AEPD (Spain) - TD/00133/2020: Difference between revisions
mNo edit summary |
mNo edit summary |
||
Line 50: | Line 50: | ||
}} | }} | ||
The Spanish DPA (AEPD) held that the data controller must give an express answer which justifies by any means the receipt of a request for erasure, without undue delay, under | The Spanish DPA (AEPD) held that the data controller must give an express answer which justifies by any means the receipt of a request for erasure, without undue delay, under Article 12 GDPR. | ||
==English Summary== | ==English Summary== | ||
Line 62: | Line 62: | ||
===Holding=== | ===Holding=== | ||
The AEPD found that | The AEPD found that Article 12 GDPR does not allow the data controller to ignore the request after the on-month deadline. In the event where there is no personal data, where the request does not fulfill the requirements for the exercise of the right to erasure but rather the right to rectification or the request has to be rejected, the controller must indicate the reasons of the refusal. In any case the controller must provide an answer which justifies by any means the receipt of the request. Therefore, the APED clarified the obligation upon the data controller to give an express answer without undue delay. | ||
In the case at hand, the right to erasure has not been complied with due to the lack of answer. Thus, the AEPD ordered the data controller to send the complaint an answer within the limit of 10 working days. | In the case at hand, the right to erasure has not been complied with due to the lack of answer. Thus, the AEPD ordered the data controller to send the complaint an answer within the limit of 10 working days. | ||
==Comment== | ==Comment== | ||
The order to comply with the GDPR is not a surprise. However, it’s interesting to notice that the AEPD did not give reason for its decision on the basis of | The order to comply with the GDPR is not a surprise. However, it’s interesting to notice that the AEPD did not give reason for its decision on the basis of Article 17 GPDR (and the equivalent in domestic law) but on Article 12 GDPR. Therefore, this decision reinforces the obligation upon data controller to give an express answer for any rights exercised under Articles 15 to 22 GDPR, by virtue of Article 12 GDPR. | ||
==Further Resources== | ==Further Resources== |
Revision as of 10:27, 4 November 2020
AEPD - TD/00133/2020 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 12 GDPR 12 LOPDGDD |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | 30.10.2020 |
Fine: | None |
Parties: | Associació per la participació política a Catalunya |
National Case Number/Name: | TD/00133/2020 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Juliette Leportois |
The Spanish DPA (AEPD) held that the data controller must give an express answer which justifies by any means the receipt of a request for erasure, without undue delay, under Article 12 GDPR.
English Summary
Facts
The data subject - the complainant - filed a complaint with the AEPD against the organisation “l’Associació per la Participació Política a Catalunya (AppCat)” for failure to comply with his right to be forgotten.
Indeed, the data subject required from the data controller the erasure of his personal data. No answer to his request has been received.
Dispute
Does the GDPR allow the data controller to ignore a request for erasure ?
Holding
The AEPD found that Article 12 GDPR does not allow the data controller to ignore the request after the on-month deadline. In the event where there is no personal data, where the request does not fulfill the requirements for the exercise of the right to erasure but rather the right to rectification or the request has to be rejected, the controller must indicate the reasons of the refusal. In any case the controller must provide an answer which justifies by any means the receipt of the request. Therefore, the APED clarified the obligation upon the data controller to give an express answer without undue delay. In the case at hand, the right to erasure has not been complied with due to the lack of answer. Thus, the AEPD ordered the data controller to send the complaint an answer within the limit of 10 working days.
