AEPD (Spain) - E/00739/2021: Difference between revisions

From GDPRhub
No edit summary
Line 57: Line 57:


===Facts===
===Facts===
A data subject filed a complaint with the Spanish DPA (AEPD) against a university where they had had different roles. The university provided the data subject with certain information (partly non-personal data too) and asked them to specify what additional information they required. They rejected the rest of the generic request with grounds on Article 12(5). The university alleged that they had tried to answer to the request on time but that they didn't have the resources, given that they have 26000 students, 1122 teaching and research staff, 521 administrative staff, 269 project staff; with a teaching structure of 7 faculties, 2 schools, 4 research institutes, 27 departments, 33 services and administrative Units, and 4 management centres, and the data subject had had a role in many of them, as an alumni, worker, and litigant.  
A data subject filed a complaint with the Spanish DPA (AEPD) against a university where they had had different roles, ("''an employee, an employee with disciplinary proceedings, undergraduate student, master's student, course assistant, interested party in administrative procedures, participant in administrative procedures, participant in selection processes, litigant, opposing party, etc.''"). 
 
The university provided the data subject with certain information (partly non-personal data too) and asked them to specify what additional information they required. They rejected the rest of the generic request with grounds on Article 12(5). The university alleged that they had tried to answer to the request on time but that they didn't have the resources, given that they have 26000 students, 1122 teaching and research staff, 521 administrative staff, 269 project staff; with a teaching structure of 7 faculties, 2 schools, 4 research institutes, 27 departments, 33 services and administrative Units, and 4 management centres, and the data subject had had a role in many of them, as an alumni, worker, and litigant.  


The controller also held that they were implementing a more efficient system to handle data subject request. They claim that the data subject is just trying to diminish the university's functioning via different requests, claims and lawsuits, also in law fields other than data protection.   
The controller also held that they were implementing a more efficient system to handle data subject request. They claim that the data subject is just trying to diminish the university's functioning via different requests, claims and lawsuits, also in law fields other than data protection.   

Revision as of 15:03, 15 December 2021

AEPD - E/00739/2021
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 12(5) GDPR
Article 13 GDPR
Article 15 GDPR
Type: Complaint
Outcome: Rejected
Started:
Decided:
Published: 15.04.2021
Fine: None
Parties: UNIVERSIDAD MIGUEL HERNÁNDEZ DE ELCHE(UMH)
National Case Number/Name: E/00739/2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD decision (in ES)
Initial Contributor: n/a

The Spanish DPA found that an access request was abusive, taking into account the context and the background of the relationship between the data subject and the controller. The data subject had previously filed various claims and lawsuits against the controller in other fields of law.

English Summary

Facts

A data subject filed a complaint with the Spanish DPA (AEPD) against a university where they had had different roles, ("an employee, an employee with disciplinary proceedings, undergraduate student, master's student, course assistant, interested party in administrative procedures, participant in administrative procedures, participant in selection processes, litigant, opposing party, etc.").

The university provided the data subject with certain information (partly non-personal data too) and asked them to specify what additional information they required. They rejected the rest of the generic request with grounds on Article 12(5). The university alleged that they had tried to answer to the request on time but that they didn't have the resources, given that they have 26000 students, 1122 teaching and research staff, 521 administrative staff, 269 project staff; with a teaching structure of 7 faculties, 2 schools, 4 research institutes, 27 departments, 33 services and administrative Units, and 4 management centres, and the data subject had had a role in many of them, as an alumni, worker, and litigant.

The controller also held that they were implementing a more efficient system to handle data subject request. They claim that the data subject is just trying to diminish the university's functioning via different requests, claims and lawsuits, also in law fields other than data protection.

The data subject reiterated the initial request in the same terms. To this, the controller again alleged Article 12(5) and stated that it constituted an abuse of rights.

