AEPD (Spain) - TD/00325/2019: Difference between revisions

AEPD - TD/00325/2019
Authority:	AEPD (Spain)
Jurisdiction:	Spain
Relevant Law:	Article 12 GDPR Article 15 GDPR Article 56(2) GDPR Article 57(1)(f) GDPR
Type:	Complaint
Outcome:	Upheld
Decided:	n/a
Published:	3.02.2020
Fine:	None
Parties:	Health Department of Madrid Vs. Anonymous
National Case Number:	TD/00325/2019
European Case Law Identifier	n/a
Appeal:	n/a
Original Language:	Spanish
Original Source:	AEPD (in ES)

The DPA ordered a bank (KUTXABANK S.A.) to respond to a subject access request.

English Summary

Facts

A bank's client complained that they could not exercise their right to access after the bank has blocked his account due to debts. The bank refused to fulfill the request, claiming that it does not process personal data anymore since the account was blocked.

Dispute

Could the controller refuse to answer to a request for access because the requested data is part of a "blocked" account?

Holding

The AEPD found that as there is an ongoing relationship, the bank still holds personal data. The DPA ordered the bank to fulfill the data subject’s request within the ten working days following the decision. It further ordered the company to inform the AEPD during the same time period on its compliance with the decision. Lastly, it decided that the fact that the controller blocked the account cannot is irrelevant and the controller must comply with the request of access, as required by Article 15 GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the original. Please refer to the Spanish original for more details.

To be completed..