AEPD (Spain) - E/01090/2021: Difference between revisions
mNo edit summary |
No edit summary |
||
Line 48: | Line 48: | ||
}} | }} | ||
Spanish DPA holds that sharing documents containing personal data with the courts and other parties involved in the context of legal proceedings does not infringe the right to data protection, as in the rights of due process and legal defense have to be balanced against it. | |||
==English Summary== | ==English Summary== | ||
===Facts=== | ===Facts=== | ||
A data subject made a complaint to the Spanish DPA because a party in a legal proceeding against the data subject shared with another counterparty in the same legal proceeding with | A data subject made a complaint to the Spanish DPA because a party in a legal proceeding against the data subject shared with another counterparty in the same legal proceeding with the same data subject a legal document containing personal data of the data subject. | ||
===Dispute=== | ===Dispute=== | ||
Line 62: | Line 62: | ||
==Comment== | ==Comment== | ||
The decision from the Spanish DPA does not analyze in detail the articles of the GDPR but makes a general balancing act between the right of data protection and the right to | The decision from the Spanish DPA does not analyze in detail the articles of the GDPR but makes a general balancing act between the right of data protection and the right to due process and the right to legal defense. It argues that individuals can't use data protection rights to avoid disclosing personal data that is relevant for the legal proceedings. | ||
==Further Resources== | ==Further Resources== |
Revision as of 11:30, 17 March 2021
AEPD - E/01090/2021 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 4(9) GDPR |
Type: | Complaint |
Outcome: | Rejected |
Started: | |
Decided: | |
Published: | |
Fine: | None |
Parties: | n/a |
National Case Number/Name: | E/01090/2021 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | n/a |
Spanish DPA holds that sharing documents containing personal data with the courts and other parties involved in the context of legal proceedings does not infringe the right to data protection, as in the rights of due process and legal defense have to be balanced against it.
English Summary
Facts
A data subject made a complaint to the Spanish DPA because a party in a legal proceeding against the data subject shared with another counterparty in the same legal proceeding with the same data subject a legal document containing personal data of the data subject.
Dispute
Can the right of data protection preclude sharing documents containing personal data with the courts and the other parties involved in the context of a legal proceeding?
Holding
The Spanish DPA, based on case-law from the Spanish Constitutional Court, held that in the context of legal proceeding where the data subject is a party, it is not necessary to ask for his consent in order to share documents that are used as evidence in a trial with the court and with the other counterparties in the proceedings.
Comment
The decision from the Spanish DPA does not analyze in detail the articles of the GDPR but makes a general balancing act between the right of data protection and the right to due process and the right to legal defense. It argues that individuals can't use data protection rights to avoid disclosing personal data that is relevant for the legal proceedings.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/5 Procedure Nº: E / 01090/2021 RESOLUTION OF ACTION FILE Of the actions carried out by the Spanish Agency for Data Protection and based on the following ACTS FIRST: A.A.A. (hereinafter, the claimant) on July 4, 2020 filed claim before the Spanish Agency for Data Protection. The claim is directs against WALLNER EUROPA, S.L. with NIF B63809560 (hereinafter, the claimed). The reasons on which the claim is based are that the company WALLNER EUROPA SL or the law firm representing SINDREU ABOGADOS has provided the company ADGEST MANAGER S.L. an auto document of dismissal of precautionary measures requested by the claimant in a dismissal against WALLNER EUROPA S.L. You have filed a labor lawsuit against ADGEST MANAGER S.L. and has had knowledge that the order for the rejection of precautionary measures has been provided in the proceeding against said company. Along with the claim, it provides -Copy of ADGEST document, represented by FMI ABOGADOS Y ECONOMISTAS addressed to the Social Court no. 7 of *** LOCALITY. 1, of June 15, 2020, claim procedure amount *** PROCEDURE.1, and diligence of incorporation into the judicial procedure signed by the Attorney for the administration of Justice of June 18, 2020. The brief explains that “it challenges the request for precautionary measures and preventive seizure of assets because it is understood that the requirements". It indicates that there is no employment relationship with the claimant and "there is no indication any insolvency of the co-defendants that prevented the execution of a eventual conviction… ”It is illustrative for these purposes, signing the thesis of this, is provided as document 1, Writ in piece of precautionary measures, in procedure of the actor himself ... in claim of dismissal, against another entity financial Wallner Europa SL followed before the Social Court 4 of this city, in dismissal orders *** CARS.1. " The aforementioned order that you attached is dated February 5, 2020 with the claimant as plaintiff against Wallner Europa S.L, “in demand for dismissal with request of precautionary measure of preventive seizure of the defendant's assets, indicating that Since they were part of a Business Group with only