AEPD (Spain) - E/08210/2021: Difference between revisions

From GDPRhub
Latest revision as of 10:34, 13 December 2023

AEPD - E-08210-2021
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 4(22) GDPR
Article 15 GDPR
Article 56(1) GDPR
Article 60 GDPR
§74 LOPDGDD
Type: Complaint
Outcome: Rejected
Started: 07.02.2020
Decided:
Published: 26.10.2022
Fine: n/a
Parties: Banc de Sabadell S.A
National Case Number/Name: E-08210-2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Michelle Ayora

The Spanish DPA, as Lead Supervisory Authority, dismissed a complaint against a bank for alleged violation of Article 15 GDPR. It held that the controller sufficiently complied with the access request.

English Summary

Facts

The data subject lodged a complaint with the Spanish DPA against Banco de Sabadell, the controller, whose main establishment is located in Spain. The complaint was based on the right of access exercised by the data subject and the fact that the controller handed over a copy containing only the personal data from the data subject’s file and not the detailed transactions from the account.

Next, the complaint was sent to the Spanish DPA through a system intended for cross-border administrative cooperation and mutual assistance between the Member States, in accordance with Article 56(1) GDPR, due to the cross-border character of the complaint and the competence of the Spanish DPA as lead supervisory authority.

Under Article 60 GDPR, the following DPAs were identified as “concerned supervisory authorities” under Article 4(22) GDPR: the Netherlands, Italy, France and Portugal, since data subjects who reside on their territory might be substantially affected by the processing analysed in this case. On the other hand, the Polish DPA also claimed interest since the controller operated on its territory.

The controller claimed that the data subject did not specify the scope of the request, in the sense of detailing the data, purpose or processing operation they wanted to access. Additionally, the controller interpreted the request as a demand for the “personal data used by the bank”, considering, firstly, the information already provided on the website and in the contract pursuant to Article 13 GDPR and, secondly, the need to prevent the right of access from resulting in excessive data disclosure, given the amount of data handled.

Furthermore, in the same document, the controller provided information regarding the application “Banca a distancia” (long-distance banking), which allows the client to view and check the movements and operations on the account. The controller also stated that it was at the client’s disposal to extend or clarify the request. Finally, the controller proceeded to hand over a copy containing all the information requested by the data subject.

Holding

Initially, the Spanish DPA proposed dismissing the complaint, to which the French DPA objected.

However, the Spanish DPA confirmed that the data subject did not specify the personal data expected, the controller attended to the request by providing a copy containing the personal data from the data subject’s file, and the same document communicated the possibility to extend the information. Moreover, the data subject had access to a secure and easy-access tool to get the information requested. The French DPA did not object this time.

The Spanish DPA also observed that with the second communication, on 1 September 2020, the controller satisfied the access request. Therefore, any violation of Article 15 GDPR would be prescribed under Article 74 of the national data protection law, as the complaint was submitted on 7 February 2020.

Finally, the complaint was dismissed as unfounded. The Spanish DPA ordered that the controller be notified of this outcome.

Comment

It seems from the reading of the decision that the Spanish DPA, as Lead Supervisory Authority, dismissed the complaint, despite Article 60(8) GDPR stating that "where a complaint is dismissed or rejected, the supervisory authority with which the complaint was lodged shall adopt the decision and notify it to the complainant and shall inform the controller thereof."


English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

     File No.: E/08210/2021

IMI Reference: A56ID 162649- Case Register 353519



                  RESOLUTION OF FILE OF ACTIONS



Of the actions carried out by the Spanish Agency for Data Protection and
based on the following

                                      FACTS


FIRST: A.A.A. (hereinafter, the claimant party) filed a claim with the
Netherlands data protection authority. The claim is directed against
BANCO DE SABADELL, S.A. with NIF A08000143 (hereinafter, BANCO DE
SABADELL). The grounds on which the claim is based are as follows:

When the right of access was exercised in January 2019, Banco de Sabadell did
not provide in its response the details of the transactions carried out,
although it did provide the data that appears in the customer file.

The complaining party provides:


- Copy of the document by which the complaining party requested the exercise
of the right of access before BANCO DE SABADELL, S.A., dated January 29, 2019.

