AEPD (Spain) - TD/00293/2021: Difference between revisions

From GDPRhub
No edit summary
No edit summary
Line 40: Line 40:
|EU_Law_Link_2=
|EU_Law_Link_2=


|National_Law_Name_1=
|National_Law_Name_1=Ley 16/2011, de 24 de junio, de contratos de crédito al consumo (law on consumer credit contracts)
|National_Law_Link_1=
|National_Law_Link_1=https://www.boe.es/buscar/act.php?id=BOE-A-2011-10970
|National_Law_Name_2=
|National_Law_Name_2=
|National_Law_Link_2=
|National_Law_Link_2=
Line 61: Line 61:
}}
}}


The Spanish DPA ordered a bank to answer a customer's access request, reversing its previous assessment that the GDPR's right of access did not apply to the data under the principle of ''lex specialis''.
The Spanish DPA ordered a bank to answer a customer's request to access personal financial documents, reversing its previous assessment that the GDPR's right of access did not apply to the data under the principle of ''lex specialis''.


== English Summary ==
==English Summary==


=== Facts ===
===Facts===
The controller, a bank, sent an incomplete response to the data subject's access request, prompting the data subject to file a complaint with the Spanish DPA. Initially, the Spanish DPA held that the controller was not obliged to fulfill the data subject's access request because the data were documents relating to a contractual relationship between the two parties. The DPA had agreed with the controller, who argued that, for the data requested, the right of access (Article 15 GDPR) was overridden by more specific provisions in the Spanish law 16/2011, of June 24, on consumer credit contracts (LCCC).   
The controller, a bank, sent an incomplete response to the data subject's access request, prompting the data subject to file a complaint with the Spanish DPA.  
 
Initially, the DPA held that the controller was not obliged to fulfill the data subject's access request because the data were documents relating to a contractual relationship between the two parties. The DPA had agreed with the controller, who argued that, for the data requested, the right of access ([[Article 15 GDPR]]) was overridden by more specific provisions in the Spanish law 16/2011, of June 24, on consumer credit contracts ([https://www.boe.es/buscar/act.php?id=BOE-A-2011-10970 LCCC]).   


However, the DPA issued a final decision in response to a "''recurso de reposición''" (an appeal to an administrative authority to reconsider its own decision) lodged by the data subject.   
However, the DPA issued a final decision in response to a "''recurso de reposición''" (an appeal to an administrative authority to reconsider its own decision) lodged by the data subject.   


On appeal, the data subject argued that the LCCC did not control because the data at issue related to a contract that had already been concluded, not an ongoing contractual relationship. In support of their claim, the data subject pointed out that, while the LCCC has provisions specifically governing access to contractual documents prior to and during their validity, it does not mention documents relating to a concluded contract.   
On appeal, the data subject argued that the LCCC did not control because the data at issue related to a contract that had already been concluded, not an ongoing contractual relationship. In support of their claim, the data subject pointed out that, while the LCCC has provisions specifically governing access to contractual documents prior to and during their validity, it does not mention documents relating to a concluded contract.   
=== Holding ===
===Holding===
The DPA reversed its previous decision, upholding the data subject's appeal for reconsideration and requiring the controller to answer the data subject's access request within 10 business days.  
The DPA reversed its previous decision, upholding the data subject's appeal for reconsideration and requiring the controller to answer the data subject's access request within 10 business days.  


The DPA noted that bank transactions are personal data under [[Article 4 GDPR#1|Article 4(1) GDPR]] and are as such subject to the right of access guaranteed by Article 15 GDPR. The DPA did not, however, explicitly decide on the parties' arguments regarding the LCCC.  
The DPA noted that bank transactions are personal data under [[Article 4 GDPR#1|Article 4(1) GDPR]] and are as such subject to the right of access guaranteed by [[Article 15 GDPR]]. The DPA did not, however, explicitly decide on the parties' arguments regarding the LCCC.  


== Comment ==
==Comment==
''Share your comments here!''
''Share your comments here!''


== Further Resources ==
==Further Resources==
''Share blogs or news articles here!''
''Share blogs or news articles here!''


== English Machine Translation of the Decision ==
==English Machine Translation of the Decision==
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.



