AEPD (Spain) - EXP202202937: Difference between revisions
Revision as of 18:56, 26 February 2024
AEPD - EXP202202937 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 12 GDPR Article 17 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 08.02.2022 |
Decided: | 26.08.2022 |
Published: | 26.08.2022 |
Fine: | n/a |
Parties: | ABANCA CORPORACIÓN BANCARIA, S.A. |
National Case Number/Name: | EXP202202937 |
European Case Law Identifier: | n/a |
Appeal: | Not appealed |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | mgrd |
The Spanish DPA formally notified a bank, ABANCA, acting as controller, for not replying to a data subject's exercise of rights, in violation of Article 12 GDPR.
English Summary
Facts
On February 8, 2022 the data subject filed a complaint with the AEPD against ABANCA CORPORACIÓN BANCARIA, S.A. for not responding to an access request.
The data subject also approached LEXER, the credit recovery company for ABANCA, requesting the immediate cessation of harassment by telephone, mail and letters demanding money recovery from the data subject.
LEXER answered that the communications regarding the debt with ABANCA were sent to the data subject because LEXER provides a money recovery service for ABANCA, and that it would immediately stop the processing.
LEXER stated that the first complaint made by the data subject was not considered an exercise of rights because the data subject did not specify any of the rights in data protection laws.
ABANCA attributed the failure to immediately address the data subject's request to an internal error at LEXER, which did not communicate the request for data suppression to ABANCA in a timely manner.
Holding
The AEPD highlighted that the controller must reply to the data subject's exercise of rights within 30 days, except in cases where it cannot identify the data subject, and must justify its reasons.
The AEPD stated that, according to the documentation provided, the data subject exercised the right to deletion of his data and that LEXER did not forward the request to ABANCA. In addition, ABANCA, after becoming aware of the request through the procedure at hand, denied the request, citing contractual relations still in force, which included debts, as justification for refusing to erase the complainant's data.
The AEPD decided to formally notify ABANCA regarding the data subject's exercise of rights, without any further proceedings, since ABANCA later replied to the data subject.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: EXP202202937

RESOLUTION NO.: R/00818/2022

Considering the claim made on February 8, 2022 before this Agency by D. A.A.A. against ABANCA CORPORACIÓN BANCARIA, S.A. (hereinafter, the claimed party), because their right to deletion has not been duly attended to, and the procedural actions provided for in Title VIII of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD) having been carried out, the following have been verified:

FACTS

FIRST: D. A.A.A. (hereinafter, the complaining party) submitted a document to ABANCA CORPORACIÓN BANCARIA, S.A. (hereinafter, the claimed party, or Abanca) indicating that the data contained in the CIRBE File is erroneous, and requesting “(…) agree to the rectification of the statements corresponding to the appearing at the CIRBE, canceling my data and deregistering me all legally established effects (…)”

Likewise, the claimant addressed LEXER requesting “(…) that they order the immediate termination of harassment by telephone, email, letters,... against me for the demand of any type of collection, both on me and on possible related third parties.)”

This entity answered him, regarding the communications that have been sent to him for a debt with Abanca, “(…) that our organization only provides a recovery on account of the Abanca entity, as Data Processor of personal data according to the definition of article 33 of Organic Law 3/2018 (…). However, we would like to inform you that we will proceed to immediately paralyze the procedures associated with your file, in a preventive manner, until what happened is clarified.”

SECOND: In accordance with article 65.4 of the LOPDGDD, which has provided for a mechanism prior to the admission for processing of claims made before the AEPD, consisting of transferring them to the Data Protection Delegates designated by those responsible or in charge of the treatment, for the purposes provided for in article 37 of the aforementioned norm, or to these when they have not been designated, the claim was transferred to the two entities so that they could proceed with their analysis and respond to the complaining party and this Agency within a period of one month.

- The representation of Lexer Servicios Integrales de Recovery S.L.U., formerly called Cobralia Servicios Integrales de Recovery S.L., noted that the first claim received was not considered an exercise of rights given that the claimant did not specify any of the rights of data protection regulations, and requested the “cessation of communications”, “harassment” and “claiming debts”.

"Notwithstanding the above, and given that LSIR processed the claimant's data in its capacity as data processor, in accordance with our internal procedures, that same day, 01/27/2022, we informed the person responsible for the treatment, to obtain instructions for action on its part. Once the confirmation of the suspension of efforts by the person responsible was received, that same day, LSIR proceeded to said stoppage, with the corresponding marking in the management program.

