Resolutions, opinions and reports search tool

The Authority considers that the provisions of the legislation on the prevention of money laundering and terrorist financing on the conduct of an impact assessment in relation to certain data processings could be interpreted, for the case of foundations and associations, to the effect that they should only do so at the same time that, if necessary, they detect facts that might be indications of money laundering or terrorist financing, given the obligation to report them to the SEPBLAC. This is without prejudice to the fact that, in view of the concurrence of certain specificities, the entities consider it appropriate to carry it out in advance in the event that they may encounter any of the communication assumptions imposed by this regulation.

The complaint against a healthcare Foundation is filed, in which the complainant considered that his shared clinical history in Catalonia (HCCC) had been abused, since it was found that the doctor who accessed it did so to assist the complainant in a medical test, and that the information recorded about the access centre actually corresponded to the information about the centre where the doctor regularly provided his services, which was in his user profile.

Infraction of security measures within the framework of an internal audit conducted by the Foundation: 1) in the process of assigning new passwords, it was not guaranteed that credentials were under the exclusive control of users, as in the first entry the system did not force change by the user. 2) This also meant that it could not be guaranteed to know in an undoubted way what, who and when he performed a certain amount of work in the computer system. This lack of security was particularly apparent when auditors created new "ex novo" credentials for the system technician, and with these new credentials they accessed their work team in order to avoid risks in the system.

In order to be able to process the data relating to the vaccine status of Covid19 of the users of the center for the organization of group therapeutic activities on the basis of articles 6.1.c) and 9.2.i) of the RGPD, it would be necessary that the competent public health authorities establish a decision to this effect, which is not stated on the date of issue of this opinion.

The junction of anonymized data coming from different sources in order to develop a mathematical model for the prevention of epidemics and pandemics could end up identifying concrete persons, for which it is necessary to measure, to evaluate and to manage this risk of re-identification adopting the measures adapted to reduce it.

The requesting parent has the right to access a copy of the referral report prepared by the social services, except for the information that refers to the contact details of the other parent, as well as the data of the partner. this one and his daughter. This, except with regard to information affecting minor children, may also have to be restricted in the event that social services detect that there is a conflict of interest between the interests of the requesting parent and those of the minor children. to justify it.

The facts denounced because the sealed|stamped card|letter, user of the home-residence service addressed to the person for disabled persons, deposited in a deprived place for its|his|her|their addressee|recipient (in the rucksack) and accessible are filed by its|his|her|their legal tutors, in spite of the lack of concrete warning|notice to the parents of such performance|action.

The accusing person complained because the managing entity of a home residence for persons with disability, it|he|she would have collected images of its|his|her|their son without its|his|her|their consent. The complaint|denunciation is filed because the entity has denied that it|he|she has collected images, and the generic electronic mail that the entity sent in a massive way is not a sufficient test|proof of the existence of treatment.

Taking into account the principles of purpose limitation and minimization (art. 5.1, sections b) and c) GDPR, there is sufficient empowerment (art. 6.1.c) GDPR and LTC), to communicate to the works council the identity (name and surnames) and, if applicable, the professional category of Foundation workers, which are listed according to the information available in the work census, for the purposes of calculating and contrasting the credit of monthly hours attributed to workers' representatives.

The access on the part of the claimant to the identity of the physical persons buyers of the entries for the opening ceremony of the XVII Games of the Mediterranean, it does not seem justified for attaining the purpose of transparency for the purpose of control of the performances on the part of the entity responsible of the organization. Therefore, it would be necessary to facilitate the information related with the previous sale of entries anonimització of its data. There would not be inconvenience on facilitating the merely identificatives data of the charges or employees who figure in the requested documentation. The access to the identity of the addressing physical persons of the entries given by the Foundation as to consideration of a contract of sponsorship or title free it would be justified for the purpose of transparency, except for the cases in that it is been a matter of persons that they are part of collectives vulnerable and of the supposition in what concrete circumstances alleged in the formality of audience foreseen in the articles 31.1 and 42 of the LTC coincide that they can limit the access.