Revision as of 16:54, 6 July 2022

AEPD - REPOSICION-TD-00293-2021
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 4(1) GDPR
Ley 16/2011, de 24 de junio, de contratos de crédito al consumo (law on consumer credit contracts)
Type: Complaint
Outcome: Upheld
Started: 26.01.2022
Decided:
Published: 01.07.2022
Fine: n/a
Parties: 4Finance Spain Financial Services, S.A.U.
National Case Number/Name: REPOSICION-TD-00293-2021
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: sofi.gk

The Spanish DPA ordered a bank to answer a customer's request to access personal financial documents, reversing its previous assessment that the GDPR's right of access did not apply to the data under the principle of lex specialis.

English Summary

Facts

The controller, a bank, sent an incomplete response to the data subject's access request, prompting the data subject to file a complaint with the Spanish DPA.

Initially, the DPA held that the controller was not obliged to fulfill the data subject's access request because the data were documents relating to a contractual relationship between the two parties. The DPA had agreed with the controller, who argued that, for the data requested, the right of access (Article 15 GDPR) was overridden by more specific provisions in the Spanish law 16/2011, of June 24, on consumer credit contracts (LCCC).

However, the DPA issued a final decision in response to a "recurso de reposición" (an appeal to an administrative authority to reconsider its own decision) lodged by the data subject.

On appeal, the data subject argued that the LCCC did not control because the data at issue related to a contract that had already been concluded, not an ongoing contractual relationship. In support of their claim, the data subject pointed out that, while the LCCC has provisions specifically governing access to contractual documents prior to and during their validity, it does not mention documents relating to a concluded contract.

Holding

The DPA reversed its previous decision, upholding the data subject's appeal for reconsideration and requiring the controller to answer the data subject's access request within 10 business days.

The DPA noted that bank transactions are personal data under Article 4(1) GDPR and are as such subject to the right of access guaranteed by Article 15 GDPR. The DPA did not, however, explicitly decide on the parties' arguments regarding the LCCC.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                                1/4










     Procedure no.: TD/00293/2021

SUBJECT: Appeal for Replenishment No.: EXP202101467

Examined the appeal for reconsideration filed by A.A.A. against the decision issued
by the Director of the Spanish Agency for Data Protection in the file
TD/00293/2021, and based on the following



                                       FACTS

FIRST: On January 26, 2022, a resolution was issued by the Director of the
Spanish Data Protection Agency in file TD/00293/2021, in which

it was agreed to dismiss the claim for Protection of Rights made by D. A.A.A.
against 4FINANCE SPAIN FINANCIAL SERVICES, S.A.U.

SECOND: The resolution now appealed was reliably notified to D.A.A.A.
on January 31, 2022, as stated in the proof of notification.


THIRD: The appellant has filed an appeal for reconsideration on February 28
2022, with entry into this Agency on February 28, 2022, in which it indicates, in
synthesis, that "(...) our interested party has the right to be provided with all the
information regarding the processing of your data, being obliged to comply with the
responsible for the treatment, that is, the aforementioned financial entity. Our

represented, current interested party and owner of the data, also has the right to receive
the information by the requested means. In the event that the application is submitted by
digital means, you should obtain it by the same means, unless expressly requested in
contrary.


The rights granted by access to information are not limited to mere consultation.
In addition, the interested party must receive a copy of their personal information, which may be
save privately. And in the event that access to personal data involves
certain complexity, the data controller may request that the interested party
specify the files you want to query. In that case, you will need to provide a
list with all the files so that the individual can identify them.


(...) is not a reason to deny access to the aforementioned contracts on the basis that
They were paid for and closed.

(...) Although it is true that the Spanish Data Protection Regulation provides that

when the laws applicable to certain treatments establish a regime
that affects the exercise of rights, the provisions of those will be followed;
in the present cannot be a reason for denial of the claim
presented by us, since the specific regulations referenced by the
claimed entity, Law 16/2011, of June 24, of credit contracts to the

consumption, at no time expressly mentions the non-compulsory nature of
submit consumer credit contracts, once they have been finalized, paid
and closed. If this is the case, please provide us with information on the
specific articles that make such a reference. The specific regulations do

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 2/4








reference to the obligation to deliver the referenced documents before starting
the contractual relationship and during the term of this relationship, a fact that
We acknowledge that it has been fulfilled by the aforementioned financial entity

claimed; however, there is no mention at any time of the non-compulsory nature of
delivery of the documents once the contractual relations have been finalized.”

FOURTH: Transferred to the claimed party the appeal for reconsideration filed by the
claimant party to express what it deems appropriate, it is ratified in what
already exposed during the processing of the procedure.


“(…) the right of access does not cover, in general, “obtaining a copy of
certain documents or other information associated with a business relationship,
labor, contractual or administrative”. The affected person must go to the authorities
competent since, as the Agency indicates, "the requested documents do not

are part of the access regulated in the data protection regulations as they are
documents linked to the contractual relationship between the parties.”