- Exchange of emails between the address of the complaining party
*** EMAIL.1 and the address exercise derechosprotecdatos@bancsabadell.com, in which
the complaining party requests the exercise of the right of access before BANCO DE
SABADELL and the latter confirms the sending of a burofax with the information
requested, on February 13 and March 21, 2019.

- Copy of the document provided by BANCO DE SABADELL with the information
requested by the claimant, dated February 13, 2019.

SECOND: Through the “Internal Market Information System” (hereinafter,
IMI system), regulated by Regulation (EU) No. 1024/2012 of the European Parliament
and of the Council, of October 25, 2012 (IMI Regulation), whose objective is to
promote cross-border administrative cooperation, mutual assistance between Member
States and the exchange of information, the aforementioned complaint was
transmitted on February 7, 2020 and was registered as received at the Spanish
Agency for Data Protection (AEPD) that same day. The transfer of this claim to the
AEPD was carried out in accordance with the provisions of article 56 of Regulation
(EU) 2016/679 of the European Parliament and of the Council, of 04/27/2016, on the
Protection of Natural Persons with regard to the Processing of Personal Data
and the Free Movement of such Data (hereinafter, RGPD), taking into account
its cross-border nature and that this Agency is competent to act

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/9








as lead supervisory authority, since BANCO DE SABADELL has its
registered office and main establishment in Spain.

The data processing carried out affects data subjects in several
Member States. According to the information included in the IMI System,
in accordance with the provisions of article 60 of the RGPD, the authorities of
Italy, France and Portugal act as "concerned supervisory authorities", in
addition to the data protection authority of the Netherlands. All of these do so
under article 4.22 of the RGPD, since the data subjects who reside in the
territory of these supervisory authorities are likely to be substantially affected
by the processing that is the subject of this procedure. For its part, the
supervisory authority of Poland also declared itself concerned, since the bank
operates on its territory.

THIRD: The General Subdirectorate for Data Inspection carried out
preliminary investigative actions to clarify the facts in question, by virtue
of the functions assigned to the supervisory authorities in article 57.1 and
the powers granted in article 58.1 of Regulation (EU) 2016/679 (General Data
Protection Regulation, hereinafter RGPD), and in accordance with the provisions
of Title VII, Chapter I, Second Section, of the LOPDGDD, and became aware of
the following points:

According to the representatives of BANCO DE SABADELL, the claimant
exercised his right of access to his personal data on January 29, 2019,
without specifying any data, processing or purpose that he wished to know
about specifically.

He was informed of the contracts signed with the entity, including the Remote
Banking contract, which allows him to view and check at any time the
movements of his accounts, positions and other operations.

In the response provided, BANCO DE SABADELL remained at his disposal to
make clarifications, extensions, limitations or any other specific designation
of the personal data, purposes and processing about which he wished to have
information, so if he had specifically requested it, it would have been provided
to him through the same medium.

Being a client and holder of a Distance Banking contract, the claimant had
available, through a secure and easily accessible remote medium, information
relating to the movements of all the positions held with the entity,
including the data of the transactions carried out.

With the existing availability through Remote Banking, and the response to the
exercise of the right supported by documents, they considered the request of
the complaining party to have been answered, since it did not specify that it
required the data of the transactions carried out, which would be provided if
specifically requested.


In relation to the reason why the complainant has not been provided with all of
the information, the representatives of BANCO DE SABADELL state that:



1) The complaining party exercised a right of access to their personal data on
January 29, 2019, using certain paragraphs of the literal wording of
article 15 of European Regulation 679/2016.

The large amount of data that the data controller, as a financial entity,
processes about its clients, together with the data protection information
that, in accordance with article 13 of the RGPD, BANCO DE SABADELL provides to
data subjects, both on its website and in the contractual documentation, about
the numerous processing operations it carries out, led to the interpretation
that the answer given covered the exercise of the right of access of the
complaining party, on the understanding that he already knew the general
information about the data processing carried out by the entity and that his
interest was focused on knowing exactly what personal data is used by the bank.
(They currently consider this interpretation to have been erroneous.)

