AEPD (Spain) - TD/00133/2020: Difference between revisions

From GDPRhub
mNo edit summary
mNo edit summary
Line 50: Line 50:
}}
}}


The Spanish DPA (AEPD) held that the data controller must give an express answer which justifies by any means the receipt of a request for erasure, without undue delay, under Art.12 GDPR.  
The Spanish DPA (AEPD) held that the data controller must give an express answer which justifies by any means the receipt of a request for erasure, without undue delay, under Article 12 GDPR.  


==English Summary==
==English Summary==
Line 62: Line 62:


===Holding===
===Holding===
The AEPD found that Art.12 GDPR does not allow the data controller to ignore the request after the on-month deadline. In the event where there is no personal data, where the request does not fulfil the requirements for the exercise of the right to erasure but rather the right to rectification or the request has to be rejected, the controller must indicate the reasons of the refusal. In any case the controller must provide an answer which justifies by any means the receipt of the request. Therefore, the APED clarified the obligation upon the data controller to give an express answer without undue delay.  
The AEPD found that Article 12 GDPR does not allow the data controller to ignore the request after the on-month deadline. In the event where there is no personal data, where the request does not fulfill the requirements for the exercise of the right to erasure but rather the right to rectification or the request has to be rejected, the controller must indicate the reasons of the refusal. In any case the controller must provide an answer which justifies by any means the receipt of the request. Therefore, the APED clarified the obligation upon the data controller to give an express answer without undue delay.  
In the case at hand, the right to erasure has not been complied with due to the lack of answer. Thus, the AEPD ordered the data controller to send the complaint an answer within the limit of 10 working days.
In the case at hand, the right to erasure has not been complied with due to the lack of answer. Thus, the AEPD ordered the data controller to send the complaint an answer within the limit of 10 working days.




==Comment==
==Comment==
The order to comply with the GDPR is not a surprise. However, it’s interesting to notice that the AEPD did not give reason for its decision on the basis of Art. 17 GPDR (and the equivalent in domestic law) but on Art.12 GDPR. Therefore, this decision reinforces the obligation upon data controller to give an express answer for any rights exercised under Art. 15 to 22 GDPR, by virtue of Art. 12 GDPR.  
The order to comply with the GDPR is not a surprise. However, it’s interesting to notice that the AEPD did not give reason for its decision on the basis of Article 17 GPDR (and the equivalent in domestic law) but on Article 12 GDPR. Therefore, this decision reinforces the obligation upon data controller to give an express answer for any rights exercised under Articles 15 to 22 GDPR, by virtue of Article 12 GDPR.  


==Further Resources==
==Further Resources==

Revision as of 10:27, 4 November 2020

AEPD - TD/00133/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 12 GDPR
12 LOPDGDD
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 30.10.2020
Fine: None
Parties: Associació per la participació política a Catalunya
National Case Number/Name: TD/00133/2020
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Juliette Leportois

The Spanish DPA (AEPD) held that the data controller must give an express answer which justifies by any means the receipt of a request for erasure, without undue delay, under Article 12 GDPR.

English Summary

Facts

The data subject - the complainant - filed a complaint with the AEPD against the organisation “l’Associació per la Participació Política a Catalunya (AppCat)” for failure to comply with his right to be forgotten.

Indeed, the data subject required from the data controller the erasure of his personal data. No answer to his request has been received.

Dispute

Does the GDPR allow the data controller to ignore a request for erasure ?

Holding

The AEPD found that Article 12 GDPR does not allow the data controller to ignore the request after the on-month deadline. In the event where there is no personal data, where the request does not fulfill the requirements for the exercise of the right to erasure but rather the right to rectification or the request has to be rejected, the controller must indicate the reasons of the refusal. In any case the controller must provide an answer which justifies by any means the receipt of the request. Therefore, the APED clarified the obligation upon the data controller to give an express answer without undue delay. In the case at hand, the right to erasure has not been complied with due to the lack of answer. Thus, the AEPD ordered the data controller to send the complaint an answer within the limit of 10 working days.


Comment

The order to comply with the GDPR is not a surprise. However, it’s interesting to notice that the AEPD did not give reason for its decision on the basis of Article 17 GPDR (and the equivalent in domestic law) but on Article 12 GDPR. Therefore, this decision reinforces the obligation upon data controller to give an express answer for any rights exercised under Articles 15 to 22 GDPR, by virtue of Article 12 GDPR.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                                 1/5










     File No.: TD / 00133/2020



                           RESOLUTION Nº: R / 00457/2020

       In view of the claim made on January 14, 2020 before this Agency by

Mrs. A.A.A. , (from now on the complaining party), against ASSOCIACIÓ PER LA
POLITICAL PARTICIPATION TO CATALUNYA, (from now on the claimed party), by
not having duly attended to their right to erasure.

       The procedural actions provided for in Title VIII of the Law have been carried out.
Organic 3/2018, of December 5, Protection of Personal Data and guarantee of

digital rights (hereinafter LOPDGDD), the following have been verified

                                       ACTS


FIRST: On November 18, 2019, the complaining party exercised the right
suppression against the claimed, without your request having received the answer
legally established.

