DBEB/AVPD (Basque Country) - DICTAMEN No D22-013: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color= |DPAlogo=Logo_AVPD.png |DPA_Abbrevation=DBEB/AVPD |DPA_With_Country=DBEB/AVPD (Basque Country) |Case_Number_Name=DICTAMEN...")
 
Line 82: Line 82:
=== Holding ===
=== Holding ===
DPA’s considerations
DPA’s considerations




Line 87: Line 88:


Secondly, the DPA analyses if the pretended contracts management constitutes ‘processing’ in the sense of [[Article 4 GDPR#2|Article 4(2) GDPR]] and confirms that Alava Water Consortium will therefore have to observe the principles of [[Article 5 GDPR|Article 5 GDPR]] and be based on the legal basis listed in [[Article 6 GDPR#1|Article 6(1) GDPR]].
Secondly, the DPA analyses if the pretended contracts management constitutes ‘processing’ in the sense of [[Article 4 GDPR#2|Article 4(2) GDPR]] and confirms that Alava Water Consortium will therefore have to observe the principles of [[Article 5 GDPR|Article 5 GDPR]] and be based on the legal basis listed in [[Article 6 GDPR#1|Article 6(1) GDPR]].
Along the same line, the DPA highlights that when it comes to the processing carried out by Public Administrations the legal basis is commonly the public interest and the exercise of a public task for which the national legislation (LOPDGDD) on its Article 8(2) foresees that such basis can only be applied when the competence of the administrative body is established by Law.
Along the same line, the DPA highlights that when it comes to the processing carried out by Public Administrations the legal basis is commonly the public interest and the exercise of a public task for which the national legislation ([https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673 LOPDGDD]) on its Article 8(2) foresees that such basis can only be applied when the competence of the administrative body is established by Law.


Next, the DPA analyses the legislation that regulates both local government and the competencies of local bodies in the water supply (Ley 2/2016, de 7 de abril de Instituciones Locales de Euskadi and Ley 7/1985, de 2 de abril, Reguladora de las Bases del Regimen Local, respectively). From them, the DPA concludes that a consortium can have the same competencies as a municipality in the management, supply, and control of the full water supply cycle for urban use, and for doing so, they may do direct management.
Next, the DPA analyses the legislation that regulates both local government and the competencies of local bodies in the water supply ([https://www.boe.es/diario_boe/txt.php?id=BOE-A-2016-4171 Ley 2/2016, de 7 de abril de Instituciones Locales de Euskadi] and [https://www.boe.es/buscar/act.php?id=BOE-A-1985-5392 Ley 7/1985, de 2 de abril, Reguladora de las Bases del Regimen Local], respectively). From them, the DPA concludes that a consortium can have the same competencies as a municipality in the management, supply, and control of the full water supply cycle for urban use, and for doing so, they may do direct management. The DPA concludes by stating that Alava water Consortium, according to its articles of association, is legitimate to substitute the municipalities which are the component members in carrying out the processing of personal data as long as they process only the necessary data for the purpose of managing the public service of water supply in the secondary network or low supply.  
The DPA concludes by stating that Alava water Consortium, according to its articles of association, is legitimate to substitute the municipalities which are the component members in carrying out the processing of personal data as long as they process only the necessary data for the purpose of managing the public service of water supply in the secondary network or low supply.  


