AEPD (Spain) - EXP202202183: Difference between revisions

From GDPRhub
(changed the phrasing)
 
(2 intermediate revisions by 2 users not shown)
Line 67: Line 67:
}}
}}


Spanish DPA dismissed a claim under Articles 6 and 15 GDPR concerning access to a phone call recorded without consent.
The Spanish DPA dismissed a claim under [[Article 6 GDPR|Articles 6]] and [[Article 15 GDPR|15 GDPR]] concerning access to a phone call recorded without consent. The DPA concluded that the controller had a valid legal basis for the recording and satisfied the access request by providing a transcript of the phone call.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
On 17 January 2022, A.A.A. (the complainant) filed an access request against ESCO EXPANSION, S.L.. On 18 January 2022, the complainant received a call informing that their request would be transferred to CAIXABANK, S.A (the controller) who was responsible for the corresponding procedure. The complainant requested access to the phone call, to whose recording they could not object. In response, the controller provided only a transcript of the phone conversation. Consequently, the complainant sent another letter specifically requesting a "copy of the call".  The controller explained that the recording could not be provided and must be requested from superior instances.   
On 17 January 2022, A.A.A. (the complainant) filed an access request against ESCO EXPANSION, S.L.. On 18 January 2022, the complainant received a call informing that their request would be transferred to CAIXABANK, S.A (the controller) who was responsible for the corresponding procedure.  
 
The complainant requested access to the phone call, to whose recording they could not object. In response, the controller provided only a transcript of the phone conversation. Consequently, the complainant sent another letter specifically requesting a "copy of the call".  The controller explained that the recording could not be provided and must be requested from superior instances.   


Since the requests of the complainant were not fulfilled, on 26 January 2022, they started a claim against the controller before the Spanish DPA. The complaint was based on two grounds. First, in what format should the copy of the phone call be provided. Second, whether the controller had lawfully recorded the call.   
Since the requests of the complainant were not fulfilled, on 26 January 2022, they started a claim against the controller before the Spanish DPA. The complaint was based on two grounds. First, in what format should the copy of the phone call be provided. Second, whether the controller had lawfully recorded the call.   

Latest revision as of 12:37, 13 December 2023

AEPD - PD-00127-2022
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Article 15 GDPR
Article 13 LOPDGDD
Type: Complaint
Outcome: Rejected
Started: 26.01.2022
Decided:
Published: 08.09.2022
Fine: n/a
Parties: ESCO EXPANSION, S.L.
CAIXABANK, S.A
National Case Number/Name: PD-00127-2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish DPA dismissed a claim under Articles 6 and 15 GDPR concerning access to a phone call recorded without consent. The DPA concluded that the controller had a valid legal basis for the recording and satisfied the access request by providing a transcript of the phone call.

English Summary

Facts

On 17 January 2022, A.A.A. (the complainant) filed an access request against ESCO EXPANSION, S.L.. On 18 January 2022, the complainant received a call informing that their request would be transferred to CAIXABANK, S.A (the controller) who was responsible for the corresponding procedure.

The complainant requested access to the phone call, to whose recording they could not object. In response, the controller provided only a transcript of the phone conversation. Consequently, the complainant sent another letter specifically requesting a "copy of the call". The controller explained that the recording could not be provided and must be requested from superior instances.

Since the requests of the complainant were not fulfilled, on 26 January 2022, they started a claim against the controller before the Spanish DPA. The complaint was based on two grounds. First, in what format should the copy of the phone call be provided. Second, whether the controller had lawfully recorded the call.

Holding

First, the Spanish DPA emphasised that the voice constitutes personal data as it renders a person identifiable and, therefore, is protected under the GDPR and Spanish law. At the same time, recordings of phone calls also contain information about third parties, which cannot be disclosed without a valid legal basis. The DPA concluded that since the controller provided a transcript of the recording, the right of access as provided for in Article 15 GDPR and Article 13 LOPDGDD was exercised.

Secondly, the DPA noted that a valid legal basis under Article 6(1) GDPR is required in order to record a phone call without the consent of the data subject. In the present case, the recording was necessary for the performance of a contract. Hence, the recording of the phone call with the complainant was lawful and did not require their consent.

As a result, the DPA dismissed the claim.


Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.


