AEPD (Spain) - PS/00016/2022

From GDPRhub
Revision as of 14:09, 14 March 2023 by Ls (talk | contribs)
AEPD - PS/00016/2022
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 15 GDPR
Article 56 GDPR
Article 60 GDPR
Article 83(2) GDPR
Type: Complaint
Outcome: Partly Upheld
Started: 05.01.2021
Decided: 28.02.2023
Published:
Fine: n/a
Parties: Holidays Edreams
National Case Number/Name: PS/00016/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: ls

A controller who fails to respond to an access request due to an employee error is nonetheless liable for the violation of Article 15 GDPR.

English Summary

Facts

A data subject made a purchase from Edreams (the controller). Shortly after, he contacted the controller by phone. On January 5, 2021, the data subject requested access to the call recording but, after one month, he had not received any response. He therefore filed a complaint with the French DPA. The case was then sent to the Spanish authority, under Articles 56 and 60 GDPR.

During the investigation, the controller explained that the data subject had contacted the customer service department and not the privacy department, and that the internal process for responding to the request was not followed due to a human error. It also stated that as soon as the relevant department was informed, i.e. in response to the proceeding, the controller responded to the access request and sent the records by email. Finally, it explained that it had put measures in place to prevent this from happening again.

Holding

In accordance with Article 60 GDPR, the Spanish DPA allowed the other supervisory authorities concerned to give their opinions, none of which reacted.

The DPA considered that human error on the part of an employee does not exonerate the controller from its responsibility for the protection of personal data. It acknowledged that measures had been taken to ensure that access requests would be properly managed in the future. These measures however did not allow the data subject to exercise his rights before the proceedings were initiated.

The DPA therefore concluded that the controller had violated Article 15 GDPR and, considering that the infringement was minor, issued a warning.


English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.









     Procedure No.: PS/00016/2022
IMI Reference: A60DD 403656 - A61VMA 298021 - Case Register 79805



                  RESOLUTION OF SANCTIONING PROCEDURE

Of the procedure instructed by the Spanish Agency for Data Protection and based on the
following:


                                     BACKGROUND


FIRST: A.A.A. (hereinafter, the claimant) filed a claim with the
French data protection authority. The claim is directed against HOLIDAYS
EDREAMS, S.L., with NIF B61965778 (hereinafter, EDREAMS). The reasons on which the
claim is based are as follows:

The claimant has requested EDREAMS by e-mail to access the recording of all
telephone exchanges with the company, but, after a month, has not
received any reply.


Date on which the claimed events took place: January 5, 2021

Along with the claim, the following is provided:

- Capture of an email sent by the complaining party to the addresses
customerservice-fr@contact.edreams.com and service.client@edreams.com, dated
January 5, 2021, in which the claimant makes a complaint about a purchase made in
Canadian dollars and requests access to all conversations held between the
claimant and EDREAMS customer service on August 14, 2020, October 26, 2020,
November 17, 2020 and December 28, 2020, and provides the following information
for identification: name and surname, date of birth and the last four
digits of the credit card.


SECOND: Through the "Internal Market Information System" (hereinafter
IMI System), regulated by Regulation (EU) No. 1024/2012, of the European Parliament and of the
Council, of October 25, 2012 (IMI Regulation), whose objective is to promote
cross-border administrative cooperation, mutual assistance between Member States and
the exchange of information, the aforementioned claim was transmitted on May 21, 2021 and
was registered as received by the Spanish Agency for Data Protection
(AEPD) that same day. The transfer of this claim to the AEPD was carried out
in accordance with the provisions of article 56 of Regulation (EU) 2016/679, of the
European Parliament and of the Council, of 04/27/2016, on the Protection of Natural
Persons with regard to the Processing of Personal Data and the Free Movement of
such Data (hereinafter, GDPR), taking into account its cross-border nature and that
this Agency is competent to act as main control authority, given that
EDREAMS has its registered office and sole establishment in Spain.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeaepd.gob.es 2/20








The data processing that is carried out affects interested parties in several Member
States. According to the information incorporated into the IMI System, in accordance with
article 60 of the GDPR, the following act as "control authority
concerned", in addition to the French data protection authority: the data protection
authorities of Portugal, Italy, Lower Saxony (Germany) and Denmark. All of them under article
4.22.b) of the GDPR, given that the interested parties residing in the territory of these
control authorities are substantially affected or are likely to be substantially
affected by the treatment that is the object of this procedure.



THIRD: On June 1, 2021, in accordance with article 64.3 of Organic Law
3/2018, of December 5, on the Protection of Personal Data and guarantee of
digital rights (hereinafter, LOPDGDD), the claim filed by the complaining party
was admitted for processing.



FOURTH: The General Subdirectorate of Data Inspection proceeded to carry out
preliminary investigation actions to clarify the facts in question, by
virtue of the functions assigned to the control authorities in article 57.1 and of the
powers granted in article 58.1 of Regulation (EU) 2016/679 (General Data Protection
Regulation, hereinafter GDPR), and in accordance with the provisions of
Title VII, Chapter I, Second Section, of the LOPDGDD, becoming aware of the
following points:

Response to the request for information presented on behalf of EDREAMS
with entry registration O00007128e2100036021, with entry into the AEPD on August 27,
2021, which provides, among other things, the following information:

1. Statement that they have not received any request from the complaining party through the
   privacy form on their website, so it has not been processed by a specialized
   agent but has been dealt with by customer service.

2. Statement that this request failed because the customer service agent
   that responded to this request closed it manually without managing it properly
   according to internal processes; these internal processes indicate that
   these requests must be answered by referring to the privacy form or by escalating the
   exercise of the right internally.

