Valencia City Council failed to comply with data protection laws

Valencia City Council failed to comply with data protection laws

A few days ago, it was made public the news that the City Council of the city of Valencia has been sentenced by the National Court, for committing serious infringements on data protection, for events that occurred in 2017, through a survey related to falleros issues, a situation that was analyzed and resolved by the AEPD in Resolution R/03532/2017.

Actions carried out by the Valencia City Council

The Delegación de Cultura Festiva del Ayuntamiento de Valencia (data controller), through a third party (data processor) conducted a survey of falleros on the occasion of the proclamation of the Fallas as Intangible Heritage of Humanity by UNESCO, in order to know the socio-cultural impact of the Fallas on its main actors, and the future of the festival. The survey was conducted at street level, on a voluntary basis.

Processing of personal data in the survey

In the survey, questions related to freedom of religion and political issues were asked, such as the economic and political situation of the Valencian Community, whether the respondent is of the extreme right or extreme left, among others.

Similarly, the respondent’s identification data (name and address) and a cell phone number were requested.

The category of data included in the survey is special category data (ideology and religion/beliefs) and respondents’ express consent was not sought for it.

In addition, the data processor linked the answers provided by respondents to their personal data in its files for a period of time.

Very serious infringement

In accordance with current data protection regulations, it will be considered a very serious infringement that in which the processing of personal data occurs without any of the conditions of lawfulness of the processing established in Article 6 of Regulation (EU) 2016/679, one of the conditions of lawfulness being to have obtained the express consent of the data subject for the processing of their personal data (Article 6.1. a) RGPD).

Conclusions

All data controllers, whether they are part of the public administration or the private sector, must be extremely careful in their choice of data processors, as they must provide sufficient guarantees to ensure compliance with data protection obligations, especially if the processing involves special category data.

A bad choice at this point can cause too many inconveniences (not only economic, but also reputational), so we always recommend that in such circumstances, be advised by specialists in the field.

Data protection advisors in Valencia: Business Adapter
www.businessadapter.es
Contact us, we will be pleased to help you.
error: Content is protected !!