one partner, they could transfer the assets or rights and divert funds from the entity to other companies of the group frustrating the possibilities of collection of the amounts requested. " At reasoning, the car analyzes the documentation provided by WALLNER: balance of situation and provisional operating account for the year 2019, annual accounts C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/5 of the 2018 financial year, as well as certificates of being up-to-date with Social Security or up to date with tax obligations for the purposes of contracts with the public sector. The order dismisses the request for precautionary measures presented by the claimant, indicating that the existence of circumstance any that lead to your request being considered. The operative part contains the rejection of the petition filed, with the name of the claimant, as well as in the header. The document on its left margin horizontally, along the folios, it contains a literal that warns: "The dissemination of the text of this resolution to parties not interested in the process in which it has been issued may only be carried out carried out prior dissociation of the personal data that they contain and with full respect for the right to privacy, the rights of the people who require a special duty of guardianship or the guarantee of the anonymity of the victims or harmed where appropriate. The personal data included in this resolution does not they may be transferred or communicated for purposes contrary to the law "- -Copy of order of the Judge of the Social Court 7, subject: defendant ADGEST in which the day after its presentation, June 16, 2020, gives transfer of the brief submitted by ADGEST to the complaining party, in order for them to allege what is convenient for you. SECOND: In view of the facts denounced in the claim and the documents provided by the claimant to the General Subdirectorate of Inspection of Data proceeded on July 23, 2020 to transfer the claim of in accordance with the provisions of Title VII, Chapter I, Second Section, of the Law Organic 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD). On August 6, 2020, the respondent responds: -The claimant throughout 2019 has filed on his own behalf and in representing his mother a total of seven legal proceedings in the matter of dismissal, claim for quantity, illegal assignment, violation of rights fundamentals against WALLNER EUROPA S.L. Indicates the number of procedures and the subject of each one of them. He states that upon receiving the first claim, he entrusted DURÁN SINDREU S.L. defense and representation in all proceedings, and that “El 9 June 2020, Wallner receives a call from lawyer B.B.B., from the IMF firm ABOGADOS Y ECONOMISTAS S.L., “who tells us that his client the company ADGEST MANAGERS, a competitor of WALLNER, has received demand from the claimant with identical motions of merits to those received by WALLNER. WALLNER forwarded said call to the lawyer of DURÁN SINDREU's office, C.C.C. to get in touch with attorney B.B.B. since the claimant had submitted identical claims to WALLNER and ADGEST and had requested against both precautionary measures. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/5 From the various conversations that took place between the lawyers and for the sake of the defense of our companies against claims with identical motions, the attorney C.C.C. provided the ADGEST attorney with the order dismissing precautionary measures issued. " It considers that the communication between lawyers of the aforementioned dismissal order "is It is part of the confidentiality and professional secrecy established in article 5 of the code of ethics of the Spanish Lawyers, not having violated the right any relation to Data Protection " On October 20, 2020, the claim is admitted for processing. FOUNDATIONS OF LAW I In accordance with the investigative and corrective powers that article 58 of the Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) grants each control authority, and according to the provisions of article 47 of the Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), is competent to resolve these investigative actions by the Director of the Spanish Agency for Data Protection. II The RGPD defines in its article 4: "1)" personal data ": any information about an identified natural person or identifiable ("the interested party"); an identifiable natural person shall be considered any person whose identity can be determined, directly or indirectly, in particular by means of an identifier, such as a name, an identification number, data from location, an online identifier or one or more elements of the identity physical, physiological, genetic, psychic, economic, cultural or social of said person; " 2) "treatment": any operation or set of operations carried out on personal data or personal data sets, whether by procedures automated or not, such as collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, broadcast or any other form of authorization of access, collation or interconnection, limitation, deletion or destruction; 4) "file": any structured set of personal data, accessible in accordance with to certain criteria, whether centralized, decentralized or distributed in a functional or geographic; 7) "controller" or "controller": the natural or legal person, authority, service or other body that, alone or together with others, determines the purposes and means of treatment; whether the law of the Union or of the Member States determines the purposes and means of the treatment, the person responsible for the treatment or Specific criteria for their appointment may be established by Union law. or the Member States]. