DBEB/AVPD (Basque Country) - CN21-012

From GDPRhub
DBEB/AVPD - CN21-012
Logo AVPD.png
Authority: DBEB/AVPD (Basque Country)
Jurisdiction: Spain
Relevant Law: Article 5(1)(c) GDPR
Article 6(1)(c) GDPR
Article 6(1)(e) GDPR
Type: Advisory Opinion
Outcome: n/a
Decided: 07.03.2022
Fine: n/a
Parties: n/a
National Case Number/Name: CN21-012
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: DBEB/AVPD (in ES)
Initial Contributor: n/a

The Basque DPA held that Articles 6(1)(c) and 6(1)(e) GDPR supplied a legal basis for a local police force to include personal data in files sent to the Chief of the Police, the Mayor’s Office, and the Councilman of Citizen Security. It is still assessing whether this practice complies with the principle of data minimisation.

English Summary


The Basque Union of Police and Emergencies asked the Basque DPA for an assessment of the processing of personal data by a local police force.

The normal practice used to be that at the end of each work shift, the operator of the coordinating center generated a PDF file containing all the incidents recorded during the shift. Subsequently, the operator generated another PDF document called "News for the Mayor's Office". This second document contained all the incidents but without the personal data of the involved persons. It only included the initials of the persons‘ names. Three copies of this document were then sent to the Chief of the Police, the Mayor’s Office and the Councilman of Citizen Security.

Recently, however, the local police was ordered by the Police Headquarters to change this practice and to include all the relevant personal data, such as the involved persons‘ full names and ID number, in this second file. The Chief of the Police and the City Council claimed that the practice of only including the involved persons‘ initials hindered the work of the police by not identifying the persons with whom the police had to interact.


The DPA noted that there was domestic legislation in place that allowed members of local authorities with powers in the field of public security to access information relating to the performance of their duties. Consequently, the DPA held that the police had a legal basis to include the involved persons‘ full names and IDs in the files sent to the Chief of the Police, the Mayor’s Office and the Councilman of Citizen Security under Article 6(1)(c) GDPR, as well as under Article 6(1)(e) GDPR.

However, the DPA also noted that it is currently assessing whether this practice is also compliant with the data minimisation principle under Article 5(1)(c) GDPR.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.


OPINION No. D22-005




FIRST: On December 13, 2021, you have an entry in this Basque Agency for

Protection of Data written by the Basque Union of Police and Emergencies in which
states the following:
       “For the present and in view of the doubts that are being raised among the components of

       the Local Police of [...] on daily procedures ordered by the Headquarters of
       Police and that part of the collective interprets could violate the LOPD 3/2018 of 5
       December, a clarification and resolution is requested from your Agency on the matter that
       then we move them;

       The Local Police of […] uses as a police tool for internal police management the
       computer program for police use with an annual license called EUROCOP. With this
       program all incidents known to this local police are recorded,
       whatever the form of knowledge of the same, telephone, notice on the road,
       police action..., including administrative sanctions, accident, criminal offenses...
       The operator agent of the communications center accesses this program at the beginning of
       his day through a personalized and private key of which he is the only connoisseur,

       your professional number being registered as an operating agent of how many
       incidents are recorded in your session, numbered individually and consecutively through
       shifts and throughout the year.
       This access is done daily with the operating agent accepting the terms of the LOPD

       by "clicking" on the "ACCEPT" tab, being aware of all the
       terms of the Law, duty of secrecy and treatment of data that in the program is
       register or are registered. Once the session is started, the operator agent of the
       communications center generates an incident for each known notice, leaving
       registered in it in different drop-down tabs; The fact itself,
       people involved with full affiliation even minors, possible
       also involved with full affiliation including minors, agents
       actors, vehicles and result of the incident. These incidents also record

       proposed administrative and even criminal sanctions (Art 27. 1 a) b) of the LO
       At the end of each 8-hour work shift, the operator of the coordination center generates
       a PDF file containing all the incidents recorded on your shift

       and with these a PDF document called "News for mayor" is generated and these
       they are saved in the corresponding folder, ordered by shift (Morning/T/Night),
       day (01 to 31) and month of the year (January to Dec), generating 3 daily for each day of the

 c/ Beato Tomás de Zumárraga, 71, 3º - 01008 Vitoria – Gasteiz - Tel. 945 016 230 - Fax. 945 016 231 avpd@avpd.es - www.avpd.es, This way of proceeding makes it easier for the rest of the agents to be aware of the

       incidents of a police nature recorded in previous shifts, during their discharge,
       by reviewing the generated PDFs, which are read throughout the operation
       by the head of service at the beginning of each work shift in what is known as the "Passe de

