Resolutions, opinions and reports search tool

The complainant complains that the hospital where he is receiving medical treatment has provided his personal data to an external company, without his consent. It is established that the company that has processed the data is a data processor that uses his data to fulfill one of the purposes of the data controller, CatSalut. Specifically, for a medical treatment subscribed to by the complainant. For this reason, an archiving resolution is issued.

Taking into account the applicable regulations, it can be considered that there is a sufficient legal basis for the publication and dissemination of the academic qualifications of the group of university students (eg art. 6.1, sections e) and f) RGPD), without prejudice to the necessary compliance with the rest of the principles and guarantees of the data protection regulations. Given the principle of minimization, only the data necessary to comply with the intended purpose should be disseminated, taking into account the parameters and guidelines derived from the seventh additional provision of the LOPDGDD.

A City Council is reprimanded as being responsible for an infraction due to violation of the principle of legality, for having sent to an inspector of the Generalitat-Mossos d'Esquadra police force two instances with personal data without legal basis, specifically, before the opening of confidential information against the reporting agent, and without there being a real danger to public safety or the investigation and prosecution of a crime.

The City Council of Sant Boi de Llobregat is admonished as responsible for an infringement provided for in Article 83.5.a in relation to Article 5.1.f, both of the GDPR, for sending an email to numerous people without using the hidden copy tool.

There is no element that allows to accredit the commission of an infringement of the data protection regulations by the bar association, the only data of the address of the complainant who has registered, and that the bar association provided to the Consejo General de la Abogacía Espa'ola (CGAE) is the one that the same person denouncing them in the moment of registration, without any modification.

In relation to the data published by the representative of a political party in a plenary session of the city council, it is archived because it has not been proven that the published data was provided by the City Council. Furthermore, the data published is incorrect, which is indicative of the fact that the person who provided it was not linked to the City Council. In relation to the leak of personal data through a WhatsApp group, this fact is also archived since the fact that the photographs of the squares (with shifts and schedules) have been exchanged in a WhatsApp group is not an indication sufficient to allow a violation of the principle of confidentiality to be attributed because it is not proven that the people in the group are members of the local police of the City Council.

The claimant complained about the lack of attention to their rights of access and opposition that he would have exercised before the City Council, within the framework of his participation in a process of citizen participation of urban theme. The claim is estimated and the City Council is required to make effective the rights of access and opposition of the claimant and to account for this Authority.

The complainant complained that the City Council would have shared their personal data, in particular the content of the various SAIPs that it had formulated, with other municipalities, which would have received similar requests. The archiving is resolved as long as no evidence element is available that allows to accredit the communication of reported data.

It is necessary to apply the principle of presumption of innocence since the professional who attended and responded to the consultation of the complainant acted in the exercise of its functions and only treated the personal data that the same complainant provided him for the purpose of managing his query.

With the information available, it can be concluded that the jobs of A17 officials who are not LITERate (heads of department) can be considered to be places of special trust, of special responsibility within the organisation or of high pay. Access to individualised information on the pay of public workers must, in principle, be limited to senior managers and staff as well as to staff who hold positions of special trust, of special responsibility within the organisation or high level in the hierarchy of the entity, of free designation, or who carry a high level of pay. With regard to other public workers, the public interest in controlling public activity with regard to the destination of resources could also be satisfied without sacrificing the privacy of the persons concerned in such a way that information must be provided aggregated by groups and levels of intervals. As regards the three-year period of these workers, it would be in line with data protection regulations to provide information grouped by categories or by groups and levels of intervals. It is generally not considered appropriate to data protection regulations to provide information relating to the description, chronologically speaking, of the administrative situation of an entire group of officials throughout their administrative career, whether they are management staff or special responsibility or whether it affects other groups of officials.