DBEB/AVPD (Basque Country) - DICTAMEN No D22-013
DBEB/AVPD - DICTAMEN No D22-013 | |
---|---|
Authority: | DBEB/AVPD (Basque Country) |
Jurisdiction: | Spain |
Relevant Law: | Article 4(1) GDPR Article 4(2) GDPR Article 5 GDPR Article 6(1) GDPR LOPDGDD |
Type: | Advisory Opinion |
Outcome: | n/a |
Started: | |
Decided: | |
Published: | 11.11.2022 |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | DICTAMEN No D22-013 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AVPD (in ES) |
Initial Contributor: | Michelle Ayora |
The Basque DPA issued an expert opinion regarding the envisaged processing of personal data by a municipal water supplier. The DPA highlighted the importance of observing the principles under Article 5 GDPR.
English Summary
Facts
Vitoria S.A, a water supplier, consulted the Basque DPA and requested an expert opinion on envisaged processing of personal data. The aim of the consultation was to verify the lawfulness of the potential transfer of personal data collected for the management of contracts for the provision of water service due to the transfer of functions from Vitoria S.A. to a new water supplier, Alava Water Consortium. The latter had requested a transfer of the mentioned data without obtaining prior consent from each of the users of the water supply services (the data subjects). Alava Water Consortium assumed the full execution and management of the water supply and considered it lawful to manage the contracts since the information that they contain allows it to control the consumption, fees, invoicing, and so forth. This competence was transferred to Alava Water Consortium by the municipal entities (the controllers) who owned the consotrium as a public limited company.
Holding
The DPA started by applying the concept of ‘personal data’ in Article 4(1) GDPR, stating that the information contained in the water supply agreements was personal data as long as it referred to identified or identifiable natural persons.
Further, the DPA analysed that the envisaged contract management constituted ‘processing’ in the sense of Article 4(2) GDPR and confirmed that Alava Water Consortium would therefore have to observe the principles of Article 5 GDPR and have a valid legal basis listed in Article 6(1) GDPR. The DPA highlighted that when it comes to the processing carried out by public administration entities, the legal basis usually is public interest and the exercise of a public task. The national legislation (Article 8(2) LOPDGDD) foresees that such basis can only be applied when the competence of the administrative body is established by law.
Next, the DPA looked at the legislation that regulates both local government and the competencies of local bodies in the water supply (Ley 2/2016, de 7 de abril de Instituciones Locales de Euskadi and Ley 7/1985, de 2 de abril, Reguladora de las Bases del Regimen Local, respectively). From this, the DPA concluded that a consortium can have the same competencies as a municipality in the management, supply, and control of the full water supply cycle for urban use, and for doing so, they may do direct management. The DPA held that it was legitimate to substitute the municipalities, which were the component members in carrying out the processing of personal data, as long as the consortium processed only the necessary data for the purpose of managing the public service of water supply.
Additionally, the DPA pointed out the principles to be observed, such as transparency, by informing the data subject at the time of the collection of data as foreseen in Articles 12, 13 and 14 GDPR and Article 11 LOPDGDD. The controller must observe the principles data minimisation under Article 5(1)(c) GDPR and purpose limitation contained in Article 5(1)(b) GDPR. In the case of the principle of integrity and confidentiality of Article 5(1)(f) GDPR, it is mandatory to guarantee the security of the data, including the protection against accidental or unlawful destruction, loss, alteration, unauthorised disclosure (Article 32 GDPR) and, also, to take into consideration that processing carried out by public administrations must observe the measures established by the National Security Scheme as foreseen in the LOPDGDD.
Finally, according to the DPA, it is mandatory under Article 30 GDPR to maintain a record of the processing activities which, in the case of public entities, must be made publicly available and accessible through electronic means.