On 02/14/2022, due to an internal error, of an exceptional nature, that has already been resolved, the contact details of the complainant were reactivated, which caused the debt claims service by LSIR to begin again. That same day, an email was received from the claimant, apparently with the same content as the claim received from you on 01/27/2022, so that at that time, as happened with the claim of 01/27/2022, it was not processed as an exercise of rights by the claimant.

However, currently and due to the request for information received from the AEPD, we have been able to establish that said communication did include the request for the right of deletion. In this sense, LSIR has put in place all the necessary steps to process said right, transferring the request to the person responsible for the treatment.”

It provides a copy of the response sent to the claimant, dated April 27, 2022, informing him that his request has been transferred to the person responsible for the treatment.

- There is no record that this Agency has received any response from Abanca.

THIRD: The result of the transfer procedure indicated in the previous Fact did not allow the claims of the complaining party to be understood as satisfied. Consequently, on May 8, 2022, for the purposes provided for in article 64.2 of the LOPDGDD, the Director of the Spanish Data Protection Agency agreed to admit the claim presented for processing and the parties were informed that the maximum period to resolve this procedure, which is understood to have been initiated through said admission agreement for processing, will be six months.

The aforementioned agreement granted Abanca a hearing process, so that within a period of fifteen business days it could present the allegations it deems appropriate. Said entity stated, in summary, that “(…) the claimant maintains active contractual relations with the entity derived from the subscription of different financial products and/or services, maintaining, at the date of filing said claim, debtor positions with the entity. Likewise, it is confirmed that Abanca commissioned the company Lexer the management for the collection of the debt of Mr. (…); Lexer accordingly acting in its capacity as Data Processor of the data for which Abanca is responsible for the treatment.”

It indicates that Lexer responded to the claimant, after his request of February 1, 2022, and following the instructions sent by Abanca in relation to his file, informing him of the suspension of the procedures associated with it.

Notwithstanding the above, due to an internal error by Lexer, the new request to cease communications related to the management of his debt and the exercise of the right to deletion of his data presented by the claimant was not transferred to Abanca, which made it impossible for Abanca to give a timely response to the interested party, in addition to constituting a breach of the obligations stipulated in the data processing contract signed between Abanca and Lexer.

Following the transfer of the claim made by this Agency, Lexer informed Abanca of the receipt of the claimant's deletion request. For this reason, and after the corresponding investigations, Abanca responded to the complainant indicating that “(…) it is not possible to attend to your request since you currently maintain active positions with the Entity. (…) To proceed with the deregistration of your personal data in this entity, it is necessary that you previously proceed to cancel your positions”, providing a copy of the letter sent.

FOURTH: Once the allegations presented by the defendant had been examined, they were transferred to the complaining party, so that, within a period of fifteen business days, it could formulate the allegations that it considers appropriate, without any response being recorded in this Agency.
FOUNDATIONS OF LAW

FIRST: The Director of the Spanish Agency for Data Protection, in accordance with the provisions of section 2 of article 56 in relation to section 1 f) of article 57, both of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 regarding the protection of natural persons with regard to the processing of personal data and the free circulation of this data (hereinafter referred to as GDPR); and in article 47 of the LOPDGDD.

SECOND: In accordance with the provisions of article 55 of the GDPR, the Spanish Data Protection Agency is competent to perform the functions that are assigned to it in its article 57, among them, to enforce the Regulation and promote awareness of data controllers and those in charge of processing about their obligations, as well as dealing with claims presented by an interested party and investigating the reason for them.

Correlatively, article 31 of the GDPR establishes the obligation of those responsible and those in charge of processing to cooperate with the supervisory authority that requests it in the performance of their functions. In the event that they have designated a data protection officer, article 39 of the GDPR attributes to him the function of cooperating with said authority.

Likewise, the domestic legal system, in article 65.4 of the LOPDGDD, has provided for a mechanism prior to the admission for processing of claims that are formulated before the Spanish Data Protection Agency, which consists of transferring them to the data protection delegates designated by those responsible or in charge of the treatment, for the purposes provided for in article 37 of the aforementioned norm, or to these when they have not been designated, to proceed to the analysis of said claims and to respond to them within a period of one month.