Holding

The AEPD aligned with the controller and found that the data subject was abusively exercising their rights in bad faith. The AEPD brought forward Article 12(5) GDPR, as well as Article 7 of the Spanish Civil Code, that states that rights must be exercised in good faith, and that it cannot be done in a way that the natural limits of the right are respected.

They also based their decision in the interpretation of such Article by the Spanish Supreme Court, saying that the abuse of rights entails the exercise of a right that, while complying with the formal requirements of such right, the essence of the rights, and its ethos and nature are not respected.

In this regard, the AEPD's records show that the complainant had abnormally exercised their right, both in quantitative terms (this was not the first time they had complained against the respondent) and qualitative terms (given the submission of applications with numerous claims that are not subsequently clarified by the data subject in order to facilitate their processing when requested to do so).

The necessity of good faith is also stated by the Spanish Procedural Civil Act in its Article 247, also interpreted by the Spanish Supreme Court, that has stated in this regard that complainants shall act in good faith, saying that acting in good faith also means not claiming to access data in a generic way when it can be done through other means. In this case, the AEPD condemns the negative of the data subject to narrow their claim, given that they are aware of the roles they had had in such university and can possibly know what particular information the university holds on them and what specific information they want to access.

Based on these grounds, the AEPD decides not to uphold the data subject's claim and archives the proceeding.

Comment

An interesting decision, the background of which is delineated by a provision in Spanish law which explicitly states that when data controllers process large quantities of data they can ask data subjects to specify their access requests (Article 13(1) of the LOPDGDD).

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                                1/10








     Procedure No.: E / 00739/2021

                   RESOLUTION OF ACTION FILE



Of the actions carried out by the Spanish Agency for Data Protection and
based on the following


                                       FACTS

FIRST: The claim filed by A.A.A. (hereinafter, the claimant) has
entry dated November 20, 2019 in the Spanish Agency for the Protection of
Data.


The claim is directed against the MIGUEL HERNÁNDEZ DE ELCHE UNIVERSITY
(UMH), with NIF Q5350015C (hereinafter, the claimed one).

The reasons on which the claim is based are the following:


That he addressed several writings to the defendant, 6 months ago, related to questions
referred to data protection. He was told that they needed some time, but he had not yet
have answered. Accompany the request made to the defendant in which he asks:
What data do you have about the claimant? Where are they stored? Who has access to
data ?, Is any graphic document saved ?, In what location and with what measures

of security?. As they were previously sanctioned, you want to know what
measures were taken to prevent further infractions. Request. Data, charts, titles,
courses, accesses made to files with your data, and related employees.

SECOND: On December 2, 2019, the claimant submits the briefs of
answer of the claimed.


On November 5, 2019, the respondent communicates the following:

- As data controllers, who must provide you with all the information
established in article 13 and 14 of the European Data Protection Regulation.

That since the University is a complex entity in matters of personal data management,
and since the claimant has been an employee, an employee with a disciplinary record,
undergraduate student, master's student, course assistant, interested in
administrative procedures, participant in selective processes, litigating party,
contrary, etc ..., it is difficult to attend to the exercise of the right of access. That according to

established in article 13.2 of the LOPDGDD request that it be more specific in its
request, specify the treatment you want to access, to proceed to facilitate the
access.

- The claimant answers by requesting exactly the same thing that he already requested.


- Based on the provisions of article 12.5 of the RGPD, they reject the request for
excessive.



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/10








THIRD: In accordance with article 65.4 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights (in
hereinafter LOPDGDD), with reference number E / 00952/2020, a transfer of

said claim to the defendant, so that it could proceed to its analysis and inform this
Agency within a month, of the actions carried out to adapt to the
requirements provided in the data protection regulations.