The DPA did not discuss the specific envisaged processing activities of Alava Water Consortium.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File: CN22-005 OPINION No. D22-013 OPINION RELATED TO THE PROCESSING OF PERSONAL DATA THAT IT INTENDS CREATE THE ÁLAVA WATER CONSORTIUM FOR THE PROVISION OF THE WATER SUPPLY SERVICE IN SECONDARY NETWORK OR SUPPLY "IN DOWN" BACKGROUND FIRST. - The Manager of Municipal Waters of Vitoria S.A. (AMVISA), by writing requests an opinion regarding the legality of the transfer of data collected for the management of the contracts for the provision of the "low" service (storage in warehouses and distribution through pipes to the connections that connect with the facilities private end users, such as homes, businesses, industry and other establishments) upon request by URBIDE Arabako Ur Patzuergoa-Consortium of Aguas de Álava, as the new provider of said service "in decline", without collecting prior consent of each of the users of the supply services of water in the secondary network of the Administrative Boards that adhere to the agreement of the new lender. SECOND. - The aforementioned document states that Aguas Municipales de Vitoria S.A., incorporated in 1970 as a public limited company and which is the exclusive property of the Vitoria-Gasteiz City Council. The purpose of said corporation is to provide the public collection service, purification and distribution of drinking water, as well as the purification of wastewater in the city of Vitoria-Gasteiz, as well as in certain towns within its jurisdiction. This public limited company has an automated subscriber file when water supply contracts are formalized in the secondary network, whose purpose is the management of the relations of users of the service in order to demand the considerations rates. URBIDE Arabako Ur Patzuergoa-Álava Water Consortium, has requested AMVISA the transfer of the data that it has regarding the supply contracts of the users residents of the Administrative Boards attached to the Consortium, in order to proceed with the transfer of supply management “in decline”. THIRD. - In response to the request made by the Basque Agency for Data Protection, URBIDE Arabako Ur Patzuergoa-Álava Water Consortium declares that it has assumed the execution and management of the services related to the cycle of water and therefore considers that it is appropriate that he himself holds the recognition or ownership of the contracts related to the services it provides, c/ Beato Tomás de Zumárraga, 71, 3º - 01008 Vitoria – Gasteiz - Tel. 945 016 230 - Fax. 945 016 231 avpd@avpd.eus - www.avpd.eus such as control of metering equipment, contracting of services, control of consumption, its invoicing and collection and non-payment management, the resolution of claims and the power to impose sanctions derived from said activity, to which requires the disposition of the data that AMVISA currently has. It also states that the Consortium exercises the power to manage the water that corresponds to the local entities themselves, who hold the ownership of the competence which empowers them to perform the function of data controllers. Personal information. FOURTH. - Article 17.1 of Law 2/2004, of February 25, on Data Files of Personal Nature of Public Ownership and Creation of the Basque Protection Agency of Data, in its section n) attributes to the Basque Data Protection Agency the following function: “Attend to queries regarding the protection of personal data formulated by the public administrations, institutions and corporations to which referred to in article 2.1 of this Law, as well as other natural or legal persons, in relation to the processing of personal data included in the scope of application of this Law”. The Basque Data Protection Agency is the control authority for data processing. personal data carried out by the Public Administrations and other public entities of the Country Vasco, as data controllers, or where appropriate, as data processors. In this case, AMVISA is a public limited company, so its performance is not subject to the control of the Basque Agency for Data Protection, in accordance with the provisions of the article 17 in relation to article 2 of Law 2/2004, of February 25, on Files of Personal Data of Public Ownership and Creation of the Basque Agency for Data protection, being the competent authority the Spanish Agency for the Protection of Data. However, it corresponds to this Basque Data Protection Agency, by virtue of the aforementioned regulations, the control of the processing of personal data carried out by URBIDE Arabako Ur Patzuergoa-Álava Water Consortium for being one of the entities referred to in article 2.1 of Law 2/2004, and therefore, the issuance of the this opinion. CONSIDERATIONS Yo This Agency is going to analyze the possible legitimation of URBIDE Arabako Ur Patzuergoa- Consorcio de Aguas de Álava so that it can proceed with the processing of the data personnel involved in the transfer of supply management "in decline" with respect to the data of the neighboring users of the Administrative Boards that the company has municipal AMVISA, that is, personal data of natural persons, sole holders of the fundamental right to data protection regulated in Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to regarding the processing of personal data and the free movement of such data (in Forward GDPR. 2II Prior to the issuance of this opinion, we must proceed to the analysis of concepts core elements of the fundamental right to data protection, such as the definition of data personal and data