AEPD (Spain) - EXP202101314: Difference between revisions
No edit summary |
(Changed the short summary for the newsletter, please do have a look at the updated version for an example of what it should look like :) Thank you for the summary otherwise, it was really clear and to the point!) |
||
Line 52: | Line 52: | ||
}} | }} | ||
Spanish DPA | The Spanish DPA ordered a controller to comply with a data subject's access request, either by providing the requested information or refusing to company. in which case it has to explain its reasoning. | ||
== English Summary == | == English Summary == |
Revision as of 10:30, 15 December 2021
AEPD (Spain) - R/00852/2021 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 15 GDPR Article 31 GDPR Article 13 LOPDGDD |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | 03.12.2021 |
Fine: | None |
Parties: | AD735 DATA MEDIA ADVERTISING S.L |
National Case Number/Name: | R/00852/2021 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Sergi Ariño Mayans |
The Spanish DPA ordered a controller to comply with a data subject's access request, either by providing the requested information or refusing to company. in which case it has to explain its reasoning.
English Summary
Facts
A data subject made use of their right of access with AD735 DATA MEDIA ADVERTISING S.L. via phone and several emails, but the company ignored the request and did not provide the requested information.
Holding
The DPA held that according to Article 15 GDPR the data subject shall have the right to obtain confirmation from the controller as to whether or not their personal data is being processed, as well as access to that personal data. As a consequence, the DPA held that the controller should grant the data subject's request and provide this information within ten business days following this decision, or deny the request indicating the causes and reasoning. The action taken as a result of this decision shall be communicated to the DPA.
In addition, the DPA warned that failure to comply with this decision will be sanctioned as an infringement of Article 58(2) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/6 File No.: EXP202101314 RESOLUTION NO: R / 00852/2021 Considering the claim made on April 21, 2021 before this Agency by A.A.A. (on forward, the complaining party), against AD735 DATA MEDIA ADVERTISING S.L. (on hereinafter, the claimed party), for not having been duly attended to their right to suppression. The procedural actions provided for in Title VIII of the Law have been carried out. Organic 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), the following have been verified FACTS FIRST: The claimant exercised the right of access against the claimed with NIF B87781795, without your request having received the legally established reply. According to the claimant, during the course of a commercial call he requested access and was denied it, referring him to a website. Later, requested through several emails access to the claimed entity without receive reply. Given the lack of legal attention, he filed a claim with this Agency Spanish Data Protection, starting the procedure TD / 00035/2021. After the corresponding instruction this one was solved «FIFTH: In the case analyzed here, the complaining party exercised its right of access and, in principle, he did not receive a response, but later on Throughout the procedure, the defendant requested the necessary data to be able to serve you. The claimant is aware of these circumstances, both for the emails sent by the claimed as for the transfer that made this However, the Agency does not certify having sent the request for the right could be taken care of. Based on the foregoing, considering that the present procedure has as an object that the guarantees and rights of those affected remain duly restored, and since the defendant answered the claimant requesting a correction to be able to attend the right that the claimant did not respond, we consider that the request has been attended by denying motivated but outside the established deadline. Based on the foregoing, considering that the present procedure has as an object that the guarantees and rights of those affected remain duly restored, it is necessary to first estimate the claim for reasons formal since it has been attended after the deadline and second, notify the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/6 claimant who must correct what is requested by the claimed and thus be able to obtain access to your data. Considering the aforementioned precepts and others of general application, the Director of the Spanish Agency for Data Protection RESOLVES: FIRST: ESTIMATE for formal reasons, the claim made by A.A.A., against the entity AD735 DATA MEDIA ADVERTISING S.L .. No However, the issuance of a new certification by said entity, as the response was issued extemporaneously, without requires the performance of additional actions by the person in charge. " SECOND: On April 21, 2021, a letter from the claimant stating that during the processing of the procedure TD / 00035/2021, dated March 2, 2021, received an email from the entity requesting the telephone number to "accurately identify your registration and facilitate the requested right of access as soon as possible ",. The same day he received that email, he answered by giving him the phone number requested, and received the following response: «Thank you