AEPD (Spain) - TD/00293/2021
AEPD - REPOSICION-TD-00293-2021 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 4(1) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 26.01.2022 |
Decided: | |
Published: | 01.07.2022 |
Fine: | n/a |
Parties: | 4Finance Spain Financial Services, S.A.U. |
National Case Number/Name: | REPOSICION-TD-00293-2021 |
European Case Law Identifier: | n/a |
Appeal: | Not appealed |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | sofi.gk |
The Spanish DPA a reversed a prior decision that documents relating to a concluded contract between the data subject and controller were not governed by the GDPR, ordering the controller to honor the data subject's right of access.
English Summary
Facts
The data subject appealed a decision by the DPA that the controller, a bank, was not obliged to provide a copy of documents or information associated with a contractual relationship between the data subject and the controller. The DPA had agreed with the controller, who argued that the requested documents were not regulated under the GDPR and as such not subject to the right of access.
Spanish law states that when a special regime applies to certain processing operations and that regime affects the exercise of rights, the provisions of those special laws shall apply. The special law applicable in this case is Law 16/2011, of June 24, on consumer credit contracts. The controller alleged that the applicable Law only granted access rights to personal data when the contract was not yet concluded.
On appeal, the data subject pointed out that the law on consumer contracts never mentions that the controller is not obliged to provide information about the consumer credit contracts once they have been finalized.
Holding
After reviewing its previous decision, the DPA held that the financial movements are personal data under Article 4(1) GDPR and found that the information at issue in the case before them, relating to bank statements of the data subject, falls under this definition. Consequently, the controller was obliged to grant the data subject access to the documents.
Following this logic, the DPA upheld the data subject's claim on appeal and ordered the controller to honor the right of access within 10 business days.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/4 Procedure no.: TD/00293/2021 SUBJECT: Appeal for Replenishment No.: EXP202101467 Examined the appeal for reconsideration filed by A.A.A. against the decision issued by the Director of the Spanish Agency for Data Protection in the file TD/00293/2021, and based on the following FACTS FIRST: On January 26, 2022, a resolution was issued by the Director of the Spanish Data Protection Agency in file TD/00293/2021, in which it was agreed to dismiss the claim for Protection of Rights made by D. A.A.A. against 4FINANCE SPAIN FINANCIAL SERVICES, S.A.U. SECOND: The resolution now appealed was reliably notified to D.A.A.A. on January 31, 2022, as stated in the proof of notification. THIRD: The appellant has filed an appeal for reconsideration on February 28 2022, with entry into this Agency on February 28, 2022, in which it indicates, in synthesis, that "(...) our interested party has the right to be provided with all the information regarding the processing of your data, being obliged to comply with the responsible for the treatment, that is, the aforementioned financial entity. Our represented, current interested party and owner of the data, also has the right to receive the information by the requested means. In the event that the application is submitted by digital means, you should obtain it by the same means, unless expressly requested in contrary. The rights granted by access to information are not limited to mere consultation. In addition, the interested party must receive a copy of their personal information, which may be save privately. And in the event that access to personal data involves certain complexity, the data controller may request that the interested party specify the files you want to query. In that case, you will need to provide a list with all the files so that the individual can identify them. (...) is not a reason to deny access to the aforementioned contracts on the basis that They were paid for and closed. (...) Although it is true that the Spanish Data Protection Regulation provides that when the laws applicable to certain treatments establish a regime that affects the exercise of rights, the provisions of those will be followed; in the present cannot be a reason for denial of the claim presented by us, since the specific regulations referenced by the claimed entity, Law 16/2011, of June 24, of credit contracts to the consumption, at no time expressly mentions the non-compulsory nature of submit consumer credit contracts, once they have been finalized, paid and closed. If this is the case, please provide us with information on the specific articles that make such a reference. The specific regulations do C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 2/4 reference to the obligation to deliver the referenced documents before starting the contractual relationship and during the term of this relationship, a fact that We acknowledge that it has been fulfilled by the aforementioned financial entity claimed; however, there is no mention at any time of the non-compulsory nature of delivery of the documents once the contractual relations have been finalized.” FOURTH: Transferred to the claimed party the appeal for reconsideration filed by the claimant party to express what it deems appropriate, it is ratified in what already exposed during the processing of the procedure. “(…) the right of access does not cover, in general, “obtaining a copy of certain