3. Declaration that they have responded to the complaining party as a result of having knowledge of
   this claim. They provide a screenshot of an email addressed to the
   claimant in French (and its translation into Spanish), indicating that the recordings
   are attached.

4. Regarding the causes that originated this incident, statement that it occurred
   due to human error that occurred in a situation where customer service
   received triple the number of requests due to the
   cancellations caused in the travel agency by COVID-19.

5. Statement that the following actions have been taken: send a reminder in the
   weekly newsletter to customer service agents on the centralization of
   attention to data protection rights in the Privacy Form so that they
   are attended by specialized agents; advance training in data
   protection and include the case of this claim as a practical case in the
   training; inform the agent who handled the request and his manager at a meeting about what
   occurred; and include a reminder of the existence of the Privacy Form in the
   email that interested parties receive automatically in response to
   emails received by customer service.

On December 30, 2021, a search was performed on the site
https://web.archive.org for the historical data that appeared in the Privacy Policy of the
EDREAMS website aimed at the Spanish public (https://www.edreams.es/politica-de-privacy/)
on January 13, 2021 and at the French public
(https://www.edreams.fr/politique-confidentialite/) on January 20, 2021, obtaining the
following information:

6. Both privacy policies indicate that their last update took place in June
   2019.

7. Both privacy policies indicate two ways to exercise rights:
   through an online form, or through a postal address. Specifically, the
   privacy policy in Spanish indicates the following: "In order to exercise your rights,
   click here or send your request by postal mail to the following address: Protection of
   data – Calle Bailén, 67, 08009 Barcelona, Spain, European Union. In your application you must
   clearly indicate your identity, specifying your full name and the e-mail
   address you used to make the purchase or create an account, and the rights you want
   to exercise."


FIFTH: On 01/12/2022, the Director of the AEPD adopted a proposed draft
decision to initiate disciplinary proceedings. Following the process established in
article 60 of the GDPR, on 02/09/2022 this proposal was transmitted through the IMI System and
the concerned authorities were informed that they had two weeks from that
time to make their comments. Within the period for this purpose, the control
authorities concerned made their comments in this regard.



SIXTH: On 05/24/2022, the Director of the AEPD adopted a draft decision to
initiate disciplinary proceedings. Following the process established in article 60 of the
GDPR, on 06/02/2022 this draft decision was transmitted through the IMI System and
the concerned authorities were informed that they had four weeks from that
moment to formulate pertinent and reasoned objections. Within the term for this purpose, the
control authorities concerned did not present pertinent and reasoned objections
in this regard, so it is considered that all the authorities agree with said
draft decision and are bound by it, in accordance with the provisions of
paragraph 6 of article 60 of the GDPR.


This draft decision was notified to EDREAMS in accordance with the rules established in the
Law 39/2015, of October 1, on the Common Administrative Procedure of
Public Administrations (hereinafter, LPACAP) on 05/25/2022, as stated in the
acknowledgment of receipt in the file.











SEVENTH: On 07/15/2022, the Director of the Spanish Agency for Data
Protection agreed to initiate a sanctioning procedure against EDREAMS, in accordance with the provisions of
Articles 63 and 64 of the LPACAP, for the alleged violation of Article 15 of the GDPR,
typified in Article 83.5 of the GDPR, in which it was indicated that it had a period of ten days
to present allegations.

This agreement to initiate proceedings, which was notified to EDREAMS in accordance with the rules established in
Law 39/2015, of October 1, on the Common Administrative Procedure of
Public Administrations, was collected on 07/18/2022, as stated in the acknowledgment of
receipt in the file.


EIGHTH: On 07/30/2022, this Agency received, in due time and form, a written submission from
EDREAMS in which it made allegations to the agreement to initiate proceedings in which, in summary,
it stated that:

"FIRST. - EXERCISE OF RIGHTS IN EDREAMS IN ACCORDANCE WITH THE
REGULATIONS.


EDREAMS centralizes the management of the exercise of rights (including the right of access)
through its Privacy Form. In this way, it is easier for users to exercise
said rights, through this easily accessible tool, linked in our Privacy
Notice and managed through a defined process and by a team trained and
dedicated for that purpose.


The Privacy Form allows, in turn, to automate part of the process, in order to
provide a better and faster response.

Initially, the interested party exercises his right through the Privacy Form. Said
request is exclusively conditioned to the fact that the agents specialized in the management
of these rights can confirm the information and have sufficient guarantees that
the person is who they claim to be and/or that the representation of a third party is sufficiently
accredited (normally the confirmation happens because the client, who receives a
verification email, confirms in the personal email registered in
our systems that they have requested the corresponding right).


After said confirmation, it connects with the appropriate departments, to execute the
corresponding actions based on the right exercised. Finally, once the actions
necessary have been carried out, we proceed to respond to the interested party according to a
internal guide (in this case, the right of access guide).


This process is carried out in accordance with our Privacy Notice and our
internal Privacy Policy (see Annex 1 - Index and applicable section of the internal Privacy
Policy), as well as internal procedures; specifically the Internal Guide on the
exercise of the right of access (see Annex 2 - Internal guide on the exercise of the right of
access) and with the data protection regulations:

Article 12 GDPR: "The controller will take the appropriate measures to
provide the interested party with all the information indicated in articles 13 and 14, as well as any
communication pursuant to articles 15 to 22 and 34 relating to processing, in a
concise, transparent, intelligible and easily accessible form, with clear and simple language, in
particular any information directed specifically to a child. The information will be
provided in writing or by other means, including, if applicable, by electronic means.”

