AEPD (Spain) - PD-00207-2022: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=PD-00207-2022 |ECLI= |Original_Source_Name_1=AEPD |Original_Source_Link_1=https://www.aepd.es/documento/pd-00207-2022.pdf |Original_Source_Language_1=Spanish |Original_Source_Language__Code_1=ES |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Language__Cod...") |
No edit summary |
||
Line 24: | Line 24: | ||
|Date_Decided=15.11.2024 | |Date_Decided=15.11.2024 | ||
|Date_Published= | |Date_Published= | ||
|Year= | |Year= | ||
|Fine= | |Fine= | ||
|Currency= | |Currency= |
Latest revision as of 08:52, 30 January 2024
AEPD - PD-00207-2022 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 12 GDPR Article 15 GDPR Article 15(3) GDPR Article 17 GDPR Article 31 GDPR Article 39 GDPR Article 55 GDPR Article 56(2) GDPR Article 57(1)(f) GDPR Article 12 LOPDGDD Article 13 LOPDGDD Article 37 LOPDGDD Article 47 LOPDGDD Article 48(6) LOPDGDD Article 50 LOPDGDD Article 64(1) LOPDGDD Article 64(2) LOPDGDD Article 65(4) LOPDGDD |
Type: | Complaint |
Outcome: | Rejected |
Started: | 06.07.2022 |
Decided: | 15.11.2024 |
Published: | |
Fine: | n/a |
Parties: | WORKING CAPITAL MANAGEMENT ESPAÑA |
National Case Number/Name: | PD-00207-2022 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | isabela.rosal.santos |
Spanish DPA dismisses the complaint of a data subject since the data controller did respond to the access and erasure request. The existence of an outstanding debt with the controller justifies the processing of the personal data.
English Summary
Facts
The data subject requested the access and the erasure of their personal data from the list of insolvent persons. The data was initially handled by the data controller, but there was a posterior change of control. Even though the data subject affirmed that their requests were not properly addressed by the initial controller, the company stated that all the answers were timely provided, including the change of control over the data.
Holding
The DPA dismissed the complaint of the data subject. Since the controller did provide timely and relevant information to the data controller and they have an outstanding debt with the controller, the complaint should not be upheld.
Comment
The Spanish DPA highlighted that, whenever possible, alternative mechanisms should be enforced over administrative sanctioning.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/6 File No.: EXP202205064 RESOLUTION NO.: R/01128/2022 Considering the claim made on April 6, 2022 before this Agency by A.A.A. (in hereinafter, the claiming party), against WORKING CAPITAL MANAGEMENT ESPAÑA, S.L. (hereinafter, the claimed party), because their right of access and deletion. The procedural actions provided for in Title VIII of the Law have been carried out Organic 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), the following have been verified FACTS FIRST: The complaining party exercised the right of access and deletion against the claimed, without his request having received the legally established response. The claimant states that his personal data is registered in systems common credit information in relation to a debt owed to the claimed entity which he does not know, so he requests the same information about the debt, as well as the deletion of your data. The complaining party provides various documentation related to the claim raised before this Agency and on the exercise of the right exercised. SECOND: In accordance with article 65.4 of the LOPDGDD, which has provided for a mechanism prior to the admission for processing of claims made before the AEPD, consisting of transferring them to the Data Protection Delegates designated by those responsible or in charge of the treatment, for the intended purposes in article 37 of the aforementioned norm, or to these when they have not been designated, transferred the claim to the claimed entity so that it could proceed with its analysis and respond to the complaining party and this Agency within a period of one month. THIRD: The result of the transfer procedure indicated in the previous Fact does not allowed the claims of the complaining party to be understood as satisfied. In consequently, dated July 6, 2022, for the purposes provided for in article 64.2 of the LOPDGDD, the Director of the Spanish Data Protection Agency agreed admit the claim presented for processing and the parties were informed that the deadline maximum to resolve this procedure, which is understood to have been initiated by said admission agreement for processing will be six months. The aforementioned agreement granted the claimed entity a hearing process, to that within a period of fifteen business days, present the allegations that it deems convenient. Said entity formulated, in summary, the following allegations: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/6 The claimed party states and certifies that it has informed the claimant of all the process by which the debt incurred passed from one company to another. Furthermore, regarding the delinquency files, I informed you: “…that your credit is included in the ASNEF asset solvency and credit file- EQUIFAX, also providing a copy of the information about you It appears at that time in the aforementioned asset solvency and credit file; and? During the period of 15 days from the date of said letter, your data will not be visible in the aforementioned file but that, if after said period it does not regularize its situation, your