for contacting AD735 DATA MEDIA ADVERTISING, S.L., we have successfully received your email. We inform you that to process the cancellation / deletion of your personal data, You must access the following link: www.ad735.es/bajas. WILL NOT BE ATTENDED REMOVAL / DELETE REQUESTS AT THE MAILING ADDRESS DPO@AD735.ES. If you have exercised any other right recognized in the RGPD, or have made a consultation, we will attend to you as soon as possible. You can find more information on the web http://www.ad735.es/derechosRGPDAD735.pdf » For this reason, the present procedure was opened, transferring the claim to the claimed party, dated September 7, 2021, granting hearing process, so that within fifteen business days it could present the allegations that it deems appropriate. The electronic notification sent was “expired” as it was not accessed, due to which, it was reiterated by postal mail, being received on the date September 29, 2021, without this Agency having any response from the claimed part. FOUNDATIONS OF LAW FIRST: The Director of the Spanish Agency for Data Protection, in accordance with the provisions of section 2 of article 56 in in relation to paragraph 1 f) of article 57, both of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/6 natural persons with regard to the processing of personal data and the free circulation of these data (hereinafter, GDPR); and in article 47 of the LOPDGDD. SECOND: In accordance with the provisions of article 55 of the RGPD, the Agency Spanish Data Protection is competent to perform the functions that are assigned to it in its article 57, among them, that of enforcing the Regulation and promote the awareness of those responsible and those in charge of the treatment about their obligations, as well as dealing with claims submitted by an interested party and investigate the reason for them. Correlatively, article 31 of the RGPD establishes the obligation of those responsible and those in charge of the treatment to cooperate with the control authority that requests it in the performance of their duties. In the event that they have designated a data protection officer, article 39 of the RGPD attributes to him the function of cooperate with said authority. Similarly, the domestic legal system, in article 65.4 of the LOPDGDD, has Provided a mechanism prior to the admission for processing of the claims that are made before the Spanish Agency for Data Protection, which consists of giving transfer of the same to the data protection delegates designated by the responsible or in charge of the treatment, for the purposes provided in article 37 of the aforementioned norm, or to them when they have not been designated, to proceed to the analysis of said claims and to respond to them within a month. In accordance with these regulations, prior to the admission for processing of the claim that gives rise to the present procedure, it was transferred to the responsible entity to proceed with its analysis, provide a response to this Agency within a month and certify having provided the claimant with the proper response, in the event of exercise of the rights regulated in articles 15 to 22 of the GDPR. The result of said transfer did not allow for the satisfaction of the claims of the complaining party. Consequently, on August 23, 2021, for the purposes provided for in article 64.2 of the LOPDGDD, the Director of the Spanish Agency for Data Protection agreed to admit the submitted claim for processing. Saying The agreement of admission for processing determines the opening of the present procedure of lack of attention to a request to exercise the rights established in the Articles 15 to 22 of the RGPD, regulated in article 64.1 of the LOPDGDD, according to the which: "1. When the procedure refers exclusively to the lack of attention of a request to exercise the rights established in articles 15 to 22 of the Regulation (EU) 2016/679, will start by agreement of admission for processing, which will be adopt in accordance with the provisions of the following article. In this case, the deadline to resolve the procedure will be six months from from the date on which the claimant was notified of the admission agreement to Procedure. After this period, the interested party may consider his claim". C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/6 The purging of administrative responsibilities in the framework of of a sanctioning procedure, whose exceptional nature implies that it is chosen, whenever possible, due to the prevalence of alternative mechanisms that have I amparo in the current regulations. It is the exclusive competence of this Agency to assess whether there are responsibilities administrative procedures that must be purged in a sanctioning procedure and, in Consequently, the decision on its opening, there being no obligation to initiate a procedure before any request made by a third party. Such a decision must be based on the existence of elements that justify said start of the activity sanctioning, circumstances that do not concur in the present case, considering that with this procedure, the guarantees and Claimant's rights. THIRD: The rights of people in terms of data protection Personal data are regulated in articles 15 to 22 of the RGPD and 13 to 18 of the LOPDGDD. The rights of access, rectification, deletion, opposition, right to limitation of treatment and right to portability. The formal aspects relating