Article 11.1 LOPDGDD: "When personal data is obtained from the affected party, the
person responsible for the treatment may comply with the duty of information established in
article 13 of Regulation (EU) 2016/679 by providing the affected party with the basic information
referred to in the following section and indicating an electronic address or other means
that allows easy and immediate access to the rest of the information.”

Article 12.2 LOPDGDD: “2. The person in charge of the treatment will be obliged to inform the
affected party about the means at his disposal to exercise the rights that correspond to him.
The means must be easily accessible to the affected party. The exercise of the right
may not be denied for the sole reason that the affected party opts for another means.” In this sense
we want to insist that we do not deny the exercise of the right (which would also have been
managed had it been exercised through the Privacy Form by the team and process
dedicated to that end) but rather the exceptional situation and a human error by an agent
gave rise to not reiterating once again to the CLIENT, in accordance with our Privacy
Notice, the availability of the Privacy Form for the exercise of his rights.

We will develop this point in the second argument. Likewise, we will establish why and
how we have mitigated the risk of this happening again.

European Commission - How should we process applications from people who exercise
their rights in terms of data protection?: "When personal data is processed
with electronic means, you must offer means so that the requests can be
submitted electronically.”

AEPD - Exercise your rights: "The person in charge is obliged to inform you about the means
to exercise these rights. These means must be accessible and this right cannot be denied
for the sole reason that you opt for another means”.

Furthermore, EDREAMS is aware that customers can contact
us in different ways for different purposes. For this reason, we train
our Customer Service agents and we carry out awareness actions regarding the
exercise of rights. In the same way, we provide an answer guide, to which we
will refer later, with the purpose that they know how to detect the exercise of rights and
know how to reiterate the information already collected in our Privacy Notice, regarding the
Privacy Form as a means to exercise rights.



SECOND.- EDREAMS MAKES EXTRA EFFORTS IN GENERIC CHANNELS OF
CUSTOMER SERVICE IN ORDER TO GIVE THE BEST SERVICE TO ITS CUSTOMERS.

First of all, it is necessary to confirm that after internal investigations we verified
that the CLIENT did not exercise his right in accordance with our Privacy Notice,
through our Privacy Form (mentioned in the first allegation and
which guarantees that a specialized agent manages the corresponding request).
Secondly, we have analyzed the generic Customer Service email inboxes
and we have verified that we received a request from the CLIENT.










We have contacted the Customer Service team who have informed us
that the agent manually closed the ticket without having handled it properly
based on our internal processes that guarantee the corresponding management of said
request, referring to our Privacy Form (as indicated in the
internal process of data protection rights management) or escalating the exercise of the
right internally to the specialized department that is in charge of it. This manual
error by the agent occurs upon receipt of the communication on January 5, 2021, in which the
agent does not open an internal response ticket and therefore does not instruct the CLIENT to exercise the
right in the Privacy Form, as should have been done at that time.

In addition, this occurs in the context of the exceptional situation in which
EDREAMS found itself given the unprecedented saturation of requests in our Customer
Service email inboxes that we received due to the situation caused by COVID-19.

We have asked the Customer Service team for the number of emails
received in our general Customer Service email inboxes, which
we provide confidentially to the Spanish Agency for Data Protection: in the
month in which the CLIENT communicated with the Customer Service department,
and due to the entire COVID-19 crisis, we had a reception traffic of
communications consisting of a 450% increase with respect to communications
received the same month of the previous year; specifically, we received a total of 63,837
communications in the month of January 2021, this being an exceptional and unprecedented
saturation.


Despite these devastating circumstances both financially and organizationally,
we have tried to continue responding in the best possible way to all requests
of our clients, obtaining internal support from other teams for this management, and
we have tried to get out of these months as best as possible.


In these Customer Service channels we try to answer as soon as possible but there is
no specific fixed term of answer, since it depends on the filtering of topics and
their prioritization, which is done manually by the Customer Service team
and which carries risks of incorrect manual categorization, unlike what
occurs when they are exercised by the appropriate and proportionate means for the exercise of
rights (the Privacy Form).


And it is precisely for this reason that a specific medium was created (through the Form
of Privacy), complying with the data protection regulations and in order to be
capable of offering a mature process that is as guaranteed and transparent as possible so that
customers exercise their data protection rights.


In addition, we have automated this process with a privacy tool
(***TOOL.1), to reduce risks and improve our responses, and
it is managed with alerts to avoid deadlines and respond to customers as soon as
possible and within a maximum period of thirty days.


Evidence of the same is the priority management of and immediate response to the CLIENT's
exercise of right as quickly as possible since we became aware of it: it
was assigned to a senior specialist to handle this exercise of right
immediately, performing all internal actions in our systems and the
timely checks, and the CLIENT was responded to accordingly.


Much to our regret, the CLIENT's case was not addressed correctly to the information
timely and to the Privacy Form. Exceptional circumstances and manual error
of the agent, as well as the measures implemented (which we will transfer to you below),
make the risk of reproducing this case remote.



THIRD.- CONTINUOUS IMPROVEMENT OF TRANSPARENCY REGARDING THE EXERCISE OF
RIGHTS

We take advantage of this case (produced by not exercising the right correctly and through
the appropriate means as well as a manual error by the agent who did not follow our
internal policies and guidelines, in a context that was also exceptional) as an
opportunity to analyze all the causes and circumstances of this case, referred to
above in the second allegation, and that have allowed us to take extra steps to
prevent similar situations from occurring.

We would like to emphasize that we believe our regulatory compliance
program in the field of privacy and data protection is based on continuous
monitoring and continuous improvement and learning in order to increase the levels of
regulatory compliance.

In this context of exercising rights, we also maintain the same philosophy and
we take the rights of data subjects very seriously, not only as an action of
essential regulatory compliance, but because it is the best way to ensure the
trust of our clients.