1/7
 File No.: EXP202202183
RESOLUTION No.: R/00728/2022
Considering the claim made on January 26, 2022 before this Agency by D.
A.A.A., against CAIXABANK, S.A., for not having duly addressed their right
of access.
Carrying out the procedural actions provided for in Title VIII of the Law
Organic 3/2018, of December 5, on the Protection of Personal Data and guarantee of
digital rights (hereinafter LOPDGDD), the following have been verified
FACTS
FIRST: On January 17, 2022, Ms. A.A.A. (hereinafter the part
claimant) exercised the right of access against ESCO EXPANSION, S.L. (duty manager
of treatment, hereinafter, in charge) CAIXABANK, S.A. with NIF A08663619
(responsible for the treatment, hereinafter, the claimed one), without your request having
received the legally established reply.
The complaining party states that it exercises its right before ESCO EXPANSION, S.L.
in relation to a call received from this entity on behalf of CAIXABANK S.A.,
receiving a response on January 18, 2022 informing him that "in
In relation to the request regarding the exercise of the right of access, indicate that it has been
proceeded to transfer it to the data controller, CAIXABANK S.A., for
to proceed with the corresponding procedure".
The claimant party through the signed claim, apparently by his partner D.
B.B.B., shows that the person in charge carried out a telephone recording without
that would allow him to oppose it. That the name of the DPD has not been provided
of the person in charge, the transcription of the recording is provided and the recording is not provided
voice.
In the second letter he expressly requests "a copy of the call", which according to
manifest has not been delivered to you. From what has been provided, it can be deduced that the SAC of
CAIXABANK told you that it cannot provide you with the recording, and you must request it from
superior instances, facilitating the transcription of the telephone conversation, in the
which include both the manifestations of the affected person and those of her partner.
The complaining party provides various documentation related to the claim raised
before this Agency and on the exercise of the exercised right, among which
find a decalogue of telephone harassment of the Andalusian Ombudsman.
SECOND: In accordance with article 65.4 of the LOPDGDD, which has provided for a
mechanism prior to the admission to processing of the claims that are formulated before
the AEPD, consisting of transferring them to the Data Protection Delegates
designated by those responsible or in charge of the treatment, for the purposes foreseen
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
2/7
in article 37 of the aforementioned rule, or to these when they have not been designated,
transferred the claim to the claimed entity so that it could proceed with its
analysis and respond to the complaining party and this Agency within a
month.
The representative/Delegate of Data Protection of the claimed party states that, the
person filing the claim on behalf of the claiming party does not prove their
representation.
That the claim brings about a mortgage contract in default and with
the purpose of monitoring compliance with contracts with
monetary obligations, contracts with external agencies to carry out actions of
debt collection management in order to offer alternatives and regularize possible
default situations. In the course of these calls, agreements are reached that
contractual conditions with clients are modified (for example, the
deadlines or fees to pay), so the call is recorded for the purpose of
document the contractual modification.
That the person in charge of the treatment transferred the claim and the due response was given
to the requested access, facilitating the transcriptions of the recorded calls, in the
letter that was sent to him on February 14, 2022, for which due due
response to the access request.
THIRD: The result of the transfer process indicated in the previous Fact does not
allowed to understand satisfied the claims of the claimant. In
Consequently, on April 26, 2022, for the purposes provided in its article
64.2 of the LOPDGDD, the Director of the Spanish Agency for Data Protection
agreed to admit the submitted claim for processing and the maximum term to resolve the
this procedure, which is understood to have been initiated by said admission agreement
to be processed, it will be six months.
The aforementioned agreement granted the respondent entity a hearing procedure, to
that within a period of fifteen business days present the allegations that it deems
convenient. Said entity made, in summary, the following allegations:
That is reiterated in the content of the previous letter provided to this Agency, where
expose the actions carried out to comply with their obligations as
responsible for treatment in relation to the issues raised in the
transferred requirement.
Taking into account that the provisions of the regulations of
data protection, and the existence of reasonable doubt, has not proceeded to send
additional response to the one already sent and that is also attached to the brief of
claim filed with the Agency, to avoid incurring the risk of disclosing
personal or financial information to someone who does not happen to be the owner.
FOURTH: After examining the allegations presented by the respondent, they are subject to
transfer to the complaining party, so that, within fifteen business days, it can formulate
allegations it deems appropriate, without receiving a response.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
3/7
FOUNDATIONS OF LAW
FIRST: The Director of the Spanish Agency for
Data Protection, in accordance with the provisions of section 2 of article 56 in
in relation to section 1 f) of article 57, both of Regulation (EU) 2016/679 of the
European Parliament and of the Council of April 27, 2016 on the protection of
individuals with regard to the processing of personal data and the free
