Resolutions, opinions and reports search tool

This report analyses the content of the documentation provided on a European research project, in particular in relation to the following issues: determination of liability or, where appropriate, co-responsibility of the processing; The information flows provided; International data Transfers (TID); Security; The use of anonymous data or pseudonimization. With regard to the processing of images captured with cameras by the city Council, this, as responsible, must have a sufficient legal base and must ensure compliance with the rest of the requirements of the data protection regulations. It is also necessary to provide an informed consent in the terms of article 4.11, and inform those affected (art. 13 RGPD).

The international transfer from data in the external offices of the entity on the basis of the type clauses of data protection adopted by the Commission would be legitimated by the article 46.2.c) of the RGPD, although it is necessary that the instruments that these clauses incorporate into adapt to the Decision 2001/497/CE, of 15 June 2001, and to the RGPD.

For the information offered by the same managing companies of the solutions of analyzed SMI, and of the reports and studies that have been able to be consulted, it is inferred that the analyzed applications fulfill certain aspects of the foreseen ones to the Resolution 280/XI of Catalan Parliament, although in some aspects, at least regarding the information that offers itself about this, it could be clearly improvable. The analysis of the different aspects made with respect to the three analyzed solutions (Whatsapp, Telegram and Nepcom), within the framework of the general analysis that had already been made in the Judgement CNS 55/2016, it can be an element to take Catalans into account when choosing a determinate application on the part of the public administrations. A more precise pronouncement about the fulfillment or noncompliance on the part of one of these entities, would require to carry out a process of research or auditing about these entities, which, in any case it would not correspond to make To this Authority but To the Spanish Agency of Data Protection.

Leaving aside the communications of data destined to countries of the EU, like this how those made in Argentina and Israel, the transfers aimed for by the entity will only be able to be made if suitable guarantees about the protection that the data will receive are brought in its destination in the terms established in the article 46 of the RGPD, since it has not been stated that the countries that will be addressing offer a suitable level of protection and since a priori none of the exceptional suppositions of the article 49.1 of the RGPD would result from application. This, without harm of the fulfillment of the rest of principles and duties established on the subject of data protection.

Leaving aside the communications of data destined to countries of the EU, the transfers aimed for by the entity will only be able to be made if suitable guarantees about the protection that the data will receive are brought in its destination in the terms established in the article 46 of the RGPD, since it has not been stated that the countries that will be addressing offer a suitable level of protection and since a priori none of the exceptional suppositions of the article 49.1 of the RGPD would result from application. This, without harm of the fulfillment of the rest of principles and duties established on the subject of data protection.

The contract examined of order of the treatment for the starting of a platform of civic participation can adapt to the regulations of data protection if the considerations made the relative ones in the judgement, especially, are taken into account to the need to specify the safety measures to implement for the person in charge and the fate of the data linked to the provision of the service, as well as of informing the users of the aspects related to the treatment of its data, especially, regarding the foreseen publication. It corresponds to the town council to keep vigil so that the international transfers from data that can take place adapt to the regulations of data protection.

The Decision of the Commission of 5 February 2010 taking into account, the Resolution of the AEPD of 9 May of 2014, as well as the adhesion of Microsoft to the Shield of Privacy, can be considered that the contract of order of the treatment that could subscribe the University with Microsoft in relation to the services "Microsoft 365" and "Microsoft Azure", it would be in principle fitting to the demands of the regulations of data protection (LOPD, RLOPD and RGPD). Regarding the technical and organizational safety measures to guarantee the security of the data, can be considered that "Microsoft 365" and "Microsoft Azure" can be the forecasts of Microsoft in relation to the services, a priori, suitable for what he foresees the regulations of data protection taking into account that the implantation of the foreseen measures is an object of certification and auditing on the part of one third independent.

The public administrations have to check that the third lenders of services and of systems of communication fulfill their responsibilities, it is already as persons in charge of the treatment or, if it is proper, as responsibles for the treatment of the data of the users (in the case of the SMI), since the treatment is subjected to the demands of the principles and guarantees of the European regulations of the protection of data (LOPD, RLOPD, and RGPD). When they consider the choice of a determinate system of instant messaging (SMI) they should take the purpose of the communication, the personal information which it is necessary to treat, into account, especially; the consent of the affected ones; the model of security and the evaluation of impact and the concrete applied safety measures; the mechanisms of certification; the international transfers from data and the location of the servers; the law of information and the transparency, in attention to the forecasts of the European regulations of protection of data.

When the data do not retire of the interested person but that facilitates them a third person, the assign does not have the duty to inform the persons affected if the communication is expressly foreseen in a law. The STJUE of 6 October 2015 has declared disabled the Decision 2000/520/CE, about the adequacy of the protection conferred by the principles of Port Segur, for the international transfers from data from the European Union towards the United States. Until the European Commission does not approve the adequacy of a new frame for the international transfer from data between Europe and the United States (EU-YOU Privacy Shield), it is necessary to be in the rest of habilitants suppositions for the international transfers of data.

The communication of data of the municipal census of inhabitants to public administrations of other countries requires to have the consent of the affected persons or with a rule with rank legal that fits out the communication and at the same time, in case the country of fate is not part of the European Economic Space, to comply with the specific régim established in the articles 33 and 34 of the LOPD for the international transfers from data. The article 16.3 of the LRBRL or the article 21 of the LOPD has to discard the possibility to communicate data of the municipal census of inhabitants to public administrations of other states with regard to what he establishes, since these would not have fitted in the concept of public administration that the article establishes 2 of the LRJPAC.