Additionally, the DPA also pointed out the principles to be observed, such as transparency by informing the data subject at the time of the collection of data as foreseen in Articles 12, 13 and 14 GDPR and 11 LOPDGDD, giving special attention to Article 14 of the Regulation about the obligation to inform the source of the data.  
Additionally, the DPA also pointed out the principles to be observed, such as transparency by informing the data subject at the time of the collection of data as foreseen in [[Article 12 GDPR|Articles 12]], [[Article 13 GDPR|13]] and [[Article 14 GDPR|14 GDPR]] and [https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673 11 LOPDGDD], giving special attention to Article 14 of the Regulation about the obligation to inform the source of the data. About the principle of data minimization of [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]], the DPA states that only adequate, relevant, and limited data to what is necessary in relation to the purposes must be processed. Also, according to the purpose limitation principle of [[Article 5 GDPR#1b|Article 5(1)(b) GDPR]], data collected must respond to specified, explicit and legitimate purposes and no further processing in a manner incompatible with them is allowed, with the only exception or [[Article 89 GDPR#1|Article 89(1) GDPR]]. [[Article 5 GDPR#1d|Article 5(1)(d) GDPR]] stated that data should be kept in a form which permits the identification of data subjects for no longer than is necessary for the purpose of the processing except in the case of [[Article 89 GDPR#1|Article 89(1) GDPR]]. In the case of the principle of integrity and confidentiality of [[Article 5 GDPR#1f|Article 5(1)(f) GDPR]] it is mandatory to guarantee the security of the data, including the protection against accidental or unlawful destruction, loss, alteration, unauthorised disclosure ([[Article 32 GDPR]]) and, also, to take into consideration that processing carried out by public administrations must observe the measures established by the National Security Scheme as foreseen in the LOPDGDD.
About the principle of data minimization of [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]], the DPA states that only adequate, relevant, and limited data to what is necessary in relation to the purposes must be processed. Also, according to the purpose limitation principle of [[Article 5 GDPR#1b|Article 5(1)(b) GDPR]], data collected must respond to specified, explicit and legitimate purposes and no further processing in a manner incompatible with them is allowed, with the only exception or [[Article 89 GDPR#1|Article 89(1) GDPR]]. [[Article 5 GDPR#1d|Article 5(1)(d) GDPR]] stated that data should be kept in a form which permits the identification of data subjects for no longer than is necessary for the purpose of the processing except in the case of [[Article 89 GDPR#1|Article 89(1) GDPR]].
In the case of the principle of integrity and confidentiality of [[Article 5 GDPR#1f|Article 5(1)(f) GDPR]] it is mandatory to guarantee the security of the data, including the protection against accidental or unlawful destruction, loss, alteration, unauthorised disclosure (Article 32 GDPR) and, also, to take into consideration that processing carried out by public administrations must observe the measures established by the National Security Scheme as foreseen in the LOPDGDD.


Finally, the is mandatory under [[Article 30 GDPR|Article 30 GDPR]] to maintain a record of the processing activities which, in the case of public entities, must be made publicly available and accessible through electronic means.
Finally, the is mandatory under [[Article 30 GDPR]] to maintain a record of the processing activities which, in the case of public entities, must be made publicly available and accessible through electronic means.


== Comment ==
== Comment ==

Revision as of 21:50, 14 November 2022

DBEB/AVPD - DICTAMEN No D22-013
Logo AVPD.png
Authority: DBEB/AVPD (Basque Country)
Jurisdiction: Spain
Relevant Law: Article 4(1) GDPR
Article 4(2) GDPR
Article 5 GDPR
Article 6(1) GDPR
LOPDGDD
Type: Advisory Opinion
Outcome: n/a
Started:
Decided:
Published: 11.11.2022
Fine: n/a
Parties: n/a
National Case Number/Name: DICTAMEN No D22-013
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AVPD (in ES)
Initial Contributor: Michelle Ayora

The Basque DPA analyses the legitimacy of a new water provider for the processing of personal data contained in the water supply agreements that the previous supplier used to manage. The new provider is a consortium that requested the transfer of the data without obtaining prior consent from each of the users.

English Summary

Facts

Background Information:

Basque DPA published an expert opinion regarding the consultation made by the legal representative of Vitoria S.A, a water supplier which is the current controller. The aim of the consultation is to verify the lawfulness of the potential transfer of the data collected for the management of contracts for the provision of water service in the secondary network or low supply due to the transfer of functions from Vitoria S.A to Alava Water Consortium (the new water supplier). The latter requested the transfer of the mentioned data without obtaining prior consent from each of the users of the water supply services who are represented by the Administrative Boards that subscribe to the agreement. Alava consortium assumed the full execution and management of the water supply and considers itself legitimate to hold the entitlement to manage the contracts since the information that they contain allows it to control the consumption, fees, invoicing, and so forth.

Secondly, Alava Water Consortium has competence in the management of water which was transferred by the local entities (controllers).

