AEPD (Spain) - EXP202203923: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=PD-00110-2022 |ECLI= |Original_Source_Name_1=AEPD |Original_Source_Link_1=https://www.aepd.es/es/documento/pd-00110-2022.pdf |Original_Source_Language_1=Spanish |Original_Source_Language__Code_1=ES |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Language__...") |
mNo edit summary |
||
Line 72: | Line 72: | ||
=== Facts === | === Facts === | ||
The data subject exercised its right to erasure against COFIDIS S.A., SUCURSAL EN ESPAÑA, a bank focusing on consumer credits (the controller). The controller did not reply to this request. Subsequently, the data subject lodged a complaint with the Spanish DPA and provided documents which proved that the right had been exercised. | The data subject exercised its right to erasure against COFIDIS S.A., SUCURSAL EN ESPAÑA, a bank focusing on consumer credits (the controller). The controller did not reply to this request. Subsequently, the data subject lodged a complaint with the Spanish DPA and provided documents which proved that the right had been exercised. | ||
The DPA then granted the controller a hearing, so that they could present their point of view. As their response, the controller sent the DPA an answer to the request by the data subject. However, the controller still did not send a response directly to the data subject. | The DPA then granted the controller a hearing, so that they could present their point of view. As their response, the controller sent the DPA an answer to the request by the data subject. However, the controller still did not send a response directly to the data subject. | ||
=== Holding === | === Holding === | ||
First, the Spanish DPA pointed out that a controller needs to answer requests by a data subject within one month according to [[Article 12 GDPR]]. The authority also noted that a controller must not in any case ignore requests by a data subject. The controller bears the burden of proof of compliance with these provisions. | First, the Spanish DPA pointed out that a controller needs to answer requests by a data subject within one month according to [[Article 12 GDPR]]. The authority also noted that a controller must not in any case ignore requests by a data subject. The controller bears the burden of proof of compliance with these provisions. | ||
Second, the DPA held that it is not acceptable that the reponse to a request is only made on the occasion of an administrative procedure, like the formulation of allegations in this case. | Second, the DPA held that it is not acceptable that the reponse to a request is only made on the occasion of an administrative procedure, like the formulation of allegations in this case. | ||
Hence, the DPA upheld the complaint. The authority additionally urged the controller to inform the data subject whether the right to erasure is granted or not within ten working days. | Hence, the DPA upheld the complaint. The authority additionally urged the controller to inform the data subject whether the right to erasure is granted or not within ten working days. | ||
Revision as of 15:22, 30 May 2023
AEPD - PD-00110-2022 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 12 GDPR Article 17 GDPR Article 12 LOPDGDD Article 15 LOPDGDD |
Type: | Complaint |
Outcome: | Upheld |
Started: | 07.03.2022 |
Decided: | |
Published: | 07.09.2022 |
Fine: | n/a |
Parties: | COFIDIS S.A., SUCURSAL EN ESPAÑA |
National Case Number/Name: | PD-00110-2022 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Lukas Fiebiger |
The Spanish DPA held that it is not sufficient when a controller only sends their response to a data erasure request to the DPA after a complaint has been lodged. The response should rather be directly sent to the data subject within one month.
English Summary
Facts
The data subject exercised its right to erasure against COFIDIS S.A., SUCURSAL EN ESPAÑA, a bank focusing on consumer credits (the controller). The controller did not reply to this request. Subsequently, the data subject lodged a complaint with the Spanish DPA and provided documents which proved that the right had been exercised.
The DPA then granted the controller a hearing, so that they could present their point of view. As their response, the controller sent the DPA an answer to the request by the data subject. However, the controller still did not send a response directly to the data subject.
Holding
First, the Spanish DPA pointed out that a controller needs to answer requests by a data subject within one month according to Article 12 GDPR. The authority also noted that a controller must not in any case ignore requests by a data subject. The controller bears the burden of proof of compliance with these provisions.