Comment
The order to comply with the GDPR is not a surprise. However, it’s interesting to notice that the AEPD did not give reason for its decision on the basis of Article 17 GPDR (and the equivalent in domestic law) but on Article 12 GDPR. Therefore, this decision reinforces the obligation upon data controller to give an express answer for any rights exercised under Articles 15 to 22 GDPR, by virtue of Article 12 GDPR.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/5 File No.: TD / 00133/2020 RESOLUTION Nº: R / 00457/2020 In view of the claim made on January 14, 2020 before this Agency by Mrs. A.A.A. , (from now on the complaining party), against ASSOCIACIÓ PER LA POLITICAL PARTICIPATION TO CATALUNYA, (from now on the claimed party), by not having duly attended to their right to erasure. The procedural actions provided for in Title VIII of the Law have been carried out. Organic 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), the following have been verified ACTS FIRST: On November 18, 2019, the complaining party exercised the right suppression against the claimed, without your request having received the answer legally established. The complaining party provides various documentation related to the claim raised before this Agency and on the exercise of the right exercised. SECOND: Once the procedure provided for in article 65.4 of the LOPDGDD has been completed, The claim was admitted for processing and the claimed entity was granted hearing, so that within fifteen business days the allegations that deemed convenient. The claimed entity has not replied to this Agency and has not proven that has responded to the request for the exercise of rights that was presented by the complaining party. FOUNDATIONS OF LAW FIRST: The Director of the Spanish Agency for Data Protection, in accordance with the provisions of section 2 of article 56 in in relation to paragraph 1 f) of article 57, both of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and the free circulation of these data (hereinafter, RGPD); and in article 47 of the LOPDGDD. SECOND: In accordance with the provisions of article 55 of the RGPD, the Agency Spanish Data Protection is competent to perform the functions that are assigned to it in its article 57, among them, that of enforcing the Regulation and promote the awareness of those responsible and those in charge of the treatment C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/5 about their obligations, as well as dealing with claims submitted by an interested party and investigate the reason for them. Correlatively, article 31 of the RGPD establishes the obligation of the responsible and in charge of the treatment to cooperate with the control authority that he requests it in the performance of his functions. In the event that these have designated a data protection officer, article 39 of the RGPD attributes to This one the function of cooperating with said authority. Similarly, the domestic legal system, in article 65.4 the LOPDGDD, has provided a mechanism prior to the admission for processing of the claims that are made before the Spanish Agency for Data Protection, which consists of transferring them to the data protection delegates designated by those responsible or in charge of the treatment, for the intended purposes in article 37 of the aforementioned rule, or to these when they have not designated them, to to proceed to the analysis of said claims and to respond to them within the period of one month. In accordance with these regulations, prior to admission for processing of the claim gives rise to this procedure, it was transferred to the responsible entity to proceed with its analysis, provide a response to this Agency within a month and certify having provided the claimant with the proper response, in the event of exercise of the rights regulated in articles 15 to 22 of the RGPD. The result of said transfer did not allow the satisfaction of the claims of the complaining party. Consequently, dated XXXXXXXX, at effects provided for in article 64.2 of the LOPDGDD, the Director of the Agency Spanish Data Protection Agency agreed to accept the submitted claim for processing. Said admission for processing agreement determines the opening of this procedure lack of attention to a request to exercise the rights established in the Articles 15 to 22 of the RGPD, regulated in article 64.1 of the LOPDGDD, according to the which: "1. When the procedure refers exclusively to the lack of attention of a request to exercise the rights established in articles 15 to 22 of the Regulation (EU) 2016/679, will start by agreement of admission for processing, which is adopt in accordance with the provisions of the following article. In this case, the period to resolve the procedure will be six months from from the date that the claimant was notified of the admission agreement to Procedure. After this period, the interested party may consider his claim." The purging of administrative responsibilities is not considered appropriate in the framework of a sanctioning procedure, the exceptional nature of which implies that opt, whenever possible, for the prevalence of alternative mechanisms that have protection in current regulations. It is the exclusive competence of this Agency to assess whether there are responsibilities administrative procedures that must be purged in a sanctioning procedure and, in C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/5 Consequently, the decision on its opening, there being no obligation to initiate a procedure before any request made by a third party. Such a decision must be based on the existence of elements that justify said start of the activity sanctioning, circumstances that do not concur in the present case, considering that With this procedure, the guarantees and Claimant's rights. THIRD: Article 12 of Regulation (EU) 2016/679, of April 27, 2016, General Data Protection (RGPD), provides that: "1. The controller will take the appropriate measures to facilitate the interested party all information indicated in articles 13 and 14, as well as any communication in accordance with articles 15 to 22 and 34 regarding the treatment, in the form concise, transparent, intelligible and easily accessible, with a clear and simple language, in particular any information specifically directed at a child. Information will be provided in writing or by other means, including, if applicable, by means electronic. When requested by the interested party, the information may be provided verbally provided that the identity of the interested party is proven by other means. 2. The person in charge of the treatment will facilitate the interested party the exercise of their rights under articles 15 to 22. In the cases referred to in article 11, section 2, the controller will not refuse to act at the request of the interested party in order to exercise your rights under articles 15 to 22, unless you can demonstrate that it is not in a position to identify the interested party. 