Thirdly, the Basque DPA is competent in this matter since Alava Water Consortium is a public entity.

Holding

DPA’s considerations


The DPA starts by applying the concept of ‘personal data’ of Article 4(1) GDPR, stating that the information contained in the water supply agreements will be personal data as long as it refers to identified or identifiable physical persons.

Secondly, the DPA analyses if the pretended contracts management constitutes ‘processing’ in the sense of Article 4(2) GDPR and confirms that Alava Water Consortium will therefore have to observe the principles of Article 5 GDPR and be based on the legal basis listed in Article 6(1) GDPR. Along the same line, the DPA highlights that when it comes to the processing carried out by Public Administrations the legal basis is commonly the public interest and the exercise of a public task for which the national legislation (LOPDGDD) on its Article 8(2) foresees that such basis can only be applied when the competence of the administrative body is established by Law.

Next, the DPA analyses the legislation that regulates both local government and the competencies of local bodies in the water supply (Ley 2/2016, de 7 de abril de Instituciones Locales de Euskadi and Ley 7/1985, de 2 de abril, Reguladora de las Bases del Regimen Local, respectively). From them, the DPA concludes that a consortium can have the same competencies as a municipality in the management, supply, and control of the full water supply cycle for urban use, and for doing so, they may do direct management. The DPA concludes by stating that Alava water Consortium, according to its articles of association, is legitimate to substitute the municipalities which are the component members in carrying out the processing of personal data as long as they process only the necessary data for the purpose of managing the public service of water supply in the secondary network or low supply.

Additionally, the DPA also pointed out the principles to be observed, such as transparency by informing the data subject at the time of the collection of data as foreseen in Articles 12, 13 and 14 GDPR and 11 LOPDGDD, giving special attention to Article 14 of the Regulation about the obligation to inform the source of the data. About the principle of data minimization of Article 5(1)(c) GDPR, the DPA states that only adequate, relevant, and limited data to what is necessary in relation to the purposes must be processed. Also, according to the purpose limitation principle of Article 5(1)(b) GDPR, data collected must respond to specified, explicit and legitimate purposes and no further processing in a manner incompatible with them is allowed, with the only exception or Article 89(1) GDPR. Article 5(1)(d) GDPR stated that data should be kept in a form which permits the identification of data subjects for no longer than is necessary for the purpose of the processing except in the case of Article 89(1) GDPR. In the case of the principle of integrity and confidentiality of Article 5(1)(f) GDPR it is mandatory to guarantee the security of the data, including the protection against accidental or unlawful destruction, loss, alteration, unauthorised disclosure (Article 32 GDPR) and, also, to take into consideration that processing carried out by public administrations must observe the measures established by the National Security Scheme as foreseen in the LOPDGDD.

Finally, the is mandatory under Article 30 GDPR to maintain a record of the processing activities which, in the case of public entities, must be made publicly available and accessible through electronic means.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

File: CN22-005


OPINION No. D22-013


OPINION RELATED TO THE PROCESSING OF PERSONAL DATA THAT IT INTENDS
CREATE THE ÁLAVA WATER CONSORTIUM FOR THE PROVISION OF THE
WATER SUPPLY SERVICE IN SECONDARY NETWORK OR SUPPLY
"IN DOWN"



                                    BACKGROUND


FIRST. - The Manager of Municipal Waters of Vitoria S.A. (AMVISA), by writing
requests an opinion regarding the legality of the transfer of data collected for the management
of the contracts for the provision of the "low" service (storage in warehouses and
distribution through pipes to the connections that connect with the facilities
private end users, such as homes, businesses, industry and other
establishments) upon request by URBIDE Arabako Ur Patzuergoa-Consortium

of Aguas de Álava, as the new provider of said service "in decline", without collecting
prior consent of each of the users of the supply services of
water in the secondary network of the Administrative Boards that adhere to the agreement of the
new lender.

SECOND. - The aforementioned document states that Aguas Municipales de Vitoria S.A.,
incorporated in 1970 as a public limited company and which is the exclusive property of the
Vitoria-Gasteiz City Council.

