AEPD (Spain) - E/03690/2020

Revision as of 09:10, 12 May 2021 by RRA (talk | contribs)
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 89(1) GDPR
Type: Investigation
Outcome: No Violation Found
Started:
Decided: 20.04.2021
Published:
Fine: None
Parties: Ministerio de Transportes, Movilidad y Agenda Urbana
National Case Number/Name: E/03690/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish DPA found that an impact study conducted by the Spanish Government on daily commuting trends during the COVID-19 pandemic was carried out in compliance with the GDPR.

English Summary

Facts

The Spanish DPA investigated the impact study carried out by the Spanish Ministry of Transport on daily commuting trends during the first days of the COVID-19 pandemic. In particular, the investigation focused on whether the data used for the study had been appropriately pseudonymised and whether there was any risk of the data being re-used for purposes other than the original ones.

Data from the mobile phones of one operator's subscribers were collected over several days to measure the daily commuting trends of people on regular days. The operator pseudonymised this data with hash techniques and by grouping it by areas of origin of at least 5,000 people. The data was then provided to a consulting firm that aggregated it automatically and processed it to produce the indicators required by the Ministry of Transport.

All the measures put in place to unlink, pseudonymise, aggregate and further group and process the data to produce the final indicators were considered sufficient to make the identification of the data subjects from whom it originates practically impossible.

Dispute

Was the mobility study of the Spanish Ministry of Transport conducted in compliance with the GDPR, in particular with regard to the appropriate pseudonymisation of the data and the impossibility of re-using the data for incompatible purposes?

Holding

The Spanish DPA held that the measures put in place by the Spanish Ministry of Transport to conduct the mobility study were sufficient to ensure that the data could not be associated with individual people or re-used for purposes incompatible with the original ones.


English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

Procedure No.: E/03690/2020

RESOLUTION FOR THE FILING OF PROCEEDINGS


Having regard to the actions carried out by the Spanish Data Protection Agency and on the basis of the following

FACTS

FIRST: On April 21, 2020, the Director of the Spanish Data Protection Agency agreed to initiate investigative actions in relation to the tool for the study and analysis of mobility data during the state of alarm, carried out through a study using Big Data technology by the Ministry of Transport, Mobility and Urban Agenda (MITMA), NIF S2817040E, in order to determine whether those facts gave rise to indications of infringement within the area of competence of the Spanish Data Protection Agency.

SECOND: The Subdirectorate General for Data Inspection carried out preliminary investigative actions to clarify the facts, establishing the following points:

MITMA states that "The work called 'Analysis of mobility in Spain with big data technology following the application of Royal Decree 463/2020, of March 14, declaring the state of alarm for the management of the health crisis caused by COVID-19' is part of the set of studies that the Government is carrying out on the mobility of the population, with the aim of having data on movements throughout the national territory and contributing to decision-making in the current scenario arising from the COVID-19 pandemic.

In accordance with Order SND/297/2020, of March 27, which entrusts the Secretary of State for Digitalisation and Artificial Intelligence, of the Ministry of Economic Affairs and Digital Transformation, with the development of various actions for the management of the health crisis caused by COVID-19, in its second point, 'DataCOVID-19: mobility study applied to the health crisis', the Ministry of Health entrusts the Secretary of State for Digitalisation and Artificial Intelligence, of the Ministry of Economic Affairs and Digital Transformation, following the model undertaken by the National Statistics Institute (INE) in its mobility study and through the cross-referencing of data from mobile operators, in aggregated and anonymised form, with the analysis of the mobility of people in the days before and during the confinement.

The conclusion reached after all the coordination meetings was clearly that the work carried out by the INE and by MITMA was complementary, insofar as MITMA provided the general mobility of all citizens, at all hours and for time periods, with distance ranges, and also quantified the population that did not travel, whereas the INE study was more specific, focusing on daily movements for work or study to nearby areas outside one's own zone and for a limited period of hours in the day (from 10 a.m. to 4 p.m.).


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/9








On the other hand, mobility and the transport of people and goods are a direct competence of the Ministry of Transport, Mobility and Urban Agenda. In this sense, the performance of this work also responds, in the context of the COVID-19 pandemic, to the need to know the existing situation and its evolution during the state of alarm in terms of the mobility of citizens: the trips made, their radius of action, their origin or destination, the time at which they occur..., with the aim of being able to serve and size public transport services, size the extra-peninsular services with the islands and autonomous cities, avoid crowds in terminals, and maintain social distance on trains, buses, airplanes, vehicles and other means.

The work provides, in short, a tool that makes it possible to characterise mobility at the national, autonomous-community, provincial and local level and which, in addition, supports the monitoring of the evolution of the disease, the evaluation of the effectiveness of the mobility restriction measures adopted, and decision-making during the de-escalation period."

According to the MITMA press release on the publication of the mobility analysis tool, the mobility analysed starts from March 1 and its evolution is measured throughout the period of the state of alarm and the de-escalation of the measures to control the pandemic. It also specifies that, as part of the analysis, daily mobility is compared with that of an equivalent typical week prior to the crisis, the week of February 14-20, 2020 having been chosen.

MITMA states that the work uses as its main data source the positioning of mobile phones in the telephony cells defined by the companies' terrestrial antennas. The work uses the positioning of terminals of the operator *** COMPANY.1.

Said operator indicated to the Ministry, in an email sent to it, that it provides this service guaranteeing that the statistical indicators supplied to *** COMPANY.2 have all the appropriate measures in place to prevent the identification of any user, not only by anonymising the information before its analysis, but also by applying aggregation rules that prevent any data referring to a single person or a small group of potentially identifiable people from being shown as a statistical value. The information is aggregated, according to the Ministry's specifications, by administrative units (districts, municipalities or groupings of municipalities, depending on the case) with a population generally greater than 5,000 inhabitants, and in no case less than 1,000.

This already aggregated and anonymous information is post-processed by the consultant *** COMPANY.2 to generate different indicators that are also aggregated and which, in addition, are raised to the total population universe according to the operator's degree of penetration by territory, which introduces a further barrier between the original data and the result of the work. These already scaled-up mobility indicators are the final results of the work, which are delivered to the Ministry in various manageable formats. In other words, the only information received by the Ministry consists of inter-zone mobility indicators that do not allow the reconstruction of any personal information.

Finally, with the mobility results obtained from the work, MITMA has created an ad hoc tool on its website, open to all citizens, which allows the results of the work to be analysed and visualised.

Regarding the guarantees that the data will not be used for purposes other than the object of the study, it is stated that the pseudonymised data initially provided by the operator are processed for aggregation in a secure infrastructure managed by the telephone operator itself. It is an automatic process in which no employee of the consultant has read access to the records. Once processed to generate the aggregated information, the initial records, which were already pseudonymised, are deleted from the secure infrastructure managed by the operator. That is, the original data never leave the custody of the operator. The consultant can only work with data that are already anonymised and grouped, and the Ministry receives mobility indicators that result from the processing of grouped, anonymised and expanded data. Ultimately, the original data are not known outside the telephone operator and never leave it, so it is difficult for them to be used for purposes other than the object of the study.

Regarding the processes and guarantees of personal data protection applied, in particular in relation to the processes involved in the anonymisation (aggregation, summary or hash functions, etc.), the following is stated:

a. The telephone operator pseudonymises the mobile telephony records by eliminating any information that would allow the users of the network to be uniquely identified. In this operation it uses a cryptographic hash function of the SHA-2 family, which breaks any association between the original values of the processed fields and those used during the analysis, maintaining only the relationships between the records that are relevant to the purpose of the analysis.

b. The pseudonymised records are stored in a secure infrastructure managed by the telephone operator, on which the specialised software developed by *** COMPANY.2 for the processing and anonymisation of the data is installed. During this process, no employee of *** COMPANY.2 has read access to the source records. Once processed to generate the aggregated information, these source records are removed from the secure infrastructure set up for the analysis. The *** COMPANY.2 software processes these records daily, to generate the aggregated mobility information that is likewise delivered daily to MITMA. The data analysis and aggregation process takes approximately 3 days: thus, the mobility information corresponding to day N is delivered to MITMA on day N+3. The source records are kept in the *** COMPANY.1 secure infrastructure for a maximum period of 30 days, in case it is necessary to reprocess them (for example, to correct any errors that may be detected in the output results). After that time, the source records that have already been processed are removed.

c. The result of the processing is information that is already aggregated according to the specifications made by the Ministry, extrapolated to the total population and completely anonymous. The information is aggregated by administrative units (districts, municipalities or groupings of municipalities, depending on the case) with a population generally greater than 5,000 inhabitants, and in no case less than 1,000 inhabitants.

The zones used for the study generally correspond to census tracts, except in the case of census tracts with a population of less than 5,000 inhabitants, which are merged with adjacent census tracts to build zones that, in general, have a population equal to or greater than 5,000 inhabitants.


MITMA is delivered daily the mobility analysis corresponding to the movements and displacements that took place four days earlier. *** COMPANY.2 delivers to MITMA three master matrices from which the remaining planned mobility matrices are derived, by means of aggregation software, through aggregation at municipality, province, autonomous community or national level.

The master matrices are as follows:

1. "Maestra1_mitma_district. This is the mobility matrix between the defined zones. Mobility is measured in travellers and traveller-km, and other attributes of the trip are provided, such as the distance (measured in km intervals), the time period in which the trip starts (measured in one-hour intervals), the province of residence (inferred from the observations) and the activity at origin or destination (inferred from continuous time spent in the same place at night or during the day). There is also an age field, which contains no results (NA = not applicable)." According to the sample provided, the fields in this table would be: Date (day in "YYYYMMDD" format); Origin (identifier of the zone where the trip originates); Destination (identifier of the zone where the trip ends); Activity at origin (home | work | other); Activity at destination (home | work | other); Residence (province of residence of the travellers); Age (the value recorded in the sample is in every case "NA"); Period (identifier of the hour in which the trip originates, in "HH" format); Distance (distance range of the trip), which can take the following values: 0005-002, for trips between 500 metres and 2 kilometres; 002-005, for trips between 2 and 5 km; 005-010, for trips between 5 and 10 km; 010-050, for trips between 10 and 50 km; 050-100, for trips between 50 and 100 km; 100+, for trips of more than 100 km; Trips (number of trips); Travel_km (number of travellers × kilometres).

2. "Maestra2_mitma_district. This is the matrix of citizens' daily movements by zone. Four blocks of movements are established according to the number of trips (0, 1, 2, +2)." According to the sample provided, the fields in this table would be: Date (day in "YYYYMMDD" format); District; Number of trips (0; 1; 2; 2+); People (number of people).

3. "Maestra3_mitma_municipality. This is the matrix of overnight stays. It indicates, by zone, the overnight stays made by residents or non-residents in that zone. The zoning level of this matrix is higher than that of the other two, given that the purpose of the fields it contains is linked to residence and overnight stays at a minimum level of municipality." According to the sample provided, the fields in this table would be: Date (day in "YYYYMMDD" format); Municipality; Province of residence; Resident in municipality (YES | NO); People (number of people).
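The following is an added example, not code from the decision or from the operator or consultant it describes, showing the shape of steps a to c above together with the Maestra1 layout: subscriber records are pseudonymised with a keyed SHA-256 (HMAC) held by the operator, then collapsed into (date, origin, destination, period, distance-range) cells, after which the pseudonymised batch is discarded. The decision only says a SHA-2 family hash is used; keying it with an operator secret is this example's assumption, made because a bare digest of a phone number can be matched by enumerating the numbering space. The record layout, field names, the `OPERATOR_KEY` value and the sample records are all constructed for the example.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample of operator-side trip records. Field names and the
# layout are assumptions for this example; the decision does not describe
# the operator's raw schema. "km" is the trip length in kilometres.
RAW_RECORDS = [
    {"msisdn": "+34600000001", "date": "20200316", "hour": "08", "origin": "Z1", "dest": "Z2", "km": 3.5},
    {"msisdn": "+34600000002", "date": "20200316", "hour": "08", "origin": "Z1", "dest": "Z2", "km": 4.0},
    {"msisdn": "+34600000001", "date": "20200316", "hour": "18", "origin": "Z2", "dest": "Z1", "km": 3.5},
    {"msisdn": "+34600000003", "date": "20200316", "hour": "08", "origin": "Z1", "dest": "Z3", "km": 12.0},
    {"msisdn": "+34600000004", "date": "20200316", "hour": "09", "origin": "Z3", "dest": "Z3", "km": 0.2},
]

# Secret known only to the operator (constructed value). The key, not the
# hash function, is what stops a token being turned back into a number.
OPERATOR_KEY = b"example-operator-secret-rotate-per-batch"

# Distance ranges of the Maestra1 "Distance" field, as listed in the decision.
DISTANCE_BINS = [
    (0.5, 2, "0005-002"), (2, 5, "002-005"), (5, 10, "005-010"),
    (10, 50, "010-050"), (50, 100, "050-100"),
]


def pseudonymise(msisdn: str, key: bytes) -> str:
    """Step a: replace the subscriber number by an HMAC-SHA256 token.

    The same number gives the same token under one key, so one subscriber's
    records stay linkable for the analysis, while nothing in the token leads
    back to the number without the operator's key.
    """
    return hmac.new(key, msisdn.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise_records(records, key=OPERATOR_KEY):
    """Drop the direct identifier and keep only the token plus trip attributes."""
    return [
        {"token": pseudonymise(r["msisdn"], key), **{k: v for k, v in r.items() if k != "msisdn"}}
        for r in records
    ]


def contains_direct_identifier(records) -> bool:
    """Check that no record leaving step a still carries an msisdn field."""
    return any("msisdn" in r for r in records)


def distance_bin(km: float):
    """Map a trip length to its Maestra1 distance label; trips under 500 m get none."""
    for lo, hi, label in DISTANCE_BINS:
        if lo <= km < hi:
            return label
    return "100+" if km >= 100 else None


def aggregate(pseudo_records):
    """Steps b/c: collapse pseudonymised trips into Maestra1-style cells.

    The cell key is (date, origin, destination, period, distance). The token
    is discarded here, so only counts and traveller-km leave the operator's
    infrastructure. Returns {cell: {"trips": n, "travel_km": sum_km}}.
    """
    cells = defaultdict(lambda: {"trips": 0, "travel_km": 0.0})
    for r in pseudo_records:
        label = distance_bin(r["km"])
        if label is None:
            continue  # below the smallest range in the schema: not reported
        cell = (r["date"], r["origin"], r["dest"], r["hour"], label)
        cells[cell]["trips"] += 1
        cells[cell]["travel_km"] += r["km"]
    return dict(cells)


def run_pipeline(records=RAW_RECORDS, key=OPERATOR_KEY):
    """Pseudonymise, aggregate, then drop the pseudonymised batch."""
    pseudo = pseudonymise_records(records, key)
    cells = aggregate(pseudo)
    del pseudo  # mirrors the source records being removed once aggregated
    return cells


if __name__ == "__main__":
    for cell, values in sorted(run_pipeline().items()):
        print(cell, values)
```

Running it prints three cells for the constructed day: two trips (7.5 traveller-km) from Z1 to Z2 at 08h in range 002-005, one return trip at 18h, and one 12 km trip in range 010-050; the 200 m record falls below the smallest range and is never reported. Rotating the key between batches would additionally prevent tokens from one batch being linked to the next, which the decision does not require but which the design permits.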

Regarding the possibilities of "re-identification", it is pointed out that "since all the information generated is aggregate information, the only risk identified lies in the possibility that the level of aggregation was insufficient to eliminate completely the risk of re-identification of users. The impact of such re-identification would be the ability to infer some of the trips made by the re-identified person. Given the spatial aggregation used for the study, this impact would be limited to knowing the zones of origin and destination of the trip and never the specific points of origin and destination. It is considered that the level of aggregation used for the study, with population units always greater than 1,000 inhabitants, completely eliminates any risk of re-identification of individual users."
It also points out in this regard that "The main measure to eliminate the risk of re-identification (...) is to use a zoning made up of zones whose population is generally greater than 5,000 inhabitants, and in no case less than 1,000 inhabitants. The population size of the zones considered is deemed sufficient for the risk of re-identification to be negligible. With regard to the measure adopted by the INE of censoring the result whenever the number of observations in a mobility cell for an operator is less than ten, it should be noted that the design of the MITMA project de facto incorporates a similar measure: on the one hand, the population size of the zones considered is generally more than 5,000 people (exceptionally 1,000). On the other hand, when a zone has a sample of users of less than 2% of its population, it is considered that the results may not be reliable enough, and the data of trips with origin and/or destination in that zone are deleted. Also, taking into account this criterion of limiting the sample expansion factors, when for a given zone defined by aggregation districts accounting for more than 25% of the sampling frame have been discarded, the indicators corresponding to that zone are not provided. The reason for adopting this measure is twofold: on the one hand, the need to avoid excessively high sample expansion factors that may affect the reliability of the results; and on the other, this measure also means that the number of users observed for each study zone is always greater than 2%. This means, in the exceptional case of a zone of 1,000 inhabitants, a minimum lower limit of 20 users, since otherwise the results for that zone are not provided. In practice, therefore, the measure is equivalent to that adopted by the INE, but with a threshold of 20 observations instead of 10."
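The following is an added example, not code from the decision or from the MITMA project, that encodes the three reporting rules quoted above as checks a reviewer could run over zone-level inputs: the 1,000-inhabitant floor, the 2% minimum sample (which gives the 20-observation lower bound for a 1,000-inhabitant zone), and the rule that a zone loses its indicators when more than 25% of its sampling frame came from discarded districts. It also computes the expansion factor that raises a zone's sample to its population. The `Zone` fields, the use of the origin zone's factor when expanding a trip, and the sample zones and trip cells are this example's own assumptions; the decision only states the thresholds.

```python
import math
from dataclasses import dataclass

# Thresholds as stated in the decision.
MIN_POPULATION = 1000       # zones are generally >= 5,000 inhabitants and never below 1,000
MIN_SAMPLE_PERCENT = 2      # below 2 % of the population sampled, the zone's trips are dropped
MAX_DISCARDED_SHARE = 0.25  # more than 25 % of the sampling frame discarded: no indicators


@dataclass
class Zone:
    """Per-zone inputs to the reporting rules (field names are this example's own)."""
    zone_id: str
    population: int         # census population of the zone
    sampled_users: int      # operator subscribers observed in the zone that day
    discarded_share: float  # fraction of the zone's sampling frame lost to discarded districts


def minimum_observations(population: int) -> int:
    """Smallest sample the 2 % rule accepts; for a 1,000-inhabitant zone this is 20."""
    return math.ceil(population * MIN_SAMPLE_PERCENT / 100)


def zone_is_reportable(zone: Zone):
    """Apply the three rules in order and report which one, if any, fails."""
    if zone.population < MIN_POPULATION:
        return False, "population below the 1,000 floor"
    if zone.sampled_users < minimum_observations(zone.population):
        return False, "sample below 2% of population"
    if zone.discarded_share > MAX_DISCARDED_SHARE:
        return False, "more than 25% of sampling frame discarded"
    return True, "ok"


def expansion_factor(zone: Zone) -> float:
    """Factor that raises the zone's sample to its population universe.

    Because the 2 % rule is applied first, this factor can never exceed 50,
    which is the point the decision makes about limiting expansion factors.
    """
    return zone.population / zone.sampled_users


def publish_trips(trips, zones):
    """Keep only trips between reportable zones and attach expanded counts.

    Expanding with the origin zone's factor is an assumption of this example;
    the decision only says factors depend on operator penetration by territory.
    """
    reportable = {zid for zid, z in zones.items() if zone_is_reportable(z)[0]}
    published = []
    for trip in trips:
        if trip["origin"] in reportable and trip["dest"] in reportable:
            factor = expansion_factor(zones[trip["origin"]])
            published.append({**trip, "trips_expanded": round(trip["trips"] * factor, 1)})
    return published


# Constructed zones: A passes, and B, C and D each fail a different rule.
ZONES = {
    "A": Zone("A", population=6000, sampled_users=300, discarded_share=0.10),
    "B": Zone("B", population=1000, sampled_users=15, discarded_share=0.00),
    "C": Zone("C", population=800, sampled_users=80, discarded_share=0.00),
    "D": Zone("D", population=7000, sampled_users=700, discarded_share=0.30),
}

# Constructed aggregated cells, as they would come out of the aggregation step.
TRIPS = [
    {"origin": "A", "dest": "A", "trips": 4},
    {"origin": "A", "dest": "B", "trips": 3},
    {"origin": "A", "dest": "D", "trips": 5},
]


if __name__ == "__main__":
    for zid, z in ZONES.items():
        print(zid, zone_is_reportable(z))
    print(publish_trips(TRIPS, ZONES))
```

With the constructed inputs only the A to A cell survives: zone B has 15 observed users against a minimum of 20, zone C is below the population floor, and zone D lost 30% of its sampling frame. The 4 observed trips in A are expanded by 6000/300 = 20 to 80.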


FOUNDATIONS OF LAW

I

In accordance with the investigative and corrective powers that Article 58 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR) grants to each supervisory authority, and in accordance with Article 47 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency is competent to resolve these investigative actions.


                                            II

In accordance with Article 55 of the GDPR, the Spanish Data Protection Agency is competent to perform the tasks assigned to it in Article 57, including that of enforcing the Regulation and promoting the awareness of controllers and processors of their obligations, as well as handling complaints lodged by a data subject and investigating the subject matter thereof.

It is also the responsibility of the Spanish Data Protection Agency to exercise the investigative powers regulated in Article 58.1 of the same legal text, among which is the power to order the controller and the processor to provide any information required for the performance of its tasks.

Correlatively, Article 31 of the GDPR establishes the obligation of controllers and processors to cooperate, on request, with the supervisory authority in the performance of its tasks. Where they have designated a data protection officer, Article 39 of the GDPR assigns to that officer the task of cooperating with the supervisory authority.

Similarly, the domestic legal system also provides for the possibility of opening a period of information or preliminary actions. In this sense, Article 55 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, grants this power to the competent body in order to know the circumstances of the specific case and the advisability or otherwise of initiating proceedings.

III

Article 2 of the GDPR, on its material scope, provides in paragraph 1 that "This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system."


Article 4 of the GDPR defines, in paragraph 1, personal data as "any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person".

Recital 26 of the GDPR clarifies in this regard that "The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes."


In the same sense, Article 89.1 of the GDPR provides: "Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject. Those safeguards shall ensure that technical and organisational measures are in place in particular in order to ensure respect for the principle of data minimisation. Those measures may include pseudonymisation provided that those purposes can be fulfilled in that manner. Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner."


In the present case, MITMA states that the work uses as its main data source the positioning of mobile phones in the telephony cells defined by the companies' terrestrial antennas. The work uses the positioning of terminals of a single operating company. On a daily basis, MITMA is delivered the mobility analysis corresponding to the movements and displacements that took place four days earlier.


From the information provided regarding the processing by which the original information is rendered anonymous so that the data subject is not identifiable, it follows that the operator initially provides pseudonymised data, which is processed to generate aggregated and anonymous information, which in turn is processed to generate different indicators that are also aggregated, noting that, in addition, they are raised to the total population universe according to the operator's degree of penetration by territory, which introduces a further barrier between the original data and the result of the work. These already scaled-up mobility indicators are the final results of the work, which are delivered to MITMA in various manageable formats.

As guarantees that the data will not be used for other purposes, it is stated that the telephone operator pseudonymises the mobile telephony records by eliminating any information that would allow the users of the network to be uniquely identified; for this it uses a cryptographic hash function of the SHA-2 family, which breaks any association between the original values of the processed fields and those used during the analysis, maintaining only the relationships between the records that are relevant to the purpose of the analysis. The pseudonymised records are stored in a secure infrastructure managed by the telephone operator, on which the specialised software developed by *** COMPANY.2 for the processing and anonymisation of the data is installed. Once processed to generate the aggregated information, these source records are removed from the secure infrastructure set up by the operator. It is specified that the original data never leave the custody of the operator and are deleted after being processed, without prejudice to the fact that they may be kept for a maximum of 30 days in the operator's secure infrastructure in case it is necessary to reprocess them (for example, to correct any errors that may be detected in the output results). The result of the processing is information that is already aggregated according to the specifications made by the Ministry, extrapolated to the total population and completely anonymous. The information is aggregated by administrative units (districts, municipalities or groupings of municipalities, depending on the case) with a population generally greater than 5,000 inhabitants, and in no case less than 1,000 inhabitants.


Regarding the possibilities of "re-identification", it is stated that "The main measure to eliminate the risk of re-identification (...) is to use a zoning composed of zones whose population is generally greater than 5,000 inhabitants, and in no case less than 1,000 inhabitants. With regard to the measure adopted by the INE of censoring the result whenever the number of observations in a mobility cell for an operator is less than ten, it should be noted that the design of the MITMA project de facto incorporates a similar measure: on the one hand, the population size of the zones considered is generally more than 5,000 people (exceptionally 1,000). On the other hand, when a zone has a sample of users of less than 2% of its population, it is considered that the results may not be reliable enough, and the data of trips with origin and/or destination in that zone are deleted. In addition, taking into account this criterion of limiting the sample expansion factors, when for a given zone defined by aggregation districts representing more than 25% of the sampling frame have been discarded, the indicators corresponding to that zone are not provided. The reason for adopting this measure is twofold: on the one hand, the need to avoid excessively high sample expansion factors that may affect the reliability of the results; and on the other, this measure also means that the number of users observed for each study zone is always greater than 2%. This means, in the exceptional case of a zone of 1,000 inhabitants, a minimum lower limit of 20 users, since otherwise the results corresponding to that zone are not provided."


In accordance with the definition of "personal data" contained in Article 4.1 of the GDPR, the information communicated to MITMA, insofar as it has undergone a prior process of anonymisation and aggregation that does not allow the re-identification of the data subjects in that information, would fall outside the scope of the GDPR, in accordance with its Article 2. In this sense, Recital 26 of the GDPR specifies in its last paragraph: "The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes."


Therefore, the documentation analysed in the preceding paragraphs does not reveal reasonable indications of infringement of the data protection regulations by MITMA.

Therefore, in accordance with the foregoing, the Director of the Spanish Data Protection Agency

RESOLVES:

FIRST: TO PROCEED WITH THE FILING of these actions.

SECOND: TO NOTIFY this resolution to the MINISTRY OF TRANSPORT, MOBILITY AND URBAN AGENDA.

In accordance with Article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure in accordance with Article 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, and in accordance with Articles 112 and 123 of that Law 39/2015, of October 1, the interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within one month from the day following notification of this resolution, or directly a contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within two months from the day following notification of this act, as provided in Article 46.1 of that Law.

Mar España Martí
Director of the Spanish Data Protection Agency