processing. The RGPD defines in its article 4.1 personal data as: All information about a identified or identifiable natural person ("the interested party"); will be considered a natural person identifiable person any person whose identity can be determined, directly or indirectly, in by an identifier, such as a name, phone number, identification, location data, an online identifier, or one or more elements inherent to the physical, physiological, genetic, mental, economic, cultural or social identity of said person”. In this case, the personal data contained in the contracts for the provision of the "unsubscribed" service will be personal data insofar as they refer to natural persons identified or identifiable. With regard to data processing, it is defined in article 4.2 of the RGPD as “Any operation or set of operations carried out on personal data or sets of personal data, whether by automated procedures or not, such as the collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, diffusion or any other form of authorization of access, collation or interconnection, limitation, suppression or destruction”. The management of the contracts for the provision of the canceled service sought by URBIDE Arabako Ur Patzuergoa-Álava Water Consortium, involves data processing personal, so it will be subject to compliance with the obligations contained in the regulations on data protection. The processing of personal data must necessarily respect the principles proclaimed in article 5 of the RGPD, among them the principle of legality, loyalty and transparency [art. 5.1.a) of the RGPD]. In compliance with this principle, these treatments must be covered by one of the the legal bases of the treatment included in article 6.1 of the RGPD: consent, contract, legal obligation, public interest or exercise of public powers, legitimate interest and vital interest of the affected party. In the case of Public Administrations, it is the fulfillment of a mission carried out in public interest and the exercise of public powers the most common legitimating basis. In In relation to it, Organic Law 3/2018 of December 5, on Data Protection Personal and guarantee of digital rights in its article 8.2 provides: "two. The processing of personal data can only be considered based on the fulfillment of a mission carried out in the public interest or in the exercise of powers data conferred on the controller, under the terms provided in article 6.1 e) of the Regulation (EU) 2016/679, when it derives from a competence attributed by a norm with the force of law”. 3In the case at hand, it is appropriate to analyze the regulations that regulate the local regime and the competences of local entities in the provision of the public supply service of water. Law 2/2016, of April 7, on Local Institutions of the Basque Country (hereinafter LILE) in its Article 17 provides that the municipalities within the framework of the provisions of the same Law and in the legislation that is applicable, they may exercise their own powers in the organization, management, provision and control of services in the integral cycle of water for urban use, which includes the supply of water in high or adduction, supply of water in low, Sanitation or collection of urban wastewater and rainwater from the nuclei of population and purification of urban wastewater. Article 2.1.b) of the LILE stipulates that they will be considered local entities the councils and any other local territorial entities of less than municipality, in accordance with the existing regional regulations in each territory and the provisions of the basic legislation of local regime. Article 2.5 of the LILE states that councils, associations, gangs... All the powers provided for in the basic legislation of the local regime will correspond to them (Law 7/1985, of April 2, Regulating the Bases of the Local Regime, hereinafter LBRL). In the indicated section in fine it is provided that "in the case of the Historical Territory of Álava, the councils have the powers recognized by the laws or regulations forales”. Likewise, article 2.2 of the LILE provides that local public services will be provided, preferably by the municipality, and when this is not feasible or converge reasons of efficiency or effectiveness, by local entities constituted by the municipalities (associations, consortiums...). The aforementioned article 2 in its third section continues to say that public services local entities may also be provided by other local entities, including by entities supramunicipal, in which case the will and request of the different municipalities that will be part of them. For its part, section 3 of article 10 provides that the power of self-organization is projected in the right to agree on associative formulas for the provision of services local public, especially the provision of services by associations and consortiums Thus, article 19 in its second paragraph establishes that the exercise of its own powers may be carried out by the same municipality or through municipal associative formulas that facilitate, where appropriate, the management or provision derived from their powers, in the terms determined by the affected municipalities themselves. In this sense, article 104 of the LILE provides that municipalities and other entities Local authorities may form consortiums with other public administrations for purposes of common interest whose purpose is economic, technical and administrative cooperation for the provision of local public services. Said article in its third section indicates that, for the management of the services of your competition, consortiums may use direct management, by the consortium itself, as results in the matter sent for consultation, or indirect management through the forms in the public service management contract. 