Software for creating the routes for the school buses

You should pay attention to Google Maps API privacy notice, you should inform your user (school bus drivers) about geo-localization data and, of course, keep security measures about student’s address which are data (they may be considered as sensitive data under Article 9 GDPR in case they refer to minors). Pseudonymization or anonymization technique could help to increase security.

You should consider privacy from the earlier stage of designing the software following the principle of privacy by design as stated in Article 25 GDPR. ENISA the European Agency for Cybersecurity developed a recommendation on shaping technology according to GDPR provisions: https://www.enisa.europa.eu/publications/recommendations-on-shaping-technology-according-to-gdpr-provisions-part-2

I would recommend doing a Data Protection Impact Assessment (DPIA) under Article 35 GDPR in order to verify how the software will impact personal data and whether there is any risk for the freedom and rights of individuals involved arising from the processing of their data (bus drivers and students).

The Article 29 Working Party is a group of experts issued by the EU Commission in order to help controllers to comply with GDPR in the early stage. Now its functions have been transferred to the European Data Protection Board (EDPB). The Article 29 Working Party developed in 2018 Guidelines on Data Protection Impact Assessment (DPIA) https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=611236

Here you can find more information

• Article 25 GDPR https://advisera.com/eugdpracademy/gdpr/data-protection-by-design-and-by-default/
• Article 35 GDPR https://advisera.com/eugdpracademy/gdpr/data-protection-impact-assessment/
• What is privacy by design & default according to GDPR? https://advisera.com/eugdpracademy/blog/2018/04/17/what-is-privacy-by-design-and-default-according-to-gdpr/
• 5 phases of the EU GDPR Data Protection Impact Assessment https://advisera.com/eugdpracademy/knowledgebase/5-phases-of-the-eu-gdpr-data-protection-impact-assessment/
• Free webinar – Seven steps of Data Protection Impact Assessment (DPIA) according to EU GDPR https://advisera.com/eugdpracademy/webinar/seven-steps-of-data-protection-impact-assessment-dpia-according-to-eu-gdpr-free-webinar-on-demand/<

You can also consider enrolling in this free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

Hello Alessandra, thank yoy very mutch for your reply! Could you please explaine how can we apply pseudonymization or anonymization to adresses without names? Thank in advance, kind regards, Denis

Hello Alessandra, thank yoy very mutch for your reply! Could you please explaine how can we apply pseudonymization or anonymization to adresses without names? Thank in advance, kind regards, Denis