AEPD (Spain) - EXP202301529: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=PS/00076/2023 |ECLI= |Original_Source_Name_1=AEPD |Original_Source_Link_1=https://www.aepd.es/es/documento/pd-00076-2023.pdf |Original_Source_Language_1=Spanish |Original_Source_Language__Code_1=ES |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Language__...") |
(→Facts) |
||
Line 63: | Line 63: | ||
}} | }} | ||
The Spanish DPA ordered a controller to reply | The Spanish DPA ordered a controller to reply to a data subject's request to delete personal data, to an objection of processing of data for marketing purposes, transfer to third parties and profiling | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
On September 23, 2022 the data subject requested the controller to (i) erase | On September 23, 2022 the data subject requested the controller to (i) erase his data, (ii) shared his objection to the processing of his personal data for marketing purposes or the transfer to third parties and (iii) the elaboration of financial profiles on his person. However, the data subject never received a reply from the controller. | ||
=== Holding === | === Holding === |
Revision as of 16:48, 5 September 2023
AEPD - PS/00076/2023 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 17 GDPR Article 21 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 23.09.2022 |
Decided: | 18.08.2023 |
Published: | 18.08.2023 |
Fine: | n/a |
Parties: | GLOBAL KAPITAL GROUP SPAIN, S.L |
National Case Number/Name: | PS/00076/2023 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Mgrd |
The Spanish DPA ordered a controller to reply to a data subject's request to delete personal data, to an objection of processing of data for marketing purposes, transfer to third parties and profiling
English Summary
Facts
On September 23, 2022 the data subject requested the controller to (i) erase his data, (ii) shared his objection to the processing of his personal data for marketing purposes or the transfer to third parties and (iii) the elaboration of financial profiles on his person. However, the data subject never received a reply from the controller.
Holding
The Spanish DPA determined the controller to, within the term of ten working days, to send the data subject a formal reply in which the requested rights are granted or denied, stating the reasons why the requested rights or deny them.
As highlighted by AEPD, the controller is obliged to provide mechanisms to facilitate the exercise of the data subject's rights, which shall be free of charge and to respond to the requests made within one month at the latest, considering the legal exceptions. In addition, the controller must state the reasons if it is unable to comply with such a request. The onus is on the data controller to prove that it has fulfilled the legal duty to respond to the data subject's request to exercise his or her rights.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/7 File No.: EXP202301529 RIGHTS PROCEDURE RESOLUTION The procedural actions provided for in Title VIII of the Law have been carried out Organic 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), the following have been verified FACTS FIRST: A.A.A. (hereinafter, the claimant) exercised the right of Opposition and Deletion against GLOBAL KAPITAL GROUP SPAIN, S.L. (hereinafter, the part claimed) without your request having received the legally established response. The complaining party states that, on September 23, 2022, it requested the claimed party the deletion of their data object of treatment, as well as their Opposition to the processing of your data for marketing purposes or its transfer to third parties and the elaboration of financial profiles on your person, without having received an answer within the legally established period. SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights (in forward LOPDGDD), said claim was transferred to the claimed party, for to proceed with its analysis and inform this Agency within a month of the actions carried out to adapt to the requirements established in the regulations of Data Protection. THIRD: The result of the transfer procedure indicated in the previous Fact does not allowed to understand satisfied the claims of the claimant. In Consequently, on April 2, 2023, for the purposes set forth in article 64.1 of the LOPDGDD, the Director of the Spanish Data Protection Agency agreed accept the claim submitted for processing. The aforementioned agreement granted the defendant a hearing process, so that within a period of fifteen business days, submit the allegations that you consider convenient. Said entity declares the following: "...we want to detail that it is a client who has an active credit with our entity. The money corresponding to the principal of said credit was transferred to the client's account, although we have not yet received the payment corresponding to it. In addition, the client has presented before the Courts of First instance a lawsuit requesting the annulment of the contract. for these reasons, we cannot process the deletion of your personal data. On the other hand, We did proceed with the exercise of the right of opposition, eliminating the customer's data of our database related to the elaboration of financial profiles or marketing…" C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/7 FOURTH: Having examined the document presented by the claimed party, it is transferred to the complaining party, so that, within fifteen business days, it formulates the allegations that you deem appropriate. The complaining party, in summary, continues to say that it does not Your requests have been met. FUNDAMENTALS OF LAW Yo In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), grants each control authority and as established in articles 47, 48.1 and 64.1 of the Law Organic 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve this procedure the Director of the Spanish Data Protection Agency. Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations dictated in its development and, insofar as they do not contradict them, with character subsidiary, by the general rules on administrative procedures." II In accordance with the provisions of article 55 of the GDPR, the Spanish Agency for Data Protection is competent to perform the functions assigned to it in its article 57, among them, that of enforcing the Regulation and promoting the sensitization of controllers and processors about the obligations incumbent upon them, as well as dealing with claims filed by a interested and investigate the reason for them. Correlatively, article 31 of the GDPR establishes the obligation of those responsible and those in charge of the treatment to cooperate with the control authority that requests it in the performance of their functions. In the event that they have designated a data protection delegate, article 39 of the GDPR attributes to him the function of cooperate with said authority. In accordance with this regulation, prior to the admission for processing of the claim that gives rise to this procedure, it was transferred to the claimed party to proceed with its analysis, respond to this Agency in within one month and certify having provided the claimant with the due response, in the assumption of exercise of the rights regulated in articles 15 to 22 of the GDPR. The result of said transfer did not allow us to understand satisfied the claims of the complaining party. Consequently, on April 2, 2023, for the purposes of provided for in article 64.2 of the LOPDGDD, the Director of the Spanish Agency for Data Protection agreed to admit the claim submitted for processing. Saying agreement for admission to processing determines the opening of this procedure of C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/7 lack of attention to a request to exercise the rights established in the articles 15 to 22 of the GDPR, regulated in article 64.1 of the LOPDGDD, according to the which: "1. When the procedure refers exclusively to the lack of care of a request to exercise the rights established in articles 15 to 22 of the Regulation (EU) 2016/679, will begin with an agreement for admission to processing, which will be adopt in accordance with the provisions of the following article. In this case, the term to resolve the procedure will be six months from from the date the claimant was notified of the admission agreement to Procedure. After that period, the interested party may consider his claim". The depuration of administrative responsibilities within the framework is not considered opportune. of a disciplinary procedure, the exceptional nature of which implies that a choice be made, whenever possible, due to the prevalence of alternative mechanisms that have under the current regulations. It is the exclusive competence of this Agency to assess whether there are responsibilities administrative procedures that must be purged in a disciplinary proceeding and, in Consequently, the decision on its opening, there being no obligation to initiate a procedure for any request made by a third party. Such a decision must be based on the existence of elements that justify the start of the activity disciplinary action, circumstances that do not exist in the present case, considering that With this procedure, the guarantees and claimant's rights. II The rights of individuals regarding the protection of personal data are regulated in articles 15 to 22 of the GDPR and 13 to 18 of the LOPDGDD. HE contemplate the rights of access, rectification, deletion, opposition, right to limitation of treatment and right to portability. The formal aspects related to the exercise of these rights are established in the Articles 12 of the GDPR and 12 of the LOPDGDD. It also takes into account what is stated in Considering 59 et seq. of the GDPR. In accordance with the provisions of these regulations, the data controller must arbitrate formulas and mechanisms to facilitate the exercise of their rights by the interested party. rights, which will be free (without prejudice to the provisions of articles 12.5 and 15.3 of the GDPR), and is obliged to respond to requests made no later than a month, unless you can demonstrate that you are unable to identify the concerned, and to express their reasons in the event that they were not to attend said application. The proof of compliance with the duty of respond to the request to exercise their rights made by the affected party. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/7 The communication addressed to the interested party on the occasion of his request must express themselves in a concise, transparent, intelligible and easily accessible way, with a clear and simple language. IV. Article 21 of the GDPR, regarding the right of opposition, establishes the following: "1. The interested party will have the right to oppose at any time, for reasons related to your particular situation, to what personal data concerning you are subject to processing based on the provisions of article 6, paragraph 1, letters e) or f), including profiling on the basis of those provisions. The person responsible for the treatment will stop processing the personal data, unless accredit compelling legitimate reasons for the treatment that prevail over the interests, rights and freedoms of the data subject, or for the formulation, exercise or defense of claims. 2. When the processing of personal data is for marketing purposes directly, the interested party will have the right to oppose at all times the treatment of personal data concerning you, including profiling on the insofar as it is related to said marketing. 3. When the interested party opposes the treatment for direct marketing purposes, personal data will no longer be processed for said purposes. 4. At the latest at the time of the first communication with the data subject, the right indicated in sections 1 and 2 will be explicitly mentioned to the interested party and it will be presented clearly and apart from any other information. 5. In the context of the use of information society services, and not Notwithstanding the provisions of Directive 2002/58/EC, the interested party may exercise his right to oppose by automated means that apply specifications techniques. 