       The complaining party provides various documentation related to the claim
raised before this Agency and on the exercise of the right exercised.



SECOND: Once the procedure provided for in article 65.4 of the LOPDGDD has been completed,
The claim was admitted for processing and the claimed entity was granted
hearing, so that within fifteen business days the allegations that

deemed convenient.

       The claimed entity has not replied to this Agency and has not proven that
has responded to the request for the exercise of rights that was presented by
the complaining party.



                           FOUNDATIONS OF LAW


FIRST: The Director of the Spanish Agency for

Data Protection, in accordance with the provisions of section 2 of article 56 in
in relation to paragraph 1 f) of article 57, both of Regulation (EU) 2016/679 of the
European Parliament and of the Council of April 27, 2016 on the protection of
natural persons with regard to the processing of personal data and the free
circulation of these data (hereinafter, RGPD); and in article 47 of the LOPDGDD.


SECOND: In accordance with the provisions of article 55 of the RGPD, the Agency
Spanish Data Protection is competent to perform the functions that
are assigned to it in its article 57, among them, that of enforcing the Regulation and
promote the awareness of those responsible and those in charge of the treatment

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/5








about their obligations, as well as dealing with claims
submitted by an interested party and investigate the reason for them.


       Correlatively, article 31 of the RGPD establishes the obligation of the
responsible and in charge of the treatment to cooperate with the control authority
that he requests it in the performance of his functions. In the event that these have
designated a data protection officer, article 39 of the RGPD attributes to
This one the function of cooperating with said authority.


       Similarly, the domestic legal system, in article 65.4 the
LOPDGDD, has provided a mechanism prior to the admission for processing of the
claims that are made before the Spanish Agency for Data Protection, which
consists of transferring them to the data protection delegates
designated by those responsible or in charge of the treatment, for the intended purposes

in article 37 of the aforementioned rule, or to these when they have not designated them, to
to proceed to the analysis of said claims and to respond to them within the period of
one month.

       In accordance with these regulations, prior to admission for processing
of the claim gives rise to this procedure, it was transferred to the

responsible entity to proceed with its analysis, provide a response to this Agency
within a month and certify having provided the claimant with the proper response,
in the event of exercise of the rights regulated in articles 15 to 22 of the
RGPD.


       The result of said transfer did not allow the satisfaction of the
claims of the complaining party. Consequently, dated XXXXXXXX, at
effects provided for in article 64.2 of the LOPDGDD, the Director of the Agency
Spanish Data Protection Agency agreed to accept the submitted claim for processing.
Said admission for processing agreement determines the opening of this procedure

lack of attention to a request to exercise the rights established in the
Articles 15 to 22 of the RGPD, regulated in article 64.1 of the LOPDGDD, according to the
which:

"1. When the procedure refers exclusively to the lack of attention of a
request to exercise the rights established in articles 15 to 22 of the

Regulation (EU) 2016/679, will start by agreement of admission for processing, which is
adopt in accordance with the provisions of the following article.
In this case, the period to resolve the procedure will be six months from
from the date that the claimant was notified of the admission agreement to
Procedure. After this period, the interested party may consider his

claim."

       The purging of administrative responsibilities is not considered appropriate in
the framework of a sanctioning procedure, the exceptional nature of which implies that
opt, whenever possible, for the prevalence of alternative mechanisms that

have protection in current regulations.

        It is the exclusive competence of this Agency to assess whether there are responsibilities
administrative procedures that must be purged in a sanctioning procedure and, in

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/5








Consequently, the decision on its opening, there being no obligation to initiate a
procedure before any request made by a third party. Such a decision must
be based on the existence of elements that justify said start of the activity

sanctioning, circumstances that do not concur in the present case, considering that
With this procedure, the guarantees and
Claimant's rights.

THIRD: Article 12 of Regulation (EU) 2016/679, of April 27, 2016,
General Data Protection (RGPD), provides that:


       "1. The controller will take the appropriate measures to facilitate
the interested party all information indicated in articles 13 and 14, as well as any
communication in accordance with articles 15 to 22 and 34 regarding the treatment, in the form
concise, transparent, intelligible and easily accessible, with a clear and simple language, in

particular any information specifically directed at a child. Information
will be provided in writing or by other means, including, if applicable, by means
electronic. When requested by the interested party, the information may be provided
verbally provided that the identity of the interested party is proven by other means.
    2. The person in charge of the treatment will facilitate the interested party the exercise of their
rights under articles 15 to 22. In the cases referred to in article 11,

section 2, the controller will not refuse to act at the request of the interested party in order
to exercise your rights under articles 15 to 22, unless you can demonstrate
that it is not in a position to identify the interested party.
    3. The person responsible for the treatment will provide the interested party with information regarding their
proceedings on the basis of a request pursuant to Articles 15 to 22, and, in

In any case, within one month of receiving the request. Saying
The term may be extended for another two months if necessary, taking into account the
complexity and number of requests. The person in charge will inform the interested party of
any of said extensions within a period of one month from the receipt of the
request, stating the reasons for the delay. When the interested party presents the

request by electronic means, the information will be provided by electronic means
when possible, unless the interested party requests that it be provided otherwise.
    4. If the person responsible for the treatment does not comply with the request of the interested party,
will inform without delay, and no later than one month after receiving the
request, the reasons for not acting and the possibility of submitting a
claim before a control authority and to exercise legal actions.

