APDCAT (Catalonia) - PS 28/2021
|Relevant Law:||Article 5(1)(f) GDPR, Article 13 GDPR, Article 25(1) GDPR|
|Parties:||Ajuntament de Tiana|
|National Case Number/Name:||PS 28/2021|
|European Case Law Identifier:||n/a|
|Original Language(s):||Catalan, Valencian|
|Original Source:||APDCAT (in CA)|
|Initial Contributor:||Carmen Villarroel|
The Catalan DPA issued a reprimand to a city council for creating a WhatsApp group that allowed participants to see the names, phone numbers and profile pictures of other participants, without taking into account the data protection by design principle and without properly providing the information required by Article 13 GDPR.
English Summary
Facts
The data subject had joined the group via a link that was shared through WhatsApp with a text that indicated that people would receive information related to the city council and that anyone could access the group through the following link if they wanted to join.
The APDCAT verified that, when joining the group, the participants were offered information about the identity of the controller, the legal basis for the processing, the data retention period, the possibility of exercising the data subject's rights, and a link to the city council's website, where one could exercise their rights or contact the DPO (although not about the possibility of filing a complaint with the APDCAT).
This information was also included in the group description and in the group information. In the group information, the names, phone numbers and profile pictures of the participants could also be seen.
The city council claimed that it was relying on Article 6(1)(e) GDPR as a legal basis, i.e. processing is necessary for the performance of a task carried out in the public interest, since Article 25 of the Law regulating the Bases of the Local Administration Regime (Ley reguladora de las Bases del Régimen Local - LBRL) allows city councils to engage in institutional communication with their citizens. According to the city council, participants were informed that participants in the group could see the names, phone numbers and profile pictures of other participants. However, the city council had already decided to continue informing its citizens via a WhatsApp broadcast list instead of a group.
The APDCAT considered Article 6(1)(e) GDPR as a valid legal basis, as well as Article 6(1)(a) GDPR, since participants had consented.
Holding
Firstly, the APDCAT determined that, when the group was created, the information required by Article 13 GDPR had not been provided.
When such information was provided, two days after the creation of the group, some information required by Article 13(2)(d) GDPR was still missing, specifically the right to lodge a complaint with a supervisory authority, which in this case would be the APDCAT.
Additionally, the information provided could not be considered to be provided in a concise, transparent, intelligible and easily accessible form, as required by Article 12(1) GDPR. The information was also not provided in an immediate manner as required by Article 11 LOPDGDD (the Spanish Data Protection Act), since the data subjects should not need to look for the information, but rather be able to know how and where to access it immediately. This was not the case, since data subjects were referred to the city council's website, without specifying where they could access the information. Also, some information was missing in the first layer of information.
Also, when creating the group, the city council had not implemented appropriate technical or organisational measures to ensure the confidentiality of personal data, since all the participants could see the names, phone numbers and profile pictures of other participants.
During the allegations process, the city council admitted that they had created the group without foreseeing any measures in order to prevent the participants from seeing the names, phone numbers and profile pictures of other participants.
According to the APDCAT, the city council should have considered the data protection by design principle from Article 25(1) GDPR. It should have realised that, since it had to prevent the participants from seeing the names, phone numbers and profile pictures of other participants, a WhatsApp group was not an appropriate tool for these purposes and it should have refrained from using one.
The city council claimed that it had stopped using the group, but the APDCAT verified that although the group was no longer active, it still existed, and personal data could still be accessed.
Therefore, according to the APDCAT, the city council had violated Article 13 GDPR and Article 25(1) GDPR.
However, since the deficiencies regarding Article 13 GDPR were corrected before the end of the procedure, the APDCAT considered that no further action had to be taken in this respect.
On the other hand, the APDCAT ordered the city council to delete the WhatsApp group and issued a reprimand for the violation of Article 13 GDPR and Article 25(1) GDPR.
English Machine Translation of the Decision
The decision below is a machine translation of the Catalan, Valencian original. Please refer to the Catalan, Valencian original for more details.