6. When personal data is processed for the purposes of scientific research or historical or statistical purposes in accordance with article 89, paragraph 1, the The interested party shall have the right, for reasons related to their particular situation, to oppose the processing of personal data concerning you, unless it is necessary for the fulfillment of a mission carried out for reasons of interest public". V Article 17 of the GDPR, which regulates the right to delete personal data, sets the following: "1. The interested party shall have the right to obtain without undue delay from the person responsible for the treatment the deletion of personal data that concerns you, which will be obliged to delete without undue delay the personal data when any of the following circumstances: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/7 a) the personal data is no longer necessary in relation to the purposes for which it was were collected or otherwise processed; b) the interested party withdraws the consent on which the treatment is based in accordance with Article 6(1)(a) or Article 9(2)(a) and this is not based on another legal basis; c) the interested party opposes the processing in accordance with article 21, paragraph 1, and does not other legitimate reasons for the treatment prevail, or the interested party opposes the treatment according to article 21, paragraph 2; d) the personal data have been unlawfully processed; e) personal data must be deleted to comply with a legal obligation established in the law of the Union or of the Member States that applies to the responsible for the treatment; f) the personal data have been obtained in relation to the offer of services of the information society referred to in article 8, paragraph 1. 2. When you have made the personal data public and are obliged, by virtue of the provided in section 1, to delete said data, the person responsible for the treatment, taking into account the technology available and the cost of its application, it will adopt reasonable measures, including technical measures, with a view to informing responsible who are processing the personal data of the request of the interested party deletion of any link to such personal data, or any copy or replica of the same. 3. Sections 1 and 2 will not apply when the treatment is necessary: a) to exercise the right to freedom of expression and information; b) for compliance with a legal obligation that requires data processing imposed by the law of the Union or of the Member States that applies to the responsible for the treatment, or for the fulfillment of a mission carried out in the interest public or in the exercise of public powers conferred on the person responsible; c) for reasons of public interest in the field of public health in accordance with Article 9, paragraph 2, letters h) and i), and paragraph 3; d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, in accordance with Article 89(1), to the extent that the right indicated in paragraph 1 could make it impossible or hinder seriously impair the achievement of the objectives of such treatment, or e) for the formulation, exercise or defense of claims". SAW During the processing of this procedure, the defendant entity has answered to this Agency, but it does not certify having fulfilled what was requested by the complaining party addressing the rights or denying reasonedly and, remitting the mandatory response to your request. Thus, it is not possible to accept that the answer that corresponds to give can be manifested with occasion of a mere administrative procedure, such as the formulation of allegations with reason for this proceeding, initiated precisely for not duly addressing the application in question. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/7 The aforementioned rules do not allow the request to be ignored as if it were not would have raised, leaving her without the answer that must be issued by the responsible, even in the event that there is no data in the files or even in those cases in which it does not meet the established requirements, in which case the recipient of said request is also obliged to request the correction of the deficiencies observed or, where appropriate, deny the request with reasoned indicating the causes for which it is not appropriate to consider the right in question. Therefore, the request that is formulated obliges the person in charge to give an express response in in any case, using any means that justifies the receipt of the reply. Given that a copy of the necessary communication that must be addressed to the complaining party informing him about the decision he has adopted regarding the request to exercise rights, it is appropriate to estimate the claim that originated the present procedure. Given the aforementioned precepts and others of general application, the Director of the Agency Spanish Data Protection RESOLVES: FIRST: ESTIMATE the claim made by A.A.A. considering that it has violated the provisions of Article 17 of the GDPR and Article 21 of the GDPR and urge GLOBAL CAPITAL GROUP SPAIN, S.L. with NIF B87258091, so that, within the period of within ten business days of notification of this resolution, send to the claiming party certification in which the requested rights are addressed or reasonedly deny indicating the causes for which it is not appropriate to address the request, in accordance with the provisions of the body of this resolution. The actions carried out as a consequence of this Resolution must be communicated to this Agency in the same term. Failure to comply with this resolution could lead to the commission of a violation of art. 83.6 of the GDPR, classified as very serious for the purposes of prescription in article 72.1.m) of the LOPDGDD, which is sanctioned in accordance with art. 58.2 of the GDPR. SECOND: NOTIFY this resolution to A.A.A. and GLOBAL CAPITAL GROUP SPAIN, S.L. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once the interested parties have been notified. Against this resolution, which puts an end to the administrative process in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may optionally file an appeal for reversal before the Director of the Spanish Agency for Data Protection within a period of one month from count from the day following the notification of this resolution or directly contentious-administrative appeal before the Contentious-administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within a period of two months from the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/7 day following the notification of this act, as provided for in article 46.1 of the referred Law. 1381-140623 Mar Spain Marti Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es