That is why we have a dedicated and specifically trained team, as well as
an internal process for the exercise of data protection rights, to guarantee the best
possible response to our clients, through the Privacy Form, and internal
coordination systems to deal with such requests in accordance with the regulations.

Likewise, as an extra effort to guarantee and safeguard the exercise of rights,
Customer Service agents are trained and instructed that, in the event of receiving any
matter of protection of personal data, they must direct the client to the Privacy
Form so that he can exercise his rights.

Despite understanding that this case occurs in the exceptional circumstances
mentioned before, and having received several manual errors from Customer Service agents
in generic channels of said service, we have taken the opportunity to implement a
Customer Service Form, which customers will access either via the Customer Service Help
Center or by sending an email to the generic Customer Care email inboxes
still available.


Said form has assessed categories, among which is the exercise of rights
option that redirects you to our Privacy Form (as the only means that
must be used for the exercise of any right of the interested parties for the purposes of
personal data protection; since it is managed by a specialized team dedicated
to this purpose) (see Annex 3 - Customer Service Form and Annex 4 - Help Center
and frequently asked questions).

In this way, we guarantee a specialized procedure with guarantees, while
we also redirect our customers who contact us by
other means (such as the general means of contact for Customer Service) in order
to have a system that allows anyone who wants to exercise their rights to do so without
problems and mitigating the risks of manual errors by Customer Service agents.

Likewise, we train annually on a mandatory basis on data protection and
specialized in the exercise of rights, including practical cases such as this
case, as well as awareness actions by the Customer Service team (see
Annex 5 - Awareness articles on the exercise of rights),
covering topics such as “what is an exercise of data protection rights” and “how to
accompany clients to exercise them via the Privacy Form”.

On the other hand, in recent months we have carried out a migration of the
Privacy and rights management form, going from a generic tool to one
specialized in privacy (such as ***TOOL.1) in which, apart from being
managed by a specialized and highly qualified team aware of
data protection, we work on process automation to be more
agile and reduce risks of human errors.

We are sorry for what happened in this exceptional case. At the same time we understand that given the
circumstances and the measures described above, EDREAMS complies with the data protection
regulations as well as the guidelines of the AEPD itself (previously referred to
in the first allegation) and that the closure of the disciplinary proceedings against EDREAMS
with a warning entails a disproportionate, maximalist interpretation of the
data protection regulations, in a context of a global pandemic with effects
never experienced before, especially by the tourist industry in which said company carries out
its activity, as well as for the efforts made by it, especially when we have
mitigated the risk of cases similar to this occurring again, with a Customer
Service Form that guides customers in the event that, without having read or ignoring
the Privacy Notice, they want to exercise their rights, so that they can be guided accordingly
and their rights managed, through the Privacy Form.

We reiterate the commitment of the EDREAMS team to work tirelessly regarding
learning and continuous improvement of our processes, with the aim of not only complying
with the regulations, but to strengthen the trust of our customers in us. And in this
context, we will continue to monitor and continuously improve the policies, processes,
actions and measures referred to herein.”



NINTH: On 09/02/2022, the instructing body of the disciplinary procedure
formulated a resolution proposal, in which the Director of the AEPD is proposed to direct
a warning to EDREAMS, with NIF B61965778, for a violation of article 15 of the
GDPR, typified in Article 83.5 of the GDPR.


This proposed resolution, which was notified to EDREAMS in accordance with the rules
established in Law 39/2015, of October 1, of the Common Administrative Procedure
of Public Administrations (LPACAP), was collected on 09/02/2022, as stated
in the acknowledgment of receipt in the file.


TENTH: On 09/16/2022, this Agency received, in due time and form, a written submission from
EDREAMS in which it made allegations to the proposed resolution in which, in summary,
it stated that:

“SOLE.- EXERCISE OF RIGHTS IN EDREAMS IN ACCORDANCE WITH THE REGULATIONS.


EDREAMS reiterates its previous allegations and understands that it complies with the
regulations in the terms described below.

On the one hand, it has an official channel, the Privacy Form (Annex 1 –
Privacy Form), which is transparently informed and made available
to the interested parties in our Privacy Notice, resulting in easy
access for the interested party (Annex 2 - Privacy Notice: exercise of rights).

On the other, it has processes, tools, training materials and other appropriate
measures in which it is contemplated that the hypothetical
exercise of rights cannot be denied by the simple fact that it is exercised through other channels
that are not the official channel.

In this last direction, EDREAMS works tirelessly in the continuous improvement
of the previously mentioned measures, which were confirmed in accordance with
the third argument of our response to the agreement to initiate sanctioning
proceedings dated July 29, 2022 (with registration number
O00007128e22P0006395), so that in all its Customer Service channels
customers are redirected to the official and dedicated channel for their management
(the aforementioned Privacy Form), in the event that they were used for the
exercise of rights.


We agree that an organization should have an official channel that collects a pro-
guarantor transfer in the terms included in the protection regulations
of data, as well as appropriate measures that guide the actions of any
employee thereof to inform any interested party on how to exercise their

data protection rights. However, an interpretation in which
the same degree of diligence that the official channel must have (as long as
it is transparently informed in the Privacy Notice) is required of any
other channel of the organization, would entail, on the one hand, an overload and a
disproportionate dedication of resources of the organization and, on the other, we understand
that it would be contrary to the fact that the regulations require an official channel
for the exercise of rights.

The interpretation that we set out above is based on the fact that the
rule in question (article 12.2 LOPDGDD) clearly establishes that the person
responsible for the treatment can determine an official channel, as long as it
is easily accessible (as it is in our case).