The claimant's own request, which revealed a certain familiarity with the
RGPD, made them trust that providing the personal data undergoing processing
responded to the request adequately, without trying to close off the
possibility of offering greater detail on any specific processing that
could be of interest.

The experience acquired by the entity in dealing with the exercise of data
protection rights, as well as the change of culture that both data subjects
and entities have experienced, leads to a continuous review of its practice in
the matter and, in order to prevent the exercise of the right of access from
being distorted by an excess of information, given the large amount of data it
processes, they offer the data subject the possibility of contacting the entity
again if the expectation of information has not been fulfilled.


2) Once it was understood that the response to the exercise of the right of
access had not been correct, they proceeded to provide all the information
requested by the claimant, remaining at his disposal to provide further details
on any issue he deems appropriate. This information would equally have been
provided if it had been requested directly from the entity without submitting
a claim before the Data Protection Authorities.

On September 2, 2020, BANCO DE SABADELL sent an email informing the
complaining party that a certified letter had been sent with the response to
the exercise of the right of access.

The representatives of the entity provide documentation showing compliance with
the exercise of the right of access sent to the complaining party and proof of
shipment dated September 1, 2020.

FOURTH: On July 23, 2021, the Director of the AEPD declared the expiration
of the proceedings, as more than twelve months had elapsed since their inception,
and new investigative actions were opened with number E/08210/2021,
incorporating into these new actions the documentation from file
E/02669/2020.

This resolution, which was notified to BANCO DE SABADELL in accordance with the
rules established in Law 39/2015, of October 1, on the Common Administrative
Procedure of Public Administrations (LPACAP), was collected on July 26, 2021,
as stated in the acknowledgment of receipt that is in the file.

FIFTH: On August 16, 2021, the Director of the AEPD adopted a
draft decision to archive the proceedings. Following the process established
in article 60 of the RGPD, on August 20, 2021 this draft decision was
transmitted through the IMI system and the concerned authorities were informed
that they had four weeks from that moment to formulate relevant and reasoned
objections. Within the deadline for this purpose, the French supervisory
authority submitted its relevant and reasoned objections for the purposes of
the provisions of article 60 of the RGPD.


SIXTH: On July 20, 2022, the Director of the AEPD adopted a revised
draft decision to file the proceedings. Following the process established
in article 60 of the RGPD, on July 21, 2022 this draft decision was
transmitted through the IMI system and the concerned authorities were informed
that they had two weeks from that moment to formulate relevant and reasoned
objections. Within the period for this purpose, the supervisory authorities
concerned presented no relevant and reasoned objections in this regard, for
which reason it is considered that all authorities agree with the said revised
draft decision and are bound by it, in accordance with the provisions of
section 6 of article 60 of the RGPD.




                           FOUNDATIONS OF LAW


                                           I
                          Competence and applicable regulations

In accordance with the provisions of article 60.8 of the RGPD and with the
provisions of Articles 47 and 48 of the LOPDGDD, the Director of the Spanish
Data Protection Agency is competent to resolve these investigative actions.


Likewise, article 63.2 of the LOPDGDD determines that: “The procedures
processed by the Spanish Agency for Data Protection will be governed by the
provisions of Regulation (EU) 2016/679, of this organic law, by the regulatory
provisions issued in its development and, as long as they do not contradict
them, on a subsidiary basis, by the general rules on administrative procedures.”


                                           II
                                  Preliminary issues


In the present case, in accordance with the provisions of article 4.1 and 4.2 of
the RGPD, there is evidence of the processing of personal data, since BANCO
DE SABADELL collects and stores, among others, the following personal data of
natural persons: name and surname and financial data, among other processing
operations.


BANCO DE SABADELL carries out this activity in its capacity as data
controller, since it is the one that determines the purposes and means of such
activity, by virtue of article 4.7 of the RGPD. In addition, it is cross-border
processing, given that BANCO DE SABADELL is established in Spain, although it
provides services to other countries of the European Union.