to the exercise of these rights are established in the Articles 12 of the RGPD and 12 of the LOPDGDD. It also takes into account what is expressed in Considerations 59 and following of the GDPR. In accordance with the provisions of these rules, the data controller should arbitrate formulas and mechanisms to facilitate the interested party the exercise of their rights, which will be free (without prejudice to the provisions of articles 12.5 and 15.3 of the RGPD), and is obliged to respond to requests made no later than one month, unless you can show that you are unable to identify the interested, and to express their reasons in case they were not to attend said application. The person responsible is responsible for the proof of compliance with the duty of Respond to the request for the exercise of their rights made by the affected party. The communication addressed to the interested party on the occasion of their request must express themselves in a concise, transparent, intelligible and easily accessible way, with a clear and simple language. In the case of the right of access to personal data, in accordance with the established in article 13 of the LOPDGDD, when the exercise of the right is refers to a large amount of data, the person in charge may request the affected party to specify the "data or processing activities to which the request refers." The Right will be understood to be granted if the person in charge provides remote access to the data, the request being considered as attended (although the interested party may request the information referring to the extremes provided for in article 15 of the RGPD). The exercise of this right may be considered repetitive on more than one occasion. during the period of six months, unless there is legitimate cause for it. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/6 On the other hand, the request will be considered excessive when the affected party chooses a medium other than the one offered that involves a disproportionate cost, which must be assumed by the affected party. FOURTH: In accordance with the provisions of article 15 of the RGPD and article 13 of the LOPDGDD, "the interested party has the right to obtain from the person responsible for the treatment confirmation of whether or not personal data concerning you is being processed and, as such case, right of access to personal data ”. Like the rest of the rights of the interested party, the right of access is a very personal right. Allows the citizen to obtain information about the treatment what is being done of your data, the possibility of obtaining a copy of the data personal concerns that are being processed, as well as information, in particular, about the purposes of the treatment, the categories of data personal concerned, the recipients or categories of recipients to whom the communicated or will be communicated the personal data, the foreseen term or criteria conservation, the possibility of exercising other rights, the right to present a claim before the supervisory authority, the information available on the origin of the data (if these have not been obtained directly from the owner), the existence of automated decisions, including profiling, and information about transfers of personal data to a third country or to an international organization. The possibility of obtaining a copy of the personal data being processed does not negatively affect the rights and freedoms of others, that is, the right to Access will be granted in a way that does not affect third party data. In the case analyzed here, the examination of the documentation provided, has It has been established that the claimant requested access to their personal data and that the claimed entity has not duly attended the aforementioned right. Considering the aforementioned precepts and others of general application, the Director of the Spanish Agency for Data Protection RESOLVES: FIRST: ESTIMATE the claim made by D.A.A.A. and urge AD735 DATA MEDIA ADVERTISING S.L. with NIF B87781795, so that, within ten business days following notification of this resolution, send to the party claimant certification in which the requested right of access is addressed or motivated denial indicating the reasons why it is not appropriate to address the petition, in accordance with the provisions of the body of this resolution. The Actions carried out as a consequence of this Resolution must be communicated to this Agency within the same period. Failure to comply with this resolution could lead to the commission of the offense considered in article 72.1.m) of the LOPDGDD, which will be sanctioned, in accordance with article 58.2 of the RGPD. SECOND: NOTIFY this resolution to A.A.A. and AD735 DATA MEDIA ADVERTISING S.L .. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 6/6 Against this resolution, which puts an end to the administrative procedure in accordance with article 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may file, optionally, an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a month to counting from the day after notification of this resolution or directly Contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within a period of two months from the day following notification of this act, as provided in article 46.1 of the referred Law. 1195-180321 Mar Spain Martí Director of the Spanish Agency for Data Protection 28001 - Madrid 6 sedeagpd.gob.es