AEPD (Spain) - EXP202102056
AEPD - EXP202102056 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1)(f) GDPR Article 30 GDPR Article 32 GDPR Article 58(2) GDPR Article 83 GDPR Article 99 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 06.01.2023 |
Published: | 06.01.2023 |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | EXP202102056 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEDP (in ES) |
Initial Contributor: | ANASTASIA TSERMENIDOU |
The AEPD issued a reprimand and determined that the Island Council of El Hierro adjust the publications on its transparency portal, reconciling its obligation to publish acts of public interest with the protection of personal data.
English Summary
Facts
A Google search of the data subject's name brought as a first result the transparency page of the Island Council of El Hierro. On this webpage, there were records of a plenary session held during the administrative procedures to segregate and establish the municipality of El Pinar. These records contained personal data of 3.996 individuals. Upon becoming aware of the fact, the data subject filed a complaint with the Spanish DPA claiming that they did not consent with the publication of their data. In response, the Island Council (data controller) sustained that the publication did not require consent as the data were necessary to build public opinion and reach a consensus on the topic among the population. For this reason, it alleged that the purposes of the processing were statistical and of public interest. While conceding that it violated GDPR principles, the controller argued that the regulation was not yet in place at the time of the publication.
Holding
The AEPD recognized that the website aimed to promote transparency in public activity, ensuring compliance with public disclosure obligations and safeguarding the right to access public information. However, it highlighted that these purposes shall be fulfilled in accordance with the principles of data minimization and storage limitation provided for by Articles 5(c) and (e) GDPR. The AEPD also acknowledged that the disclosure of personal data to third-parties took place in the absence of an effective personal data protection regulation, but stated that the data controller should have adapted its practices to the GDPR within a period of two years after its entry into force as provided for by Recital 171. It considered the removal of personal data from the publication as a positive measure, but emphasized that the controller needs to implement technical and organisational measures to ensure an appropriate level of security as required by 32 GDPR. In the understanding of the AEDP, the failures of the controller constituted a violation of its duty of integrity, confidentiality and security in the processing of personal data. For this reason, it issued a reprimand on the controller for infringing Articles 5(1)(f) and 32 GDPR. .
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
Get to know our institutional, organizational, planning, legal, budgetary and statistical information