data will be visible in said file, appearing as a creditor Working Capital Management España, S.L…” The defendant affirms that there is a certain and enforceable debt and that he is the creditor of the same, documentary evidence in the allegations having requested the deletion of the claimant's data from the asset solvency entity, but states that the debt remains unpaid and therefore cannot delete the data. FOURTH: Once the allegations presented by the defendant have been examined, they are the subject of transfer to the complaining party, so that, within a period of fifteen business days, it can formulate allegations that he considers appropriate. As of the date of resolution of this claim, allegations have been made. FOUNDATIONS OF LAW FIRST: The Director of the Spanish Agency for Data Protection, in accordance with the provisions of section 2 of article 56 in in relation to section 1 f) of article 57, both of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 regarding the protection of natural persons with regard to the processing of personal data and the free circulation of this data (hereinafter referred to as GDPR); and in article 47 of the LOPDGDD. SECOND: In accordance with the provisions of article 55 of the RGPD, the Agency Spanish Data Protection Agency is competent to perform the functions that are assigned to it in its article 57, among them, to enforce the Regulation and promote awareness of data controllers and those in charge of processing about their obligations, as well as dealing with claims presented by an interested party and investigate the reason for them. Correlatively, article 31 of the RGPD establishes the obligation of those responsible and those in charge of processing to cooperate with the supervisory authority that requests it in the performance of their functions. In the event that they have designated a data protection officer, article 39 of the RGPD attributes to him the function of cooperate with said authority. In accordance with this regulation, prior to the admission for processing of the claim that gives rise to this procedure, it was transferred to the responsible entity to proceed with its analysis, provide a response to this Agency within a period of one month and proves that it has provided the claimant with the appropriate response, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/6 in the event of exercise of the rights regulated in articles 15 to 22 of the GDPR. Said agreement of admission to processing determines the opening of this procedure of lack of attention to a request to exercise the rights established in the articles 15 to 22 of the RGPD, regulated in article 64.1 of the LOPDGDD, according to the which: "1. When the procedure refers exclusively to the lack of attention of a request to exercise the rights established in articles 15 to 22 of the Regulation (EU) 2016/679, will begin by agreement of admission to processing, which will be will be adopted in accordance with the provisions of the following article. In this case, the period to resolve the procedure will be six months from from the date on which the claimant was notified of the admission agreement to Procedure. After this period, the interested party may consider his claim". It is not considered appropriate to clarify administrative responsibilities within the framework of a sanctioning procedure, the exceptional nature of which implies that it is opted, whenever possible, due to the prevalence of alternative mechanisms that have protection in current regulations. It is the exclusive responsibility of this Agency to assess whether there are responsibilities administrative actions that must be purged in a sanctioning procedure and, in consequently, the decision on its opening, there being no obligation to initiate a procedure for any request made by a third party. Such a decision must be based on the existence of elements that justify said start of the activity sanctioning, circumstances that do not occur in the present case, considering that With this procedure, the guarantees are duly restored and rights of the claimant. THIRD: The rights of people regarding data protection personal data are regulated in articles 15 to 22 of the RGPD and 13 to 18 of the LOPDGDD. The rights of access, rectification, deletion, opposition, right to limitation of processing and right to portability. The formal aspects related to the exercise of these rights are established in the articles 12 of the RGPD and 12 of the LOPDGDD. Furthermore, what is expressed in Considering 59 and following of the GDPR. In accordance with the provisions of these regulations, the person responsible for the treatment must arbitrate formulas and mechanisms to facilitate the interested party in the exercise of their rights. rights, which will be free (without prejudice to the provisions of articles 12.5 and 15.3 of the RGPD), and is obliged to respond to requests made no later than a month, unless you can demonstrate that you are not in a position to identify the interested, and to express his reasons in case he was not going to attend said application. It falls on the person responsible to prove compliance with the duty of respond to the request to exercise their rights made by the affected party. