DBEB/AVPD (Basque Country) - CN21-012
DBEB/AVPD - CN21-012 | |
---|---|
Authority: | DBEB/AVPD (Basque Country) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1)(c) GDPR Article 6(1)(c) GDPR Article 6(1)(e) GDPR |
Type: | Advisory Opinion |
Outcome: | n/a |
Started: | |
Decided: | 07.03.2022 |
Published: | |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | CN21-012 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | DBEB/AVPD (in ES) |
Initial Contributor: | n/a |
The Basque DPA held that the Basque Police had a legal basis to include personal data in files sent to the Chief of the Police, the Mayor’s Office, and the Councilman of Citizen Security under Article 6(1)(c) GDPR and under Article 6(1)(e) GDPR. However, it is still assessing whether this practice complies with the data minimisation principle under Article 5(1)(c) GDPR.
English Summary
Facts
The Basque Union of Police and Emergencies asked the Basque DPA for an assessment of its planned processing of personal data. The current practice was that at the end of each work shift, the operator of the coordinating center generated a PDF file containing all the incidents recorded during the shift. Subsequently, the operator generated another PDF document called "News for the Mayor's Office". This second document contained all the incidents but without the personal data of the involved persons. It only included the initials of the persons‘ names. Three copies of this document were then sent to the Chief of the Police, the Mayor’s Office and the Councilman of Citizen Security. Recently, however, the police was ordered to change this practice and to include all the relevant personal data, such as the involved persons‘ full names and ID number, in this second file. The City Council claimed that the practice of only including the involved persons‘ initials hindered the work of the police by not identifying the persons with whom the police had to interact.
Holding
The DPA noted that there was domestic legislation in place that allowed members of local authorities with powers in the field of public security to access information relating to the performance of their duties. Consequently, the DPA held that the police had a legal basis to include the involved persons‘ full names and IDs in the files sent to the Chief of the Police, the Mayor’s Office and the Councilman of Citizen Security under Article 6(1)(c) GDPR, as well as under Article 6(1)(e) GDPR. However, the DPA also noted that it is currently assessing whether this practice is also compliant with the data minimisation principle under Article 5(1)(c) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
CN21-012 OPINION No. D22-005 OPINION REGARDING THE LEGALITY OF INCLUDING DATA OF AFFILIATION IN THE INCIDENTS THAT THE LOCAL POLICE SEND EVERY DAY TO THE COUNCILOR OF PUBLIC SECURITY AND THE MAYOR OF THE TOWN BACKGROUND FIRST: On December 13, 2021, you have an entry in this Basque Agency for Protection of Data written by the Basque Union of Police and Emergencies in which states the following: “For the present and in view of the doubts that are being raised among the components of the Local Police of [...] on daily procedures ordered by the Headquarters of Police and that part of the collective interprets could violate the LOPD 3/2018 of 5 December, a clarification and resolution is requested from your Agency on the matter that then we move them; The Local Police of […] uses as a police tool for internal police management the computer program for police use with an annual license called EUROCOP. With this program all incidents known to this local police are recorded, whatever the form of knowledge of the same, telephone, notice on the road, police action..., including administrative sanctions, accident, criminal offenses... The operator agent of the communications center accesses this program at the beginning of his day through a personalized and private key of which he is the only connoisseur, your professional number being registered as an operating agent of how many incidents are recorded in your session, numbered individually and consecutively through shifts and throughout the year. This access is done daily with the operating agent accepting the terms of the LOPD by "clicking" on the "ACCEPT" tab, being aware of all the terms of the Law, duty of secrecy and treatment of data that in the program is register or are registered. Once the session is started, the operator agent of the communications center generates an incident for each known notice, leaving registered in it in different drop-down tabs; The fact itself, people involved with full affiliation even minors, possible also involved with full affiliation including minors, agents actors, vehicles and result of the incident. These incidents also record proposed administrative and even criminal sanctions (Art 27. 1 a) b) of the LO 3/2018). At the end of each 8-hour work shift, the operator of the coordination center generates a PDF file containing all the incidents recorded on your shift and with these a PDF document called "News for mayor" is generated and these they are saved in the corresponding folder, ordered by shift (Morning/T/Night), day (01 to 31) and month of the year (January to Dec), generating 3 daily for each day of the month. c/ Beato Tomás de Zumárraga, 71, 3º - 01008 Vitoria – Gasteiz - Tel. 945 016 230 - Fax. 945 016 231 avpd@avpd.es - www.avpd.es, This way of proceeding makes it easier for the rest of the agents to be aware of the incidents of a police nature recorded in previous shifts, during their discharge, by reviewing the generated PDFs, which are read throughout the operation by the head of service at the beginning of each work shift in what is known as the "Passe de ready". This generated file format collects in a shorter way, without affiliation data of communicators, involved or witnesses, (Individuals in general) the summary of each known incidence in each shift, the acting agents and the result of the same. The three daily lists generated (M/T/N) of "News for mayor" are