Resolutions, opinions and reports search tool

The access and obtaining of a copy, by the Personnel Board, of the documentation certifying the merits alleged by the people participating in a provision process does not comply with the data protection regulations, due to the which should limit the query to the identity of the people who have obtained a job and the scores obtained in the different merits assessed.

The complainant, in his capacity as a student of the UAB, received an informative email from the International Day of the Workers' Women. By not wanting to receive any more emails of this type, he responded to the university's email, so his message was received by third parties outside his sender. This is attributable to their actions, and not to a human error or computer error by the reported entity that has led to a violation of the data protection rules, which is why the complaint is filed.

Since the requested entity partially handed over the information subject to the right of access, it is appropriate to estimate the claim, and to require the FUOC to comply with the literality of Article 15 GDPR by handing the claimant any data in his possession referring to his person, with the understanding that, in addition to the submission of the data provided for in the aforementioned article, the documents that are stated in this legal basis, as well as other information relating to the claimant, should be handed over to the claimant, which would open up to the claimant's power.

A person had been registered in a university for the purpose of receiving information about studies, which he did not eventually enroll, and requested the deletion of his personal data, without achieving such a deletion. The Authority dismisses his claim, considering that the university had not deleted his data because that person did not accredit his identity, despite having requested it, and the email address from which he made the application for deletion did not appear in the university's databases.

A former UOC worker, who maintained the role as a student, continued to receive emails linked to her work as a worker (ppi. request) and could continue accessing a folder with information from other people (safety measures).

The proposed anonymization process would not guarantee the treatment of anonymous data within the Project to be developed by the University. However, the option of articulating the treatment on the basis of the explicit consent of the persons concerned could be considered, without prejudice to the adoption of appropriate measures to ensure that this treatment is in line with the RGPD, such as providing detailed and clear information in this regard, and applying the measures indicated in the opinion to make re-identification difficult.

The collection of data has to respect the principle|beginning of loyalty. For the treatment of special categories of data, it is necessary that one of the foreseen circumstances contributes to article|item 9.2 RGPD. In the collection of data cash has to be made the law|right of information. To determine the appropriate technical and organizational measures to guarantee the security|certainty of the data, it is necessary to make one analysis of risks. With character previous to the treatment, it is necessary to carry out an evaluation of impact related to the data protection when the treatment entails a high risk for the rights and freedoms of the affected persons. The representative of data protection has to take part in all the questions related to the data protection personal in a suitable way and in the appropriate moment.

Based on the information available, the processing of data relating to the communication of a university census to the Department of Health, through the Interuniversity Council of Catalonia, does not have authorization from the point of view of the regulations of data protection, as it is not covered by public health regulations.

The consent of the minor as a juridical basis that fits out the treatment of its|his|her|their data in the area of the rest|subtraction research subject to the regulations regulatory of the autonomy of the patient regarding the informed consent, that is, will be able to concede its|his|her|their consent in so far as the minor is competent, intellectually and emotionally, to understand|include the scope of the intervention about the health itself, and especially when he|it is emancipated or biggest of sixteen years. Otherwise, the assistance is required from the representative, having listened to it|him previously, in any case, if it|he|she is biggest of twelve years. In the case of the biomedical research, since the applicable regulations require the adult age to be able to loan the consent, the minors who are biggest of 14 years cannot loan the foreseen consent to the regulations of data protection. The titular persons of the parental authority or the tutors will have to make it in its|his|her|their place.

The regulations of data protection would not block the access of the progenitor to the academic data of its|his|her|their son, adult and economically dependent, referents in course 2018/2019, to|in the effects of proving its|his|her|their performance, on having to prevail the right to the effective judicial protection.