AEPD (Spain) - EXP202102056

From GDPRhub
Revision as of 08:35, 12 April 2023 by Mg
AEPD - EXP202102056
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR
Article 30 GDPR
Article 32 GDPR
Article 58(2) GDPR
Article 83 GDPR
Article 99 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 06.01.2023
Published: 06.01.2023
Fine: n/a
Parties: n/a
National Case Number/Name: EXP202102056
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: ANASTASIA TSERMENIDOU

The Spanish DPA issued a reprimand and determined that the Island Council of El Hierro must adjust the publications on its transparency portal, reconciling its obligation to publish acts of public interest with the protection of personal data.

English Summary

Facts

A Google search for the data subject's name returned, as its first result, the transparency page of the Island Council of El Hierro. This webpage hosted the records of a plenary session held during the administrative procedures to segregate and establish the municipality of El Pinar. These records contained personal data of 3,996 individuals. Upon becoming aware of this, the data subject filed a complaint with the Spanish DPA, claiming that they had not consented to the publication of their data. In response, the Island Council (data controller) maintained that the publication did not require consent, as the data were necessary to build public opinion and reach a consensus on the topic among the population. For this reason, it alleged that the purposes of the processing were statistical and of public interest. While conceding that it had violated GDPR principles, the controller argued that the regulation was not yet in place at the time of the publication.

Holding

The Spanish DPA recognized that the website aimed to promote transparency in public activity, ensuring compliance with public disclosure obligations and safeguarding the right to access public information. However, it highlighted that these purposes must be fulfilled in accordance with the principles of data minimization and storage limitation provided for by Articles 5(c) and (e) GDPR. The DPA also acknowledged that the disclosure of personal data to third parties took place in the absence of an effective personal data protection regulation, but stated that the data controller should have adapted its practices to the GDPR within a period of two years after its entry into force, as provided for by Recital 171. It considered the removal of personal data from the publication a positive measure, but emphasized that the controller needs to implement technical and organisational measures to ensure an appropriate level of security, as required by Article 32 GDPR. In the AEPD's view, the controller's failures constituted a violation of its duty of integrity, confidentiality and security in the processing of personal data. For this reason, it issued a reprimand to the controller for infringing Articles 5(1)(f) and 32 GDPR.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

Get to know our institutional, organizational, planning, legal, budgetary and statistical information