    5. The information provided by virtue of articles 13 and 14 as well as all
communication and any action carried out pursuant to articles 15 to 22 and 34
they will be free of charge. When the requests are manifestly unfounded or
excessive, especially due to its repetitive nature, the person responsible for the
treatment may:

    a) charge a reasonable fee based on the administrative costs incurred
to facilitate information or communication or carry out the requested action, or
    b) refuse to act on the request.
    The data controller will bear the burden of proving the character
manifestly unfounded or excessive of the request.

    6. Without prejudice to the provisions of article 11, when the person responsible for the
treatment has reasonable doubts regarding the identity of the natural person
making the request referred to in articles 15 to 21, may request that
provide the additional information necessary to confirm the identity of the interested party.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/5








    7. The information that must be provided to the interested parties by virtue of articles
13 and 14 may be transmitted in combination with standard icons that allow
provide easily visible, intelligible and clearly legible an adequate
overview of the planned treatment. Icons presented in the format
electronic will be machine readable.

    8. The Commission is empowered to adopt delegated acts in accordance with
Article 92 in order to specify the information to be submitted through
icons and procedures for providing standard icons. "

FOURTH: Article 12 of the LOPDGDD determines the following:
       1. The rights recognized in articles 15 to 22 of the Regulation (EU)

2016/679, may be exercised directly or through a legal representative or
voluntary.
       2. The person responsible for the treatment will be obliged to inform the affected party about
the means at your disposal to exercise the rights that correspond to you. The
means must be easily accessible to the affected person. The exercise of the right does not

It may be denied for the sole reason that the affected party opts for another means.
       3. The person in charge may process, on behalf of the person in charge, requests for
exercise made by those affected of their rights if so established in the
contract or legal act that binds them.
       4. Proof of compliance with the duty to respond to the exercise request
of their rights formulated by the affected party will fall on the person responsible.

       5. When the laws applicable to certain treatments establish a
special regime that affects the exercise of the rights provided for in Chapter III of the
Regulation (EU) 2016/679, the provisions of those will be followed.
       6. In any case, the holders of parental authority may exercise in
name and representation of minors under fourteen years of age, access rights,
rectification, cancellation, opposition or any other that could

correspond to them in the context of this organic law.
       7. The actions carried out by the person in charge of the
treatment to meet requests for the exercise of these rights, without prejudice to
the provisions of articles 12.5 and 15.3 of Regulation (EU) 2016/679 and in the
sections 3 and 4 of article 13 of this organic law. "



FIFTH: In the case analyzed here, the complaining party exercised its right to
deletion and, after the period established in accordance with the aforementioned regulations,
your request did not obtain the legally required response.

       The aforementioned rules do not allow the request to be ignored as if

had not been raised, leaving it without the answer that they must compulsorily
issue those responsible, even in the event that there is no data of the interested party in
the files of the entity or even in those cases in which it does not meet the
stipulated requirements, in which case the recipient of said request also comes
obliged to request the correction of the deficiencies observed or, where appropriate,

deny the request with reasons indicating the reasons why it is not applicable
consider the right in question.
       Therefore, the request that is formulated obliges the person in charge to respond
express, in any case, using any means that justifies the receipt
of the reply.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/5









       Given that the right has not been addressed, the claim that

originated the present proceeding.


       Considering the cited precepts and others of general application,
        the Director of the Spanish Agency for Data Protection RESOLVES:


FIRST: ESTIMATE the claim made by Ms. A.A.A. and urge ASSOCIACIÓ
FOR POLITICAL PARTICIPATION IN CATALUNYA with NIF G67207472, so that, in
within the ten business days following notification of this resolution,
Send the complaining party a certification stating that you have attended the

right of deletion exercised by the latter or is reasonedly denied indicating the
causes for which the requested deletion does not proceed. The actions carried out
As a consequence of this Resolution, they must be communicated to this
Agency in the same period. Failure to comply with this resolution could lead to
commission of the offense typified in article 72.1.m) of the LOPDGDD, which is

sanction, in accordance with art. 58.2 of the RGPD.

SECOND: NOTIFY this resolution to Ms. A.A.A. and ASSOCIACIÓ PER LA
POLITICAL PARTICIPATION IN CATALUNYA.



       In accordance with the provisions of article 50 of the LOPDGDD, the
This Resolution will be made public once it has been notified to the interested parties.

       Against this resolution, which puts an end to the administrative procedure in accordance with art.

48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the
LPACAP, the interested parties may optionally file an appeal for reversal
before the Director of the Spanish Agency for Data Protection within a period of
month from the day after notification of this resolution or directly
contentious-administrative appeal before the Contentious-Administrative Chamber of the

National High Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative jurisdiction, within a period of two months from the
day following notification of this act, as provided in article 46.1 of the
referred Law.



                                                                                 1034-080719
Mar Spain Martí
Director of the Spanish Agency for Data Protection











C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es