sent the next morning via corporate email (_____@....eus) to the higher-ups, Mr. Chief of Police, as well as Mrs. mayor of […] and the councilor for citizen security. Many components of the police group, faced with the order to carry out this shipment of police incidents, which in its fields does not include personal data, to people outside of the operation only reflect the initials of the name and surname of the people involved in the warning and result fields, in order to avoid violating their privacy and understanding that knowledge of them is not necessary for the functions of mayor or council, beyond specific cases and by means of a report motivated. On the part of the Police Headquarters and at the request of the council, ordered the collective to include complete affiliation data of the citizens, name, surnames and DNI number in the body of the notice and result with which both Mr. councilor and the mayor have access to them, thus avoiding the privacy granted by this PDF file format which, as we explained, are not It includes. This practice, ordered by the leadership as the first task of each morning shift, is understood by the majority of the group as a possible violation of the LOPD and to article 5.1.c) of Regulation (EU) 2016/679, also understanding that the knowledge of these complete police affiliation data are personal data of first order of protection and whose knowledge is limited and its access must motivated. For these reasons, we request clarification from this union on the part of its Agency on the legality and convenience of systematically including complete affiliation data of citizens, even minors, in the incidences that are sent to them every day by email to Mr. Councilor for Citizen Security of the City Council of [...] and to the Mayoress of the municipality of [...] (All those collected by the Local Police). SECOND: On December 20, 2021, the Protection Delegate was requested City Council Data […] report on the matter. Dated January 26, 2022 had a written entry from the City Council of […] that attached a report from the Head of the Local Police stating the following: “I have read the document that has been submitted to the Basque Data Protection Agency in when the preparation of the lists of daily actions, use and referral of the same to different people, clarify: 1º.- There are two types of documents or lists of common use in the preparation and review of incidents created by daily police actions. First. The Notice Reception Sheet. This is a document made for each open incident in the police management "Eurocop", in which all the data included in the 2, action provided that the person operating the system complies with the instructions Headquarters and include the affiliation of every person involved in it (communicating, involved, etc...), vehicles and owners of the same, result of the notice, implication of the acting people, etc... it is essential to document all the data of the program to have the complete file and to be able to carry out consultations police and/or responses to various bodies such as Courts, Prosecutor's Office, others police forces, etc... the usual thing is to occupy two pages with each file if it is print. Second. The List of Daily Incidents. The list is a minimalist report of the police files where the Following data: The call summary text The management of the call The place of the incident and the professional numbers of the acting agents. This document contains less data than the police file, not appearing in it the affiliation of the people or vehicles involved in the incident and is generated in PDF form for each work shift of 8 hours in the morning, afternoon and night filing the same on the police intranet in a police access folder, it is which the request for information calls "News for the Mayor's Office". The document is the one used in the roll call or start of service of the three groups of daily work and serves to facilitate the essential information for your knowledge and performance of road safety prevention tasks and citizen, since it is of interest in terms of prevention to know the people investigated, suspects to be identified, investigated or detained, people with requisitions slopes, vehicles suspected of committing criminal offenses, etc... The usual way is to include in this list the only affiliation that allows its identification to the Police operation (Name and surname) not the rest (DNI, NIE, Passport, etc...). The Headquarters Order refers to incorporating all the complete data of all the people involved and vehicles in the 1st. "Police file" and only identifying data in the 2nd. "List of daily incidents", never the DNI/NIE/Passport (which does not provide nothing since the operative does not know the people by themselves and also if appears in the FILE) when it refers to those involved in criminal offenses, nor is it It is customary to indicate in this record the affiliation of communicating persons, witnesses and involved who do not contribute anything in this document to police prevention, this second type of data is already included in the Notice Reception Form and can be exploit this data before any requirement. The fact of incorporating the initials X.X. of people arrested and investigated, practice carried out by several Agents, hinders the work of the police operation by - not identify the people with whom the Police have to interact. This list of Daily Incidents from the previous day, consisting of three documents generated in PDF (morning, afternoon and evening), is sent the following day to the address Policelocal@....eus email address, from where it is distributed to the following users: The Deputy Commissioner-Chief of Police and the three NCOs 3, Having been extended to the users Mayoralty and Department with Delegation of Police by indication of the Political Headquarters of the Local Police. On a daily basis, the Ertzaintza refers us to the entire police operation through the police address local@....eus with the users mentioned in the paragraph above the daily incidences elaborated in the demarcation or scope of work common to both police forces. This list includes the type of incident, crime, complete affiliation of the people involved, DNI, NIE, etc... vehicles, telephone numbers of the people and photographs of the detained people. This list is presented at the roll call of each turn of work so that this police operation also knows the people with whom that interacts and serves as security prevention. They attached: 1.