Toledo command sanctioned for using unofficial personal database

For example, it recorded information on all cases of gender violence (VioGén System) of which the armed institute was aware in the province, Asesgc reported at the time. To this end, the Operations Headquarters had ordered officers to daily upload data from the automated file known as SIGO (Integrated Operational Management System) to an undeclared database called “Toletum”. With this it was generated “processing of personal information out of control” of the Spanish Data Protection Agency, according to the association of non-commissioned officers.

The Asesgc held the head of operations, Lieutenant Colonel Montero, responsible. However, the head of the Toledo command, Colonel Francisco Javier Vélez Alcalde, then denied to ABC that the request was clandestine, because It was “hosted on the official computer server”.

When the affair was discovered, the AEPD carried out an audit and its results were made public through a publication in ‘La pauta’, the Aesgc magazine in which this affair was reported, although the resolution is dated June 19. “There are gaps in security measures” and there was no “data deletion policy” either.which persisted in “Toletum” despite its cancellation in official systems. These are some of the conclusions of the 31-page final report, signed by the agency’s director, Mar España Martí, and sent to the ombudsman, Ángel Gabilondo.

For its report, to which ABC had access, the AEPD requested documents from the General Directorate of the Civil Guard. The General Sub-Directorate for Data Inspection carried out an inspection of the Toledo Commandwhere those responsible justified the tool to apply the “required” security measures for victims of gender violence. They defended that with “Toletum” “the processes were automated and the coordination and collaboration of efforts were effectively improved (…), facilitating the control and supervision of their work by the command and control structures “. They also pointed out that, “Given the usefulness”, the General Directorate of the Civil Guard was going to study “the possibility of developing an official application”collects the agency’s report.

Those responsible for “Toletum” declared that, thanks only to the information contained in this tool, it was not possible to identify the victims or the attackers by their first and last name. To do that, they said, they had to look to other apps where this and other affiliate data mattered. Considering that “Toletum” did not contain personal data, they did not request a report from the Data Protection Officer of the Civil Guard nor carry out an analysis of the risks that the processing of the data could present.

The General Directorate of the Civil Guard was not informed and is not recorded in official documents because, “until the news is published in February 2023”, it told AEPD, The Toledo command was not “aware” that its actions “could be contrary to data protection regulations”.. And that following the publication, “those responsible for the Command requested an audit of the Data Protection Unit of the General Directorate of the Civil Guard, “offering their collaboration to try to clarify the facts”, they said. -they explained.

For the Asesgc, this is a “an exemplary resolution which, for the first time, imposes harsh sanctions” to a public administration “for having constituted a clandestine database”. However, the AEPD does not impose any financial sanctions because it is a public administration, “albeit with clear responsibilities”. From Asec, they designate the lieutenant-colonel as head of operations “with the approval of the colonel” head of barracks. From the Toledo command, official sources responded to ABC that “This is an internal matter for the Civil Guard.”