In accordance with this regulation, prior to the admission for processing of the claim that gives rise to this procedure, it was transferred to the responsible entity to proceed with its analysis, provide a response to this Agency within a period of one month and prove that it has provided the claimant with the appropriate response, in the event of exercise of the rights regulated in articles 15 to 22 of the GDPR.

The result of said transfer did not allow the claims of the complaining party. Consequently, on May 8, 2022, for the purposes provided for in article 64.2 of the LOPDGDD, the Director of the Spanish Agency for Data Protection agreed to accept the claim presented for processing. Said admission agreement for processing determines the opening of this procedure for lack of attention to a request to exercise the rights established in articles 15 to 22 of the GDPR, regulated in article 64.1 of the LOPDGDD, according to which:

"1. When the procedure refers exclusively to the lack of attention of a request to exercise the rights established in articles 15 to 22 of Regulation (EU) 2016/679, it will begin by agreement of admission to processing, which will be adopted in accordance with the provisions of the following article.

In this case, the period to resolve the procedure will be six months from the date on which the claimant was notified of the agreement of admission to processing. After this period, the interested party may consider his claim".

It is not considered appropriate to clarify administrative responsibilities within the framework of a sanctioning procedure, the exceptional nature of which implies that, whenever possible, alternative mechanisms that have protection in current regulations are preferred.

It is the exclusive responsibility of this Agency to assess whether there are administrative responsibilities that must be purged in a sanctioning procedure and, consequently, the decision on its opening, there being no obligation to initiate a procedure for any request made by a third party. Such a decision must be based on the existence of elements that justify said start of the sanctioning activity, circumstances that do not occur in the present case, considering that with this procedure the guarantees and rights of the claimant are duly restored.

THIRD: The rights of people regarding the protection of personal data are regulated in articles 15 to 22 of the GDPR and 13 to 18 of the LOPDGDD. The rights of access, rectification, deletion, opposition, right to limitation of processing and right to portability.

The formal aspects related to the exercise of these rights are established in articles 12 of the GDPR and 12 of the LOPDGDD. Furthermore, what is expressed in Recital 59 and following of the GDPR.

In accordance with the provisions of these regulations, the person responsible for the treatment must arbitrate formulas and mechanisms to facilitate the interested party in the exercise of their rights, which will be free (without prejudice to the provisions of articles 12.5 and 15.3 of the GDPR), and is obliged to respond to requests made no later than a month, unless it can demonstrate that it is not in a position to identify the interested party, and to express its reasons in case it was not going to attend said application. It falls on the person responsible to prove compliance with the duty to respond to the request to exercise their rights made by the affected party.

The communication addressed to the interested party on the occasion of their request must be expressed in a concise, transparent, intelligible and easily accessible manner, with clear and simple language.
In the case of the right of access to personal data, in accordance with the provisions of article 13 of the LOPDGDD, when the exercise of the right refers to a large amount of data, the person responsible may request the affected person to specify the “data or processing activities to which the request refers”. The right will be deemed granted if the person responsible provides remote access to the data, considering the request has been attended to (although the interested party may request the information referring to the extremes provided for in article 15 of the GDPR).

The exercise of this right may be considered repetitive on more than one occasion during the period of six months, unless there is legitimate cause for it.

On the other hand, the request will be considered excessive when the affected party chooses a means different from the one offered that entails a disproportionate cost, which must be assumed by the affected person.

FOURTH: Article 17 of the GDPR, which regulates the right to deletion of personal data, establishes the following:

"1. The interested party will have the right to obtain without undue delay from the person responsible for the processing the deletion of personal data that concerns them, and the person responsible will be obliged to delete personal data without undue delay when any of the following circumstances occurs:

a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise treated;

b) the interested party withdraws the consent on which the treatment is based in accordance with Article 6(1)(a) or Article 9(2)(a) and this is not based on another legal basis;

c) the data subject objects to the processing in accordance with Article 21(1) and no other legitimate reasons for the processing prevail, or the interested party opposes the treatment pursuant to Article 21(2);

d) the personal data have been processed unlawfully;

e) personal data must be deleted for compliance with a legal obligation established in the law of the Union or of the Member States that applies to the person responsible for the treatment;

f) the personal data have been obtained in relation to the offer of information society services mentioned in Article 8, paragraph 1.

