APDCAT (Catalonia) - CNS 14/2022
| APDCAT - CNS 14/2022 | |
|---|---|
| Relevant Law: | Article 6(1)(c) GDPR; Article 6(1)(e) GDPR; Article 86 GDPR; Law 19/2014, of 29 December, on transparency, access to public information and good governance (LTC); Law 5/2014, of 4 April, on Private Security |
| National Case Number/Name: | CNS 14/2022 |
| European Case Law Identifier: | n/a |
| Original Language(s): | Catalan, Valencian |
| Original Source: | APDCAT (in CA) |
The Catalan DPA responded to a controller's request for guidance, advising that a railway could disclose the ID number of a sub-contracted security guard without their consent but was required to notify the guard prior to processing.
English Summary
Facts
The controller was a rail service that contracted with third-party security services to guard its facilities. Occasionally, when disagreements arose between customers of the rail service and the third-party security guards, customers would request the identification data of the security guards involved.
The controller's DPO requested guidance from the Catalan DPA (Autoritat Catalana de Protecció de Dades - APDCAT), asking the following questions:
- Would it be lawful processing to provide a customer with the identification data of a third-party security guard without the guard's consent?
- What would be the legal basis for such processing under Article 6 GDPR?
- If any, what data could be provided?
- If a customer is provided a security guard's identification data, should that guard be informed?
Holding
The APDCAT answered, advising the controller that the disclosure of a security guard's identifying data would be lawful processing.
The basis for lawfulness of processing would be Article 6(1)(c) GDPR, necessity for compliance with a legal obligation. The Spanish national law on transparency, access to public information and good governance (LTC) obligated the controller to disclose information in its possession as a result of the public service it provided, which included the identification data of its security personnel.
The LTC also required the controller to notify any parties affected by the disclosure, in this case any security guard whose data was being disclosed, which the APDCAT said would allow a security guard to exercise the right of opposition provided for in Article 21 GDPR.
Another Spanish national law, Law 5/2014, of 4 April, on Private Security, limited the data that could be disclosed to the professional ID number of the security guard in question.
Comment
The APDCAT notes in its conclusion that Article 6(1)(c) GDPR provides the lawful basis for processing, but it also mentions the security guards' right of opposition per Article 21 GDPR. Article 21 GDPR grants the right to object to processing based on Article 6(1)(e) GDPR or Article 6(1)(f) GDPR but does not mention processing based on Article 6(1)(c) GDPR.
English Machine Translation of the Decision
The decision below is a machine translation of the Catalan, Valencian original. Please refer to the Catalan, Valencian original for more details.
Ref.: CNS 14/2022
Opinion in relation to the consultation made by the protection delegate of data of an entity regarding the possibility of providing identifying data from surveillance personnel to users
An application for an opinion is submitted to the Catalan Data Protection Authority of the Data Protection Officer (DPD) of an entity regarding the possibility of facilitating the identification data of the surveillance personnel to users.
The consultation states that the entity has an external monitoring service of its own stations, trains and facilities to different security companies operating in the market and that these companies have hired security guards who have theirs title and qualification to carry out the functions entrusted to them.
As reported, there are sometimes users who disagree with the form to act as a security guard and submit the corresponding claim to the service customer service of the entity, requesting the identification data of the security guard in (name, surname, TIP) for the purpose of taking legal action against him.
Based on this background, the DPD requests a ruling on the following questions:
“A) It would be a lawful data processing to provide the identification data of the watchman security, which provides service in the facilities of (...) and is contracted by a third company, to the user who has submitted a claim to the service customer service of (...), without having obtained the prior and express consent of the security guard security affected?
b) What would be the legitimate cause of the treatment of those provided for in Article 6 of the RGPD? In particular, what would be the cause of law other than the explicit consent that could lend to the person concerned (security guard)?
c) If so, what personal data could be provided (name and surnames, TIP)?
d) In the event that they can be provided, it should be (...) communicated to the security guard affected and / or the security company that hired him for the fact that the your data by a user following a complaint received and provided to this user?”
Analyzed the query, which is not accompanied by other documentation, according to the report of the Legal Adviser, I issue the following opinion:
I
(...)
II
The issues raised by the Data Protection Officer are related to the communication of identifying data (name, surname and TIP) of the security guards of trains, stations and other facilities of the entity, when required by users of the service that have filed a complaint with the institution’s customer service.
According to the consultation, these security guards are staff hired by the security companies that provide their services to the entity.
In this context, the first question that arises is whether to provide identifying data of the security guard, who provides service at the institution’s facilities and is contracted by a third party company, to the user who has submitted a claim to the service customer service of the entity, without having obtained the prior and express consent of the watchdog affected, would be a lawful treatment.
The applicant for this opinion is a public law entity with legal personality own and independent company that acts as a commercial company and is governed by the which establishes article 5 of its statutes, “by these statutes, by Law 4/1985, of 29 March, of the Statute of the Catalan Public Company, by the norms of civil, commercial law and labor, by sectoral regulations governing land transport and, in whatever applicable, by Legislative Decree 9/1994, of 13 July, approving the revised text of the Law of public finances of Catalonia, by the Law 11/1981, of 7 December, of patrimony, as well as other applicable provisions, especially those relating to the exercise of administrative powers and guardianship relations with the public administration”.
For the information provided and the contractual documentation published in your profile contractor, the monitoring service of the entity’s trains, stations and dependencies provided through external security companies.
As stated in the particular administrative clauses of the contract “Service of security and surveillance, dependencies and rolling stock of the Metropolitan Lines and Line Lleida La Pobla de Segur (...)” (currently in tender):
“The successful bidder will be responsible for the work performed by the people involved to execute the service and notify (...) all personnel who will provide and perform services the works in its dependencies, and the variations that take place.”
Therefore, information on security guards providing services in the dependencies and rolling stock of railway lines is information held by the entity as a result of the execution of the service contract between it and the companies of contract security.
Focus the consultation on these terms, in order to answer the questions raised for the DPD it should be borne in mind that Regulation (EU) 2016/679, of the Parliament and of the European Council of 27 April 2016 on General Data Protection (hereinafter referred to as