APDCAT (Catalonia) - CNS 14/2022

From GDPRhub
Revision as of 11:46, 15 June 2022 by Mw (talk | contribs) (→‎Comment)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
APDCAT - CNS 14/2022
Authority: APDCAT (Catalonia)
Jurisdiction: Spain
Relevant Law: Article 6(1)(c) GDPR
Article 6(1)(e) GDPR
Article 86 GDPR
Law 19/2014, of 29 December, on transparency, access to public information and good governance (LTC)
Law 5/2014, of 4 April, on Private Security
Type: Advisory Opinion
Outcome: n/a
Published: 03.06.2022
Fine: n/a
Parties: n/a
National Case Number/Name: CNS 14/2022
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Catalan, Valencian
Original Source: APDCAT (in CA)
Initial Contributor: MW

The Catalan DPA responded to a controller's request for guidance, advising that a railway could disclose the ID number of a sub-contracted security guard without their consent but was required to notify the guard prior to processing.

English Summary[edit | edit source]

Facts[edit | edit source]

The controller was a rail service that contracted with third-party security services to guard its facilities. Occasionally, when disagreements arose between customers of the rail service and the third-party security guards, customers would request the identification data of the security guards involved.

The controller's DPO requested guidance from the Catalan DPA (Autoritat Catalana de Protecció de Dades - APDCAT), asking the following questions:

  1. Would it be lawful processing to provide a customer the identifcation data of a third-party security guard without the guard's consent?
  2. What would be the legal basis for such processing under Article 6 GDPR?
  3. If any, what data could be provided?
  4. If a customer is provided a security guard's identification data, should that guard be informed?

Holding[edit | edit source]

The APDCAT answered, advising the controller that the disclosure of a securty guard's identifying data would be lawful processing.

The basis for lawfulness of processing would be Article 6(1)(c) GDPR, necessecity for compliance with a legal obligation. The Spanish national law on transparency, access to public information and good governance (LTC) obligated the controller to disclose information in its possession as a result of the public service it provided, which included the identification data of its security personnel.

The LTC also required the controller to notify any parties affected by the disclosure, in this case any security guard whose data was being disclosed, which the APDCAT said would allow a security guard to exercise the right of opposition provided for in Article 21 GDPR.

Another Spanish national law, law 5/2014, of 4 April, on Private Security, limited the data that could be disclosed to the professional ID number of the security guard in question.

Comment[edit | edit source]

The APDCAT notes in its conclusion that Article 6(1)(c) GDPR provides the lawful basis for processing, but it also mentions the security guards' right of opposition per Article 21 GDPR. Article 21 GDPR grants the right to object to processing based on point Article 6(1)(e) GDPR or Article 6(1)(f) GDPR but does not mention processing based on Article 6(1)(c) GDPR.

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Catalan, Valencian original. Please refer to the Catalan, Valencian original for more details.

Ref .: CNS 14/2022
Opinion in relation to the consultation made by the protection delegate of
data of an entity regarding the possibility of providing identifying data
from surveillance personnel to users
An application for an opinion is submitted to the Catalan Data Protection Authority
of the Data Protection Officer (DPD) of an entity regarding the possibility of facilitating
the identification data of the surveillance personnel to users.
The consultation states that the entity has an external monitoring service of its own
stations, trains and facilities to different security companies operating in the market and
that these companies have hired security guards who have theirs
title and qualification to carry out the functions entrusted to them.
As reported, there are sometimes users who disagree with the form
to act as a security guard and submit the corresponding claim to the service
customer service of the entity, requesting the identification data of the security guard in
(name, surname, TIP) for the purpose of taking legal action against him.
Based on this background, the DPD requests a ruling on the
following questions
“A) It would be a lawful data processing to provide the identification data of the watchman
security, which provides service in the facilities of (...) and is contracted by a
third company, to the user who has submitted a claim to the service
customer service of (...), without having obtained the prior and express consent of the security guard
security affected?
b) What would be the legitimate cause of the treatment of those provided for in Article 6 of the RGPD?
In particular, what would be the cause of law other than the explicit consent that could
lend to the person concerned (security guard)?
c) If so, what personal data could be provided (name and
surnames, TIP)?
d) In the event that they can be provided, it should be (...) communicated to the security guard
affected and / or the security company that hired him for the fact that the
your data by a user following a complaint received and provided
to this user? ”
Analyzed the query, which is not accompanied by other documentation, according to the report of
the Legal Adviser, I issue the following opinion:
The issues raised by the Data Protection Officer are related to the
communication of identifying data (name, surname and TIP) of the security guards of
trains, stations and other facilities of the entity, when required by users of the
service that have filed a complaint with the institution’s customer service.
According to the consultation, these security guards are staff hired by the
security companies that provide their services to the entity.
In this context, the first question that arises is whether to provide identifying data
of the security guard, who provides service at the institution’s facilities and is contracted
by a third party company, to the user who has submitted a claim to the service
customer service of the entity, without having obtained the prior and express consent of the watchdog
affected, would be a lawful treatment.
The applicant for this opinion is a public law entity with legal personality
own and independent company that acts as a commercial company and is governed by the
which establishes article 5 of its statutes, “by these statutes, by Law 4/1985, of 29
March, of the Statute of the Catalan Public Company, by the norms of civil, commercial law and
labor, by sectoral regulations governing land transport and, in whatever
applicable, by Legislative Decree 9/1994, of 13 July, approving the revised text of the Law
of public finances of Catalonia, by the Law 11/1981, of 7 December, of patrimony,
as well as other applicable provisions, especially those relating to the exercise of
administrative powers and guardianship relations with the public administration ”.
For the information provided and the contractual documentation published in your profile
contractor, the monitoring service of the entity’s trains, stations and dependencies
provided through external security companies.
As stated in the particular administrative clauses of the contract “Service of
security and surveillance, dependencies and rolling stock of the Metropolitan Lines and Line
Lleida La Pobla de Segur (...) ”(currently in tender):
"The successful bidder will be responsible for the work performed by the people involved
to execute the service and notify (...) all personnel who will provide and perform services
the works in its dependencies, and the variations that take place. “
Therefore, information on security guards providing services in the
dependencies and rolling stock of railway lines is information held by the entity
as a result of the execution of the service contract between it and the companies of
contract security.
Focus the consultation on these terms, in order to answer the questions raised
for the DPD it should be borne in mind that Regulation (EU) 2016/679, of the Parliament and of the
European Council of 27 April 2016 on General Data Protection (hereinafter referred to as