Resolutions, opinions and reports search tool

Taking into account the applicable regulations, it can be considered that there is a sufficient legal basis for the publication and dissemination of the academic qualifications of the group of university students (eg art. 6.1, sections e) and f) RGPD), without prejudice to the necessary compliance with the rest of the principles and guarantees of the data protection regulations. Given the principle of minimization, only the data necessary to comply with the intended purpose should be disseminated, taking into account the parameters and guidelines derived from the seventh additional provision of the LOPDGDD.

Access by the bodies representing public workers to the remuneration information of these people on a case-by-case basis will be conditional upon the applicable legislative provisions and concurrent circumstances in the specific case. University workers' committee members on the negotiating Commission for the Equality Plan must be able to access the information in the Retributive Register, which must comply with the terms of Article 28.2 of the ET, despite having professional categories with a small number of workers, while remaining those obliged to respect the confidentiality of the information obtained, as well as the principle of purpose.

It resolves to warn the Autonomous University of Barcelona since it disseminated through the internet the list corresponding to the "Result of the draw for allocation of hospital teaching unit (2022-2023)" that contained personal data of certain students of the degree of medicine. Specifically, their name, surnames and university identification number (hereinafter, NIU). The aforementioned publication allowed third parties to know the hospital center assigned to each student, as well as their NIU, from which you can access other university data of the student (such as academic results). The aforementioned publication violated the principle of minimization of personal data, and constitutes the infringement foreseen in art. 72.1 a) LOPDGDD.

The principle of application is violated, since the processing of biometric data by students is not included in any of the exceptions provided for in Article 9.2 GDPR, for the processing of special categories of data.

The claimant exercised his right to object to the effects that the FUOC did not provide his personal data to (...). In this respect, this Authority cannot ignore the fact that (...) it has the status of processor of the FUOC and that, the legal basis that legitimises the submission of data to (...) is, precisely, the execution of a contract. Given that the processing of controversial personal data does not fall within the scope of Article 21 of the GDPR, in order to exercise the right of opposition, it is appropriate to reject this claim to guardianship of the right of opposition.

The access and obtaining of a copy, by the Personnel Board, of the documentation certifying the merits alleged by the people participating in a provision process does not comply with the data protection regulations, due to the which should limit the query to the identity of the people who have obtained a job and the scores obtained in the different merits assessed.

The complainant, in his capacity as a student of the UAB, received an informative email from the International Day of the Workers' Women. By not wanting to receive any more emails of this type, he responded to the university's email, so his message was received by third parties outside his sender. This is attributable to their actions, and not to a human error or computer error by the reported entity that has led to a violation of the data protection rules, which is why the complaint is filed.

Since the requested entity partially handed over the information subject to the right of access, it is appropriate to estimate the claim, and to require the FUOC to comply with the literality of Article 15 GDPR by handing the claimant any data in his possession referring to his person, with the understanding that, in addition to the submission of the data provided for in the aforementioned article, the documents that are stated in this legal basis, as well as other information relating to the claimant, should be handed over to the claimant, which would open up to the claimant's power.

A person had been registered in a university for the purpose of receiving information about studies, which he did not eventually enroll, and requested the deletion of his personal data, without achieving such a deletion. The Authority dismisses his claim, considering that the university had not deleted his data because that person did not accredit his identity, despite having requested it, and the email address from which he made the application for deletion did not appear in the university's databases.

A former UOC worker, who maintained the role as a student, continued to receive emails linked to her work as a worker (ppi. request) and could continue accessing a folder with information from other people (safety measures).