The purpose of said corporation is to provide the public collection service,
purification and distribution of drinking water, as well as the purification of wastewater in
the city of Vitoria-Gasteiz, as well as in certain towns within its jurisdiction.

This public limited company has an automated subscriber file when
water supply contracts are formalized in the secondary network, whose purpose is the
management of the relations of users of the service in order to demand the considerations
rates.

URBIDE Arabako Ur Patzuergoa-Álava Water Consortium, has requested AMVISA the
transfer of the data that it has regarding the supply contracts of the users
residents of the Administrative Boards attached to the Consortium, in order to proceed with the transfer
of supply management “in decline”.

THIRD. - In response to the request made by the Basque Agency for
Data Protection, URBIDE Arabako Ur Patzuergoa-Álava Water Consortium
declares that it has assumed the execution and management of the services related to the cycle
of water and therefore considers that it is appropriate that he himself holds the
recognition or ownership of the contracts related to the services it provides,



     c/ Beato Tomás de Zumárraga, 71, 3º - 01008 Vitoria – Gasteiz - Tel. 945 016 230 - Fax. 945 016 231 avpd@avpd.eus - www.avpd.eus such as control of metering equipment, contracting of services, control of
consumption, its invoicing and collection and non-payment management, the resolution of
claims and the power to impose sanctions derived from said activity, to
which requires the disposition of the data that AMVISA currently has.

It also states that the Consortium exercises the power to manage the water that
corresponds to the local entities themselves, who hold the ownership of the
competence which empowers them to perform the function of data controllers.
Personal information.

FOURTH. - Article 17.1 of Law 2/2004, of February 25, on Data Files of
Personal Nature of Public Ownership and Creation of the Basque Protection Agency
of Data, in its section n) attributes to the Basque Data Protection Agency the following
function:

       “Attend to queries regarding the protection of personal data
       formulated by the public administrations, institutions and corporations to which
       referred to in article 2.1 of this Law, as well as other natural or legal persons, in
       relation to the processing of personal data included in the scope of
       application of this Law”.

The Basque Data Protection Agency is the control authority for data processing.
personal data carried out by the Public Administrations and other public entities of the Country
Vasco, as data controllers, or where appropriate, as data processors.
In this case, AMVISA is a public limited company, so its performance is not subject to the

control of the Basque Agency for Data Protection, in accordance with the provisions of the
article 17 in relation to article 2 of Law 2/2004, of February 25, on Files of
Personal Data of Public Ownership and Creation of the Basque Agency for
Data protection, being the competent authority the Spanish Agency for the Protection of
Data.

However, it corresponds to this Basque Data Protection Agency, by virtue of the
aforementioned regulations, the control of the processing of personal data carried out by URBIDE
Arabako Ur Patzuergoa-Álava Water Consortium for being one of the entities
referred to in article 2.1 of Law 2/2004, and therefore, the issuance of the
this opinion.


                                   CONSIDERATIONS


                                              Yo

This Agency is going to analyze the possible legitimation of URBIDE Arabako Ur Patzuergoa-
Consorcio de Aguas de Álava so that it can proceed with the processing of the data
personnel involved in the transfer of supply management "in decline" with respect to the
data of the neighboring users of the Administrative Boards that the company has
municipal AMVISA, that is, personal data of natural persons, sole holders of the
fundamental right to data protection regulated in Regulation (EU) 2016/679
of the European Parliament and of the Council on the protection of natural persons with regard to

regarding the processing of personal data and the free movement of such data (in
Forward GDPR.

                                                                                           2II
Prior to the issuance of this opinion, we must proceed to the analysis of concepts

core elements of the fundamental right to data protection, such as the definition of data
personal and data processing.
The RGPD defines in its article 4.1 personal data as: All information about a

identified or identifiable natural person ("the interested party"); will be considered a natural person
identifiable person any person whose identity can be determined, directly or indirectly, in
by an identifier, such as a name, phone number,
identification, location data, an online identifier, or one or more elements
inherent to the physical, physiological, genetic, mental, economic, cultural or social identity of
said person”.

In this case, the personal data contained in the contracts for the provision of the
"unsubscribed" service will be personal data insofar as they refer to natural persons
identified or identifiable.

