Share on social networks!

The right of access to information covers our geolocation data

Geolocation data

Recently, the Spanish Data Protection Agency through the Procedure EXP202213697 has resolved the right of interested parties to access the geolocation data that is used and processed by the data controller. In this case, the intern, through article 15 of the General Data Protection Regulation 2016/679, requested the right of access to information from his telephone company, in this case Vodafone, in which he requested the geolocation data of each company. of the contracted lines.

The operator responded to the interested party indicating that said data was not recorded in its files and that, therefore, it could not provide any information. Response that was presented to the Control Authority since the interested party considered that his right had not been attended to correctly and that he was not given data that was processed by the data controller.

What legal arguments did the operator use to not provide geolocation data?

Mainly his argument pivoted based on the Law 25/2007, of October 18, on the conservation of data related to electronic communications and public communications networks.

To the company, The interested party's request exceeds the scope of the exercise of the right of access to their personal data since it understands that the obligations of conservation and transfer of said data are only to public agents and always with prior judicial authorization in accordance with article 6 of the aforementioned law, so it could only facilitate access to said information to the authorities in within the framework of a criminal investigation and prior judicial authorization.

Geolocation Data

What does the Spanish Data Protection Agency say?

Article 15.1 of the GDPR states that “The interested party will have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her is being processed and, in such case, the right of access to the personal data and the following information”.

It indicates that Vodafone is only limited to stating that is not obliged to grant said right because, in his opinion, their conservation would be legally established with the sole objective of being placed at the disposal of the security forces and bodies, prior judicial authorization, in accordance with the provisions of Law 25/2007, of October 18. However, once the nature of the requested information as “personal data” has been determined, the only exceptions that may be established regarding the exercise of any right established in articles 15 to 22 of the Regulation will be those legally established.

It also makes an assessment of the legal argument that the telephone company makes when relying on article 9 of Law 25/2007, so the AEPD understands that The same provision does not establish any restriction in relation to the possibility of exercising the right of access.. It only contains the obvious precautions that the owner of the data will not have to be notified of the transfer of the data (an obvious issue since these are criminal investigations), and that the right to deletion cannot be exercised.

Geolocation Data Rights

The Control Authority concludes by establishing that the location data of the telephone line may be the subject of a request for the right of access.

The right of access is a very personal right. It allows citizens to obtain information about the processing that is being done to their data., the possibility of obtaining a copy of the personal data that concerns you and that is being processed, as well as information, in particular, on the purposes of the processing, the categories of personal data in question, the recipients or categories of recipients to whom the personal data were communicated or will be communicated, the expected period or conservation criteria, the possibility of exercising other rights, the right to file a claim with the supervisory authority, the information available on the origin of the data ( if these have not been obtained directly from the owner), the existence of automated decisions, including profiling, and information on transfers of personal data to a third country or an international organization.

Don't miss all the latest news on Data Protection & Regulatory Compliance from the best professionals in the sector in our Professional Master in Compliance & Data Protection Management.

Subscribe to our newsletter to stay up to date with all the news

Basic information on data protection.
Responsible for the treatment: Mainjobs Internacional Educativa y Tecnológica SAU
Purpose: Manage your subscription to the newsletter.
Legitimation for processing: Explicit consent of the interested party granted when requesting registration.
Transfer of data: No data will be transferred to third parties, except under legal obligation.
Rights: You may exercise the rights of Access, Rectification, Deletion, Opposition, Portability and, where applicable, Limitation, as explained in the additional information.
Additional information: You can consult additional and detailed information on Data Protection at https://www.mainfor.edu.es/politica-privacidad
Blog Master Dpo

Leave a comment