Second, the DPA held that it is not acceptable that the reponse to a request is only made on the occasion of an administrative procedure, like the formulation of allegations in this case.
Hence, the DPA upheld the complaint. The authority additionally urged the controller to inform the data subject whether the right to erasure is granted or not within ten working days.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/4 File No.: EXP202203923 RESOLUTION Nº: R/00738/2022 Having regard to the claim made on March 7, 2022 before this Agency by A.A.A. (to from now on the claiming party), against COFIDIS S.A., SUCURSAL EN ESPAÑA (from now on the claimed party), for not having been duly attended to request to exercise the rights established in Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and the free circulation of these data (hereinafter GDPR). The procedural actions provided for in Title VIII of the Law have been carried out Organic 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), the following have been verified: FACTS FIRST: The complaining party exercised the right of Suppression against the defendant, without your request having received the legally established response. The claimant provides various documentation related to the claim raised before this Agency and on the exercise of the exercised right. SECOND: Once the procedure provided for in article 65.4 of the LOPDGDD has been completed, the claim was admitted for processing and the requested entity was granted processing of hearing, so that within a period of fifteen business days he could present the allegations that deemed convenient. With its statement of allegations, the claimed entity has sent to this Agency the response to the exercised right. However, it does not provide documentation proving that the request for the exercise of rights has been duly answered to the interested. FUNDAMENTALS OF LAW FIRST: The Director of the Spanish Agency for Data Protection, in accordance with the provisions of section 2 of article 56 in relation to section 1 f) of article 57, both of the GDPR; and in article 47 of the LOPDGDD. SECOND: In accordance with the provisions of article 55 of the GDPR, the Agency Española de Protección de Datos is competent to perform the functions that are assigned to it in its article 57, among them, that of enforcing the Regulation and promote awareness of controllers and processors about the obligations incumbent upon them, as well as dealing with claims presented by an interested party and investigate the reason for them. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/4 Correlatively, article 31 of the GDPR establishes the obligation of those responsible and those in charge of the treatment to cooperate with the control authority that requests it in the performance of their functions. In the event that they have designated a data protection delegate, article 39 of the GDPR attributes to him the function of cooperate with said authority. In the same way, the internal legal system, in article 65.4 of the LOPDGDD, has provided a mechanism prior to the admission for processing of the claims that are formulated before the Spanish Agency for Data Protection, which consists of giving transfer of the same to the data protection delegates designated by the responsible or in charge of the treatment, for the purposes provided in article 37 of the aforementioned norm, or to them when they have not designated them, so that they proceed to the analysis of said claims and to respond to them within a month. In accordance with this regulation, prior to the admission for processing of the claim that gives rise to this procedure, it was transferred to the responsible entity to proceed with its analysis, respond to this Agency within a month and certify having provided the claimant with the due response, in the event of exercise of the rights regulated in articles 15 to 22 of the GDPR. The result of said transfer did not allow us to understand satisfied the claims of the complaining party. Consequently, on May 20, 2022, for the purposes of provided for in article 64.2 of the LOPDGDD, the Director of the Spanish Agency for Data Protection agreed to admit the claim submitted for processing. Saying agreement for admission to processing determines the opening of this procedure of lack of attention to a request to exercise the rights established in the articles 15 to 22 of the GDPR, regulated in article 64.1 of the LOPDGDD, according to the which: "1. When the procedure refers exclusively to the lack of care of a request to exercise the rights established in articles 15 to 22 of the Regulation (EU) 2016/679, will begin with an agreement for admission to processing, which will be adopt in accordance with the provisions of the following article. In this case, the term to resolve the procedure will be six months from from the date the claimant was notified of the admission agreement to Procedure. After that period, the interested party may consider his claim". The depuration of administrative responsibilities within the framework is not considered opportune. of a disciplinary procedure, the exceptional nature of which implies that a choice be made, whenever possible, due to the prevalence of alternative mechanisms that have under the current regulations. It is the exclusive competence of this Agency to assess whether there are responsibilities administrative