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/5 9) "addressee": the natural or legal person, public authority, service or other body to which personal data is communicated, whether or not it is a third party. Do not However, public authorities that may receive personal data in the framework of a specific investigation in accordance with the Union or Member State law; the treatment of such data by said public authorities will be in accordance with the rules on protection of data applicable to the purposes of the treatment; 10) "third party": natural or legal person, public authority, service or body other than the interested party, the person responsible for the treatment, the person in charge of the treatment and of the persons authorized to process personal data under the authority direct from the person in charge or the person in charge; " III The Constitutional Court has declared, in its Sentence 292/2000, of November 30, Regarding the fundamental right to data protection, “that the right to Data protection is not unlimited, and although the Constitution does not impose express- specific limits, nor refer to the Public Powers for their determination As it has done with other fundamental rights, there is no doubt that they must contradict them in the remaining fundamental rights and constitutional legal rights protected, as it is required by the principle of unity of the Constitution ”. The enforceability of the consent of the parties in the judicial processes for the contribution tation of documents in which the data of the counterparty appears would mean leaving the disposition of the former, the will to use it, which would result in the impossibility of to fully exercise their right to effective judicial protection, producing defenselessness Zion. Thus, the lack of these data or their communication to the counterparty may imply, lo- gically, a reduction in the possibility of contribution by the interested party of "the media pertinent evidence for his defense ", violating another of the guarantees derived of the aforementioned right to effective guardianship and restricting the possibility of obtaining the full development of this right. In view of this, the legislator has created a system in which the right to protection of personal data yields in those cases in which the legislator himself (constitutional or ordinary) has considered the existence of reasoned and fundamental reasons given that justify the need for data processing, incorporating said supposed to norms of, at least, the same rank as the one that regulates the gida. As stated by the reiterated jurisprudence of the Constitutional Court (for all, STC 186/2000, dated 07/10, with the citation of many others) "the right to privacy is not absolute, as none of the fundamental rights is, being able to yield to constitutionally relevant interests, provided that the cut that it has to experience is revealed as necessary to achieve the legitimate purpose envisaged, proportionate to in order to achieve it and, in any case, be respectful of the essential content of the right ". Therefore, the acceptance or knowledge of the affected party is not required for the transfer of personal data, when the communication is for judicial defense and as C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/5 recipients to the Judges or Courts within the exercise of their powers, including the cases in which it is evidence that, although it has not been Requested by the Judge or Court, they are provided by the parties. The action is subsumed in the right of all citizens to use all means of relevant evidence for your defense, in the exercise of your rights and interests legitimate, without, in any case, being defenseless, as indicated in the Article 24.2 of the Constitutional text that prevails in this case, also considering that the personal data of the claimant was already known by the defendant because it was the counterpart of a demand for quantity against them, and the document contained the reasons for the denial of the precautionary measures that he requested, so that with his transfer does not reveal intimate data of the claimant nor was his identity unknown to ADGEST. In the present case, the analysis carried out on the documents provided and the concurrent circumstances, there are no indications of infringement in the field competence of this AEPD. Therefore, in accordance with the provisions, by the Director of the Spanish Agency for Data Protection, IT IS AGREED: FIRST: PROCEED WITH THE FILING of these actions. SECOND: NOTIFY this resolution to the claimant and claimed. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure as prescribed by the art. 114.1.c) of Law 39/2015, of 1/10, of the Common Administrative Procedure of the Public Administrations, (LPCAP) and in accordance with the provisions of the arts. 112 and 123 of the same Law, the interested parties may file, optionally, appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a month from the day following notification of this resolution or directly administrative contentious appeal before the Chamber of Contentious-administrative of the National Court, in accordance with the provisions of the Article 25 and in section 5 of the fourth additional provision of Law 29/1998, of 07/13, regulating the Contentious-Administrative Jurisdiction, within two months from the day following notification of this act, as provided in article 46.1 of the aforementioned Law. 940-0419 Mar Spain Martí Director of the Spanish Agency for Data Protection C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es