It is clear that the standard has wanted to go further and therefore requires
greater cooperation from organizations to enhance the effectiveness of rights and,
therefore, it has been established that organizations cannot hide behind the fact
that the corresponding right had been exercised through another official channel,
to directly deny it without further ado, without having internal controls in this regard (in
the aforementioned article 12.2 LOPDGDD).

But does that mean that an organization must have in any channel a
ticket filtering and management system that is not only extremely urgent -due to
the urgent nature of the period of exercise of rights included in the data protection
regulations-, but that is also infallible, because otherwise
disciplinary proceedings against the organization are opened, despite having appropriate
measures for said channels not specially dedicated to the exercise of rights
(despite having an official channel, which is transparently informed
in the Privacy Notice and easily accessible in accordance with the regulations, as well
as measures to reduce the risk of potential manual error by an agent
that manages an unofficial channel)?


This party considers disproportionate an interpretation that entails a
positive response to the previous question, so we ask that said
interpretative position be reconsidered, understanding that said conclusion
would, in practice, result in there not being an official channel, but
any company communication channel would automatically become
an official channel for the exercise of rights.

If the law had intended such a conclusion, requiring the same level of diligence
for any channel of the organization, the wording should have included
the following position: "The person responsible for the treatment will be obliged to

inform the affected party about the fact that in any means of contact of the
organization may exercise the rights that correspond to it, as well as facilitate the
list of them."

In the case at hand, it is necessary to insist that these Customer Service channels
are intended for consumption purposes, and therefore cannot
have an expectation of channel privacy due to its nature, and require the
same level of high diligence that supports a channel dedicated to the exercise of
rights.


Even so, in order to try to guarantee that the interested party has the
Privacy at hand even despite a possible exceptional oversight of a
Customer Service agent, we have implemented a note at the bottom of our
generic Customer Service emails, in which the customer is informed,
once again, of the existence of the Privacy Form for a simple management and
control of the exercise of rights and that allows the correct verification of the
identity of the interested parties (Annex 3 - Note at the foot of the emails of
Customer Support).

For all these reasons, this party considers that the precept in question requires a duty

of reasonable diligence, but not maximalist. And, in this logic, without prejudice to the
previously recognized position regarding the interpretation of the precept in
matter, we want to insist that we are sorry for what happened in this exceptional case,
and we reiterate EDREAMS' commitment to continue working tirelessly
on the continuous improvement of its processes, tools, and training in all
of its Customer Service channels so that, in the event that they are used
for the exercise of rights, customers are directed to the special and dedicated channel
for their management (the aforementioned Privacy Form).

For final clarification purposes, we understand that in the proposed resolution
there is a mistake in the reference to article 112.1 of the LPACAP (which refers to
the final resolution), only article 89.2 of the LPACAP being applicable
(referring to the proposed resolution) and, in accordance with it,
we present this claim.





For all this, this part:


 REQUEST

1. That this allegation be considered submitted in due time and form.
2. That it be considered in the final resolution, taking into account that it is about
an exceptional manual error of non-compliance with our internal policies and
procedures, caused by not having exercised the right of access through the
channel intended and described in our Privacy Notice (Privacy Form),
having addressed generic Customer Service channels in which
the expectation of response to the exercise of rights cannot be the same when
they are intended for consumer issues. Also, let it be good that
EDREAMS has acted and acts diligently in the respect, defense and exercise
of the rights of the interested parties and always in collaboration with the AEPD
and that all this is not diminished by this exceptional case.”

From the actions carried out in this procedure and from the documentation
in the file, the following have been accredited:



                                PROVEN FACTS


FIRST: The claiming party, on January 5, 2021, sent to the addresses
customerservice-fr@contact.edreams.com and service.client@edreams.com an email
each, making a complaint about a purchase made in Canadian
dollars and requesting access to all conversations held between the claiming
party and EDREAMS customer service on August 14, 2020,
October 26, 2020, November 17, 2020 and December 28, 2020, and providing the
following information for identification: name and surname, date of birth and last
four digits of the credit card.




SECOND: EDREAMS did not provide the complaining party with access to the recording of all
the telephone exchanges maintained with the company, and the complaining party
received no reply within a month.



THIRD: As stated by EDREAMS in its allegations, the lack of attention to the exercise
of the right of access occurred because “…the ticket was manually closed by the agent
without having handled it properly... This manual agent error occurs upon
receipt of the communication on January 5, 2021, in which the agent does not open an
internal response ticket.”


FOURTH: According to the search carried out on December 30, 2021, on the site
https://web.archive.org, of the historical data that appeared in the Privacy Policy of the
EDREAMS website aimed at the Spanish public
(https://www.edreams.es/politica-de-privacy/) on January 13, 2021 and of the one addressed
to the French public (https://www.edreams.fr/politique-confidentialite/) on January 20, 2021,
it was possible to obtain the following information:


    - In both privacy policies it is indicated that their last update took place in
       June 2019.


    - Both privacy policies indicate two ways to exercise your rights:
       through an online form, or through a postal address. Specifically, the
       privacy policy in Spanish indicates the following: "In order to exercise your
       rights, click here or send your request by postal mail to the following address:
       Data protection – Calle Bailén, 67, 08009 Barcelona, Spain, European Union.
       In your request you must clearly indicate your identity, specifying your
       full name and the e-mail address you used to make the purchase or create an
       account, and the rights you wish to exercise.”