       This generated file format collects in a shorter way, without affiliation data
       of communicators, involved or witnesses, (Individuals in general) the summary of each
       known incidence in each shift, the acting agents and the result of the same.
       The three daily lists generated (M/T/N) of "News for mayor" are sent
       the next morning via corporate email
       (_____@....eus) to the higher-ups, Mr. Chief of Police, as well as Mrs.

       mayor of […] and the councilor for citizen security.
       Many components of the police group, faced with the order to carry out this shipment of
       police incidents, which in its fields does not include personal data, to

       people outside of the operation only reflect the initials of the name and surname of the
       people involved in the warning and result fields, in order to avoid violating their
       privacy and understanding that knowledge of them is not necessary for the
       functions of mayor or council, beyond specific cases and by means of a report
       motivated. On the part of the Police Headquarters and at the request of the council,
       ordered the collective to include complete affiliation data of the citizens,
       name, surnames and DNI number in the body of the notice and result with which both Mr.

       councilor and the mayor have access to them, thus avoiding the
       privacy granted by this PDF file format which, as we explained, are not
       It includes.
       This practice, ordered by the leadership as the first task of each morning shift,

       is understood by the majority of the group as a possible violation of the LOPD and
       to article 5.1.c) of Regulation (EU) 2016/679, also understanding that the
       knowledge of these complete police affiliation data are personal data
       of first order of protection and whose knowledge is limited and its access must

       For these reasons, we request clarification from this union on the part of its Agency on
       the legality and convenience of systematically including complete affiliation data of
       citizens, even minors, in the incidences that are sent to them every day by
       email to Mr. Councilor for Citizen Security of the City Council of [...] and
       to the Mayoress of the municipality of [...] (All those collected by the Local Police).

SECOND: On December 20, 2021, the Protection Delegate was requested
City Council Data […] report on the matter. Dated January 26,

2022 had a written entry from the City Council of […] that attached a report from the Head of the
Local Police stating the following:

       “I have read the document that has been submitted to the Basque Data Protection Agency in
       when the preparation of the lists of daily actions, use and referral of the
       same to different people, clarify:

       1º.- There are two types of documents or lists of common use in the preparation and
       review of incidents created by daily police actions.
       First. The Notice Reception Sheet.

       This is a document made for each open incident in the
       police management "Eurocop", in which all the data included in the

                                                                                                   2, action provided that the person operating the system complies with the instructions

Headquarters and include the affiliation of every person involved in it
(communicating, involved, etc...), vehicles and owners of the same, result of the
notice, implication of the acting people, etc... it is essential to document
all the data of the program to have the complete file and to be able to carry out consultations
police and/or responses to various bodies such as Courts, Prosecutor's Office, others
police forces, etc... the usual thing is to occupy two pages with each file if it is

Second. The List of Daily Incidents.

The list is a minimalist report of the police files where the
Following data:

The call summary text
The management of the call

The place of the incident and the professional numbers of the acting agents.

This document contains less data than the police file, not appearing in it
the affiliation of the people or vehicles involved in the incident and is generated in
PDF form for each work shift of 8 hours in the morning, afternoon and night
filing the same on the police intranet in a police access folder, it is
which the request for information calls "News for the Mayor's Office".

The document is the one used in the roll call or start of service of the three groups
of daily work and serves to facilitate the essential information for your
knowledge and performance of road safety prevention tasks and
citizen, since it is of interest in terms of prevention to know the people
investigated, suspects to be identified, investigated or detained, people with requisitions

slopes, vehicles suspected of committing criminal offenses, etc...
The usual way is to include in this list the only affiliation that allows its
identification to the Police operation (Name and surname) not the rest (DNI, NIE, Passport,

The Headquarters Order refers to incorporating all the complete data of all the
people involved and vehicles in the 1st. "Police file" and only identifying data

in the 2nd. "List of daily incidents", never the DNI/NIE/Passport (which does not provide
nothing since the operative does not know the people by themselves and also if
appears in the FILE) when it refers to those involved in criminal offenses, nor is it
It is customary to indicate in this record the affiliation of communicating persons, witnesses and
involved who do not contribute anything in this document to police prevention, this
second type of data is already included in the Notice Reception Form and can be
exploit this data before any requirement.

The fact of incorporating the initials X.X. of people arrested and investigated,
practice carried out by several Agents, hinders the work of the police operation by - not
identify the people with whom the Police have to interact.

This list of Daily Incidents from the previous day, consisting of three documents
generated in PDF (morning, afternoon and evening), is sent the following day to the address
Policelocal@....eus email address, from where it is distributed to the following users:

The Deputy Commissioner-Chief of Police and the three NCOs

                                                                                             3, Having been extended to the users Mayoralty and Department with Delegation of
              Police by indication of the Political Headquarters of the Local Police.

       On a daily basis, the Ertzaintza refers us to the entire police operation through the
       police address local@....eus with the users mentioned in the paragraph
       above the daily incidences elaborated in the demarcation or scope of work
       common to both police forces.

