AEPD (Spain) - EXP202102056: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=EXP20...")
 
(I changed the description of the facts to put them in chronological order. Replaced 'complainant' with 'data subject'.Elaborated further on the DPA decision to better describe its line of reasoning. Changed the headline to better describe the legal issue addressed.)
Line 69: Line 69:
}}
}}


The AEPDP stated measures are required to adapt personal data processing to the requirements of the GDPR.
The AEPD issued a reprimand and determined that the Island Council of El Hierro adjust the publications on its transparency portal, reconciling its obligation to publish acts of public interest with the protection of personal data.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The defendant claimed against the Cabildo de El Hierro for violating articles 5 and 32 of the GDPR. Cabildo certified that on October 18, 2006, the necessary procedures were initiated in the different administrations for the start of the segregation and constitution of the new municipality of El Pinar, on the Island of El Hierro, in accordance with Royal Decree 1690/1986 , of July 11, which approves the Regulation of Population and Territorial Demarcation of Local Entities. Cabildo also indicated sensitive personal data was never published and no consent as a legal basis was needed, since the processing of personal data that took place was for statistical purposes, for a matter of public interest. That time there was not a regulation, regarding the protection of personal data.
A Google search of the data subject's name brought as a first result the transparency page of the Island Council of El Hierro. On this webpage, there were records of a plenary session held during the administrative procedures to segregate and establish the municipality of El Pinar. These records contained personal data of 3.996 individuals. Upon becoming aware of the fact, the data subject filed a complaint with the Spanish DPA claiming that they did not consent with the publication of their data. In response, the Island Council (data controller) sustained that the publication did not require consent as the data were necessary to build public opinion and reach a consensus on the topic among the population. For this reason, it alleged that the purposes of the processing were statistical and of public interest. While conceding that it violated GDPR principles, the controller argued that the regulation was not yet in place at the time of the publication.


=== Holding ===
=== Holding ===
The AEPD noted that the purpose of the transparency portal is to promote the transparency of public activity, ensure compliance with publicity obligations, safeguard the exercise of the right of access to public information and guarantee compliance with good governance provisions; Once these purposes have been fulfilled, action should have been taken on the personal data published in order to minimise them and that they only remain accessible for the time necessary for the purposes of article 5 of the GDPR. Also, according to the AEPD the Recital 171 of the GDPR establishes the obligation that all processing activities should be compliant within a period of two years from the date of its entry into force.Therefore, the Cabildo had to adapt, in the aforementioned period, the treatment that the publication of its acts implies in its transparency profile, to the new data protection regulations, foreseeing a period for the deletion or periodic review of the published data.
The AEPD recognized that the website aimed to promote transparency in public activity, ensuring compliance with public disclosure obligations and safeguarding the right to access public information. However, it highlighted that these purposes shall be fulfilled in accordance with the principles of data minimization and storage limitation provided for by Articles 5(c) and (e) GDPR. The AEPD also acknowledged that the disclosure of personal data to third-parties took place in the absence of an effective personal data protection regulation, but stated that the data controller should have adapted its practices to the GDPR within a period of two years after its entry into force as provided for by Recital 171. It considered the removal of personal data from the publication as a positive measure, but emphasized that the controller needs to implement technical and organisational measures to ensure an appropriate level of security as required by 32 GDPR. In the understanding of the AEDP, the failures of the controller constituted a violation of its duty of integrity, confidentiality and security in the processing of personal data. For this reason, it issued a reprimand on the controller for infringing Articles 5(1)(f) and 32 GDPR. .


== Comment ==
== Comment ==

Revision as of 09:45, 6 April 2023

AEPD - EXP202102056
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR
Article 30 GDPR
Article 32 GDPR
Article 58(2) GDPR
Article 83 GDPR
Article 99 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 06.01.2023
Published: 06.01.2023
Fine: n/a
Parties: n/a
National Case Number/Name: EXP202102056
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEDP (in ES)
Initial Contributor: ANASTASIA TSERMENIDOU

The AEPD issued a reprimand and determined that the Island Council of El Hierro adjust the publications on its transparency portal, reconciling its obligation to publish acts of public interest with the protection of personal data.

English Summary

Facts

A Google search of the data subject's name brought as a first result the transparency page of the Island Council of El Hierro. On this webpage, there were records of a plenary session held during the administrative procedures to segregate and establish the municipality of El Pinar. These records contained personal data of 3.996 individuals. Upon becoming aware of the fact, the data subject filed a complaint with the Spanish DPA claiming that they did not consent with the publication of their data. In response, the Island Council (data controller) sustained that the publication did not require consent as the data were necessary to build public opinion and reach a consensus on the topic among the population. For this reason, it alleged that the purposes of the processing were statistical and of public interest. While conceding that it violated GDPR principles, the controller argued that the regulation was not yet in place at the time of the publication.

Holding

The AEPD recognized that the website aimed to promote transparency in public activity, ensuring compliance with public disclosure obligations and safeguarding the right to access public information. However, it highlighted that these purposes shall be fulfilled in accordance with the principles of data minimization and storage limitation provided for by Articles 5(c) and (e) GDPR. The AEPD also acknowledged that the disclosure of personal data to third-parties took place in the absence of an effective personal data protection regulation, but stated that the data controller should have adapted its practices to the GDPR within a period of two years after its entry into force as provided for by Recital 171. It considered the removal of personal data from the publication as a positive measure, but emphasized that the controller needs to implement technical and organisational measures to ensure an appropriate level of security as required by 32 GDPR. In the understanding of the AEDP, the failures of the controller constituted a violation of its duty of integrity, confidentiality and security in the processing of personal data. For this reason, it issued a reprimand on the controller for infringing Articles 5(1)(f) and 32 GDPR. .

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

Get to know our institutional, organizational, planning, legal, budgetary and statistical information