- An example of the Notice Reception Sheet 2.- List of incidents that are presented at roll calls with initials 3.- List of incidents presented with name and surname 4.- Order of Headquarters to fill in the complete affiliation (name and surnames... no more unnecessary data) 5.- Incidents sent daily from the Ertzaintza”. THIRD: Article 17.1 of Law 2/2004, of February 25, on Data Files of Personal Nature of Public Ownership and Creation of the Basque Protection Agency of Data, in its section n) attributes to the Basque Data Protection Agency the following function: “Attend to queries regarding the protection of personal data formulated by the public administrations, institutions and corporations to which referred to in article 2.1 of this Law, as well as other natural or legal persons, in relation to the processing of personal data included in the scope of application of this Law”. It corresponds to this Basque Data Protection Agency, by virtue of the most cited above, the issuance of the report in response to the query formulated. CONSIDERATIONS Yo The current regulatory framework regarding the protection of personal data is contained in the Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to data processing data and the free movement of these data and by which the Directive is repealed 95/46/CE (General Data Protection Regulation), directly applicable in the Member States since May 25, 2018, and in Organic Law 3/2018, of May 5, December, Protection of Personal Data and guarantee of digital rights (LOPDGDD), in force since December 7, 2018. 4, The RGPD defines in its article 4.1 personal data as "all information about a identified or identifiable natural person ("the interested party"); will be considered a natural person identifiable person any person whose identity can be determined, directly or indirectly, in by an identifier, such as a name, phone number, identification, location data, an online identifier, or one or more elements inherent to the physical, physiological, genetic, mental, economic, cultural or social identity of said person”. With regard to data processing, it is defined in article 4.2 of the RGPD, as “any operation or set of operations carried out on personal data or sets of personal data, whether by automated procedures or not, such as the collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, diffusion or any other form of authorization of access, collation or interconnection, limitation, suppression or destruction Therefore, to the extent that personal data is processed, it will be obliged to comply with the regulations on data protection. Article 5 of the RGPD establishes the principles related to data processing personal. In accordance with these principles, the data must be processed lawfully, fair and transparent. Likewise, once collected, they must be applied for purposes previously determined, explicit and legitimate, not being able to be used later in a manner incompatible with those purposes. In addition, the processing of personal data must observe the principle of data minimization, these must be adequate, pertinent and limited to the objective pursued, applying the technical and organizational measures that guarantee it. II The query raised by the Basque Union of Police and Emergencies refers to the legality to include affiliation data in the incidents that are sent every day to the councilor of citizen security and the mayor of the town. In this regard, we must emphasize that the RGPD establishes in its article 6.1 the assumptions that legitimize the processing of data personal, are as follows: a) the interested party gave their consent for the processing of their personal data for one or more specific purposes; b) the treatment is necessary for the execution of a contract in which the interested party is part of or for the application at the request of the latter of pre-contractual measures; c) the treatment is necessary for the fulfillment of an applicable legal obligation to the data controller; d) the treatment is necessary to protect the vital interests of the interested party or another Physical person; e) the treatment is necessary for the fulfillment of a mission carried out in public interest or in the exercise of public powers vested in the person responsible for the treatment; f) the treatment is necessary for the satisfaction of legitimate interests pursued by the person in charge of the treatment or by a third party, provided that on said 5, interests do not override the interests or the fundamental rights and freedoms of the interested party that require the protection of personal data, in particular when the interested is a child. Article 6.3 of the RGPD establishes that “the basis of the treatment indicated in section 1, letters c) and e), must be established by the Law of the Union, or the Law of the Member States that applies to the data controller. In this sense, Organic Law 3/2018, of December 5, on Data Protection Personal and guarantee of digital rights (LOPDGDD), in its article 8, regarding the data processing due to legal obligation, public interest or exercise of public powers, establishes: "1. The processing of personal data can only be considered based on the compliance with a legal obligation required of the person in charge, in the terms provided in article 6.1 c) of Regulation (EU) 2016/679, when so provided by a standard of European Union Law or a rule with the force of law, which may determine the general conditions of the treatment and the types of data object of the same as well as well as the transfers that proceed as a result of the fulfillment