ESF Monitoring & Evaluation and Data Protection in Spain José Leandro Núñez García Director Agencia Española de Protección de Datos
BACKGROUND A brief overview of the Data Protection Framework
A fundamental right The Lisbon Treaty made legally binding the EU Charter of Fundamental Rights. Its Article 8 is devoted to data protection: 1. Everyone has the right to the protection of personal data concerning him or her. 2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. 3. Compliance with these rules shall be subject to control by an independent authority.
Legal framework in Spain Spanish Constitution Directive 95/46/EC Convention 108 LOPD Enacted in 1999 Replaces the Act of 1992 EAEPD RLOPD 4
Legitimacy grounds Personal data may only be processed… With the data subject’s consent… …unless laid down otherwise by law For the exercise of powers by public bodies When necessary for performing a contract To protect the data subject’s vital interests When data are in sources available to the public and it is necessary for the legitimate interests pursued by the controller 5
Legitimacy grounds Data concerning racial origin, health or sex life may only be processed… With the data subject’s explicit consent When provided for by law, for reasons of general interest Where it is required for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment, or the management of health-care services. 6
GENERAL PICTURE ESF Monitoring & Evaluation and Data Protection in Spain 7
How information flows Beneficiaries Participants Managing authorities European Commission Pollsters
How information flows Insofar as they are sharing aggregated information, the processing is not within the scope of the Data Protection legislation Beneficiaries Participants Managing authorities European Commission Pollsters 9
How information flows However, personal data is collected by beneficiaries and pollsters in order to compile statistics. Insofar as they process those personal information, they have to be compliant with the Data Protection legislation. Beneficiaries Participants Managing authorities European Commission Pollsters 10
How to be compliant 1. Legitimacy Citizens apply freely to participate in each program… … CONSENT Once accepted, the collection of their data is necessary to comply with Art. 40 of the Regulation 1826/2006 … processing PROVIDED FOR BY LAW
How to be compliant 2. Information Each application (or poll form) should include a data protection notice, drafted in a clear and plain language: Beneficiary’s (or pollster’s) identity and details Intended purpose of the processing (including stats provided for by Law) Recipients to whom the data will de disclosed Data protection rights 12
How to be compliant 3. Proportionality The collection and subsequent use of data should be limited to such processing as is: Adequate Relevant Non excesive Data collected should be limited to the minimum necessary. 13
How to be compliant 4. Other obligations Purpose limitation Appropriate security measures Data retention periods Confidentiality Ensure respect of data subjects’ rights Notification to the Data Protection Register 14
AN SPECIFIC CASE Self-employed beneficiaries 15
Beneficiaries & participants Pursuant to Art. 7(2)d, the list of beneficiaries shall be published by the managing authority. However, “participants in an operation of the ESF shall not be named”. How to deal with self-employed beneficiaries, who are simultaneously participants? 16
Beneficiaries & participants Ruling of the Court of Justice “Volker und Markus Schecke GbR (C-92/09), Hartmut Eifert (C-93/09) v Land Hessen”. 77. It is thus necessary to determine whether the Council of the European Union and the Commission balanced the European Union’s interest in guaranteeing the transparency of its acts and ensuring the best use of public funds against the interference with the right of the beneficiaries concerned to respect for their private life in general and to the protection of their personal data in particular. 17
Beneficiaries & participants Ruling of the Court of Justice “Volker und Markus Schecke GbR (C-92/09), Hartmut Eifert (C-93/09) v Land Hessen”. 85. It is necessary to bear in mind that the institutions are obliged to balance, before disclosing information relating to a natural person, the European Union’s interest in guaranteeing the transparency of its actions and the infringement of the rights recognised by Articles 7 and 8 of the Charter. No automatic priority can be conferred on the objective of transparency over the right to protection of personal data (see, to that effect, Commission v Bavarian Lager, paragraphs 75 to 79), even if important economic interests are at stake. 18
Beneficiaries & participants Ruling of the Court of Justice “Volker und Markus Schecke GbR (C-92/09), Hartmut Eifert (C-93/09) v Land Hessen”. Articles 42(8b) and 44a of Council Regulation (EC) No 1290/2005 of 21 June 2005 on the financing of the common agricultural policy, as amended by Council Regulation (EC) No 1437/2007 of 26 November 2007, and Commission Regulation (EC) No 259/2008 of 18 March 2008 laying down detailed rules for the application of Regulation No 1290/2005 as regards the publication of information on the beneficiaries of funds deriving from the EAGF and the EAFRD are invalid in so far as, with regard to natural persons who are beneficiaries of EAGF and EAFRD aid, those provisions impose an obligation to publish personal data relating to each beneficiary without drawing a distinction based on relevant criteria such as the periods during which those persons have received such aid, the frequency of such aid or the nature and amount thereof 19
PROSPECTIVES FOR FUTURE A comprehensive data protection framework 20
Future of Privacy Include the fundamental principles of data protection into one comprehensive legal framework. There should be room for flexibility. Specific rules could complement and enhance the protection, provided that they fit within the notion of a comprehensive framework and comply with the main principles. 21
THANK YOU! 22
www.agpd.es