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/6 The communication addressed to the interested party on the occasion of their request must be expressed in a concise, transparent, intelligible and easily accessible manner, with a clear and simple language. In the case of the right of access to personal data, in accordance with the established in article 13 of the LOPDGDD, when the exercise of the right is refers to a large amount of data, the person responsible may request the affected person to specify the “data or processing activities to which the request refers”. He The right will be deemed granted if the person responsible provides remote access to the data, considering the request has been attended to (although the interested party may request the information referring to the extremes provided for in article 15 of the RGPD). The exercise of this right may be considered repetitive on more than one occasion. during the period of six months, unless there is legitimate cause for it. On the other hand, the request will be considered excessive when the affected party chooses a means different from the one offered that entails a disproportionate cost, which must be assumed by the affected person. FOURTH: Article 17 of the RGPD, which regulates the right to deletion of data personal, establishes the following: "1. The interested party will have the right to obtain without undue delay from the person responsible for the processing the deletion of personal data that concerns you, which will be obliged to delete personal data without undue delay when any of the following circumstances: a) the personal data are no longer necessary in relation to the purposes for which they were were collected or otherwise treated; b) the interested party withdraws the consent on which the treatment is based in accordance with Article 6(1)(a) or Article 9(2)(a) and this is not based on another legal basis; c) the data subject objects to the processing in accordance with Article 21(1) and does not other legitimate reasons for the processing prevail, or the interested party opposes the treatment pursuant to Article 21(2); d) the personal data have been processed unlawfully; e) personal data must be deleted for compliance with a legal obligation established in the law of the Union or of the Member States that applies to the responsible for the treatment; f) the personal data have been obtained in relation to the offer of services of the information society mentioned in Article 8, paragraph 1. 2. When you have made personal data public and are obliged, by virtue of the provided in section 1, to delete said data, the data controller, taking into account the available technology and the cost of its application, it will adopt reasonable measures, including technical measures, with a view to informing responsible parties who are processing the personal data of the interested party's request for deletion of any link to that personal data, or any copy or replication of the same. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/6 3. Sections 1 and 2 will not apply when treatment is necessary: a) to exercise the right to freedom of expression and information; b) for compliance with a legal obligation that requires data processing imposed by Union or Member State law applicable to the responsible for the treatment, or for the fulfillment of a mission carried out in the interest public or in the exercise of public powers conferred on the person responsible; c) for reasons of public interest in the field of public health in accordance with Article 9, paragraph 2, letters h) and i), and paragraph 3; d) for archival purposes in the public interest, scientific or historical research purposes or statistical purposes, in accordance with Article 89(1), to the extent that the right indicated in paragraph 1 could make it impossible or hinder seriously the achievement of the objectives of said treatment, or e) for the formulation, exercise or defense of claims.” FIFTH: In the case analyzed here, the complaining party exercised its rights of access and deletion and these have been addressed, access has been facilitated and reasonedly denied deletion. The claimed entity certifies that it gave response to the claimant's request by letter dated 02/19/2022 and that in dated 09/15/2022 sent the response again. The claimant incurred a debt with one entity and the debt was assigned to another. This second entity, current creditor of the debt and party claimed in this claim, proves having informed the claimant of the entire claim procedure. change of credit institution, likewise, proves having informed the claimant of the inclusion in a file of asset solvency in the event of non-payment. Based on the foregoing, considering that this procedure has as its object that the guarantees and rights of those affected are duly restored, and since there is an outstanding debt and the claimed party complies with the regulations denying with reasons, this claim is rejected. Considering the aforementioned precepts and others of general application, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: DISMISS the claim made by A.A.A. vs. WORKING CAPITAL MANAGEMENT ESPAÑA, S.L. SECOND: NOTIFY this resolution to A.A.A. and WORKING CAPITAL MANAGEMENT ESPAÑA, S.L. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within a period of one month to count from the day following the notification of this resolution or directly contentious-administrative appeal before the Contentious-administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/6 the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the referred Law. 1195-281022 Sea Spain Martí Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es