Resolutions, opinions and reports search tool

One person reported that he had received a call from a call centre for the purposes of COVID-19 vaccination, in which he was asked why he did not want to be vaccinated, and was informed that the call would be recorded. The Authority processed a sanctioning procedure against the Department of Health, who was warned for not having fulfilled the duty of information provided for in art. 13 RGPD. At the same time, he filed the rest of the reported facts, since, on the one hand, it was found that the call had been made by SEMSA, on behalf of the CatSalut, to whom the Department had commissioned to make those calls; and on the other hand, it was found that the collection of the reason for not wanting to be vaccinated (by free will) was protected by the applicable health regulations.

A person (A) submitted to a municipal company a request to renew their registration in the Register of Housing Applicants with Official Protection of Catalonia. The company incorrectly incorporated this request into the Register file that corresponded to another person (B), which led to error in the Housing Agency of Catalonia, which erroneously renewed the registration in B and modified its telephone number and its email address. The municipal company is sanctioned with a fine, due to violation of the principle of accuracy.

Indra, in his capacity as sub-processor, did not apply the basic level security measures required by SocMobility in the treatment processor's contract, to ensure a safety level appropriate to the risk (thus to prevent unauthorised persons from accessing these data), since the T-Mobility access portal did not modify the password that the manufacturer of the "Liferay" undercuture assigns to the admin, so that access was opened, and in turn accessible to third parties.

SocMobility (processing controller) did not adequately determine the appropriate security measures to guarantee a safety level appropriate to the risk of the data processing entrusted to Indra (those who are in charge of processing) for the implementation and management of the T-Mobility card, while in the processing order contract the SocMobility entity indicated to Indra that the security measures it had to implement for the provision of the services being commissioned were of the basic level, i.e. it categorized the system as basic, when according to the concurrent circumstances in the processing being commissioned, the basic level was not sufficient.

One entity is sanctioned, absorbing another, within the framework of the provision of a health monitoring service. He sent citation emails to various workers who mistakenly contained data from other workers.

A private entity is sanctioned for having entrusted the management of the medical check appointments of workers to another entity without having formalised the contract of sub-responsor of the treatment, and without having requested the controller to authorise the sub-response of the treatment.

Within the framework of the contracting of a private home aid service, the entity did not make effective the right of information of the person concerned.

The request of the local company, to the banking entities, for the identification data of the persons who have made bank transfers for the payment of funeral rights of which the updated ownership is not stated may be covered by the legal basis. of Article 6.1.e) of the RGPD. With regard to the data relating to the telephone number and e-mail address of the person who made the payment, once their identity is known, it is considered compatible to use the contact details that the same entity has for the management. other funeral rights, as well as the possibility of contacting the person concerned using the data contained in the Municipal Register of Inhabitants or in the INE databases, so that it is the affected person who faciliti. Ultimately, and in a subsidiary manner with regard to the avenues just set out, the communication by banks of the contact details of the persons who have made the payments may be considered compatible if they are previously guarantees the right of the person concerned to oppose it.

The whistleblower complained that the public company fired her while in trial, due to a photograph that would have been made while she was drinking during the labor break. Previous information is archived because it could not be credited that the reported company has performed any processing of the image of the complainant. There is also no evidence to indicate that the company had any interest in obtaining the photograph of the person complaining for use for the purposes described by the person complaining, that is, to motivate the termination of the working relationship.