       This list includes the type of incident, crime, complete affiliation of the people
       involved, DNI, NIE, etc... vehicles, telephone numbers of the people and photographs of the
       detained people. This list is presented at the roll call of each turn of
       work so that this police operation also knows the people with whom
       that interacts and serves as security prevention.

       They attached:
       1.- An example of the Notice Reception Sheet

       2.- List of incidents that are presented at roll calls with initials
       3.- List of incidents presented with name and surname

       4.- Order of Headquarters to fill in the complete affiliation (name and surnames...
              no more unnecessary data)

       5.- Incidents sent daily from the Ertzaintza”.
THIRD: Article 17.1 of Law 2/2004, of February 25, on Data Files of

Personal Nature of Public Ownership and Creation of the Basque Protection Agency
of Data, in its section n) attributes to the Basque Data Protection Agency the following

       “Attend to queries regarding the protection of personal data
       formulated by the public administrations, institutions and corporations to which
       referred to in article 2.1 of this Law, as well as other natural or legal persons, in
       relation to the processing of personal data included in the scope of
       application of this Law”.

It corresponds to this Basque Data Protection Agency, by virtue of the most
cited above, the issuance of the report in response to the query formulated.



The current regulatory framework regarding the protection of personal data is contained in the
Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016,
on the protection of natural persons with regard to data processing

data and the free movement of these data and by which the Directive is repealed
95/46/CE (General Data Protection Regulation), directly applicable in the
Member States since May 25, 2018, and in Organic Law 3/2018, of May 5,
December, Protection of Personal Data and guarantee of digital rights
(LOPDGDD), in force since December 7, 2018.

                                                                                                 4, The RGPD defines in its article 4.1 personal data as "all information about a
identified or identifiable natural person ("the interested party"); will be considered a natural person
identifiable person any person whose identity can be determined, directly or indirectly, in
by an identifier, such as a name, phone number,
identification, location data, an online identifier, or one or more elements
inherent to the physical, physiological, genetic, mental, economic, cultural or social identity of
said person”.

With regard to data processing, it is defined in article 4.2 of the RGPD,
as “any operation or set of operations carried out on personal data or
sets of personal data, whether by automated procedures or not, such as the
collection, registration, organization, structuring, conservation, adaptation or modification,

extraction, consultation, use, communication by transmission, diffusion or any other
form of authorization of access, collation or interconnection, limitation, suppression or destruction
Therefore, to the extent that personal data is processed, it will be
obliged to comply with the regulations on data protection.

Article 5 of the RGPD establishes the principles related to data processing
personal. In accordance with these principles, the data must be processed lawfully,
fair and transparent. Likewise, once collected, they must be applied for purposes
previously determined, explicit and legitimate, not being able to be used later
in a manner incompatible with those purposes. In addition, the processing of personal data must
observe the principle of data minimization, these must be adequate, pertinent

and limited to the objective pursued, applying the technical and organizational measures that
guarantee it.


The query raised by the Basque Union of Police and Emergencies refers to the legality
to include affiliation data in the incidents that are sent every day to the councilor of
citizen security and the mayor of the town. In this regard, we must emphasize that the

RGPD establishes in its article 6.1 the assumptions that legitimize the processing of data
personal, are as follows:
       a) the interested party gave their consent for the processing of their personal data
       for one or more specific purposes;

       b) the treatment is necessary for the execution of a contract in which the interested party
       is part of or for the application at the request of the latter of pre-contractual measures;

       c) the treatment is necessary for the fulfillment of an applicable legal obligation
       to the data controller;

       d) the treatment is necessary to protect the vital interests of the interested party or another
       Physical person;
       e) the treatment is necessary for the fulfillment of a mission carried out in

       public interest or in the exercise of public powers vested in the person responsible for the
       f) the treatment is necessary for the satisfaction of legitimate interests pursued

       by the person in charge of the treatment or by a third party, provided that on said

                                                                                             5, interests do not override the interests or the fundamental rights and freedoms of the
       interested party that require the protection of personal data, in particular when the
       interested is a child.

Article 6.3 of the RGPD establishes that “the basis of the treatment indicated in section 1,
letters c) and e), must be established by the Law of the Union, or the Law of the
Member States that applies to the data controller.

In this sense, Organic Law 3/2018, of December 5, on Data Protection
Personal and guarantee of digital rights (LOPDGDD), in its article 8, regarding the
data processing due to legal obligation, public interest or exercise of public powers,

       "1. The processing of personal data can only be considered based on the
       compliance with a legal obligation required of the person in charge, in the terms provided
       in article 6.1 c) of Regulation (EU) 2016/679, when so provided by a standard
       of European Union Law or a rule with the force of law, which may determine
       the general conditions of the treatment and the types of data object of the same as well
       as well as the transfers that proceed as a result of the fulfillment of the obligation
       legal. Said rule may also impose special conditions on the processing,
       such as the adoption of additional security measures or others established in
       Chapter IV of Regulation (EU) 2016/67”.