2. When it has made personal data public and is obliged, by virtue of the provisions of section 1, to delete said data, the data controller, taking into account the available technology and the cost of its application, will adopt reasonable measures, including technical measures, with a view to informing responsible parties who are processing the personal data of the interested party's request for deletion of any link to that personal data, or any copy or replication of the same.

3. Sections 1 and 2 will not apply when treatment is necessary:

a) to exercise the right to freedom of expression and information;

b) for compliance with a legal obligation that requires data processing imposed by Union or Member State law applicable to the person responsible for the treatment, or for the fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred on the person responsible;

c) for reasons of public interest in the field of public health in accordance with Article 9, paragraph 2, letters h) and i), and paragraph 3;

d) for archival purposes in the public interest, scientific or historical research purposes or statistical purposes, in accordance with Article 89(1), to the extent that the right indicated in paragraph 1 could make impossible or seriously hinder the achievement of the objectives of said treatment, or

e) for the formulation, exercise or defense of claims.”

FIFTH: Article 4 of the GDPR, Definitions, establishes that “For the purposes of this Regulation it will be understood as: (…)

8) "processor": the natural or legal person, public authority, service or other body that processes personal data on behalf of the person responsible for the treatment; (…)”

Article 28 of the GDPR, Data Processor, provides that:

"1. When treatment is to be carried out on behalf of a person responsible for the treatment, the latter will only choose a processor who offers sufficient guarantees to apply appropriate technical and organizational measures, so that the treatment complies with the requirements of this Regulation and ensures the protection of the rights of the interested party.

2. (…)

3. The treatment by the processor will be governed by a contract or other legal act under the law of the Union or of the Member States, binding the processor with regard to the person responsible and establishing the object, duration, nature and purpose of the processing, the type of personal data and categories of interested parties, and the obligations and rights of the person responsible. Said contract or legal act will stipulate, in particular, that the processor:

a) will process personal data only following documented instructions from the controller, including with respect to transfers of personal data to a third country or an international organization, unless it is obliged to do so under Union or Member State law that applies to the processor; in this case, the processor will inform the person responsible of that legal requirement prior to treatment, unless such law prohibits it for important reasons of public interest;

b) will ensure that the persons authorized to process personal data have agreed to respect confidentiality or are subject to a confidentiality obligation of a statutory nature;

c) will take all necessary measures in accordance with article 32;

d) will respect the conditions indicated in sections 2 and 4 to resort to another processor;

e) will assist the person responsible, taking into account the nature of the treatment, through appropriate technical and organizational measures, whenever possible, so that it can fulfill its obligation to respond to the requests that have as their object the exercise of the rights of interested parties established in chapter III;

f) will help the person responsible to ensure compliance with the obligations established in articles 32 to 36, taking into account the nature of the treatment and the information available to the processor;

g) at the discretion of the controller, will delete or return all personal data once the provision of the treatment services ends, and will delete the existing copies unless retention of the personal data is required under Union or Member State law;

h) will make available to the person responsible all the information necessary to demonstrate compliance with the obligations established in this article, as well as to allow and contribute to the performance of audits, including inspections, by the person responsible or another auditor authorized by said person responsible.

In relation to the provisions of letter h) of the first paragraph, the processor will immediately inform the controller if, in its opinion, an instruction violates this Regulation or other data protection provisions of the Union or the Member States.

4. (…)"

SIXTH: In the present case, from the analysis of the documentation provided, it has been proven that the claimant requested the right to delete their personal data and that the person in charge of treatment did not transfer said request to the person responsible for the treatment, Abanca, to process it.

However, upon becoming aware of it through this procedure, Abanca has proceeded to respond to the claimant denying the requested deletion as there are current contractual relationships.

Consequently, the claim must be upheld for formal reasons.

Considering the aforementioned precepts and others of general application, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: UPHOLD for formal reasons the claim made by Mr. A.A.A. against ABANCA CORPORACIÓN BANCARIA, S.A. However, the issuance of new certification by said entity, having issued the response extemporaneously, without requiring the performance of actions additional information from the person responsible.

SECOND: NOTIFY this resolution to D. A.A.A. and ABANCA CORPORACIÓN BANCARIA, S.A.

In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure in accordance with article 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within a period of one month counting from the day following the notification of this resolution, or directly a contentious-administrative appeal before the Contentious-administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the referred Law.

1195-020622

Mar España Martí
Director of the Spanish Data Protection Agency

C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es