The defendant answered the request for information stating that they had already answered the
claimant to complete their application, since they have more than 26,000 students, 1,122

teaching and research staff, 521 people in administration, 269 hired from
Projects; with a teaching structure of 7 faculties, 2 SCHOOLS, 4 Institutes of
Research, 27 Departments, 33 Services and Administrative Units, and 4 centers
management. Since the claimant has had numerous roles at the University, he is
answered various questions raised in his request that had nothing to do with the

right of access and was asked to specify what data and treatments he wanted
to access. Answer by reiterating what was requested and therefore the requested access is denied
understanding that it is excessive. They have tried to meet the legally established deadlines
to answer, although it has not been possible. For this reason they have established the possibility of
exercise of rights through the electronic headquarters so that the
requests to competent persons. A protocol is being developed so that

all those affected to exercise their rights act.

FOURTH: On June 2, 2020, the Director of the Spanish Agency for
Data Protection agreed to accept for processing the claim presented by the
claimant.


FIFTH: The defendant presented a brief of allegations to said admission, on date 23
June 2021, stating the following:

After reiterating what was indicated in previous writings, he specified that of all his requests he

has responded who was responsible for data processing and the measures to be taken
they had taken after the resolution of the sanctioning procedure; and all the
Sections in which your data were recorded so that you could specify what you were referring to.
The claimant should not use data protection regulations as a subterfuge
to hinder the normal functioning of an entity such as the University
claimed, requesting information that can be obtained through different channels. Has been

a clear abuse of rights, as reflected in numerous judgments. In many
resolutions of the AEPD it is stated that the requests cannot be generic.

                            FOUNDATIONS OF LAW


                                            I

By virtue of the powers that article 58.2 of Regulation (EU) 2016/679 (Regulation-
General Data Protection Mention, hereinafter RGPD), recognizes each Authority
Control, and as established in articles 47, 48.1, 64.2 and 68.1 of the Law

Organic 3/2018, of December 5, Protection of Personal Data and guarantee of
digital rights (hereinafter, LOPDGDD), the Director of the Spanish Agency
Data Protection is competent to initiate and resolve this procedure.


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/10








Article 63.2 of the LOPDGDD determines that: «The procedures processed by the
Spanish Data Protection Agency shall be governed by the provisions of the
Regulation (EU) 2016/679, in this organic law, by the provisions

regulations dictated in their development and, as long as they do not contradict them, in a
subsidiary, by the general rules on administrative procedures. "

                                             II

This procedure has its origin in the exercise of the right of access to its

data and numerous documentation exercised by the claimant against the claimed.

Article 12 of Regulation (EU) 2016/679, of April 27, 2016, General of
Data Protection (RGPD), provides that:


    "1. The person responsible for the treatment will take the appropriate measures to facilitate the
interested party all information indicated in articles 13 and 14, as well as any
communication in accordance with articles 15 to 22 and 34 regarding the treatment, in the form
concise, transparent, intelligible and easily accessible, with a clear and simple language, in
particular any information directed specifically to a child. Information
will be provided in writing or by other means, including, if applicable, by means

electronic When requested by the interested party, the information may be provided
verbally provided that the identity of the interested party is proven by other means.

    2. The person in charge of the treatment will facilitate the interested party the exercise of their
rights under articles 15 to 22. In the cases referred to in article 11,

section 2, the person in charge will not refuse to act at the request of the interested party in order
to exercise your rights under articles 15 to 22, unless you can demonstrate
that it is not in a position to identify the interested party.

    3. The person responsible for the treatment will provide the interested party with information regarding their

proceedings on the basis of a request pursuant to Articles 15 to 22, and, in
In any case, within one month of receipt of the request. Saying
The term may be extended for another two months if necessary, taking into account the
complexity and number of requests. The person in charge will inform the interested party of
any of said extensions within a period of one month from the receipt of the
request, stating the reasons for the delay. When the interested party presents the

request by electronic means, the information will be provided by electronic means
when possible, unless the interested party requests that it be provided otherwise.

    4. If the person responsible for the treatment does not comply with the request of the interested party,
inform without delay, and no later than one month after receipt of the

request, the reasons for not acting and the possibility of submitting a
claim before a control authority and to exercise legal actions.

