Can personal data contained in communications received through the Internal Information System (IIS) be processed for purposes other than those provided for in Law 2/2023?
The Spanish Data Protection Agency (AEPD) analyses this issue in its Opinion 77/2023, issued in response to a consultation that raised the possibility of using information received through the Internal Information System (IIS) for other purposes once it had been verified that the information did not fall within the material scope of Law 2/2023, of 20 February, regulating the protection of persons who report infringements of the law and the fight against corruption.
Since these communications may contain personal data, their processing falls within the scope of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR) and Organic Law 3/2018, of 5 December, on the Protection of Personal Data and the Guarantee of Digital Rights.
First, it is necessary to identify the legal basis for the processing to be carried out, which depends on whether or not the entity is an obliged subject under Law 2/2023:
- Obliged entities: the legal basis for the processing of personal data is compliance with a legal obligation applicable to the controller, Article 6.1.c) GDPR, since that obligation is laid down in Article 30.2 of Law 2/2023 itself.
- Entities not subject to Law 2/2023: the processing of personal data contained in the communications is presumed to be based on the legitimate interest of the controller (Article 6.1.f) GDPR).
The AEPD's starting point is that Law 2/2023 itself provides both a legal basis and an express purpose for the processing, and that the consultation concerns a new purpose whose legal basis must be determined. To that end, the AEPD highlights the following:
- Communications received through the IIS that do not fall within the subjective or objective scope of application of Law 2/2023 are subject to the same guarantees provided for in that law, and the controller is therefore bound by the same obligations in respect of them.
- The purpose limitation principle is also manifested in Law 2/2023 through a numerus clausus as to the persons who may access the content of the communication, and this continues to apply to those communications that do not fall within the scope of application of the Law.
- Law 2/2023 also sets out what is to be done with communications that fall outside its scope of application: consistent with the purpose limitation principle in data protection law, they are to be deleted once it is established that they fall outside the subjective or material scope.
- Law 2/2023 establishes a retention limit, stating that communications that have not been acted upon must be deleted, unless they are retained for the sole purpose of leaving evidence of the functioning of the system.
Therefore, communications that do not pass the admissibility stage because they fall outside the subjective or objective scope remain within the processing purpose set out in Article 1 of Law 2/2023, and the legal basis for processing the personal data they contain is unchanged: compliance with a legal obligation.
New purpose.
Where the personal data contained in communications received through the IIS are to be processed for a different purpose, the AEPD indicates that ‘this new processing must be brought into line with the principle of purpose and another legal basis for legitimisation must be found’.
Likewise, the AEPD stresses that if a different legal obligation is to be invoked as the legal basis for the new processing, as was proposed in the consultation that gave rise to this opinion, that obligation must meet the requirements that justify an interference with the right to the protection of personal data: the legal provision relied on must provide for the interference, must justify the legal obligation or the public interest behind a processing operation different from that provided for by Law 2/2023, and must establish the necessary guarantees or limits for the proposed processing.
As regards relying on the controller’s legitimate interest as the legal basis, the AEPD emphasises that it is up to the controller to carry out a weighing or balancing test between its own interests and the rights of the data subject.
For this purpose, in accordance with Recital 47 of the GDPR, “account must be taken of the reasonable expectations of data subjects based on their relationship with the controller (…)”. This reference to the foreseeability of the further processing is the determining element both in the compatibility-of-purposes assessment and in the balancing test.
Furthermore, according to Recital 47 of the GDPR, ‘the interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing’.
As a result, the AEPD considers that ‘it is difficult for a hypothetical informant using the internal information system provided for by the law, with its guarantees of confidentiality and anonymity, to reasonably expect that the information he or she provides could be used for a purpose other than that intended by the applicant’.
Compatibility of purposes.
Any analysis of further processing must start from the principle of purpose limitation: under the GDPR, personal data must be collected for specified, explicit and legitimate purposes and must not be further processed in a manner incompatible with those purposes.
The purpose of the processing of personal data contained in the communications, whether or not they are admitted, is regulated by Law 2/2023, together with the procedure to be followed, the duty of confidentiality and the retention period. This applies to all communications received through the IIS, even those that do not fall within the material scope of Law 2/2023.
Applying the parameters set out in Opinion 3/2013 on purpose limitation of the Article 29 Working Party (now the European Data Protection Board), a controller who wishes to use IIS data for a purpose other than that laid down by Law 2/2023 must assess the compatibility of the new purpose, taking into account, among other factors:
- The link between the purposes for which the personal data were collected and the purposes of the intended further processing.
- The context in which the personal data were collected and the reasonable expectations of the data subjects regarding their further use.
- The nature of the personal data and the impact of the further processing on the data subjects.
- The safeguards adopted by the controller to ensure fair processing and avoid undue impact on the data subjects.
It is therefore essential to analyse whether further processing is feasible, to assess whether it is necessary, and to determine the appropriate legal basis to legitimise it; where personal data previously collected are to be used for a purpose other than the original one, a purpose compatibility assessment must also be carried out.
Finally, if the assessment concludes that the purposes are incompatible, the controller, in line with the principle of accountability, will need to consider other ways and mechanisms to compensate for the change of purpose, so as to guarantee the protection of the data subject within the framework of personal data protection law and the provisions of Law 2/2023.
Melanie Díaz
Compliance Department of Molins Criminal Defense.