                              FUNDAMENTALS OF LAW


                                               I
                             Competence and applicable regulations

In accordance with the provisions of articles 58.2 and 60 of Regulation (EU) 2016/679 of the
European Parliament and of the Council of April 27, 2016 on the protection of
natural persons with regard to the processing of personal data and the free movement
of these data (hereinafter, GDPR), and as established in articles 47, 48.1, 64.2 and
68.1 and 68.2 of Organic Law 3/2018, of December 5, on the Protection of Personal
Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the
Spanish Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed
by the Spanish Data Protection Agency will be governed by the provisions of the

Regulation (EU) 2016/679, in this organic law, by the regulatory
provisions dictated in its development and, insofar as they do not contradict them, on a
subsidiary basis, by the general rules on administrative procedures.”



                                              II
                                     Preliminary questions

In the present case, in accordance with the provisions of article 4.1 of the GDPR, there is
processing of personal data, since EDREAMS carries out the
collection and storage of, among others, the following personal data of natural persons:
name and surname, email and call recordings, among other
processing operations.


EDREAMS carries out this activity in its capacity as data controller, given that
it is the one that determines the purposes and means of such activity, by virtue of article 4.7
of the GDPR. In addition, it is cross-border processing, since EDREAMS is established in
Spain, although it provides services to other countries of the European Union.

The GDPR provides, in its article 56.1, for cases of cross-border processing
provided for in article 4.23), in relation to the competence of the main supervisory
authority, that, without prejudice to the provisions of article 55, the supervisory authority of the
main establishment or the only establishment of the controller or processor
will be competent to act as main supervisory authority for the
cross-border processing carried out by said controller or processor pursuant
to the procedure established in article 60. In the case examined, as has been stated,
EDREAMS has its only establishment in Spain, so the Spanish Data Protection
Agency is competent to act as the main supervisory authority.

For its part, the right of access to personal data is regulated in article 15 of the
GDPR.


                                              III
                                    Allegations adduced


In relation to the allegations made to the agreement to initiate this disciplinary
proceeding, we proceed to respond to them according to the order set forth by
EDREAMS:

1.- EXERCISE OF RIGHTS IN EDREAMS IN ACCORDANCE WITH THE REGULATIONS.


The existence of a "Privacy Form", through which EDREAMS centralizes the
management of the exercise of rights, should not prevent a request to exercise rights
regarding the protection of personal data from being addressed when it is
submitted by other means. As EDREAMS itself states in its allegations,
Article 12.2 of the LOPDGDD provides that: "The controller will be obliged
to inform the affected party about the means at their disposal to exercise the rights that
correspond. The means must be easily accessible to the affected party. The exercise
of the right may not be denied for the sole reason that the affected party opts for another means.”

The negligent action of the employee in attending to the request for the exercise of the right
of access does not exempt EDREAMS from responsibility. The responsibility of the company in
the scope of sanctions for the negligent action of an employee that implies the
breach of data protection regulations has been confirmed by the
jurisprudence of the Supreme Court. In this regard, it is worth mentioning the Judgment of the
Supreme Court no. 188/2022 (Contentious Chamber, Section 3), of February 15,
2022 (rec. 7359/2020), whose Fourth Law Foundation provides: "The fact that
it was the negligent action of an employee does not exempt it from its responsibility as
the party responsible for the correct use of security measures that should have
guaranteed the proper use of the designed data recording system. As we already
held in STS no. 196/2020, of February 15, 2021 (rec. 1916/2020), the person in charge
of the treatment is also responsible for the actions of its employees and cannot excuse itself
by its diligent performance, separately from the performance of its employees, but it is the
"guilty" action of these, consequence of the violation of the existing security
measures, which bases the responsibility of the company in the disciplinary field
for the "own" acts of its employees or positions, not of third parties."

The judgment continues arguing about the responsibility of legal
entities in our legal system: "...It simply happens that, being admitted in
our Administrative Law the direct responsibility of legal entities, to which,
therefore, infringing capacity is recognized, the subjective element of the infringement is
embodied in these cases in a different way from what happens with respect to natural persons,
so that, as indicated by the constitutional doctrine that we have reviewed before -SSTC
246/1991, of December 19 (F.J. 2) and 129/2003, of June 30 (F.J. 8)- the
direct reproach derives from the legal right protected by the norm that is infringed and
the need for such protection to be truly effective and the risk that,
consequently, the legal entity that is subject to compliance with said
rule".



2.- EDREAMS MAKES EXTRA EFFORTS IN GENERIC CUSTOMER SERVICE CHANNELS
IN ORDER TO GIVE THE BEST SERVICE TO ITS CUSTOMERS.

The measures adopted by EDREAMS in order to ensure due compliance by
its employees with the data protection regulations, without diminishing its
responsibility for the facts, along with the prompt attention to the exercise of the right of
access following the information request made by this Agency, have been
taken into account for the purpose of deciding the corrective power to apply, considering the
warning as more appropriate than the fine.



3.-CONTINUOUS IMPROVEMENT OF TRANSPARENCY REGARDING THE EXERCISE OF
RIGHTS

As stated in response to the above allegation, the measures adopted
by EDREAMS to facilitate the exercise of rights regarding data protection, without
negating the responsibility derived from the commission of the infraction, have been taken into
account for the purposes of deciding the corrective power to apply, considering the warning
as more appropriate than the fine.



Once the resolution proposal had been formulated by the instructor of this procedure, in the
hearing process for the interested party, EDREAMS presented allegations
reiterating its previous allegations. It should be noted that the need for requests for the
exercise of the right of access to personal data not to be limited to requests
made through a certain channel is a criterion shared with the European
Data Protection Board (hereinafter, CEPD), which, in compliance with the objective
of guaranteeing the coherent application of the General Data Protection Regulation
(according to article 70 of the GDPR), is developing guidelines
to provide a clear and transparent basis on the exercise of the right of access
(“Guidelines 01/2022 on data subject rights - Right of access”).