    5. The information provided by virtue of articles 13 and 14 as well as all
communication and any action carried out pursuant to articles 15 to 22 and 34

they will be free of charge. When the requests are manifestly unfounded or
excessive, especially due to its repetitive nature, the person responsible for the
treatment may:


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/10








    a) charge a reasonable fee based on the administrative costs incurred
to facilitate information or communication or perform the requested action, or
    b) refuse to act on the request.

    The data controller will bear the burden of proving the character
manifestly unfounded or excessive of the request.

    6. Without prejudice to the provisions of article 11, when the person responsible for the
treatment has reasonable doubts regarding the identity of the natural person
making the request referred to in articles 15 to 21, may request that the

provide the additional information necessary to confirm the identity of the interested party.

    7. The information that must be provided to interested parties by virtue of articles
13 and 14 may be transmitted in combination with standard icons that allow
provide in an easily visible, intelligible and clearly legible way a suitable

overview of the planned treatment. Icons presented in the format
electronic will be machine readable.

    8. The Commission is empowered to adopt delegated acts in accordance with
Article 92 in order to specify the information to be submitted through
icons and procedures for providing standard icons. "


                                             III

Article 13 of the LOPDGDD determines the following:


    "1. The right of access of the affected party will be exercised in accordance with the provisions
in article 15 of Regulation (EU) 2016/679.
    When the person in charge treats a large amount of data related to the affected person and
it exercises its right of access without specifying whether it refers to all or a part
of the data, the person in charge may request, before providing the information, that the

affected specify the data or processing activities to which the
request.

    2. The right of access will be understood to be granted if the person responsible for the treatment
provide the affected party with a system of remote, direct and secure access to data
that guarantees, permanently, access to its entirety. Such

effects, the communication by the person in charge to the affected party of the way in which he may
Accessing said system will be enough to consider the request to exercise the
right.
    However, the interested party may request from the person in charge the information referred to
the points provided for in article 15.1 of Regulation (EU) 2016/679 that are not

be included in the remote access system.

    3. For the purposes established in article 12.5 of Regulation (EU) 2016/679,
may consider the exercise of the right of access repetitive on more than one occasion
during the period of six months, unless there is legitimate cause for it.


    4. When the affected party chooses a means other than the one offered that involves a
disproportionate cost, the request will be considered excessive, so that said
affected will assume the excess costs that his election entails. In this case, only

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/10








The data controller will be required to satisfy the right of access without
undue delay. "


                                             IV

From the documentation provided by the claimant and the defendant, it is proven that the

First, he went to the University requesting numerous information, both referring to the
access to the data object of treatment by the claimed, as well as to other questions
such as the measures taken by the defendant after the sanctioning procedure
instructed by the Spanish Agency for Data Protection, people who have accessed
to your data ...


Regarding the exercise of the right of access, the complainant, in accordance with the
established in article 13.1 of the LOPDGDD addressed the claimant informing him
to specify what data he was referring to, adding that he had been a student, worker,

litigant…; the claimant reiterates the initial request in the same terms, without
specify which data you are requesting access to. Faced with this answer, the claimed
resolves to deny the exercise of the requested right as it is considered excessive, and
in accordance with the provisions of article 12.5 of the RGPD.


Subsequently, the defendant submits a new statement of allegations in which he indicates
that the claimant's request constitutes an abuse of rights, since in the
multiple roles that he has maintained with the University, the litigating party stands out
against it for different reasons, unrelated to data protection.

































C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/10








Article 7 of the Civil Code (CC hereinafter), provides that:


        "1. The rights must be exercised in accordance with the requirements of good faith.

        2. The Law does not protect the abuse of the right or the antisocial exercise of it.
Any act or omission that, by the intention of its author, by its object or by the
circumstances in which it is carried out manifestly exceeds the normal limits of the

exercise of a right, with damage to a third party, will give rise to the corresponding
compensation and the adoption of judicial or administrative measures that prevent
persistence in abuse ”.