                           FOUNDATIONS OF LAW

                                            Yo


The Director of the Spanish Agency is competent to resolve this appeal.
Data Protection, in accordance with the provisions of article 123 of the Law
39/2015, of October 1, of the Common Administrative Procedure of the
Public Administrations (hereinafter LPACAP).


                                           II

Due to operational reasons of the administrative body, therefore, no
attributable to the appellant party, to date the mandatory

statement of this Agency regarding the claim of the appellant.

In accordance with the provisions of article 24 of the LPACAP, the meaning of silence
in the proceedings to challenge acts and provisions is
dismissive. However, and despite the time that has elapsed, the Administration is

obliged to issue an express resolution and to notify it in all procedures
whatever its form of initiation, as provided in article 21.1 of the aforementioned
Law. Therefore, it is appropriate to issue the resolution that ends the appeal procedure
replacement filed.


                                           III

Based on these rules and in consideration of the facts considered proven,
determined that:

“In the present case, from the examination of the documentation in the file, it was

notes that the right of access was met.

The documents requested by the claimant are not part of that regulated access
in the data protection regulations, as they are documents linked to the relationship

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 3/4








agreement between the parties, and the claimant must go to the authorities
corresponding to your request.


Therefore, taking into account the provisions of the preceding paragraphs, that access to
said contractual data is independent of the right of access regulated in the
data protection regulations, and that the respondent has provided access to their
data, it is appropriate to dismiss the claim of rights.”

                                           IV


The purpose of this resolution is the reversal appeal filed on the date
February 28, 2022 against the resolution dated January 26, 2022, issued by
the Director of the Spanish Data Protection Agency, agreeing to the
dismissal of the claim initially filed.


In the arguments presented by the defendant, in relation to the appeal for
replacement presented by the appellant, ratifies what was already stated during the
processing of the procedure.

“(…) the right of access does not cover, in general, “obtaining a copy of

certain documents or other information associated with a business relationship,
labor, contractual or administrative”. The affected person must go to the authorities
competent since, as the Agency indicates, "the requested documents do not
are part of the access regulated in the data protection regulations as they are
documents linked to the contractual relationship between the parties.”


                                           IV

Article 4, Definitions, of the GDPR, provides that:


“For the purposes of this Regulation, the following shall be understood as:

1) "personal data": any information about an identified natural person or
identifiable ("the interested party"); An identifiable natural person shall be deemed to be any person
whose identity can be determined, directly or indirectly, in particular by
an identifier, such as a name, an identification number,

location, an online identifier or one or more elements of the identity
physical, physiological, genetic, psychic, economic, cultural or social of said person;
(…)”

After reviewing the documentation in the file again, it is verified

that, taking into account that bank movements are data of a
personal and that must be supplied by the data controller, and given that
the information was partially provided, it is appropriate to uphold the present appeal of
replacement so that the claimed entity provides the claimant with the information
requested.






C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 4/4








Considering the aforementioned precepts and others of general application,
the Director of the Spanish Data Protection Agency RESOLVES:


FIRST: ESTIMATE the motion for reversal filed by D. A.A.A. against
Resolution of this Spanish Agency for Data Protection issued on the 26th of
January 2022, in file TD/00293/2021, which rejects the claim of

protection of rights formulated by the same against 4FINANCE SPAIN FINANCIAL
SERVICES, S.A.U. so that, within ten business days following the
notification of this resolution, send the claimant the right to
requested access, in accordance with the provisions of the body of this
resolution. The actions carried out as a result of this Resolution

must be communicated to this Agency within the same period. The breach of this
resolution could lead to the commission of the offense considered in article
72.1.m) of the LOPDGDD, which will be sanctioned, in accordance with article 58.2 of the
GDPR.


SECOND: NOTIFY this resolution to D. A.A.A. and 4FINANCE SPAIN
FINANCIAL SERVICES, S.A.U.

In accordance with the provisions of article 50 of the LOPDGDD, this

Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure, it may be filed in the
period of two months from the day following the notification of this act
according to the provisions of article 46.1 of Law 29/1998, of July 13, regulating the

Contentious-administrative jurisdiction, contentious-administrative appeal before the
Contentious-administrative Chamber of the National High Court, in accordance with the
provided for in article 25 and in section 5 of the fourth additional provision of the
aforementioned legal text.

                                                                              185-170919

Sea Spain Marti
Director of the Spanish Data Protection Agency






















C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es