of the obligation legal. Said rule may also impose special conditions on the processing, such as the adoption of additional security measures or others established in Chapter IV of Regulation (EU) 2016/67”. Likewise, article 10 of the LOPDGDD regarding the treatment of data of a criminal, establishes that the processing of personal data related to convictions and infractions criminal proceedings, as well as related precautionary and security procedures and measures, to purposes other than those of prevention, investigation, detection or prosecution of criminal offenses or execution of criminal sanctions, can only be carried out when it is protected by a rule of Union Law, in this organic law or in other regulations of legal rank. Therefore, to determine the legality of the treatment consulted, it will be necessary to analyze the legal regime applicable to access by members of a local corporation to personal information held in a EUROCOOP database. About, We must start by noting that art. 77 of Law 7/1985, of April 2, Regulating the Bases of the Local Regime (hereinafter LRBRL), establishes that all the members of Local Corporations have the right to obtain from the Mayor or President or from the Government Commission whatever background, data or information is in the possession of the services of the Corporation and are necessary for the development of its function. The Law of bases of the local regime does not foresee, therefore, an indiscriminate access to the municipal information, but rather introduces a criterion of prudence both when stating the right, as when articulating its exercise procedure. We can reach the same conclusion If we analyze the development of said article contained in Royal Decree 2568/1986, of November 28, which approves the Organization Regulations, Functioning and Legal Regime of Local Entities (ROF), specifically in the Articles 14 to 16. Article 15 establishes the obligation to provide the information to the councilors in the case of corporations that hold delegations or responsibilities management, and the information is specific to the corresponding areas; is also required to give the councilors the information and documentation corresponding to the matters that have to be treated by the collegiate bodies of which they are a part, as well as the 6, resolutions or agreements adopted by any municipal body and, finally, that information that is freely accessible to citizens. In this regard, the Supreme Court (among other STS 1541/2016, of June 27) has recognized that the right of the members of the Local Corporations to the necessary information for the performance of their duties that, with a basic character, recognizes article 77, it is essential for the democratic functioning of said Corporations, as well as for the fundamental right of participation in public affairs arising from article 23.1 of the Constitution. Adequate information is an unavoidable budget to participate in the deliberations and votes of the Plenary and of the other collegiate bodies, for a correct work of control and supervision or for the exercise of the responsibilities of management that, where appropriate, holds the Councilor who, in short, must respond civilly and criminally for the acts and omissions carried out in the exercise of their position (article 78 LRBRL). By Therefore, the jurisprudence has always rigorously examined the assumptions of limitation or restriction of this right (judgments, among many others, of February 9, 1995, 27 December 1994 and November 24, 1993). In accordance with this legal regime, the right to information of the councilors appears closely and directly related to the development of its function, which in this case is specifically in the exercise of powers related to citizen security. In this meaning, art. 21 of the LRBRL to regulate the powers of the Mayor, establishes in the section i) that corresponds to exercise the leadership of the Municipal Police. In the same In this sense, Law 2/2016, of April 7, on Local Institutions in the Basque Country, regulates in art. 17 the powers of the municipalities, highlighting the planning and management of the local police, traffic management, road safety, vehicle parking and collaboration in citizen security. On the other hand, Law 15/2012, of June 28, on the Organization of the Security System Public of Euskadi, regulates the public authorities in matters of security (art. 4), and establishes that they participate in the public security system as authorities in the the Mayors, and other holders of municipal bodies in the framework of its powers. Therefore, based on the exposed legal framework, it can be concluded that the members of local corporations that have powers in matters of citizen security may access information related to the performance of their duties, under of the provisions of article 6.1 c) of the RGPD, as well as when the treatment is necessary for the fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred on the data controller established by art. 6.1 e) of the GDPR. In any case, the central role that for a correct guarantee of the fundamental right to data protection have the principle of minimization collected in art. 5.1 c) of the RGPD, in accordance with which the personal data processed will be adequate, relevant and limited to what is necessary in relation to the purposes for which they are treated. This principle attempts to include a criterion of reasonableness and proportionality in the handling of the information, in view of the purpose pursued by the treatment. In the present case, the legality of including affiliation data in the incidents that Every day, the local police send the councilor for citizen security and the mayor of the locality, so that according to the established legal framework, access must be allowed 7, treating the data strictly necessary for the intended purpose in each case, thus avoiding illegitimate interference in the right to privacy of the people of accordance with the principle of minimization. In Vitoria-Gasteiz, on March 7, 2022 8