Good faith is a general principle of law incorporated into positive law that

translates into the imposition of a series of duties on whoever holds the ownership of
a right. At the same time, the consideration that a right has been exercised in a
abusive must be supported by objective, rigorous and true data, so that it is recorded
proven that the right holder has manifestly exceeded the limits
normal of this on the occasion of his exercise.


In this regard, the ruling of the Supreme Court of 05/20/2002 states that “In this way, to
the courts of this jurisdiction, the abuse of the right or the antisocial exercise of the
same that the law does not protect (art. 7.2 of the CC), it supposes that even respecting the limits
formalities with the actions carried out by those who are the holders of the rights

produces a violation of the values or the axiological idea that is part of the
content of the subjective right or of the norm whose objective is addressed ”.

Therefore, sometimes, even while exercising the rights that the legal system
recognizes and acting in a way that formally respects the requirements set by

the law, its exercise is abusive. This, either because it is performed abnormally in
relationship with the end pursued by the legal norm, or with the absence of an interest
legitimate or exceeding in excess the natural limits of the right, to the point
which is distorted in its essence.


In this sense, the antecedents in this Agency regarding the
claimant, an abnormal exercise of his right is revealed, both due to
quantitative issues (it is not the first time that the defendant has been denounced) such as
qualitative (submissions of applications with numerous claims that are not
clarified to facilitate processing when requested).

















C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/10








For its part, in the Civil Procedure Law (LEC, hereinafter) and within Book I,
Title VIII, dedicated to procedural good faith, establishes in article 247 that:


        "1. Those involved in all types of processes must adjust in their
actions to the rules of good faith.

        2. The courts will fundamentally reject the petitions and incidents that are
formulate with manifest abuse of rights or involve legal or procedural fraud ”.


In relation to the principle of good faith (either in its material aspect, art. 7 CC or
in its procedural-formal aspect, art. 247 LEC) and its adequacy in the performance of the
claimant, it is enough to make a reference to the literality of the requests and
clarifications presented collected in the Facts of this resolution for
evidence the absence of this principle.


The Judgment of the Supreme Court of February 4, 2011 being especially revealing
relapse into Appeal No. 425/2007, which analyzes an alleged violation of the right
of access by a Public University with respect to an administrator who had
permanent access to your data as a computer-enabled user,
considering that invoking the absence of satisfaction of the right of access is

contrary to the principle of good faith, because precisely he had the means to
"Access your data" autonomously without having to go to the person responsible for the file.
Specifically, in its Fourth Law Foundation, it provides that:

        Since this fact has to be taken for granted, it is clear that the request for

access to the personal data collected in the letter of February 9, 2004 was
reiterative, when not merely rhetorical; and, for this same reason, present a
claim before the AEPD for breach of the duty to allow access to the
personal data is, without any doubt, a behavior contrary to good faith.
It is not fair to reproach another for not having done something that, in fact, they have already done. Y

justify this imputation in the non-observance of forms and deadlines provided for in the law
it is no longer an abuse of formal requirements, something that has traditionally been
seen as one of the archetypal assumptions of violation of the general principle of
good faith. Moreover, it is not just that the applicant had the possibility
permanent access to your personal data by computer means, but in your
letter of February 9, 2004 did not specify by what specific means of access

he wanted his right to be satisfied; and, in these circumstances, affirm that it is
denied access within the legally established period is simply abusive
deformation of reality.














C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 8/10








       It is peaceful, moreover, that the general principle of good faith should not only

guide the actions of the Administration with respect to the administered, such as
provides art. 3 LRJ-PAC, but also has to preside over the exercise of all kinds
of rights by individuals by imperative of art. 7 CC. Since the exercise
unfair right of access to personal data by the individual is not

worthy of guardianship, the AEPD, as an administrative entity in charge of ensuring
due to compliance with data protection legislation, it should not have considered that the
UNED had violated the right of Don Manuel; and the same can be said of the court to
quo, since the aforementioned decision of the AEPD is deemed to be in accordance with the law. For all this, the

second reason for this appeal has to be upheld, which leads to the
annulment of the contested judgment.