circulation of these data (hereinafter GDPR); and in article 47 of the Law
Organic 3/2018, of December 5, on the Protection of Personal Data and guarantee of
digital rights (hereinafter LOPDGDD).
SECOND: In accordance with the provisions of article 55 of the RGPD, the Agency
Spanish Data Protection is competent to perform the functions that
are assigned to it in its article 57, among them, that of enforcing the Regulation and
promote awareness of controllers and processors
about the obligations incumbent on them, as well as dealing with claims
presented by an interested party and investigate the reason for them.
Correlatively, article 31 of the RGPD establishes the obligation of those responsible
and those in charge of the treatment to cooperate with the control authority that requests it in
the performance of their duties. In the event that they have appointed a
data protection delegate, article 39 of the RGPD attributes to it the function of
cooperate with that authority.
Similarly, the domestic legal system, in article 65.4 of the LOPDGDD, has
foreseen a mechanism prior to the admission to processing of the claims that are
formulated before the Spanish Agency for Data Protection, which consists of giving
transfer of the same to the data protection delegates designated by the
responsible or in charge of the treatment, for the purposes provided in article 37 of
the aforementioned norm, or to these when they have not been designated, so that they proceed to the
analysis of said claims and to respond to them within a month.
In accordance with this regulation, prior to the admission for processing of the
claim that gives rise to this procedure, it was transferred to the
responsible entity to proceed with its analysis, respond to this Agency
within a month and prove that they have provided the claimant with the due response,
in the event of exercising the rights regulated in articles 15 to 22 of the
GDPR.
The result of said transfer did not allow to understand satisfied the claims of the
claiming party. Consequently, on April 26, 2022, for the purposes
provided for in article 64.2 of the LOPDGDD, the Director of the Spanish Agency for
Data Protection agreed to admit the submitted claim for processing. Saying
agreement of admission to procedure determines the opening of the present procedure of
lack of attention to a request to exercise the rights established in the
articles 15 to 22 of the RGPD, regulated in article 64.1 of the LOPDGDD, according to the
which:
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
4/7
"1. When the procedure refers exclusively to the lack of attention of a
request to exercise the rights established in articles 15 to 22 of the
Regulation (EU) 2016/679, will start by agreement of admission to process, which will be
shall adopt in accordance with the provisions of the following article.
In this case, the term to resolve the procedure will be six months from
from the date on which the claimant was notified of the admission agreement to
Procedure. Once this period has elapsed, the interested party may consider their
claim".
The purging of administrative responsibilities in the framework of the
of a sanctioning procedure, whose exceptional nature implies that it is chosen,
whenever possible, due to the prevalence of alternative mechanisms that have
protection in current regulations.
It is the exclusive competence of this Agency to assess whether there are responsibilities
administrative that must be purged in a sanctioning procedure and, in
consequently, the decision on its opening, not existing obligation to initiate a
procedure before any request made by a third party. Such a decision must
be based on the existence of elements that justify said start of the activity
sanctioning, circumstances that do not concur in the present case, considering that
With this procedure, the guarantees and guarantees are duly restored.
claimant's rights.
THIRD: The rights of individuals in terms of data protection
personal data are regulated in articles 15 to 22 of the RGPD and 13 to 18 of the
LOPDGDD. The rights of access, rectification, deletion,
opposition, right to limitation of treatment and right to portability.
The formal aspects related to the exercise of these rights are established in the
articles 12 of the RGPD and 12 of the LOPDGDD.
It also takes into account what is expressed in Considerations 59 and following of the
GDPR.
In accordance with the provisions of these rules, the data controller
must arbitrate formulas and mechanisms to facilitate the interested party in the exercise of their
rights, which will be free (without prejudice to the provisions of articles 12.5 and 15.3
of the RGPD), and is obliged to respond to the requests made no later than one
month, unless you can show that you are unable to identify the
interested party, and to express his reasons in case he was not going to attend said
request. The proof of compliance with the duty of
respond to the request to exercise their rights made by the affected party.
The communication addressed to the interested party on the occasion of their request must
be expressed in a concise, transparent, intelligible and easily accessible manner, with a
clear and simple language.
Regarding the right of access to personal data, in accordance with the
established in article 13 of the LOPDGDD, when the exercise of the right is
refers to a large amount of data, the person in charge may request the affected party to
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
5/7
specify the “data or treatment activities to which the request refers”. The
right will be understood granted if the person in charge provides remote access to the data,
taking the request as granted (although the interested party may request the information
referring to the ends provided for in article 15 of the RGPD).
The exercise of this right may be considered repetitive on more than one occasion.