documents or other information associated with a business relationship, labor, contractual or administrative”. The affected person must go to the authorities competent since, as the Agency indicates, "the requested documents do not are part of the access regulated in the data protection regulations as they are documents linked to the contractual relationship between the parties.” FOUNDATIONS OF LAW Yo The Director of the Spanish Agency is competent to resolve this appeal. Data Protection, in accordance with the provisions of article 123 of the Law 39/2015, of October 1, of the Common Administrative Procedure of the Public Administrations (hereinafter LPACAP). II Due to operational reasons of the administrative body, therefore, no attributable to the appellant party, to date the mandatory statement of this Agency regarding the claim of the appellant. In accordance with the provisions of article 24 of the LPACAP, the meaning of silence in the proceedings to challenge acts and provisions is dismissive. However, and despite the time that has elapsed, the Administration is obliged to issue an express resolution and to notify it in all procedures whatever its form of initiation, as provided in article 21.1 of the aforementioned Law. Therefore, it is appropriate to issue the resolution that ends the appeal procedure replacement filed. III Based on these rules and in consideration of the facts considered proven, determined that: “In the present case, from the examination of the documentation in the file, it was notes that the right of access was met. The documents requested by the claimant are not part of that regulated access in the data protection regulations, as they are documents linked to the relationship C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 3/4 agreement between the parties, and the claimant must go to the authorities corresponding to your request. Therefore, taking into account the provisions of the preceding paragraphs, that access to said contractual data is independent of the right of access regulated in the data protection regulations, and that the respondent has provided access to their data, it is appropriate to dismiss the claim of rights.” IV The purpose of this resolution is the reversal appeal filed on the date February 28, 2022 against the resolution dated January 26, 2022, issued by the Director of the Spanish Data Protection Agency, agreeing to the dismissal of the claim initially filed. In the arguments presented by the defendant, in relation to the appeal for replacement presented by the appellant, ratifies what was already stated during the processing of the procedure. “(…) the right of access does not cover, in general, “obtaining a copy of certain documents or other information associated with a business relationship, labor, contractual or administrative”. The affected person must go to the authorities competent since, as the Agency indicates, "the requested documents do not are part of the access regulated in the data protection regulations as they are documents linked to the contractual relationship between the parties.” IV Article 4, Definitions, of the GDPR, provides that: “For the purposes of this Regulation, the following shall be understood as: 1) "personal data": any information about an identified natural person or identifiable ("the interested party"); An identifiable natural person shall be deemed to be any person whose identity can be determined, directly or indirectly, in particular by an identifier, such as a name, an identification number, location, an online identifier or one or more elements of the identity physical, physiological, genetic, psychic, economic, cultural or social of said person; (…)” After reviewing the documentation in the file again, it is verified that, taking into account that bank movements are data of a personal and that must be supplied by the data controller, and given that the information was partially provided, it is appropriate to uphold the present appeal of replacement so that the claimed entity provides the claimant with the information requested. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 4/4 Considering the aforementioned precepts and others of general application, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: ESTIMATE the motion for reversal filed by D. A.A.A. against Resolution of this Spanish Agency for Data Protection issued on the 26th of January 2022, in file TD/00293/2021, which rejects the claim of protection of rights formulated by the same against 4FINANCE SPAIN FINANCIAL SERVICES, S.A.U. so that, within ten business days following the notification of this resolution, send the claimant the right to requested access, in accordance with the provisions of the body of this resolution. The actions carried out as a result of this Resolution must be communicated to this Agency within the same period. The breach of this resolution could lead to the commission of the offense considered in article 72.1.m) of the LOPDGDD, which will be sanctioned, in accordance with article 58.2 of the GDPR. SECOND: NOTIFY this resolution to D. A.A.A. and 4FINANCE SPAIN FINANCIAL SERVICES, S.A.U. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure, it may be filed in the period of two months from the day following the notification of this act according to the provisions of article 46.1 of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, contentious-administrative appeal before the Contentious-administrative Chamber of the National High Court, in accordance with the provided for in article 25 and in section 5 of the fourth additional provision of the aforementioned legal text. 185-170919 Sea Spain Marti Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es