In the present case, as stated at the beginning of this Resolution, the claimant
you can get the desired access if you clarify the terms of your request as it is

knowledgeable of the numerous roles that he has exercised in the claimed entity. When
Rights are exercised by formally adjusting to the requirements established by the
Law, but in an abnormal way, in such a way that its essential content is distorted,
incurs an abuse of rights that the legal system in no case can

protect.

                                            V





































C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 9/10








The claimant requests that a sanctioning procedure be initiated against the defendant.
In this regard, it should be remembered that the sanctioning procedure constitutes
one of the manifestations of the "ius puniendi" of the State and it always starts ex officio

by the Director of the Spanish Agency for Data Protection, in accordance with
provided for in article 68.1 of the LOPDGDD, as the Hearing has maintained
National in judgments such as, among others, the one handed down in March 2006 (REC
319/2004).

Therefore, it is the exclusive competence of the Spanish Data Protection Agency.

assess whether there are administrative responsibilities that have to be clarified in a
sanctioning procedure and, consequently, the decision on its opening, not
existing obligation to initiate procedure before any request made by
third, but it must be based on the existence of elements that justify
said initiation of sanctioning activity.


On the other hand, it should be remembered that, to define the condition of "interested" to urge
to the exercise of the sanctioning competence of this Agency, the STS of October 6
of 2009 provides that the complainant is not interested, and does so in the following
terms: "the complainant of an infringement of data protection legislation
lacks active standing to challenge the resolution of the Agency in what

concerns the sanctioning result itself ”(imposition of a sanction, amount of the
same, exoneration, etc.) "

Applying the peaceful doctrine of the Supreme Court, according to which "the complaint
does not make the complainant the holder of a subjective right or personal interest

or legitimate that would have to translate into a benefit or utility "the circumstance of
having presented several complaints in this Agency, does not grant you the
condition of interested party, all without prejudice to the circumstances surrounding the
presentation of the same indicated in the Acts of this Resolution.


                                           SAW

Ultimately, from the background examined and the complaints submitted, it is
it follows that there are circumstances that allow questioning the serious purpose and
legitimacy of the claimant in the exercise of their rights, allowing to identify their
behavior as abusive and lacking in good faith.


The claimant may request the exercise of the right of access against the claimed
specifying your request, given that it is a University that carries out
numerous differentiated treatments with students, workers, teachers,
hired ... what you know having worked in the claimed entity; and being able

request all the desired accesses, well differentiated, in accordance with the provisions of the
data protection regulations.

Therefore, in accordance with the provisions, by the Director of the Spanish Agency for
Data Protection, IT IS AGREED:


FIRST: PROCEED WITH THE FILING of these actions.

SECOND: NOTIFY this resolution to the claimant and claimed.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 10/10










In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.


Against this resolution, which puts an end to the administrative procedure as prescribed by
the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations, and in accordance with the provisions of the

arts. 112 and 123 of the aforementioned Law 39/2015, of October 1, interested parties may
file, optionally, an appeal for reconsideration before the Director of the Agency
Spanish Data Protection within a period of one month from the day
following notification of this resolution or directly contentious appeal

administrative before the Contentious-Administrative Chamber of the National Court,
in accordance with the provisions of article 25 and paragraph 5 of the provision
Additional fourth of Law 29/1998, of July 13, regulating the Jurisdiction
Contentious-Administrative, within two months from the next day

upon notification of this act, as provided in article 46.1 of the aforementioned Law.

                                                                                       940-0419
Mar Spain Martí
Director of the Spanish Agency for Data Protection








































C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es