for a period of six months, unless there is legitimate cause for it.
On the other hand, the request will be considered excessive when the affected party chooses a means
other than the one offered that involves a disproportionate cost, which must be
assumed by the affected party.
FOURTH: In accordance with the provisions of article 15 of the RGPD and article 13 of the
LOPDGDD, "the interested party has the right to obtain from the data controller
confirmation of whether or not personal data concerning you is being processed and, in such
case, right of access to personal data”.
Before going into the substance of the matter, that is, whether or not the requested access proceeds,
It should be noted that, in accordance with the provisions of sections 1 and 2 of article 4 of the
RLOPD, the voice is considered personal data. Therefore, in principle, the claimant
would have the right to be provided with these recordings, under the protection of
Data Protection. However, such recordings may contain, in addition to
your data, information related to third parties that could not be communicated,
since, otherwise, it could constitute a transfer of data without consent.
In this sense, it must be considered that the voice is a peculiar and
individual of each person that makes it identifiable, therefore, it is a data of
personal character. Consequently, the right of access to the recording of your voice
requested by the claimant if it is covered by current regulations on
data protection, therefore, they must provide the copy of the recording
requested from the claimant or, failing that, a transcript of its content.
In the case analyzed here, the complaining party exercised its right of access,
arguing that he could not oppose the voice recording carried out by the
commissioning of the treatment, which facilitates the transcription of the recording and not the
Voice recording. That the right of access to the voice recording was requested before
ESCO EXPANSION, S.L. and not before CAIXABANK, S.A.
ESCO EXPANSION, S.L. communicates to the complaining party that it acts as manager
of the treatment and proceeds to transfer the claim to CAIXABANK, S.A. as
responsible for the treatment and this, as responsible facilitates the requested access
facilitating the transcription of the telephone conversation.
In accordance with the definition in charge of the treatment contained in article 4.8 of the
RGPD, provides: "in charge of the treatment or in charge: the natural or legal person,
public authority, service or other body that processes personal data on behalf of the
responsible for the treatment.” and in article 28.3 e) it provides: “the person in charge will be assisted,
taking into account the nature of the treatment, through technical measures and
appropriate organizational arrangements, whenever possible so that it can comply with
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
6/7
its obligation to respond to requests that have as its object the exercise of the
rights of the interested parties established in chapter III;”
Therefore, in accordance with the regulations set forth, in the case examined,
It has been proven that the complaining party requested access to a voice recording,
and that, after the term established in accordance with the aforementioned regulations, its
request obtained the legally required response, given that the claim was transferred
to the person in charge of the treatment and this, attended the required access in accordance with the
criteria established in the transcribed precepts, facilitating the transcription of the
Voice recording.
In relation to the fact that it was not possible to oppose the voice recording, it should be noted that the
lawful processing of personal data must be covered by one of the
legal bases established in article 6.1 of the General Regulations of
Data Protection.
In this way, various legitimizing causes of the treatment are established, so that the
consent does not operate as the only possible one.
It must be ensured that personal data will be collected for certain purposes.
determined, explicit and legitimate, and will not be treated in a manner incompatible with
other purposes.
If the data is necessary in the context of the execution of a contract or the intention
to conclude the same, the treatment of the data will be lawful when it refers to the
parties to a business, labor or administrative relationship and are necessary for its
maintenance or compliance.
Therefore, it should be reported at the beginning of the conversation, the legitimacy of the
treatment, in this case, voice recording.
Based on the foregoing, considering that this procedure has as
object that the guarantees and rights of those affected are duly
restored, it is appropriate to dismiss the claim that originated this procedure
considering that the right of access to the voice recording was carried out in the
due form.
In view of the aforementioned precepts and others of general application, the Director of the Agency
Spanish Data Protection RESOLVES:
FIRST: DISMISS the claim made by Ms. A.A.A. versus
CAIXABANK, S.A.
SECOND: NOTIFY this resolution to Ms. A.A.A. and CAIXABANK, S.A.
In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may optionally file an appeal for reconsideration before the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
7/7
Director of the Spanish Agency for Data Protection within a month from
counting from the day following the notification of this resolution or directly
contentious-administrative appeal before the Contentious-Administrative Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative jurisdiction, within a period of two months from the
day following the notification of this act, as provided in article 46.1 of the
aforementioned Law.
1037-020622
Sea Spain Marti
Director of the Spanish Data Protection Agency
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es