Resolutions, opinions and reports search tool

El tratamiento de los datos necesarios para la realización de las pruebas de los procesos de selección de personal, incluidas los datos de salud de los participantes, tiene como base jurídica el cumplimiento de una misión en interés público y el cumplimiento de obligaciones específicas de las administraciones competentes establecidas por la normativa de función pública. La grabación de las pruebas psicotécnicas requiere, además de su previsión en las correspondientes bases de las convocatorias (con la concreción y determinación de las garantías específicas necesarias), la realización previa de una AIPD. No parece que la base jurídica del consentimiento sea adecuado para legitimar el tratamiento de los datos de los aspirantes a un proceso selectivo con la finalidad descrita, dado que no se puede considerar que en el caso planteado pudiera haber un consentimiento realmente libre, ni la posibilidad de establecer medios alternativos que garantizaran el principio de igualdad que tiene que regir los procedimientos selectivos.

Data protection regulations do not prevent the complainant from having access, if he is delegated from a trade union organisation that has the most representative status, to information on training data, professional experience, as well as punctuation with respect to merits and other valorative elements that have been taken into account in the selection process and the scores awarded in relation to the subject. In the event that the complainant does not belong to a union organization that has the most representative status, the information must be limited to the identity of the person selected in a selective process - if applicable, the worker concerned - and the scores obtained in the different merits or tests.

The Human Resources unit of a City Council ended up accessing, through its Occupational Risk Prevention Service, information on whether one of its workers had been inoculated with the 2nd dose of covid19.

The City Council published the list of admitted and excluded persons with identification of accepted candidates (name and surnames) in accordance with the applicable regulations and during the indispensable period to satisfy the purpose of advertising and notification, no violation of the data protection regulations is seen.

It is decided to file the present complaint, given that the accused City Council and, in particular, the Chief Inspector of the Local Police, included references to the data on the person's health reporting - who holds the status of local agent - since these were necessary to resolve the desirability of initiating a disciplinary file against him, for alleged withdrawal from service on health grounds. Thus, this Authority concludes that the processing of controversial personal data was covered by Article 6.1e) - processing carried out in the exercise of public powers - and that the circumstances provided for in Article 9.2 (f) and g) GDPR, which lift the prohibition on processing health data in Article 9.1 (GDPR).

The data protection regulations do not prevent access to information relating to the call and the bases of the selective processes carried out by the City Council, the rest of the acts of the processes subject to publication and, in particular, to the results of the called processes. Now, taking into consideration the circumstances that come together in the particular case, from the point of view of the general purpose of transparency, access to the tests carried out by the candidates in each of the selective processes, nor to the contracts of formalized work

One entity is sanctioned, absorbing another, within the framework of the provision of a health monitoring service. He sent citation emails to various workers who mistakenly contained data from other workers.

A private entity is sanctioned for having entrusted the management of the medical check appointments of workers to another entity without having formalised the contract of sub-responsor of the treatment, and without having requested the controller to authorise the sub-response of the treatment.

The registration of the pension scheme is a lawful treatment. It is not mandatory to report access to the data of the management and depository entities of the plan, since they have the status of processors.

The access and obtaining of a copy, by the Personnel Board, of the documentation certifying the merits alleged by the people participating in a provision process does not comply with the data protection regulations, due to the which should limit the query to the identity of the people who have obtained a job and the scores obtained in the different merits assessed.