The RGPD provides, in its article 56.1, for cases of cross-border processing
as defined in its article 4.23), in relation to the competence of the lead
supervisory authority, that, without prejudice to the provisions of article 55,
the supervisory authority of the main establishment or of the single
establishment of the controller or processor shall be competent to act as lead
supervisory authority for the cross-border processing carried out by that
controller or processor, in accordance with the procedure established in
article 60. In the case examined, as has been stated, BANCO DE SABADELL has its
main establishment in Spain, so the Spanish Agency for Data Protection is
competent to act as the lead supervisory authority.


For its part, article 15 of the RGPD and article 13 of the LOPDGDD regulate the
right of access of data subjects to their personal data.

                                            III
                                   Right of access


Article 15 “Right of access by the data subject” of the RGPD establishes:

"1. The data subject shall have the right to obtain from the controller
confirmation as to whether or not personal data concerning him or her are being
processed and, where that is the case, access to the personal data and the
following information:
       a) the purposes of the processing;
       b) the categories of personal data concerned;
       c) the recipients or categories of recipients to whom the personal data
       have been or will be disclosed, in particular recipients in
       third countries or international organisations;
       d) where possible, the envisaged period for which the personal data will
       be stored or, if not possible, the criteria used to determine that period;
       e) the existence of the right to request from the controller rectification
       or erasure of personal data or restriction of processing of personal
       data concerning the data subject, or to object to such processing;
       f) the right to lodge a complaint with a supervisory authority;
       g) where the personal data are not collected from the data subject, any
       available information as to their source;
       h) the existence of automated decision-making, including profiling,
       referred to in article 22, sections 1 and 4, and, at least in those
       cases, meaningful information about the logic involved, as well as the
       significance and the envisaged consequences of such processing for the
       data subject.


2. Where personal data are transferred to a third country or to an
international organisation, the data subject shall have the right to be
informed of the appropriate safeguards pursuant to Article 46 relating to the
transfer.

3. The controller shall provide a copy of the personal data undergoing
processing. For any further copies requested by the data subject, the
controller may charge a reasonable fee based on administrative costs. Where the
data subject makes the request by electronic means, and unless otherwise
requested by the data subject, the information shall be provided in a commonly
used electronic form.

4. The right to obtain a copy referred to in section 3 shall not adversely
affect the rights and freedoms of others”.


In this regard, article 13 "Right of access" of the LOPDGDD provides that:

"1. The right of access of the affected party will be exercised in accordance
with the provisions of Article 15 of Regulation (EU) 2016/679.
When the controller processes a large amount of data relating to the affected
party and the latter exercises the right of access without specifying whether it
refers to all or part of the data, the controller may request, before providing
the information, that the affected party specify the data or processing
activities to which the request refers.

2. The right of access shall be deemed granted if the controller provides the
affected party with a remote, direct and secure system of access to the
personal data that permanently guarantees access to all of it. For these
purposes, the communication by the controller to the affected party of the way
in which the latter may access said system will suffice to consider the request
to exercise the right fulfilled.
However, the affected party may request from the controller the information
referring to the matters provided for in article 15.1 of Regulation (EU)
2016/679 that is not included in the remote access system.

3. For the purposes established in article 12.5 of Regulation (EU) 2016/679,
the exercise of the right of access on more than one occasion within a period of
six months may be considered repetitive, unless there is legitimate cause for it.

4. When the affected party chooses a means other than the one offered that
involves a disproportionate cost, the request will be considered excessive, and
the affected party will bear the excess costs that this choice entails. In this
case, the controller will only be required to satisfy the right of access
without undue delay”.

In the present case, once the reasons stated by BANCO DE SABADELL, which are in
the file, have been considered, it has been verified that on 02/13/2019 the
bank answered the complaining party, providing the data that appeared in the
customer file, although the details of the transactions carried out were not
provided in that response.



However, the claimant exercised a generic right of access to their personal
data on January 29, 2019, without specifying any data, processing or purpose
that they wished to know about specifically. And in its reply, BANCO DE
SABADELL informed him of the contracts signed with this entity, among them the
Distance Banking contract, which allows him to view and check at any time the
movements of his accounts, positions and other operations with this entity.


In any case, being a client and holder of a Distance Banking contract, the
claimant had available, through a secure and easily accessible remote means,
information regarding the movements of all the positions held with BANCO DE
SABADELL, including the details of the transactions carried out.