In section 3.1.2 (paragraphs 52 to 57) of the version submitted to public consultation of the
aforementioned Guidelines
(https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf),
the following is expressed about the requirements of the request to exercise
the right of access (unofficial translation):

“52. As noted above, the GDPR does not impose any requirements on data subjects
in relation to the form of the request for access to personal data. Therefore,
in principle, there are no GDPR requirements that interested parties must observe when choosing a
communication channel through which they come into contact with the controller.

53. The CEPD encourages data controllers to provide the most appropriate and
user-friendly communication channels, in accordance with article 12, paragraph
2, and article 25, to allow the interested party to make an effective request. Nevertheless,
if the interested party makes a request through a communication channel provided
by the controller that is different from the one indicated as preferable, the request will be
considered, in general, effective and the controller must process said request.
Consequently, data controllers must make all reasonable efforts
to ensure that the exercise of the rights of the interested party is facilitated
(for example, in the event that the interested party sends the data of the request to an employee who
is on leave, an automatic message informing the interested party about an
alternative communication channel for their request may be a reasonable effort).

54. It should be noted that the controller is not required to act in response
to a request sent to a random or incorrect email (or postal) address, not
provided directly by the controller, or to any communication channel that is
evidently not intended to receive requests regarding the rights of the interested party,
if the data controller has provided an appropriate communication channel
that can be used by the interested party.


55. The data controller is also not obliged to respond to a request
sent to the email address of its employees who are unable to participate in
the processing of requests relating to the rights of data subjects (e.g. drivers,
cleaning staff, etc.). Said requests will not be considered effective, if the
controller has clearly provided the interested party with the appropriate
communication channel. However, if the data subject sends a request to the employee of the
controller who deals with the data subject's affairs on a daily basis (single customer
contact, such as, for example, a personal account manager), such contact should not be considered

as random and the controller must make all reasonable efforts to process
said request so that it can be redirected to the point of contact and responded to within
the deadlines established by the GDPR.


56. However, the CEPD recommends, as a good practice, that those responsible for the
treatment introduce, to the extent possible, mechanisms to improve the
internal communication between employees on requests received by those who
may not be competent to meet such requests, in order to facilitate the exercise of
the rights of the interested parties.


57. The date of receipt of the request by the data controller triggers,
as a general rule, a period of one month for the data controller to provide
information on actions taken in response to a request, in accordance with
article 12, paragraph 3 of the GDPR. The CEPD considers it good practice for
data controllers to confirm receipt of requests in writing, for
example, by sending emails (or information by mail, if applicable) to the
applicants, confirming that their applications have been received and that the period
of one month runs from day X to day Y”.

These criteria determine a broad interpretation regarding the acceptance of
requests for the exercise of the right of access addressed by an interested party to the
controller. In general, the request to exercise the right of access to personal
data must be considered effective, so controllers must
make all reasonable efforts to ensure that the exercise of the
rights of the interested parties is facilitated. The claimant sent the request to two email
addresses belonging to EDREAMS, specifically to its customer
service. This service cannot be understood as excluded from the obligation to attend to the
requests for the exercise of rights made by EDREAMS clients, either
directly or by transfer to the corresponding unit. According to paragraph 55 of
Guidelines 01/2022, the controller is not obliged to respond to a request
sent to the email address of its employees who cannot participate in
the processing of requests related to the rights of the interested parties, such as drivers or
cleaning staff. However, a department whose activity is customer service,
such as EDREAMS customer service, which performs functions that
involve the processing of personal data of citizens, cannot be excluded from
the obligation to attend to the requests of its clients in the exercise of the right of
access to their personal data. Thus, EDREAMS itself, as explained in its
SECOND allegation, has internal processes so that the customer service team
manages requests for the exercise of rights in terms of data protection, which
were not applied to the request made by the complaining party: “…We have
contacted the Customer Service team who informed us that the agent closed
the ticket by manual error without having managed it properly based on our processes
that guarantee the corresponding management of said request, making reference to
our Privacy Form (as indicated in the internal process of managing
data protection rights) or to escalate the exercise of right internally to the
specialized department that is in charge of it.”


In the present case, despite the measures referred to by EDREAMS, the lack of
response to the exercise of the right of access by the complaining party within a period of one
month from the receipt of the application has been accredited in this procedure.

These allegations do not distort any of the proven facts, having been taken into
consideration for the purpose of assessing the concurrent circumstances in the commission of the
infringement.


For all the above, all the allegations are dismissed.


                                               IV.
                                      Right of access


Article 15 "Right of access of the interested party" of the GDPR establishes:

"1. The interested party shall have the right to obtain from the data controller confirmation of
whether or not personal data concerning him or her is being processed and, in such a case, the
right of access to the personal data and the following information:
       a) the purposes of the processing;
       b) the categories of personal data concerned;
       c) the recipients or categories of recipients to whom the personal data were
       or will be communicated, in particular recipients in third
       countries or international organizations;
       d) if possible, the expected period of conservation of personal data or, if not
       possible, the criteria used to determine this term;
       e) the existence of the right to request from the controller the rectification or deletion of
       personal data or the limitation of the processing of personal data relating to the
       interested party, or to oppose said processing;
       f) the right to file a claim with a control authority;
       g) when the personal data has not been obtained from the interested party, any
       available information on its origin;
       h) the existence of automated decisions, including profiling,
       referred to in Article 22, paragraphs 1 and 4, and, at least in such cases, significant
       information about the applied logic, as well as the importance and expected
       consequences of said processing for the interested party.
2. When personal data is transferred to a third country or to an international
organization, the interested party shall have the right to be informed of the adequate guarantees
under article 46 relating to the transfer.
3. The data controller shall provide a copy of the personal data undergoing
processing. The controller may charge, for any other copy requested by the
interested party, a reasonable fee based on administrative costs. When the interested party
submits the request by electronic means, and unless the latter requests that it be provided
otherwise, the information will be provided in a commonly used electronic format.
4. The right to obtain a copy mentioned in section 3 will not negatively affect the
rights and liberties of others."

