Resolutions, opinions and reports search tool

The Authority considers that the provisions of the legislation on the prevention of money laundering and terrorist financing on the conduct of an impact assessment in relation to certain data processings could be interpreted, for the case of foundations and associations, to the effect that they should only do so at the same time that, if necessary, they detect facts that might be indications of money laundering or terrorist financing, given the obligation to report them to the SEPBLAC. This is without prejudice to the fact that, in view of the concurrence of certain specificities, the entities consider it appropriate to carry it out in advance in the event that they may encounter any of the communication assumptions imposed by this regulation.

The lack of a sufficient legal basis to enable the processing of workers' personal data in an electoral procedure by electronic voting prevents a response to the questions raised, since it would be necessary to keep to the specific provisions of legal empowerment and possible regulatory deployment, in order to assess the specific aspects relating to compliance with data protection regulations.

The incorporation of the address relative to the domicile in the notifications that must be made through electronic means would be contrary to the principle of data minimization. In this case, it is necessary to adopt the appropriate measures to ensure that the program used to generate the notifications does not incorporate this personal data by default. It is also necessary to proceed with the blocking of this data in the electronic notifications already made to a working person, given their deletion request.

The data protection regulations do not prevent the councilor's access to information on the registrations and deregistrations of the Register that occurred in the specified period, including the date of registration or deregistration, without, in view of what is set out in the query, it is justified to include the name and surname, or the ID number or the address of the registered persons, or any other data that allows the information to be linked to identified or identifiable persons. As for the councilors of the government team, they can be identified with their first and last names indicating the date on which they were appointed or dismissed, but it would not be in line with data protection regulations to provide 'access to coexistence certificates.

The regulations on the protection of personal data would enable, for the purpose of tax management, the communication of data with tax significance to the Tax Administration through a procedure to request the information, in each specific case, when it refers to a specific person or set of people, such as creating a specific mailbox to address requests. On the other hand, in the absence of a general provision establishing this, the regulations would not enable the periodic supply of information. In cases where the protection regulations enable the communication of data, it is not necessary to inform the people affected by the communication to the Tax Administration, in accordance with what is set out. With regard to communication with the aim of improving annual market forecasts and studies, and to complement the information system on the market, it will be necessary to be aware of the provisions of the additional provision of the Tax Code of Catalonia.

The installation of a video surveillance system inside the classrooms of municipal kindergartens could be proportionate in the face of reasonable indications of the possible commission of a serious illegal act by a person working any of the children, exceptionally and for a limited time, and provided that information is provided in accordance with article 89 of the LOPDGDD. The person in charge, however, would not have sufficient legitimacy to install this system so that parents and/or legal guardians can view live images of the activities carried out by their children.

The councilors' access to personal data included in the Municipal Register of Inhabitants may be enabled when, taking into account the specific purposes of the Register, access is necessary and provided for the development of the control functions of the activities of the municipal corporation, or other functions that may be attributed to the councilor, in the terms provided for in the LRBRL. It is not justified for the councilor to access the municipal register of inhabitants to configure the electoral program of the municipal group in relation to the tax ordinances, to perform the relevant calculations, identifying the people who are registered there.

The Foundation's communication to families and students aged over 14 years of information on activities of external entities may have sufficient legal basis in the legitimate interest (art. 6.1.f) GDPR), provided that it refers to activities or entities linked to or related to the nature of the Foundation's schools, and provided that the Foundation applies the specific guarantees set out in the V Legal Foundation of this opinion.

The transparency regulation lays down the minimum content to be disseminated in respect of the partnership agreements by limiting it, as regards personal data, to information on the name and surname of persons acting on behalf of the parties that sign them.

The municipal policy for the use of digital information systems and devices must cover clear rules on the management to be made of the personalised corporate email account, and on the access to the information contained in it, both for the purpose of ceasing the employment relationship and in the event of temporary absence of the worker. It must also include specific provisions regarding the proper use of information systems by its staff and the control that the City Council can make of them to ensure their safety and good functioning. With regard to requests for access to and copying of e-mails by ex-workers, the observations made in this opinion must be taken into account.