clear purpose. GDPR requires data to be erased when it is no longer needed.
Unclear responsibility. When both school and company assume the other is responsible for security, gaps appear.
Subjective free-text assessments. Personal opinions about a student can be sensitive. Keep assessments factual and relevant.
Checklist for Schools
- Map which data is actually needed to administer the internship
- Document the legal basis for each processing activity
- Inform the student and guardians before the internship starts
- Minimize the use of identity numbers in communication with companies
- Set clear retention periods per data type
- Use secure document sharing instead of regular email
- Train coordinators and teachers in GDPR basics
Checklist for Companies
- Appoint a contact person for intern privacy matters
- Limit access to the intern's data to relevant colleagues
- Handle access cards, IT accounts, and similar items as you would for a fixed-term employee
- Do not retain CVs, grades, or assessments longer than necessary
- Make sure photos and quotes from the intern are used only with clear consent if published externally
- Handle sensitive data such as health or accommodation needs separately and with extra security
How Prakto Can Help
A digital internship platform like Prakto gathers matching, agreements, follow-up, and documentation in one system. This reduces the need for loose Excel files and emails, makes permissions clearer, and simplifies both erasure and access requests when they come in.
Frequently Asked Questions
Is an intern an employee under GDPR?
Usually not. The intern has an educational relationship with the school and a work-related relationship with the company without being employed.
May the company retain CVs and grades after the internship?
Only if there is a clear purpose, such as an ongoing recruitment process. Otherwise the data must be erased.
Is a data processing agreement needed between school and company?
Usually not, since both are independent data controllers. Agreements may, however, be needed between the school and any system supplier.
May the company film or photograph the intern?
Photographs of identifiable people require a legal basis. For external publication, consent is most common, and it must be voluntary.
What applies to sensitive data such as health?
Sensitive data under Article 9 requires additional grounds, such as explicit consent or grounds related to work environment law. Handle such data separately and restrict access.
Sources
- Swedish Authority for Privacy Protection, guidance on personal data in schools and education
- General Data Protection Regulation (EU) 2016/679, Articles 5, 6, 9, 13, and 14
Conclusion
GDPR is not a barrier to good internship collaboration, but it requires schools and companies to share responsibility clearly. Document the legal basis, minimize the data, and inform the student in advance. Then the internship becomes both lawful and trustworthy.
