Resolutions, opinions and reports search tool

The medical history of the reported foundation is configured in such a way that, by design and by default, the foundation's own and external doctors can access it, through the foundation's information systems. This fact caused an external doctor who treated the reporting person within the framework of private healthcare to access his medical history, without his explicit consent or any other legal basis that legitimized this treatment. In this case, the violation of the duty of data protection by design and by default is not imputed, since there is an ideal competition of infringements and only the most serious infringement is imputed; that is, the violation of the principle of legality (qualified as very serious). Nor is the violation of the principle of purpose limitation imputed, because it is subsumed in the infringement relating to the principle of legality.

The City Council should be reprimanded for 1) capturing images of public roads through the video surveillance camera system located on container islands that were not closed or delimited; and 2) process the images captured by this video surveillance system located on public roads, to exercise the sanctioning power against residents of the municipality. There is a medial concurrence between both infractions, but only the main infraction should be sanctioned, which is the violation of the principle of legality regarding the installation of a video surveillance system on public roads.

A City Council is reprimanded as being responsible for an infraction due to violation of the principle of legality, for having sent to an inspector of the Generalitat-Mossos d'Esquadra police force two instances with personal data without legal basis, specifically, before the opening of confidential information against the reporting agent, and without there being a real danger to public safety or the investigation and prosecution of a crime.

The Department of Social Rights (DDS) consulted the tax data of the complainant who was in the possession of the AEAT. This action is considered legitimate, taking into account that in accordance with Law 12/2007 and Law 2/2014 enables the DDS to consult ex officio, and without prior consent of the interested persons, the data of the beneficiaries of aid and those of their "economic unit of coexistence". The DDS has also accredited that in the forms to request aid for the dependency, an information clause is included on the possibility of consulting the data.

One person reported that he had received a call from a call centre for the purposes of COVID-19 vaccination, in which he was asked why he did not want to be vaccinated, and was informed that the call would be recorded. The Authority processed a sanctioning procedure against the Department of Health, who was warned for not having fulfilled the duty of information provided for in art. 13 RGPD. At the same time, he filed the rest of the reported facts, since, on the one hand, it was found that the call had been made by SEMSA, on behalf of the CatSalut, to whom the Department had commissioned to make those calls; and on the other hand, it was found that the collection of the reason for not wanting to be vaccinated (by free will) was protected by the applicable health regulations.

The reported entity sent the unpaid invoices by the leaseholder of a property owned by the complainant, to the complainant since this was the owner of the contracted policy for the supply of water and, therefore, the one obliged to pay the invoices. In this case, regardless of what the parties stipulated in the rental contract, the person who owned the property was obliged to pay before AGISSA. In this regard, it is worth saying that, later, the complainant changed the ownership of the policy in favor of a third person who leased his property and, when he left the property, he asked for the billing to be returned to his name. In this second case, the complainant also asked AGISSA to know the outstanding debt of the tenant since the transfer of rights and obligations of the aforementioned policy could only be carried out if the complainant assumed the amounts not satisfied. Likewise, he also alleged that he needed to know the outstanding amounts in order to be able to claim them judicially to the leased person of his property, to breach the clauses of the rental contract. In accordance with the above, the Authority considered that the sending of said information was protected by Article 6.1 f) RGPD since it was carried out to satisfy the legitimate interests of the complainant. Specifically, to satisfy the legitimate interest of the complainant to obtain the necessary evidence, to claim to the tenant of the property the amounts that he did not satisfy.

The Foundation could send an e-mail reporting on the training it will give this summer to its pupils on the legal basis of legitimate interest, provided that the information is limited to the training programme examined and is addressed exclusively to the pupils of up to 35 years of vocational training cycles, who should be given the option of opposing receiving communications of this kind.

The City Council put into operation and keep the system of fixed video surveillance cameras active in the municipality, without having obtained the prior authorization of the General Directorate of Citizen Security.

The corporate email address of a city council, since it allows the identification of the account holder, is a personal data protected by data protection regulations. The processing of personal data resulting from the sending of email messages by a public worker, in particular the inclusion of third-party corporate mail addresses and the submission to an external recipient, may be legal if a legal basis (art. 6.1 GDPR) occurs and compliance with the principle of purpose (art. 5.1.b) GDPR is met. According to the system of liability provided for in the GDPR, the responsibility for infringements of data protection regulations rests with the controllers, without prejudice to the consequences of disciplinary proceedings.

The City Council stored a common electronic folder, to which all agents and administrative staff of the Local Police could access, a complaint that the complainant filed about the counting of hours of the service days carried out.