Likewise, article 10 of the LOPDGDD regarding the treatment of data of a
criminal, establishes that the processing of personal data related to convictions and infractions
criminal proceedings, as well as related precautionary and security procedures and measures, to

purposes other than those of prevention, investigation, detection or prosecution of
criminal offenses or execution of criminal sanctions, can only be carried out
when it is protected by a rule of Union Law, in this organic law
or in other regulations of legal rank.

Therefore, to determine the legality of the treatment consulted, it will be necessary to analyze the
legal regime applicable to access by members of a local corporation to
personal information held in a EUROCOOP database. About,
We must start by noting that art. 77 of Law 7/1985, of April 2, Regulating
the Bases of the Local Regime (hereinafter LRBRL), establishes that all the members of

Local Corporations have the right to obtain from the Mayor or President or from the
Government Commission whatever background, data or information is in the possession of the
services of the Corporation and are necessary for the development of its function.

The Law of bases of the local regime does not foresee, therefore, an indiscriminate access to the
municipal information, but rather introduces a criterion of prudence both when stating the
right, as when articulating its exercise procedure. We can reach the same conclusion
If we analyze the development of said article contained in Royal Decree 2568/1986,
of November 28, which approves the Organization Regulations,
Functioning and Legal Regime of Local Entities (ROF), specifically in the

Articles 14 to 16. Article 15 establishes the obligation to provide the information to the
councilors in the case of corporations that hold delegations or responsibilities
management, and the information is specific to the corresponding areas; is also required to
give the councilors the information and documentation corresponding to the matters that
have to be treated by the collegiate bodies of which they are a part, as well as the

                                                                                           6, resolutions or agreements adopted by any municipal body and, finally, that
information that is freely accessible to citizens.
In this regard, the Supreme Court (among other STS 1541/2016, of June 27) has recognized
that the right of the members of the Local Corporations to the necessary information

for the performance of their duties that, with a basic character, recognizes article 77, it is
essential for the democratic functioning of said Corporations, as well as for the
fundamental right of participation in public affairs arising from article 23.1
of the Constitution. Adequate information is an unavoidable budget to participate in
the deliberations and votes of the Plenary and of the other collegiate bodies, for a
correct work of control and supervision or for the exercise of the responsibilities of

management that, where appropriate, holds the Councilor who, in short, must respond civilly and criminally
for the acts and omissions carried out in the exercise of their position (article 78 LRBRL). By
Therefore, the jurisprudence has always rigorously examined the assumptions of limitation or
restriction of this right (judgments, among many others, of February 9, 1995, 27
December 1994 and November 24, 1993).

In accordance with this legal regime, the right to information of the councilors appears
closely and directly related to the development of its function, which in this case is
specifically in the exercise of powers related to citizen security. In this
meaning, art. 21 of the LRBRL to regulate the powers of the Mayor, establishes in the
section i) that corresponds to exercise the leadership of the Municipal Police. In the same
In this sense, Law 2/2016, of April 7, on Local Institutions in the Basque Country, regulates in art. 17

the powers of the municipalities, highlighting the planning and management of the
local police, traffic management, road safety, vehicle parking and
collaboration in citizen security.

On the other hand, Law 15/2012, of June 28, on the Organization of the Security System
Public of Euskadi, regulates the public authorities in matters of security (art. 4), and
establishes that they participate in the public security system as authorities in the
the Mayors, and other holders of municipal bodies in
the framework of its powers.

Therefore, based on the exposed legal framework, it can be concluded that the members of
local corporations that have powers in matters of citizen security
may access information related to the performance of their duties, under
of the provisions of article 6.1 c) of the RGPD, as well as when the treatment is
necessary for the fulfillment of a mission carried out in the public interest or in the exercise

of public powers conferred on the data controller established by art. 6.1 e)
of the GDPR.
In any case, the central role that for a correct guarantee of the
fundamental right to data protection have the principle of minimization collected

in art. 5.1 c) of the RGPD, in accordance with which the personal data processed will be
adequate, relevant and limited to what is necessary in relation to the purposes for which they are
treated. This principle attempts to include a criterion of reasonableness and proportionality in the
handling of the information, in view of the purpose pursued by the treatment.

In the present case, the legality of including affiliation data in the incidents that
Every day, the local police send the councilor for citizen security and the mayor of the
locality, so that according to the established legal framework, access must be allowed

                                                                                           7, treating the data strictly necessary for the intended purpose in each case,
thus avoiding illegitimate interference in the right to privacy of the people of
accordance with the principle of minimization.

                         In Vitoria-Gasteiz, on March 7, 2022