DBEB/AVPD (Basque Country) - DICTAMEN No D22-013

From GDPRhub
Revision as of 16:31, 15 November 2022 by Kk (talk | contribs) (added to the comment section)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Logo AVPD.png
Authority: DBEB/AVPD (Basque Country)
Jurisdiction: Spain
Relevant Law: Article 4(1) GDPR
Article 4(2) GDPR
Article 5 GDPR
Article 6(1) GDPR
Type: Advisory Opinion
Outcome: n/a
Published: 11.11.2022
Fine: n/a
Parties: n/a
National Case Number/Name: DICTAMEN No D22-013
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AVPD (in ES)
Initial Contributor: Michelle Ayora

The Basque DPA issued an expert opinion regarding the envisaged processing of personal data by a municipal water supplier. The DPA highlighted the importance of observing the principles under Article 5 GDPR.

English Summary


Vitoria S.A, a water supplier, consulted the Basque DPA and requested an expert opinion on an envisaged processing of personal data. In particular, the consultation concerned the lawfulness of the potential transfer of personal data collected for the management of contracts for the provision of water service due to the transfer of functions from Vitoria S.A. to a new water supplier, Alava Water Consortium. The latter had requested a transfer of the mentioned data without obtaining prior consent from each of the users of the water supply services (the data subjects). Alava Water Consortium assumed the full execution and management of the water supply and considered it lawful to manage the contracts since the information that they contain allows it to control the consumption, fees, invoicing, and so forth. This competence was transferred to Alava Water Consortium by the municipal entities (the controllers) who owned the consotrium as a public limited company.


The DPA started by applying the concept of ‘personal data’ in Article 4(1) GDPR, stating that the information contained in the water supply agreements was personal data as long as it referred to identified or identifiable natural persons.

Further, the DPA analysed that the envisaged contract management constituted ‘processing’ in the sense of Article 4(2) GDPR and confirmed that Alava Water Consortium would therefore have to observe the principles of Article 5 GDPR and have a valid legal basis listed in Article 6(1) GDPR. The DPA highlighted that when it comes to the processing carried out by public administration entities, the legal basis usually is public interest and the exercise of a public task. The national legislation (Article 8(2) LOPDGDD) foresees that such basis can only be applied when the competence of the administrative body is established by law.

Next, the DPA looked at the legislation that regulates both local government and the competencies of local bodies in the water supply (Ley 2/2016, de 7 de abril de Instituciones Locales de Euskadi and Ley 7/1985, de 2 de abril, Reguladora de las Bases del Regimen Local, respectively). From this, the DPA concluded that a consortium can have the same competencies as a municipality in the management, supply, and control of the full water supply cycle for urban use, and for doing so, they may do direct management. The DPA held that it was legitimate to substitute the municipalities, which were the component members in carrying out the processing of personal data, as long as the consortium processed only the necessary data for the purpose of managing the public service of water supply.

Additionally, the DPA pointed out the principles to be observed, such as transparency, by informing the data subject at the time of the collection of data as foreseen in Articles 12, 13 and 14 GDPR and Article 11 LOPDGDD. The controller must observe the principles data minimisation under Article 5(1)(c) GDPR and purpose limitation contained in Article 5(1)(b) GDPR. In the case of the principle of integrity and confidentiality of Article 5(1)(f) GDPR, it is mandatory to guarantee the security of the data, including the protection against accidental or unlawful destruction, loss, alteration, unauthorised disclosure (Article 32 GDPR) and, also, to take into consideration that processing carried out by public administrations must observe the measures established by the National Security Scheme as foreseen in the LOPDGDD.

Finally, according to the DPA, it is mandatory under Article 30 GDPR to maintain a record of the processing activities which, in the case of public entities, must be made publicly available and accessible through electronic means.


The DPA did not discuss the specific envisaged processing activities of Alava Water Consortium. Although not explicitly mentioned in the decision itself, it seems to be a prior consultation procedure under Article 36(5) GDPR.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

File: CN22-005

OPINION No. D22-013



FIRST. - The Manager of Municipal Waters of Vitoria S.A. (AMVISA), by writing
requests an opinion regarding the legality of the transfer of data collected for the management
of the contracts for the provision of the "low" service (storage in warehouses and
distribution through pipes to the connections that connect with the facilities
private end users, such as homes, businesses, industry and other
establishments) upon request by URBIDE Arabako Ur Patzuergoa-Consortium

of Aguas de Álava, as the new provider of said service "in decline", without collecting
prior consent of each of the users of the supply services of
water in the secondary network of the Administrative Boards that adhere to the agreement of the
new lender.

