//by Xavier Seguí López//
Each country has its own peculiarities in terms of data protection regulations. In Europe, while we do have transversal regulations that affect every member of the EU (the General Data Protection Regulation 679/2016), each country is given its own space to clarify issues regarding the regulations. Nevertheless, the main point in regard to data protection regulation is that the countries must comply with it.
“In general terms, the LSSI does not apply to Public Administrations, as they don’t work as an information society service provider, which is defined in its annex. Furthermore, certain typical activities of Public Administrations such as the online management of tax recollection or the information about the services of a third party (as could be the information on the website of a City Council regarding the different rural houses in its municipality) are considered public activities or to be of general interest which differentiates them from the “economic activity” that is mentioned in the LSSI. However, when the activity of an Administration does have an economic background (for example, the selling of tourist books by a public entity dependant on a City Council), the LSSI will apply to it”.
Recently, in November 2021, a resolution was published by the Spanish Data Protection Authority (PS/00219/2021: https://www.aepd.es/es/documento/ps-00219-2021.pdf) which expands the activities carried out by the Public Administration, and can now be considered as a “Service Provider” (in which case, the LSSI would apply to it). Specifically, if the web page has a job bank with a form that allows its users to attach a CV.
• They carry out an economic activity (selling books or tickets for public events, renting rooms in public buildings, etc.)
• They carry out recruitment activities (as, according to resolution PS/00219/201 of the AEPD, this activity would fit into the previous economic activity, as it is a “Service Provider”)
• They use third-party Cookies for analytical or advertising purposes (the most used examples would be Cookies from Google, Facebook, etc.)
Regarding this last point, the public entities’ obligation of having a Cookies Policy on its website would no longer be required for by the LSSI, in my opinion, but rather from the data protection regulation. Having Cookies from third parties located outside the EU comes into conflict with the articles 13.1.f GDPR (the obligation of informing about international data transfer) and 13.2f GDPR (informing about the existence of automated decisions, including profiling).
The aforementioned resolution against the European Parliament seems to be, at least partially, in line with these thoughts. And I say partially because, after all, it is likely that in the following months the issue dealt with here may be called into question, either because the use of these types of resources will be prohibited in public web pages or because a new EU-USA bilateral agreement will be approved, known as the “Trans-Atlantic Data Privacy Framework”.
Xavier Seguí López is Lawyer specialized in Data Protection, IT & IP