With regard to data processing, it is defined in article 4.2 of the RGPD as
“Any operation or set of operations carried out on personal data or
sets of personal data, whether by automated procedures or not, such as the
collection, registration, organization, structuring, conservation, adaptation or modification,

extraction, consultation, use, communication by transmission, diffusion or any other
form of authorization of access, collation or interconnection, limitation, suppression or destruction”.

The management of the contracts for the provision of the canceled service sought by URBIDE
Arabako Ur Patzuergoa-Álava Water Consortium, involves data processing
personal, so it will be subject to compliance with the obligations contained in the
regulations on data protection.

The processing of personal data must necessarily respect the principles
proclaimed in article 5 of the RGPD, among them the principle of legality, loyalty and
transparency [art. 5.1.a) of the RGPD].

In compliance with this principle, these treatments must be covered by one of the
the legal bases of the treatment included in article 6.1 of the RGPD: consent,
contract, legal obligation, public interest or exercise of public powers, legitimate interest and
vital interest of the affected party.

In the case of Public Administrations, it is the fulfillment of a mission carried out in
public interest and the exercise of public powers the most common legitimating basis. In
In relation to it, Organic Law 3/2018 of December 5, on Data Protection
Personal and guarantee of digital rights in its article 8.2 provides:

       "two. The processing of personal data can only be considered based on the
       fulfillment of a mission carried out in the public interest or in the exercise of powers
       data conferred on the controller, under the terms provided in article 6.1 e) of the
       Regulation (EU) 2016/679, when it derives from a competence attributed by a
       norm with the force of law”.





                                                                                            3In the case at hand, it is appropriate to analyze the regulations that regulate the local regime and the
competences of local entities in the provision of the public supply service
of water.
Law 2/2016, of April 7, on Local Institutions of the Basque Country (hereinafter LILE) in its

Article 17 provides that the municipalities within the framework of the provisions of the same Law and in the
legislation that is applicable, they may exercise their own powers in the organization,
management, provision and control of services in the integral cycle of water for urban use,
which includes the supply of water in high or adduction, supply of water in low,
Sanitation or collection of urban wastewater and rainwater from the nuclei of
population and purification of urban wastewater.

Article 2.1.b) of the LILE stipulates that they will be considered local entities
the councils and any other local territorial entities of less than
municipality, in accordance with the existing regional regulations in each territory and the provisions of the
basic legislation of local regime.

Article 2.5 of the LILE states that councils, associations, gangs...
All the powers provided for in the basic legislation of the local regime will correspond to them
(Law 7/1985, of April 2, Regulating the Bases of the Local Regime, hereinafter LBRL).

In the indicated section in fine it is provided that "in the case of the Historical Territory of Álava,
the councils have the powers recognized by the laws or regulations
forales”.
Likewise, article 2.2 of the LILE provides that local public services will be

provided, preferably by the municipality, and when this is not feasible or converge
reasons of efficiency or effectiveness, by local entities constituted by the
municipalities (associations, consortiums...).

The aforementioned article 2 in its third section continues to say that public services
local entities may also be provided by other local entities, including by entities
supramunicipal, in which case the will and request of the different
municipalities that will be part of them.

For its part, section 3 of article 10 provides that the power of self-organization
is projected in the right to agree on associative formulas for the provision of services
local public, especially the provision of services by associations and consortiums

Thus, article 19 in its second paragraph establishes that the exercise of its own powers
may be carried out by the same municipality or through municipal associative formulas that
facilitate, where appropriate, the management or provision derived from their powers, in the terms
determined by the affected municipalities themselves.

In this sense, article 104 of the LILE provides that municipalities and other entities
Local authorities may form consortiums with other public administrations for purposes of
common interest whose purpose is economic, technical and administrative cooperation
for the provision of local public services.

Said article in its third section indicates that, for the management of the services of your
competition, consortiums may use direct management, by the consortium itself, as
results in the matter sent for consultation, or indirect management through the forms in the
public service management contract.