SECOND. - The aforementioned document states that Aguas Municipales de Vitoria S.A.,
incorporated in 1970 as a public limited company and which is the exclusive property of the
Vitoria-Gasteiz City Council.

The purpose of said corporation is to provide the public collection service,
purification and distribution of drinking water, as well as the purification of wastewater in
the city of Vitoria-Gasteiz, as well as in certain towns within its jurisdiction.

This public limited company has an automated subscriber file when
water supply contracts are formalized in the secondary network, whose purpose is the
management of the relations of users of the service in order to demand the considerations

URBIDE Arabako Ur Patzuergoa-Álava Water Consortium, has requested AMVISA the
transfer of the data that it has regarding the supply contracts of the users
residents of the Administrative Boards attached to the Consortium, in order to proceed with the transfer
of supply management “in decline”.

THIRD. - In response to the request made by the Basque Agency for
Data Protection, URBIDE Arabako Ur Patzuergoa-Álava Water Consortium
declares that it has assumed the execution and management of the services related to the cycle
of water and therefore considers that it is appropriate that he himself holds the
recognition or ownership of the contracts related to the services it provides,

     c/ Beato Tomás de Zumárraga, 71, 3º - 01008 Vitoria – Gasteiz - Tel. 945 016 230 - Fax. 945 016 231 avpd@avpd.eus - www.avpd.eus such as control of metering equipment, contracting of services, control of
consumption, its invoicing and collection and non-payment management, the resolution of
claims and the power to impose sanctions derived from said activity, to
which requires the disposition of the data that AMVISA currently has.

It also states that the Consortium exercises the power to manage the water that
corresponds to the local entities themselves, who hold the ownership of the
competence which empowers them to perform the function of data controllers.
Personal information.

FOURTH. - Article 17.1 of Law 2/2004, of February 25, on Data Files of
Personal Nature of Public Ownership and Creation of the Basque Protection Agency
of Data, in its section n) attributes to the Basque Data Protection Agency the following

       “Attend to queries regarding the protection of personal data
       formulated by the public administrations, institutions and corporations to which
       referred to in article 2.1 of this Law, as well as other natural or legal persons, in
       relation to the processing of personal data included in the scope of
       application of this Law”.

The Basque Data Protection Agency is the control authority for data processing.
personal data carried out by the Public Administrations and other public entities of the Country
Vasco, as data controllers, or where appropriate, as data processors.
In this case, AMVISA is a public limited company, so its performance is not subject to the

control of the Basque Agency for Data Protection, in accordance with the provisions of the
article 17 in relation to article 2 of Law 2/2004, of February 25, on Files of
Personal Data of Public Ownership and Creation of the Basque Agency for
Data protection, being the competent authority the Spanish Agency for the Protection of

However, it corresponds to this Basque Data Protection Agency, by virtue of the
aforementioned regulations, the control of the processing of personal data carried out by URBIDE
Arabako Ur Patzuergoa-Álava Water Consortium for being one of the entities
referred to in article 2.1 of Law 2/2004, and therefore, the issuance of the
this opinion.



This Agency is going to analyze the possible legitimation of URBIDE Arabako Ur Patzuergoa-
Consorcio de Aguas de Álava so that it can proceed with the processing of the data
personnel involved in the transfer of supply management "in decline" with respect to the
data of the neighboring users of the Administrative Boards that the company has
municipal AMVISA, that is, personal data of natural persons, sole holders of the
fundamental right to data protection regulated in Regulation (EU) 2016/679
of the European Parliament and of the Council on the protection of natural persons with regard to

regarding the processing of personal data and the free movement of such data (in
Forward GDPR.

Prior to the issuance of this opinion, we must proceed to the analysis of concepts

core elements of the fundamental right to data protection, such as the definition of data
personal and data processing.
The RGPD defines in its article 4.1 personal data as: All information about a

identified or identifiable natural person ("the interested party"); will be considered a natural person
identifiable person any person whose identity can be determined, directly or indirectly, in
by an identifier, such as a name, phone number,
identification, location data, an online identifier, or one or more elements
inherent to the physical, physiological, genetic, mental, economic, cultural or social identity of
said person”.

