AEPD (Spain) - EXP202102056
AEPD - EXP202102056 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1)(f) GDPR Article 30 GDPR Article 32 GDPR Article 58(2) GDPR Article 83 GDPR Article 99 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 06.01.2023 |
Published: | 06.01.2023 |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | EXP202102056 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEDP (in ES) |
Initial Contributor: | ANASTASIA TSERMENIDOU |
The AEPDP stated measures are required to adapt personal data processing to the requirements of the GDPR.
English Summary
Facts
The defendant claimed against the Cabildo de El Hierro for violating articles 5 and 32 of the GDPR. Cabildo certified that on October 18, 2006, the necessary procedures were initiated in the different administrations for the start of the segregation and constitution of the new municipality of El Pinar, on the Island of El Hierro, in accordance with Royal Decree 1690/1986 , of July 11, which approves the Regulation of Population and Territorial Demarcation of Local Entities. Cabildo also indicated sensitive personal data was never published and no consent as a legal basis was needed, since the processing of personal data that took place was for statistical purposes, for a matter of public interest. That time there was not a regulation, regarding the protection of personal data.
Holding
The AEPD noted that the purpose of the transparency portal is to promote the transparency of public activity, ensure compliance with publicity obligations, safeguard the exercise of the right of access to public information and guarantee compliance with good governance provisions; Once these purposes have been fulfilled, action should have been taken on the personal data published in order to minimise them and that they only remain accessible for the time necessary for the purposes of article 5 of the GDPR. Also, according to the AEPD the Recital 171 of the GDPR establishes the obligation that all processing activities should be compliant within a period of two years from the date of its entry into force.Therefore, the Cabildo had to adapt, in the aforementioned period, the treatment that the publication of its acts implies in its transparency profile, to the new data protection regulations, foreseeing a period for the deletion or periodic review of the published data.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
Get to know our institutional, organizational, planning, legal, budgetary and statistical information