In the present case, it is clear that the claimant sent an email to the
addresses customerservice-fr@contact.edreams.com and service.client@edreams.com,
dated January 5, 2021, making a complaint about a purchase made in
Canadian dollars and, in turn, requesting access to all conversations held
between the claimant and EDREAMS customer service on August 14,
2020, October 26, 2020, November 17, 2020 and December 28, 2020.


EDREAMS only responded to this request once it had received the request for
information from this Agency.

Therefore, according to the evidence available at this time of
resolving the disciplinary procedure, it is considered that the known facts
constitute an infringement, attributable to EDREAMS, for violation of article 15 of the
GDPR.



                                               V
                     Classification of the infringement of article 15 of the GDPR

The aforementioned infringement of article 15 of the GDPR entails the commission of the infringements
typified in article 83.5 of the GDPR, which under the heading "General conditions for the
imposition of administrative fines” provides:

“Violations of the following provisions will be sanctioned, in accordance with
paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of
a company, of an amount equal to a maximum of 4% of the total global annual
turnover of the previous financial year, opting for the one with the highest amount:

       (…)
        b) the rights of the interested parties in accordance with articles 12 to 22; (…)”

In this regard, the LOPDGDD, in its article 71 "Infractions" establishes that:


"Infractions are the acts and conducts referred to in sections 4, 5 and 6
of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to the
present organic law”.

For the purposes of the limitation period, article 74 "Infringements considered minor" of the

LOPDGDD indicates:

"The remaining infractions of a merely
of the articles mentioned in sections 4 and 5 of article 83 of the Regulation
(EU) 2016/679 and, in particular, the following:
(…)


        c) Failure to respond to requests to exercise the rights established in
        Articles 15 to 22 of Regulation (EU) 2016/679, unless the provisions of
        article 72.1.k) of this organic law apply. (…)”



                                               VI
                      Penalty for violation of article 15 of the GDPR

Without prejudice to the provisions of article 83 of the GDPR, the aforementioned Regulation
provides in section 2.b) of article 58 "Powers" the following:

"Each control authority will have all the following corrective powers indicated
below:

       (…)
       b) send a warning to any controller or processor when
       the processing operations have infringed the provisions of this
       Regulation; (…)”

For its part, recital 148 of the GDPR indicates:

“In the case of a minor offence, or if the fine likely to be imposed constitutes a
disproportionate burden on a natural person, a warning may be imposed
instead of a sanction by a fine. However, special attention should be paid to the nature,
seriousness and duration of the infringement, its intentional nature, the measures taken to
alleviate the damages suffered, the degree of responsibility or any previous
infringement, to the way in which the supervisory authority has learned of the
infringement, compliance with measures ordered against the controller or processor,
adherence to codes of conduct and any other aggravating or mitigating circumstance.”

According to the evidence available at the present time of
resolving the disciplinary procedure, it is considered that the offense in question is minor
for the purposes of article 83.2 of the GDPR, given that, in the present case,
this Agency has no evidence that procedures for similar offenses by EDREAMS
have been resolved in the year prior to the facts, that the complaining party sent the request to
customer service email addresses instead of the one indicated in the
privacy policy or through the form for this purpose, and that the request for access in
question was diligently addressed once the request for information was received from
this Agency, all of which allows considering a reduction of guilt in the facts, for
which reason it is considered in accordance with the law not to impose a sanction consisting of
an administrative fine and to replace it by directing a warning to EDREAMS.




Therefore, in accordance with the applicable legislation and having assessed the criteria for
graduating the sanctions whose existence has been accredited,
the Director of the Spanish Data Protection Agency RESOLVES:


FIRST: ADDRESS a warning to VACACIONES EDREAMS, S.L., with NIF
B61965778, for a violation of Article 15 of the GDPR, typified in Article 83.5 of the
GDPR.

SECOND: NOTIFY this resolution to VACACIONES EDREAMS, S.L.


In accordance with the provisions of article 50 of the LOPDGDD, this Resolution
will be made public once the interested parties have been notified.

In accordance with the provisions of article 60.7 of the GDPR, this
resolution will be communicated, once it is final, to the control authorities concerned and to
the European Data Protection Board.

Against this resolution, which puts an end to the administrative process in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the

interested parties may optionally file an appeal for reconsideration before the Director of
the Spanish Data Protection Agency within a period of one month from the day
following the notification of this resolution, or directly a contentious-administrative appeal
before the Contentious-Administrative Chamber of the National Court, in
accordance with the provisions of article 25 and section 5 of the fourth additional provision
of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction,
within two months from the day following the notification of this act,
according to the provisions of article 46.1 of the aforementioned Law.


Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP, the
final resolution in administrative proceedings may be provisionally suspended if the interested
party expresses their intention to file a contentious-administrative appeal. If this is the case,
the interested party must formally communicate this fact in writing addressed to the Spanish
Data Protection Agency, presenting it through the Electronic Registry of the
Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the
remaining registries provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1.
The interested party must also transfer to the Agency the documentation that proves the effective
filing of the contentious-administrative appeal. If the Agency were not aware of the
filing of the contentious-administrative appeal within a period of two months from the day
following the notification of this resolution, it would terminate the precautionary
suspension.




                                                                                       938-120722
Mar España Martí
Director of the Spanish Data Protection Agency





