In this case, the personal data contained in the contracts for the provision of the
"unsubscribed" service will be personal data insofar as they refer to natural persons
identified or identifiable.

With regard to data processing, it is defined in article 4.2 of the RGPD as
“Any operation or set of operations carried out on personal data or
sets of personal data, whether by automated procedures or not, such as the
collection, registration, organization, structuring, conservation, adaptation or modification,

extraction, consultation, use, communication by transmission, diffusion or any other
form of authorization of access, collation or interconnection, limitation, suppression or destruction”.

The management of the contracts for the provision of the canceled service sought by URBIDE
Arabako Ur Patzuergoa-Álava Water Consortium, involves data processing
personal, so it will be subject to compliance with the obligations contained in the
regulations on data protection.

The processing of personal data must necessarily respect the principles
proclaimed in article 5 of the RGPD, among them the principle of legality, loyalty and
transparency [art. 5.1.a) of the RGPD].

In compliance with this principle, these treatments must be covered by one of the
the legal bases of the treatment included in article 6.1 of the RGPD: consent,
contract, legal obligation, public interest or exercise of public powers, legitimate interest and
vital interest of the affected party.

In the case of Public Administrations, it is the fulfillment of a mission carried out in
public interest and the exercise of public powers the most common legitimating basis. In
In relation to it, Organic Law 3/2018 of December 5, on Data Protection
Personal and guarantee of digital rights in its article 8.2 provides:

       "two. The processing of personal data can only be considered based on the
       fulfillment of a mission carried out in the public interest or in the exercise of powers
       data conferred on the controller, under the terms provided in article 6.1 e) of the
       Regulation (EU) 2016/679, when it derives from a competence attributed by a
       norm with the force of law”.

                                                                                            3In the case at hand, it is appropriate to analyze the regulations that regulate the local regime and the
competences of local entities in the provision of the public supply service
of water.
Law 2/2016, of April 7, on Local Institutions of the Basque Country (hereinafter LILE) in its

Article 17 provides that the municipalities within the framework of the provisions of the same Law and in the
legislation that is applicable, they may exercise their own powers in the organization,
management, provision and control of services in the integral cycle of water for urban use,
which includes the supply of water in high or adduction, supply of water in low,
Sanitation or collection of urban wastewater and rainwater from the nuclei of
population and purification of urban wastewater.

Article 2.1.b) of the LILE stipulates that they will be considered local entities
the councils and any other local territorial entities of less than
municipality, in accordance with the existing regional regulations in each territory and the provisions of the
basic legislation of local regime.

Article 2.5 of the LILE states that councils, associations, gangs...
All the powers provided for in the basic legislation of the local regime will correspond to them
(Law 7/1985, of April 2, Regulating the Bases of the Local Regime, hereinafter LBRL).

In the indicated section in fine it is provided that "in the case of the Historical Territory of Álava,
the councils have the powers recognized by the laws or regulations
Likewise, article 2.2 of the LILE provides that local public services will be

provided, preferably by the municipality, and when this is not feasible or converge
reasons of efficiency or effectiveness, by local entities constituted by the
municipalities (associations, consortiums...).

The aforementioned article 2 in its third section continues to say that public services
local entities may also be provided by other local entities, including by entities
supramunicipal, in which case the will and request of the different
municipalities that will be part of them.

For its part, section 3 of article 10 provides that the power of self-organization
is projected in the right to agree on associative formulas for the provision of services
local public, especially the provision of services by associations and consortiums

Thus, article 19 in its second paragraph establishes that the exercise of its own powers
may be carried out by the same municipality or through municipal associative formulas that
facilitate, where appropriate, the management or provision derived from their powers, in the terms
determined by the affected municipalities themselves.

In this sense, article 104 of the LILE provides that municipalities and other entities
Local authorities may form consortiums with other public administrations for purposes of
common interest whose purpose is economic, technical and administrative cooperation
for the provision of local public services.