                                                                                           4In the case at hand, URBIDE Arabako Ur Patzuergoa-Álava Water Consortium,
as stated in its statutes, in force from its publication in the Official Gazette of
Historical Territory of Álava, on January 4, 2019, is a public law entity,
of an associative and voluntary nature made up of public administrations and, where appropriate,
by private non-profit entities, which pursue purposes of public interest,
concurrent with those of those.

The consortium has its own legal personality, differentiated and full capacity to
the fulfillment of its purposes, which are none other than the establishment and exploitation of the
infrastructures of public water supply and sanitation services
in accordance with current regulations. Specifically, the Consortium will provide the services

directly related to the water cycle in terms of:
       a.-To the water supply that includes adduction services (or supply
in the primary network: supply in discharge) and distribution (supply of water in network
secondary or low supply).

       b.-To the sanitation, those of "interception/purification" and to the "sewerage".

The consortium entities exercise their competence through the consortium, remaining in
In any case, the ownership of the competition in those. The consortium will replace the entities
premises that comprise it for the fulfillment of its purposes for which it will count, among other
with the power to manage supply and sanitation services.

In accordance with the aforementioned regulations, we can conclude that URBIDE Arabako Ur
Partzuergoa-Aguas de Álava Consortium, as a substitute for the consortium entities,
will have a legal basis to process personal data to the extent that they are
strictly necessary for the management of the public electricity supply service
water supply in secondary network.

In addition, in this data processing, the Consortium must comply with the rest of the
principles contained in article 5 of the General Data Protection Regulation.

Thus, by virtue of the principle of transparency, it must comply with the duty to inform the
interested in the collection of personal data, observance that will be adjusted to the
prescribed in articles 12, 13 and 14 of the RGPD and in article 11 of the LOPDGDD. In
In this case, you must pay special attention to the provisions of article 14, so
You must inform the interested parties of the source from which you have received the data.

For its part, the principle of data minimization proclaimed in article 5.1.c) requires
that only those data that are relevant, adequate and limited to what is necessary in
relation to the intended purpose.

The purpose limitation principle [art. 5.1.b)] requires that the data be collected
for specific, explicit and legitimate purposes, without being able to be processed further
manner incompatible with those purposes; only deviation from the purpose is allowed
in the cases provided for in article 89, section 1, that is, archiving purposes in the interest

public, scientific and historical research purposes or statistical purposes.
The fulfillment of the purpose also affects the period of conservation of the information,
being the limitation of the term of conservation another of the principles that the RGPD proclaims

in its article 5.1.d). Under this principle, the data must be kept in a
that the identification of the interested parties is allowed for no longer than necessary

                                                                                            5for the purposes of processing personal data, although they may be kept for
longer periods as long as they are treated exclusively for archival purposes in the interest
public, scientific or historical research purposes or statistical purposes, in accordance with
Article 89, paragraph 1, without prejudice to the application of technical measures and
appropriate organizational measures imposed by the Regulation in order to protect the rights and
liberties of the interested party.

The RGPD also includes among the principles applicable to data processing
personal data the principle of integrity and confidentiality [art. 5 f)] which requires that the data
personal data are treated in such a way as to ensure their safety, including the
protection against unauthorized or unlawful processing and against loss, destruction or

accidental damage, through the application of appropriate technical or organizational measures
(article 32).
In this sense, it should be taken into account that when those responsible for the treatment,
as is the case, whether they are Public Administrations, they must apply to the processing of

personal data the security measures that correspond to those provided in the
National Security Scheme (First Additional Provision section 2 of the
LOPDGDD)

Finally, it should be noted that the RGPD eliminates the obligation to create and declare
of files and replaces it with the so-called "registry of treatment activities",
regulating its content in article 30.
Thus, each data controller is obliged to keep a record of the

treatment activities carried out under your responsibility (art. 30 RGPD), and of
In accordance with article 31.2 of the LOPDGDD, the Administrations must make public
an inventory of your processing activities, accessible by electronic means, in the
stating the information required in the aforementioned article 30 RGPD and its legal basis

These are the considerations made by the Basque Data Protection Agency in
relation to the query.


                            Vitoria-Gasteiz, July 11, 2022



















                                                                                           6