Resolutions, opinions and reports search tool

Data protection regulations do not prevent the claimant from having access to information concerning public employees who had intervened in the various previous research actions and disciplinary proceedings processed between 2020 and 2022, both of which have been resolved and who have not participated in the irregular conduct, unless there are exceptional circumstances. However, in accordance with the fundamentals that have been laid down, access to the files can be facilitated through the anonymisation mechanism or, where this measure is not effective, through a summary of the files, so that in no case are the natural persons concerned (people investigated and, if applicable, complainants or witnesses) identifiable.

Data protection regulations would not allow the trade union delegate to access a copy of the payrolls of the work staff affected by the application for access. However, it is possible to communicate the information contained in payrolls in an aggregate way, so as to ensure that they are not identified.

Local government regulations and extensive jurisprudence regulate and specify the right of councilors to obtain all background information, data or information held by the services of the local corporation and necessary for the exercise of their functions. In the event that the requested information contains personal data, as in the case raised in the consultation, the councilor's access could be justified for the exercise of the general functions attributed to the full body of the corporation related to the control and supervision of the bodies. of government, in cases in which the judicial processes are related to issues related to the professional field and linked to the functions in the municipal government of those accused or investigated and not linked to issues of the private or personal sphere of these. Access could also be justified, in cases in which the councilor has functions directly related to the control of the representation and defense of the corporation, with the legal defense of the case, or in another matter directly related to the judicial procedures in progress. . All this, without prejudice to the result of the weighing of the rights at stake, and taking into account the circumstances of each specific case, it will be considered that the right to data protection of the affected persons must be preserved.

It resolves to punish a city council as responsible for 2 offences provided for in police regulations (LO 7/2021), which were caused by the transfer of the police station to new municipal premises: 1) it lacks the placement of video surveillance camera information posters; and 2) it lacks security measures, due to the fact that everyone has a panel of screens in which real-time images were reproduced through cameras installed in public spaces.

It resolves to sanction the City Council as responsible for three infringements: 1) lack of contract for the processor or equivalent document, 2) lack of information on the ends provided for in art.

The corporate email address of a city council, since it allows the identification of the account holder, is a personal data protected by data protection regulations. The processing of personal data resulting from the sending of email messages by a public worker, in particular the inclusion of third-party corporate mail addresses and the submission to an external recipient, may be legal if a legal basis (art. 6.1 GDPR) occurs and compliance with the principle of purpose (art. 5.1.b) GDPR is met. According to the system of liability provided for in the GDPR, the responsibility for infringements of data protection regulations rests with the controllers, without prejudice to the consequences of disciplinary proceedings.

In this case, for the information available, access by the applicant to a copy of the users' register of the drinking water supply service in a town planning, supply contracts and receipts liquidated between May 2022 and February 2023 cannot be considered as justified, nor can it be considered to be the personal data that may appear in the accounting register system established during the replacement in the provision of this service. However, there would be no problem, if necessary, in providing him with economic information, broken down and aggregated on the cost arising from the provision of the service, in the terms indicated in the opinion.

The form of the application in paper format did not include all the information in Article 13 GDPR. The online application form included all the ends of Article 13 of the GDPR, although through a chain of links that made it unreachable and transparent.

The access of the councilors to information regarding the amount and reason for the doubtful debts could find its justification in the control and supervision functions legally attributed to the councilors. This, without the need to provide the identity (name and surname) of all affected natural persons, for the purposes of the minimization principle. This, without prejudice to the fact that, once the information is known in the terms indicated, in some cases it may also be pertinent to know the identity of those affected, a possibility that would require specific consideration, taking into account the principles of data protection.

The data protection regulations allow, in this case, the union delegate to have access to a copy of the decrees of the mayor's approval of the payroll of the staff of the City Council, prior to anonymization of the data of the public employees concerned and limiting their access, if applicable, to any other information that may appear in the said decrees that exceed the object of their claim, pursuant to the principle of minimization of the data (Article 5.1.c of the GDPR). However, it would be possible to provide the merely identifying information contained in the mayor's decrees relating to the mayor, in the terms that have been set out.