Said article in its third section indicates that, for the management of the services of your
competition, consortiums may use direct management, by the consortium itself, as
results in the matter sent for consultation, or indirect management through the forms in the
public service management contract.

                                                                                           4In the case at hand, URBIDE Arabako Ur Patzuergoa-Álava Water Consortium,
as stated in its statutes, in force from its publication in the Official Gazette of
Historical Territory of Álava, on January 4, 2019, is a public law entity,
of an associative and voluntary nature made up of public administrations and, where appropriate,
by private non-profit entities, which pursue purposes of public interest,
concurrent with those of those.

The consortium has its own legal personality, differentiated and full capacity to
the fulfillment of its purposes, which are none other than the establishment and exploitation of the
infrastructures of public water supply and sanitation services
in accordance with current regulations. Specifically, the Consortium will provide the services

directly related to the water cycle in terms of:
       a.-To the water supply that includes adduction services (or supply
in the primary network: supply in discharge) and distribution (supply of water in network
secondary or low supply).

       b.-To the sanitation, those of "interception/purification" and to the "sewerage".

The consortium entities exercise their competence through the consortium, remaining in
In any case, the ownership of the competition in those. The consortium will replace the entities
premises that comprise it for the fulfillment of its purposes for which it will count, among other
with the power to manage supply and sanitation services.

In accordance with the aforementioned regulations, we can conclude that URBIDE Arabako Ur
Partzuergoa-Aguas de Álava Consortium, as a substitute for the consortium entities,
will have a legal basis to process personal data to the extent that they are
strictly necessary for the management of the public electricity supply service
water supply in secondary network.

In addition, in this data processing, the Consortium must comply with the rest of the
principles contained in article 5 of the General Data Protection Regulation.

Thus, by virtue of the principle of transparency, it must comply with the duty to inform the
interested in the collection of personal data, observance that will be adjusted to the
prescribed in articles 12, 13 and 14 of the RGPD and in article 11 of the LOPDGDD. In
In this case, you must pay special attention to the provisions of article 14, so
You must inform the interested parties of the source from which you have received the data.

For its part, the principle of data minimization proclaimed in article 5.1.c) requires
that only those data that are relevant, adequate and limited to what is necessary in
relation to the intended purpose.

The purpose limitation principle [art. 5.1.b)] requires that the data be collected
for specific, explicit and legitimate purposes, without being able to be processed further
manner incompatible with those purposes; only deviation from the purpose is allowed
in the cases provided for in article 89, section 1, that is, archiving purposes in the interest

public, scientific and historical research purposes or statistical purposes.
The fulfillment of the purpose also affects the period of conservation of the information,
being the limitation of the term of conservation another of the principles that the RGPD proclaims

in its article 5.1.d). Under this principle, the data must be kept in a
that the identification of the interested parties is allowed for no longer than necessary

                                                                                            5for the purposes of processing personal data, although they may be kept for
longer periods as long as they are treated exclusively for archival purposes in the interest
public, scientific or historical research purposes or statistical purposes, in accordance with
Article 89, paragraph 1, without prejudice to the application of technical measures and
appropriate organizational measures imposed by the Regulation in order to protect the rights and
liberties of the interested party.

The RGPD also includes among the principles applicable to data processing
personal data the principle of integrity and confidentiality [art. 5 f)] which requires that the data
personal data are treated in such a way as to ensure their safety, including the
protection against unauthorized or unlawful processing and against loss, destruction or

accidental damage, through the application of appropriate technical or organizational measures
(article 32).
In this sense, it should be taken into account that when those responsible for the treatment,
as is the case, whether they are Public Administrations, they must apply to the processing of

personal data the security measures that correspond to those provided in the
National Security Scheme (First Additional Provision section 2 of the

Finally, it should be noted that the RGPD eliminates the obligation to create and declare
of files and replaces it with the so-called "registry of treatment activities",
regulating its content in article 30.
Thus, each data controller is obliged to keep a record of the

treatment activities carried out under your responsibility (art. 30 RGPD), and of
In accordance with article 31.2 of the LOPDGDD, the Administrations must make public
an inventory of your processing activities, accessible by electronic means, in the
stating the information required in the aforementioned article 30 RGPD and its legal basis

These are the considerations made by the Basque Data Protection Agency in
relation to the query.

                            Vitoria-Gasteiz, July 11, 2022