AEPD (Spain) - TD/00263/2020: Difference between revisions
m (AN - updated overview to include more information) |
|||
Line 50: | Line 50: | ||
}} | }} | ||
The Spanish DPA decided | The Spanish DPA decided that, in light of an access request, the controller needs to inform the data subject about whether it has transferred their data to third parties and to whom, even if the controller does not hold any data itself. | ||
== English Summary == | == English Summary == | ||
Line 63: | Line 63: | ||
The AEPD concluded that, even if the portal did not have any data ''per se'', the right to access includes the communications of such data and the recipients to which it is disclosed. Therefore, the controller should at least provide this information. | The AEPD concluded that, even if the portal did not have any data ''per se'', the right to access includes the communications of such data and the recipients to which it is disclosed. Therefore, the controller should at least provide this information. | ||
In their holding, they | In their holding, they ordered the controller to comply with the right to access in this sense. | ||
== Comment == | == Comment == |
Revision as of 07:46, 5 May 2021
AEPD - R/00214/2021 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 13 GDPR Article 15 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | 28.05.2021 |
Fine: | None |
Parties: | n/a |
National Case Number/Name: | R/00214/2021 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD decision (in ES) |
Initial Contributor: | n/a |
The Spanish DPA decided that, in light of an access request, the controller needs to inform the data subject about whether it has transferred their data to third parties and to whom, even if the controller does not hold any data itself.
English Summary
Facts
A data subject made an access request to a job portal for accessing the assessment that the company had carried out on her regarding her application to a job. The job offer was a blind offer, so the claimant did not know which company was behind the offer.
The job portal alleged that they did not store any of the data from the candidates or the companies, and that the companies were not allowed either to store or process any data outside the portal. Therefore, they could not give the data subject any data, given that they did not have any.
They said, however, that they could help the data subject contact the company that made the offer.
Holding
The AEPD concluded that, even if the portal did not have any data per se, the right to access includes the communications of such data and the recipients to which it is disclosed. Therefore, the controller should at least provide this information.
In their holding, they ordered the controller to comply with the right to access in this sense.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/7 File No.: TD / 00263/2020 RESOLUTION NO: R / 00214/2021 Considering the claim made on August 18, 2020 before this Agency by Mr. A.A.A. , against ADEVINTA SPAIN, S.L., for not having been duly attended to your Right of access. The procedural actions provided for in Title VIII of the Law have been carried out. Organic 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), the following have been verified FACTS FIRST: On June 27, 2020, D. A.A.A. (hereinafter, the part claimant) exercised the right of access against ADEVINTA SPAIN, S.L. with NIF B83411652 (hereinafter, the claimed one), without your request having received the legally established reply. The complaining party provides various documentation related to the claim made before this Agency and on the exercise of the right exercised, states that, participated in a personnel selection procedure in InfoJobs and requested them, access to the assessment made to your CV by the company that had offered the job, since he did not know the entity that convened the position, he also points out that, given the anonymous nature of the bidding company, you cannot exercise your right of access before the company that processed your data, because the complainant does not provide them. SECOND: In accordance with article 65.4 of the LOPDGDD, which has provided for a mechanism prior to the admission for processing of claims made before the AEPD, consisting of transferring them to the Data Protection Delegates designated by those responsible or in charge of the treatment, for the intended purposes in article 37 of the aforementioned norm, or to these when they have not been designated, transferred the claim to the claimed entity to proceed with its analysis and respond to the complaining party and this Agency within a period of month. In summary, the defendant made the following allegations, they do not participate in the selection process or in the evaluation of candidatures and that it does not request that information in any case. That the offers published with a "blind profile" of the company, the protection policy of data explicitly informs the user about this point. That the company in question cannot incorporate the CV into its database or extract the the system itself, so there was no data communication, and there is no possibility to request any right of access to third parties. What is Infojobs who is responsible for the information, custody and facilitates C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/7 its users the exercise of their rights, and does not make any communication without their explicit consent (when the job offers so require). Within this framework of action, client companies that use Infojobs to recruit, only have temporary access to candidate data, but do not have any rights to extract that information or process it in other systems, nor of course they can use the information for purposes other than those related to the selection process. As the personal data of the affected party is related to said candidacy solely and exclusively responsibility of Infojobs, so there is no possibility of requesting the exercise of rights to any other entity, such and how the candidate requested That it does not store any information related to the subjective assessment of the candidate and his selection process by client companies as the affected party claims. THIRD: The result of said transfer did not allow us to understand that the claims of the complaining party. Consequently, for the purposes provided in its Article 64.2 of the LOPDGDD, the Director of the Spanish Agency for the Protection of Data agreed to admit the submitted claim for processing and it was granted to the entity claimed hearing procedure, so that within fifteen business days submit the allegations it deems appropriate. In summary, the defendant made the following allegations, that the offer was processed directly by the claimed and not in the company's database client, it is necessary to differentiate the two types of inscriptions to job offers that exist, in which it affects the complaining party, all selection process is managed within the Infojobs environment, the other case, which is the one mentioned by the claimant but not applicable to your case, the selection process is managed outside the environment of Infojobs, allowing the client to store the data of