Resolutions, opinions and reports search tool

The Foundation could send an e-mail reporting on the training it will give this summer to its pupils on the legal basis of legitimate interest, provided that the information is limited to the training programme examined and is addressed exclusively to the pupils of up to 35 years of vocational training cycles, who should be given the option of opposing receiving communications of this kind.

The complainant complained that, within the framework of the processing of a request for access to public information, the GAIP would have revealed to third parties affected by the access, their identity without the latter having requested it. However, in the pre-information phase initiated by this Authority, the complained entity has stated that, one of the persons affected by the access asked to know who was requesting controversial information. In this regard, in accordance with Article 62 RLTC, the GAIP considered, after consulting the applicant, that the submission of the application with its identity could be essential for the defense of the rights and interests held by the third party concerned. That being so, it should be noted that, consulted by the GAIP, the person here denouncing consented to the revelation of his identity. According to the above, therefore, the reported treatment was left open by Article 6.1(a) and c), in connection with the LLT and the LTTE, which is why the present actions are being closed.

The right of access that the claimant formulated to the City Council of Sant Quirze del Vallès is estimated in relation to the purpose of processing the data provided to a municipal school. The City Council alleged that the petition had not been presented in the proper way and that it referred to data from a collective.

A private center communicated the result of an antigen test to the Health Department and this one, provided the said information to the educational center where the complainant provided his services. In this regard, Article 23 of Law 2/2021 of 29 March, on urgent measures for prevention, containment and coordination to deal with the health crisis caused by Covid-19 obliges establishments that carry out COVID-19 diagnostic tests to submit, on a daily basis, the results of the tests they carry out to the health authority and, in turn, Article 8.4 of Decree Law 41/2020, on extraordinary measures in the field of education to deal with the consequences of Covid-19, determines that the Health Department must communicate to the directors of educational centres, the health data corresponding to the results of the diagnostic tests. This being the case, it is appropriate to file the facts indicted since the communications concerned were carried out under Article 6.1 of the GDPR, in compliance with a legal obligation (in the case of the private laboratory), and in the exercise of public powers (in the case of the Ministry of Health). It should also be noted that, despite the notification of health data, the exceptions provided for in Article 9(2) and (i) of the GDPR would apply, which would allow the lifting of the ban on Article 9(1) of the GDPR.

Una madre denunció que la escuela había pedido que el primer día del curso escolar 2021-2022 aportaran el certificado de vacunación de covid-19 de su hijo menor de edad (de 12 años o más); que el dedo certificado también se pedía al personal de la escuela, y que la escuela tenía acceso a la aplicación informática Traçacovid. La denuncia se archiva porque, si bien se cierto que inicialmente la escuela se lo pidió, antes de iniciar el curso escolar comunicó a las madres y padres de alumnos que no lo aportaran (en base a una modificación de última hora del Plan de actuación para el curso 2021‐2022 para centros educativos en el marco de la pandemia); por otro lado, también se archiva porque no hay constancia que la escuela hubiera recogido ningún certificado de vacunación, y que la escuela negó tanto que requiriera el certificado a su personal, como haber accedido a la Traçacovid, y tampoco constan indicios. Además de los motivos de archivo, se concluye que el tratamiento de datos de salud por parte de los centros educativos por motivo de la gestión de los casos positivos de covid-19, estaría amparada por los 6.1.e) y 9.2.g) y y) del RGPD.

Infringement of the principle of application is required due to lack of legal basis in Article 6.1 GDPR. The Institute sent a statement with an attached document, to all parents, informing students of the optional subjects they will take, identified with the DNI number, and in order to purchase the school material. The DNI number is personal data, despite being treated in isolation.

The installation of a video surveillance system inside the classrooms of municipal kindergartens could be proportionate in the face of reasonable indications of the possible commission of a serious illegal act by a person working any of the children, exceptionally and for a limited time, and provided that information is provided in accordance with article 89 of the LOPDGDD. The person in charge, however, would not have sufficient legitimacy to install this system so that parents and/or legal guardians can view live images of the activities carried out by their children.

The Foundation's communication to families and students aged over 14 years of information on activities of external entities may have sufficient legal basis in the legitimate interest (art. 6.1.f) GDPR), provided that it refers to activities or entities linked to or related to the nature of the Foundation's schools, and provided that the Foundation applies the specific guarantees set out in the V Legal Foundation of this opinion.

The principle of application is violated, since the processing of biometric data by students is not included in any of the exceptions provided for in Article 9.2 GDPR, for the processing of special categories of data.

An education inspector incorporated unnecessary information concerning the person's working life by denouncing in the report he issued in response to a request from the Syndic of Greuges, a move in which he violated the principle of minimisation, as he gave more information than was necessary for the intended purpose.