procedures that must be purged in a disciplinary proceeding and, in Consequently, the decision on its opening, there being no obligation to initiate a procedure for any request made by a third party. Such a decision must be based on the existence of elements that justify the start of the activity C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/4 disciplinary action, circumstances that do not exist in the present case, considering that With this procedure, the guarantees and claimant's rights. THIRD: The rights of individuals in terms of data protection personal data are regulated in articles 15 to 22 of the GDPR and 13 to 18 of the LOPDGDD. The rights of access, rectification, deletion, opposition, right to limitation of treatment and right to portability. The formal aspects related to the exercise of these rights are established in the Articles 12 of the GDPR and 12 of the LOPDGDD. It also takes into account what is stated in Considering 59 et seq. of the GDPR. In accordance with the provisions of these regulations, the data controller must arbitrate formulas and mechanisms to facilitate the exercise of their rights by the interested party. rights, which will be free (without prejudice to the provisions of articles 12.5 and 15.3 of the GDPR), and is obliged to respond to requests made no later than a month, unless you can demonstrate that you are unable to identify the concerned, and to express their reasons in the event that they were not to attend said application. The proof of compliance with the duty of respond to the request to exercise their rights made by the affected party. The communication addressed to the interested party on the occasion of his request must express themselves in a concise, transparent, intelligible and easily accessible way, with a clear and simple language. FOURTH: In the case analyzed, the claimant exercised the right to Suppression regulated in article 17 of the GDPR and article 15 of the LOPDGDD. After the period established in the reviewed regulations, your request did not obtain the legally required response. During the processing of this procedure, the defendant entity has answered to this Agency, but does not certify having met the request of the claimant sending you the required response to your request. In this regard, it should be noted that it cannot be accepted that the corresponding answer perform can manifest itself on the occasion of a mere administrative procedure, such as the formulation of allegations on the occasion of this proceeding, initiated precisely for not properly addressing the request in question. The aforementioned rules do not allow the request to be ignored as if it were not would have raised, leaving her without the answer that must be issued by the responsible, even in the event that there is no data of the interested party in the files of the entity or even in those cases in which it did not meet the established requirements, in which case the addressee of said request is also obliged to require the correction of the deficiencies observed or, where appropriate, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/4 deny the request with reasons indicating the reasons why it is not appropriate consider the law in question. Therefore, the request made obliges the controller to give an express response, in in any case, using any means that justifies the receipt of the reply. Given that a copy of the necessary communication that must be addressed to the claimant informing him about the decision he has adopted regarding the request to exercise rights, it is appropriate to estimate the claim that originated the present procedure. Given the aforementioned precepts and others of general application, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: ESTIMATE the claim made by A.A.A. and urge COFIDIS S.A., BRANCH IN SPAIN, with NIF W0017686G, so that, within ten business days following the notification of this resolution, send to the party claimant certification in which the right of Suppression exercised is addressed or reasonedly deny indicating the causes for which it is not appropriate to address the request, in accordance with the provisions of the body of this resolution. The actions carried out as a consequence of this Resolution must be communicated to this Agency in the same term. Failure to comply with this resolution could lead to the commission of the offense considered in article 72.1.m) of the LOPDGDD, which will be sanctioned, in accordance with art. 58.2 of the GDPR. SECOND: NOTIFY this resolution to A.A.A. and COFIDIS S.A., BRANCH IN SPAIN. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once the interested parties have been notified. Against this resolution, which puts an end to the administrative procedure (article 18.4 of the LOPD), and in accordance with the provisions of article 123 of Law 39/2015, of 1 October, of the Common Administrative Procedure of Public Administrations, may optionally file an appeal for replacement before the Director of the Director of the Spanish Agency for Data Protection, within a period of one month from count from the day following the notification of this resolution, or directly contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the Fourth Additional Provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the referred legal text. 1164-050321 Mar Spain Marti Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es