Furthermore, the large amount of data that the data controller, as a
financial institution, processes about its clients, together with the data
protection information that BANCO DE SABADELL provides to data subjects, both
on its website and in the contractual documentation, about the numerous
processing operations it carries out, led it to interpret (inadequately, as
they now see) that the response given in 2019 covered the exercise of the right
of access of the complaining party, on the understanding that the data subject
already knew the general information about the data processing carried out by
the entity and that their interest was focused on knowing exactly what personal
data is used by the bank. The claimant's own request, which revealed a certain
familiarity with the RGPD, made them trust that providing the personal data
undergoing processing responded to the request adequately, without trying to
close off the possibility of offering greater detail on any specific processing
that could be of interest. The experience acquired during these years by BANCO
DE SABADELL in dealing with the exercise of data protection rights, as well as
the change of culture that both data subjects and entities have experienced,
has led them to carry out a continuous review of their practice in the matter
and, therefore, in order to prevent the exercise of the right of access from
being, in a certain way, distorted by an excess of information, given the large
amount of data they process, they offer the data subject the new possibility of
contacting the bank again if the expectation of information has not been
fulfilled, so as to maintain an open channel of communication.

In any case, once it was understood that the response to the exercise of the
right of access had not satisfied the complaining party, BANCO DE SABADELL
provided, on September 1, 2020, a new response to the exercise of rights of the
claimant party, covering all the aspects included in art. 15 of the RGPD, and
remained at his disposal to offer more detail about any matter that he deems
appropriate.

                                          IV

            Classification of a possible infringement of article 15 of the RGPD




The aforementioned infringement of article 15 of the RGPD could constitute one
of the infringements defined in article 83.5 of the RGPD, which under the heading
"General conditions for imposing administrative fines” provides:


“The infractions of the following dispositions will be sanctioned, in accordance with the
paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or,
in the case of a company, an amount equivalent to a maximum of 4% of the
global total annual turnover of the previous financial year, opting for
the largest amount:

       (…)
       b) the rights of the interested parties according to articles 12 to 22; (…)”

In this regard, the LOPDGDD, in its article 71 "Infringements", establishes that
“The acts and behaviors referred to in sections 4, 5 and 6 of article 83 of
Regulation (EU) 2016/679, as well as those that are contrary to this organic
law, constitute infringements.”

For the purposes of the limitation period, article 74 "Infringements considered
minor" of the LOPDGDD indicates:

“The remaining infringements of a merely formal nature of the articles
mentioned in paragraphs 4 and 5 of article 83 of Regulation (EU) 2016/679 are
considered minor and will prescribe after one year and, in particular, the
following:
       (…)
       c) Failure to respond to requests to exercise the rights established in
       Articles 15 to 22 of Regulation (EU) 2016/679, unless the provisions of
       article 72.1.k) of this organic law apply. (…)”

In the present case, on September 1, 2020, BANCO DE SABADELL would have
duly attended to the right of access requested by the complaining party.
Therefore, in the event that there is an infringement of article 15 of the RGPD,
such infringement would be prescribed, in accordance with the provisions of the
aforementioned article 74 of the LOPDGDD.

Thus, in accordance with the above, the Director of the Spanish Agency for
Data Protection
AGREES:


FIRST: PROCEED TO FILE these proceedings.

SECOND: NOTIFY this resolution to BANCO DE SABADELL, S.A.


In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure as
prescribed by art. 114.1.c) of Law 39/2015, of October 1, on the Common
Administrative Procedure of Public Administrations, and in accordance with the
provisions of arts. 112 and 123 of the aforementioned Law 39/2015, of October 1,
interested parties may optionally file an appeal for reconsideration before the
Director of the Spanish Data Protection Agency within one month from the day
following the notification of this resolution, or directly file a
contentious-administrative appeal before the Contentious-Administrative Chamber
of the National High Court, in accordance with the provisions of article 25 and
paragraph 5 of the fourth additional provision of Law 29/1998, of July 13,
regulating the Contentious-Administrative Jurisdiction, within two months from
the day after the notification of this act, as provided in article 46.1 of the
aforementioned Law.



                                                                                   940-110422
Mar España Martí
Director of the Spanish Data Protection Agency