In their fight for free access to information and data protection, Spanish EDRi member Xnet contacted the Spanish Data Protection Agency (AEPD). As the AEPD is the institution responsible for the implementation of the General Data Protection Regulation (GDPR) in Spain, Xnet brought up questions about the compliance of the agency’s work with the new regulation.
You can read Xnet’s letter below:
“To whom it may concern,
We have two questions:
1. In order to offer information that should be publicly accessible, you ask for all the personal details of those requesting said information. Does this not clash with article 5 of the GDPR, which states that only the data necessary for performance of the task should be obtained? It is our understanding that for the task of offering information on topics in the public domain, you do not need any data.
As a specific example, in order to ask you this very question, we had to write to you with our electronic certificate, which means you have access to our personal data. As we understand it, your task is to answer these questions to whomever asks; it should have been possible to ask them without you needing to know who we are. Is this not the case? However, you offer no information by email or by telephone, only in response to communications using electronic certificates.
If our understanding is not correct, we would kindly ask you to send us the legal articles that corroborate your interpretation.
2. We do not understand why the Spanish Data Protection Agency, which as previously mentioned is highly demanding with individuals, does not use https (Secure Hypertext Transfer Protocol) by default in its digital spaces. This leaves the data of those who access your websites vulnerable. We would like to know the reason for this.
Thank you for your attention.”
(Contribution by Xnet, EDRi member)