3. The person responsible for the treatment will provide the interested party with information regarding their proceedings on the basis of a request pursuant to Articles 15 to 22, and, in In any case, within one month of receiving the request. Saying The term may be extended for another two months if necessary, taking into account the complexity and number of requests. The person in charge will inform the interested party of any of said extensions within a period of one month from the receipt of the request, stating the reasons for the delay. When the interested party presents the request by electronic means, the information will be provided by electronic means when possible, unless the interested party requests that it be provided otherwise. 4. If the person responsible for the treatment does not comply with the request of the interested party, will inform without delay, and no later than one month after receiving the request, the reasons for not acting and the possibility of submitting a claim before a control authority and to exercise legal actions. 5. The information provided by virtue of articles 13 and 14 as well as all communication and any action carried out pursuant to articles 15 to 22 and 34 they will be free of charge. When the requests are manifestly unfounded or excessive, especially due to its repetitive nature, the person responsible for the treatment may: a) charge a reasonable fee based on the administrative costs incurred to facilitate information or communication or carry out the requested action, or b) refuse to act on the request. The data controller will bear the burden of proving the character manifestly unfounded or excessive of the request. 6. Without prejudice to the provisions of article 11, when the person responsible for the treatment has reasonable doubts regarding the identity of the natural person making the request referred to in articles 15 to 21, may request that provide the additional information necessary to confirm the identity of the interested party. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/5 7. The information that must be provided to the interested parties by virtue of articles 13 and 14 may be transmitted in combination with standard icons that allow provide easily visible, intelligible and clearly legible an adequate overview of the planned treatment. Icons presented in the format electronic will be machine readable. 8. The Commission is empowered to adopt delegated acts in accordance with Article 92 in order to specify the information to be submitted through icons and procedures for providing standard icons. " FOURTH: Article 12 of the LOPDGDD determines the following: 1. The rights recognized in articles 15 to 22 of the Regulation (EU) 2016/679, may be exercised directly or through a legal representative or voluntary. 2. The person responsible for the treatment will be obliged to inform the affected party about the means at your disposal to exercise the rights that correspond to you. The means must be easily accessible to the affected person. The exercise of the right does not It may be denied for the sole reason that the affected party opts for another means. 3. The person in charge may process, on behalf of the person in charge, requests for exercise made by those affected of their rights if so established in the contract or legal act that binds them. 4. Proof of compliance with the duty to respond to the exercise request of their rights formulated by the affected party will fall on the person responsible. 5. When the laws applicable to certain treatments establish a special regime that affects the exercise of the rights provided for in Chapter III of the Regulation (EU) 2016/679, the provisions of those will be followed. 6. In any case, the holders of parental authority may exercise in name and representation of minors under fourteen years of age, access rights, rectification, cancellation, opposition or any other that could correspond to them in the context of this organic law. 7. The actions carried out by the person in charge of the treatment to meet requests for the exercise of these rights, without prejudice to the provisions of articles 12.5 and 15.3 of Regulation (EU) 2016/679 and in the sections 3 and 4 of article 13 of this organic law. " FIFTH: In the case analyzed here, the complaining party exercised its right to deletion and, after the period established in accordance with the aforementioned regulations, your request did not obtain the legally required response. The aforementioned rules do not allow the request to be ignored as if had not been raised, leaving it without the answer that they must compulsorily issue those responsible, even in the event that there is no data of the interested party in the files of the entity or even in those cases in which it does not meet the stipulated requirements, in which case the recipient of said request also comes obliged to request the correction of the deficiencies observed or, where appropriate, deny the request with reasons indicating the reasons why it is not applicable consider the right in question. Therefore, the request that is formulated obliges the person in charge to respond express, in any case, using any means that justifies the receipt of the reply. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/5 Given that the right has not been addressed, the claim that originated the present proceeding. Considering the cited precepts and others of general application, the Director of the Spanish Agency for Data Protection RESOLVES: FIRST: ESTIMATE the claim made by Ms. A.A.A. and urge ASSOCIACIÓ FOR POLITICAL PARTICIPATION IN CATALUNYA with NIF G67207472, so that, in within the ten business days following notification of this resolution, Send the complaining party a certification stating that you have attended the right of deletion exercised by the latter or is reasonedly denied indicating the causes for which the requested deletion does not proceed. The actions carried out As a consequence of this Resolution, they must be communicated to this Agency in the same period. Failure to comply with this resolution could lead to commission of the offense typified in article 72.1.m) of the LOPDGDD, which is sanction, in accordance with art. 58.2 of the RGPD. SECOND: NOTIFY this resolution to Ms. A.A.A. and ASSOCIACIÓ PER LA POLITICAL PARTICIPATION IN CATALUNYA. In accordance with the provisions of article 50 of the LOPDGDD, the This Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may optionally file an appeal for reversal before the Director of the Spanish Agency for Data Protection within a period of month from the day after notification of this resolution or directly contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within a period of two months from the day following notification of this act, as provided in article 46.1 of the referred Law. 1034-080719 Mar Spain Martí Director of the Spanish Agency for Data Protection C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es