the candidate. That both types of inscriptions have different characteristics. That the use of the service that is established in these cases the obligation of the client to use the data of the candidates who apply for their offers only to manage that specific selection process and always within the environment of the claimed and once the selection process is closed, the client is not authorized to use said data for other selection processes or to keep any type of data of said candidacies. Therefore, and since client companies only can temporarily view the candidate data, but cannot extract it or process them in other systems, there should be no candidate data on that selection process on any other platform or system. That the claimed is solely responsible for the data and these should not be found in systems other than the Infojobs platform. Therefore, any right access to your personal data related to this selection process must be attended exclusively by the claimed. That the complaining party was informed that the company's assessment of its candidacy does not exist, nor is it data that the platform processes or stores. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/7 That Infojobs client companies can view the candidate's data, and they can advance it in the selection process or discard it, but not enter data relating to the evaluation of the candidacy. Therefore, it is not possible to satisfy the User request or provide data that has not been received or stored. That I know from the user's privacy area, it is implemented in a automated to extract your personal data available on the portal and data from third parties that may intervene as data controllers, and incorporates all the information in a single file. That recruiters' ratings do not exist on the platform and should not exist in any other because the client, taking into account the conditions of use, does not it should store candidate data outside of the environment. However, information regarding the identity of the company can be extracted from the If you have signed up for a “blind profile” offer and if it is of interest to the claimant, they can be assisted so that they can go directly to the company to request confirmation regarding the treatment or not of your personal data. However, it is important to note that said company should not keep No specific data of the candidates, or evaluations, is stored. FOURTH: After examining the allegations presented by the respondent, they are the subject of transfer to the complaining party, so that, within fifteen business days, it can formulate allegations it deems appropriate. On 01/11/2021, this Agency through the Notification Service Support Electronic and Enabled Address (Notific @ platform), made available to the complaining party said allegations, and on 01/22/2021 the system proceeds to automatic rejection of the notification because ten calendar days have elapsed since making it available without accessing its content. FOUNDATIONS OF LAW FIRST: The Director of the Spanish Agency for Data Protection, in accordance with the provisions of section 2 of article 56 in in relation to paragraph 1 f) of article 57, both of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and the free circulation of these data (hereinafter, GDPR); and in article 47 of the Law Organic 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD). SECOND: In accordance with the provisions of article 55 of the RGPD, the Agency Spanish Data Protection is competent to perform the functions that are assigned to it in its article 57, among them, that of enforcing the Regulation and promote the awareness of those responsible and those in charge of the treatment about their obligations, as well as dealing with claims submitted by an interested party and investigate the reason for them. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/7 Correlatively, article 31 of the RGPD establishes the obligation of those responsible and those in charge of the treatment to cooperate with the control authority that requests it in the performance of their duties. In the event that they have designated a data protection officer, article 39 of the RGPD attributes to him the function of cooperate with said authority. Similarly, the domestic legal system, in article 65.4 of the LOPDGDD, has Provided a mechanism prior to the admission for processing of the claims that are made before the Spanish Agency for Data Protection, which consists of giving transfer of the same to the data protection delegates designated by the responsible or in charge of the treatment, for the purposes provided in article 37 of the aforementioned norm, or to them when they have not designated them, to proceed to the analysis of said claims and to respond to them within a month. In accordance with these regulations, prior to the admission for processing of the claim that gives rise to the present procedure, it was transferred to the responsible entity to proceed with its analysis, provide a response to this Agency within a month and certify having provided the claimant with the proper response, in the event of exercise of the rights regulated in articles 15 to 22 of the GDPR. The result of said transfer did not allow for the satisfaction of the claims of the complaining party. Consequently, on December 3, 2020, for the purposes provided for in article 64.2 of the LOPDGDD, the Director of the Spanish Agency for Data Protection agreed to admit the submitted claim for processing. Saying The agreement of admission for processing determines the opening of the present procedure of lack of attention to a request to exercise the rights established in the Articles 15 to 22 of the RGPD, regulated in article 64.1 of the LOPDGDD, according to the which: "1. When the procedure refers exclusively to the lack of attention of a request to exercise the rights established in articles 15 to 22 of the Regulation (EU) 2016/679, will start by agreement of admission for processing, which will be adopt in accordance with the provisions of the following article. In this case, the deadline for resolve the procedure will be six months from the date on which there was The claimant has been notified of the acceptance for processing agreement. After this period, the interested party may consider their claim upheld ”. The purging of administrative responsibilities in the framework of the of a sanctioning procedure, whose exceptional nature implies that it is chosen, whenever possible, due to the prevalence of alternative mechanisms that have I amparo in the current regulations. It is the exclusive competence of this Agency to assess whether there are responsibilities administrative procedures that must be purged in a sanctioning procedure and, in Consequently, the decision on its opening, there being no obligation to initiate a procedure before any request made by a third party. Such a decision must be based on the existence of elements that justify said start of the activity sanctioning, circumstances that do not concur in the present case, considering that C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/7 With this procedure, the guarantees and Claimant's rights. THIRD: The rights of people in terms of data protection Personal data are regulated in articles 15 to 22 of the RGPD and 13 to 18 of the LOPDGDD. The rights of access, rectification, deletion, opposition, right to limitation of treatment and right to portability. The formal aspects relating to the exercise of these rights are established in the Articles 12 of the RGPD and 12 of the LOPDGDD. It also takes into account what is expressed in Considering paragraphs 59 and following of the GDPR. In accordance with the provisions of these rules, the person responsible for the treatment should arbitrate formulas and mechanisms to facilitate the interested party the exercise of their rights, which will be free (without prejudice to the provisions of articles 12.5 and 15.3 of the RGPD), and is obliged to respond to requests made no later than a month, unless you can show that you are unable to identify the interested party, and to express their reasons in case they were not to attend said request. The person responsible is responsible for proof of compliance with the duty of Respond to the request for the exercise of their rights made by the affected party. The communication addressed to the interested party on the occasion of their request must express themselves in a concise, transparent, intelligible and easily accessible way, with a clear and simple language. FOURTH: Article 15 of the RGPD provides that: "1. The interested party will have the right to obtain from the person responsible for the treatment confirmation of whether or not personal data concerning you is being processed and, as such case, right of access to personal data and the following information: a) the purposes of the treatment; b) the categories of personal data in question; c) the recipients or categories of recipients to whom they were communicated or will be communicated personal data, in particular recipients in third parties or international organizations; d) if possible, the expected period of conservation of personal data or, if not if possible, the criteria used to determine this period; e) the existence of the right to request from the person responsible the rectification or deletion of personal data or the limitation of the processing of personal data relating to the interested party, or to oppose said treatment; f) the right to file a claim with a supervisory authority; g) when the personal data have not been obtained from the interested party, any information available on its origin; h) the existence of automated decisions, including profiling, to which referred to in article 22, paragraphs 1 and 4, and, at least in such cases, information significant on the applied logic, as well as the importance and consequences provided for said treatment for the interested party. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 6/7 2. When personal data is transferred to a third country or to an organization international, the interested party will have the right to be informed of the guarantees appropriate under Article 46 relating to the transfer. 3. The person responsible for the treatment will provide a copy of the personal data object of treatment. The person in charge may receive for any other copy requested by the interested a reasonable fee based on administrative costs. When the interested party submit the request by electronic means, and unless he requests otherwise provided, the information will be provided in an electronic format of Common use. 4. The right to obtain a copy mentioned in section 3 shall not negatively affect to the rights and freedoms of others. " FIFTH: Once the documentation in the procedure has been examined, the verifies that the response to the access request is incomplete. You are not informed the complaining party to whom your personal data was communicated. Before going into the merits of the issues raised here, it should be noted that the art. 4.2 of the RGPD defines treatment, as “any operation or set of operations carried out on personal data or personal data sets, already whether by automated procedures or not, such as collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, broadcast or any other form of authorization of access, collation or interconnection, limitation, deletion or destruction. " 12.5 of the RGPD provides that, “The information provided by virtue of articles 13 and 14 as well as all communication and any action carried out by virtue of the Articles 15 to 22 and 34 will be free of charge. […] " The exercise of the right of access, like the rest of the rights, is a right very personal, consists of the right of the citizen to obtain information about the treatment that is being made of your data, the possibility of obtaining a copy of the personal data that concerns you and that is being subject to treatment, as well as information, in particular, about the purposes of the treatment, the categories of data, recipients, possible communications, the expected period conservation, the possibility of exercising other rights, the information available on the origin of the data (if these have not been obtained directly from the owner) or the existence of automated decisions, including profiling, without affect third-party data. That said, data communication is understood as any mechanism that provide access to the data of a file to an interested third party, therefore, the responsible is obliged to inform the interested party about the treatment and about who has communicated your personal data, as well as related information with the. Given that, access to the personal data of the complaining party is incomplete, the claim that originated the present procedure should be upheld and the requested access. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 7/7 The rest of the questions raised by the parties do not result from the competence of this Agency, having to settle and resolve by the corresponding instances. Considering the cited precepts and others of general application, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: ESTIMATE the claim made by D. A.A.A. and urge ADEVINTA SPAIN, S.L. with NIF B83411652, so that, within ten business days following notification of this resolution, send the complaining party certification stating that you have complied with the right of access exercised, of in accordance with the provisions of the body of this resolution. The Actions carried out as a result of this Resolution must be communicated to this Agency within the same period. Failure to comply with this resolution could lead to the commission of the offense considered in article 72.1.m) of the LOPDGDD, which will be sanctioned, in accordance with art. 58.2 of the GDPR. SECOND: NOTIFY this resolution to D.A.A.A. and ADEVINTA SPAIN, S.L .. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a month to counting from the day after the notification of this resolution or directly contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within two months from the day following notification of this act, as provided in article 46.1 of the referred Law. 1034-080719 Mar Spain Martí Director of the Spanish Agency for Data Protection C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es