UTEs and data protection

UTEs and data protection

In this post, Business Adapter data protection will give its view on the obligations of a UTE to comply with the Data Protection Act.

Given the peculiarities of the UTE (it has a CIF but not its own legal personality), they cause great confusion about what the UTE itself must assume, in order to comply with the RGPD and the LOPD-GDD.

What is a joint venture?

A UTE is defined, according to Article 4. 1 of Law 18/1982 of May 26, 1982, on the tax regime for groupings and temporary joint ventures and regional industrial development companies, as the groupings of companies derived from the different contractual modalities of collaboration between entrepreneurs, valid under the law, which, without creating an entity with its own legal personality, serve to facilitate or develop jointly the business activity of its members.

We know, therefore, that the joint venture is materialized through the subscription of a contract that brings together several companies (legal entities). grouping several companies (legal entities) to create a new autonomous to create a new autonomous company, for a single purpose and with a limited life time.

We introduce ourselves to the data protection regulations.

Continuing with the previous defining line, Article 4.7 of the GDPR, indicates the Data Controller as the obliged subject that must comply with the GDPR and defines it as follows:

“Controller” or “Controller” shall mean the natural or legal person, public authority, department or other body which alone or jointly with others determines the purposes and means of the processing; if Union or Member State law determines the purposes and means of processing, the controller or the specific criteria for its nomination may be laid down by Union or Member State law;

In other words, a Controller could be any legal entity that alone or together with other controllers, determines the purposes and means of the processing of personal data.

The GDPR in its Article 4.1 and 4.2, defines a personal data and the meaning of the processing of these, in this way:

personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is any person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person;

“processing” means any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Therefore, we understand that a personal data is considered to be any data that identifies a person (e.g. name and surname) or makes him/her identifiable (e.g. national identity card, telephone, e-mail or image) and that a processing of personal data is any digital or manual operation carried out on this personal data (e.g. data collection, data archiving or its use for different purposes).

Examples of UTEs acting as Controllers

The above exposition reveals that a UTE is a group of legal entities, which determine the need to process personal data, as well as the purposes and means to do so. A good example of this decision to process personal data would be the need to hire its own personnel for the UTE, which implies a data collection, in order to perform labor hiring, payroll, health monitoring, etc.

When a joint venture acts as an employer, it could be understood that it acts as a Responsible Party, since the contractual relationship with the worker falls on it, and the joint venture could also assume other obligations with its workers, such as, for example, contracting outside risk prevention services, among others.

Another example that would show a UTE acting as Responsible is when a web page is created for the project that is the reason for the creation of a UTE. Below, we show several examples of a UTE acting as Responsible, with well differentiated activities and different territorial scope:

La Monteñeta Parking (parkingcentroalicante.es)

EI Sanserito – Nursery School (escuelainfantil-sanserito.com)

UTE Terminal Mérida.

Even clearer would be the example below, which shows a joint venture acting as responsible and having to comply autonomously with the RGPD and the LOPD-GDD:

Let’s suppose that two companies form a joint venture whose activity is a kindergarten. This professional activity requires the appointment of a Data Protection Officer (DPD), as established in Article 34.1 letter b) of the LOPD-GDD.

In the case presented, we will determine that the activity of the two grouped companies does not have the obligation to appoint a DPD, according to the legal basis detailed above and that of Article 37.1 of the RGPD. Therefore, the obligation to have a Data Protection Officer falls on the UTE.

Conclusions

In the three examples shown, it is the UTE that carries out the processing, therefore it must identify itself as the Controller and therefore must comply with the Principles relating to processing (chapter II of the GDPR), the Rights of data subjects (chapter III of the GDPR) and other general Obligations (chapter IV of the GDPR), among other possible obligations.

It is true that a UTE is usually assisted by the companies that have created it and that can provide support for the fulfillment of its obligations in terms of data protection, but this is also done or can be done by certain data processors, but this fact does not change that the UTE can act as the Controller and therefore, must implement in its procedures all that is established in the RGPD and LOPD-GDD, in an autonomous way.

In short, cases have been presented where the UTE would act as the Controller and the need to comply with the RGPD and the LOPD-GDD, although it is true that this need would not apply when the grouped companies that create the UTE are the ones that assume the processing of personal data, for example, instead of the UTE hiring its own workers, it is the grouped companies that provide their own workers for the purpose of the UTE, or instead of the UTE hiring its own suppliers, the contractual relationship is between the supplier company and one of the grouped companies and creators of the UTE.

Business Adapter therefore concludes that a prior and personalized analysis will be necessary to determine whether a UTE acts as a Controller and, if so, to determine what issues it must assume in terms of personal data protection.

Need help?

Business Adapter can help a UTE to comply with the Data Protection Law. We study your case to develop all the necessary technical and organizational measures, so that the UTE complies with data protection regulations(RGPD and LOPD-GDD).

[su_button url=”https://businessadapter.es/contacto” target=”blank” background=”#f6f903″ color=”#181818″ size=”7″ center=”yes” icon_color=”#000000″]Contact us, we will be pleased to help you.[/su_button]

Contact us, we will be pleased to help you.
error: Content is protected !!