Ministerio de Transportes, Movilidad y Agenda Urbana – No Violation (Spain, 2021)

The Spanish DPA investigated the impact study carried out by the Spanish Ministry of Transport on the daily commuting trends during the first days of COVID pandemic. In particular the investigation focused on whether the data used for the study was appropriately pseudonymised and whether there was any risk of re-using the data for different purposes to the original ones. Data from individuals' mobile phones belonging to one operator were collected during several days to measure daily commuting trends of people on regular days. This data was pseudonymised by the operator with hash techniques and by grouping the data by areas of origin of at least 5000 people. Then the data was provided to a consultant firm that aggregated such data automatically and then processed it to produce the indicators required by the Ministry of Transport. All the measures put in place to unlink the data, pseudonymise, aggregate and further group and process it to produce the final indicators are considered enough to make practically impossible the identification of the data subjects that originate it. Has the mobility study of the Spanish Ministry of Transport been conducted in compliance with GDPR in particular with the appropriate pseudonymisation of the data and the impossibility to re-use the data for incompatible purposes? The Spanish DPA held that the measures put in place by the Spanish Ministry of Transport to conduct the mobility study were enough to ensure that the data could not be associated to individual people or re-used for purposes incompatible with the original ones.