4In the case at hand, URBIDE Arabako Ur Patzuergoa-Álava Water Consortium, as stated in its statutes, in force from its publication in the Official Gazette of Historical Territory of Álava, on January 4, 2019, is a public law entity, of an associative and voluntary nature made up of public administrations and, where appropriate, by private non-profit entities, which pursue purposes of public interest, concurrent with those of those. The consortium has its own legal personality, differentiated and full capacity to the fulfillment of its purposes, which are none other than the establishment and exploitation of the infrastructures of public water supply and sanitation services in accordance with current regulations. Specifically, the Consortium will provide the services directly related to the water cycle in terms of: a.-To the water supply that includes adduction services (or supply in the primary network: supply in discharge) and distribution (supply of water in network secondary or low supply). b.-To the sanitation, those of "interception/purification" and to the "sewerage". The consortium entities exercise their competence through the consortium, remaining in In any case, the ownership of the competition in those. The consortium will replace the entities premises that comprise it for the fulfillment of its purposes for which it will count, among other with the power to manage supply and sanitation services. In accordance with the aforementioned regulations, we can conclude that URBIDE Arabako Ur Partzuergoa-Aguas de Álava Consortium, as a substitute for the consortium entities, will have a legal basis to process personal data to the extent that they are strictly necessary for the management of the public electricity supply service water supply in secondary network. In addition, in this data processing, the Consortium must comply with the rest of the principles contained in article 5 of the General Data Protection Regulation. Thus, by virtue of the principle of transparency, it must comply with the duty to inform the interested in the collection of personal data, observance that will be adjusted to the prescribed in articles 12, 13 and 14 of the RGPD and in article 11 of the LOPDGDD. In In this case, you must pay special attention to the provisions of article 14, so You must inform the interested parties of the source from which you have received the data. For its part, the principle of data minimization proclaimed in article 5.1.c) requires that only those data that are relevant, adequate and limited to what is necessary in relation to the intended purpose. The purpose limitation principle [art. 5.1.b)] requires that the data be collected for specific, explicit and legitimate purposes, without being able to be processed further manner incompatible with those purposes; only deviation from the purpose is allowed in the cases provided for in article 89, section 1, that is, archiving purposes in the interest public, scientific and historical research purposes or statistical purposes. The fulfillment of the purpose also affects the period of conservation of the information, being the limitation of the term of conservation another of the principles that the RGPD proclaims in its article 5.1.d). Under this principle, the data must be kept in a that the identification of the interested parties is allowed for no longer than necessary 5for the purposes of processing personal data, although they may be kept for longer periods as long as they are treated exclusively for archival purposes in the interest public, scientific or historical research purposes or statistical purposes, in accordance with Article 89, paragraph 1, without prejudice to the application of technical measures and appropriate organizational measures imposed by the Regulation in order to protect the rights and liberties of the interested party. The RGPD also includes among the principles applicable to data processing personal data the principle of integrity and confidentiality [art. 5 f)] which requires that the data personal data are treated in such a way as to ensure their safety, including the protection against unauthorized or unlawful processing and against loss, destruction or accidental damage, through the application of appropriate technical or organizational measures (article 32). In this sense, it should be taken into account that when those responsible for the treatment, as is the case, whether they are Public Administrations, they must apply to the processing of personal data the security measures that correspond to those provided in the National Security Scheme (First Additional Provision section 2 of the LOPDGDD) Finally, it should be noted that the RGPD eliminates the obligation to create and declare of files and replaces it with the so-called "registry of treatment activities", regulating its content in article 30. Thus, each data controller is obliged to keep a record of the treatment activities carried out under your responsibility (art. 30 RGPD), and of In accordance with article 31.2 of the LOPDGDD, the Administrations must make public an inventory of your processing activities, accessible by electronic means, in the stating the information required in the aforementioned article 30 RGPD and its legal basis These are the considerations made by the Basque Data Protection Agency in relation to the query. Vitoria-Gasteiz, July 11, 2022 6