AEPD (Spain) - EXP202204752
AEPD - PD-00148-2022 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | § 15 RGPD; § 13 LOPDGDD |
Type: | Other |
Outcome: | n/a |
Started: | |
Decided: | |
Published: | |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | PD-00148-2022 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | RESOLUCIÓN No: R/00934/2022 (in ES) |
Initial Contributor: | n/a |
The data subject submitted an access request and the controller did not comply with it. The DPA ordered the controller to provide the requested data or to justify the denial.
English Summary
Facts
The data subject exercised their right to access against the controller, the Universidad Autónoma de Madrid, asking for a physical copy of their data and to have access to a video call recording. The controller failed to comply with the request and the data subject filed a complaint with the Spanish DPA.
In response to the complaint, the controller argued that it was not possible to comply with the request to access the video call since it was already deleted. As for the physical copy of the data it agreed to provide them to the data subject.
The DPA started an investigation on the facts.
Holding
The DPA emphasized that the controller is obliged to respond to the requests within one month, unless it can prove that it is unable to identify the data subject making the request. Then, it highlighted that the communication shall be expressed in concise, easily accessible, and simple language.
The DPA rejected the controller's argument that the recordings were deleted as the data subject had requested them right after the viodeocall was made and held the right of access was not carried out in a proper manner.
According to the DPA, the controller violated Article 15 of the RGPD and Article 13 of the LOPDGDD which establish that the data subject has the right to obtain from the controller confirmation if their personal data is being processed and to have acces to it.
For these reasons, the controller was orderes to certify within ten working days that it sent the data subject the requested data. Otherwise, it should present proper justification for denying it.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: EXP202204752 RESOLUTION No: R/00934/2022 Having regard to the claim formulated on April 6, 2022 before this Agency by A.A.A., (hereinafter the claimant party), against UNIVERSIDAD AUTÓNOMA DE MADRID, (hereinafter the claimed party), for not having duly attended to his right of access. Once the procedural actions provided for in Title VIII of Organic Law 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), have been verified: FACTS FIRST: The claimant exercised the right of access against the claimant with NIF Q2818013A, without his request having received the legally established response. Your request includes: A PHYSICAL FORMAT COPY OF THE ORIGINAL MOTIVATIONAL ACT and access to the video call through the Microsoft Teams digital platform dated July 20, 2021. It provides various documentation related to the claim filed with this Agency and on the exercise of the right exercised. SECOND: In accordance with article 65.4 of the LOPDGDD, which has provided a mechanism prior to the admission for processing of the claims that are formulated before the AEPD, consisting of transferring them to the Data Protection Delegates designated by those responsible or in charge of the treatment, for the purposes provided for in article 37 of the aforementioned regulation, or to them when they have not designated them, the claim was forwarded to the entity claimed so that it could proceed with its analysis and respond to the claimant and to this Agency in within one month. THIRD: The result of the transfer procedure indicated in the previous Fact did not allow the claims of the claimant to be satisfied. Consequently, on June 27, 2022, for the purposes set forth in article 64.2 of the LOPDGDD, the Director of the Spanish Agency for Data Protection agreed to admit the claim submitted for processing and informed the parties that the maximum term to resolve this procedure, which is understood to have started through said agreement for admission to processing, will be six months. The aforementioned agreement granted the defendant entity a hearing process, so that within fifteen business days it could present the allegations it deemed appropriate. In the only response received in this Agency from the defendant, we have verified that the defendant states that he has partially complied with the right, namely: "...FIRST: DISMISS the delivery of the physical copy of the recording of the review of the END of Degree Project (TFG) made on 07/20/2021 through the Microsoft Teams platform because, given the elapsed time, the requested recording is no longer available. SECOND: ESTIMATE the delivery to the interested party of a copy of the reasoned record of the court of claim justifying the qualification..." FOURTH: The complaining party presents allegations in which it shows its disagreement. He provides some emails exchanged with the claimant where he requests the recording of the review on the same day it occurs. In addition, it adds that the requested document has not been provided. FUNDAMENTALS OF LAW FIRST: The Director of the Spanish Data Protection Agency is competent to resolve, in accordance with the provisions of section 2 of article 56 in relation to section 1 f) of article 57, both of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 regarding the protection of natural persons with regard to the processing of personal data and the free circulation of these data (hereinafter, GDPR); and in article 47 of Organic Law 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD). SECOND: In accordance with the provisions of article 55 of the GDPR, the Spanish Agency for Data Protection is competent to carry out the functions assigned to it in article 57, including that of enforcing the Regulation and promoting public awareness. the managers and those in charge of the treatment about the obligations incumbent on them, as well as to treat the claims presented by an interested party and investigate the reason for them. Correlatively, article 31 of the GDPR establishes the obligation of those responsible and in charge of the treatment to cooperate with the control authority that requests it in the performance of their functions. In the event that they have designated a data protection officer, article 39 of the GDPR attributes to the latter the function of cooperating with said authority. In the same way, the internal legal system, in article 65.4 of the LOPDGDD, has provided for a mechanism prior to the admission for processing of the claims that are formulated before the Spanish Agency for Data Protection, which consists of transferring them to the data protection delegates appointed by those responsible or in charge of the treatment, for the purposes provided in article 37 of the aforementioned standard, or to them when they have not designated them, so that they proceed to the analysis of said claims and respond to them within the term of one month. In accordance with this regulation, prior to the admission for processing of the claim that gives rise to this procedure, it was forwarded to the responsible entity so that it could proceed with its analysis, respond to this Agency within the period of one month and certify having provided the claimant with the due response, in the event of exercise of the rights regulated in articles 15 to 22 of the GDPR. The result of said transfer did not make it possible to understand the claimants' claims satisfied. Consequently, on June 27, 2022, for the purposes provided for in article 64.2 of the LOPDGDD, the Director of the Spanish Agency for Data Protection agreed to admit the claim submitted for processing. Said agreement for admission to processing determines the opening of this procedure for lack of attention to a request to exercise the rights established in articles 15 to 22 of the GDPR, regulated in article 64.1 of the LOPDGDD, according to which: "1. When the procedure refers exclusively to the lack of attention to a request to exercise the rights established in articles 15 to 22 of Regulation (EU) 2016/679, it will begin with an agreement for admission to processing, which will be adopted in accordance with the established in the following article. In this case, the term to resolve the procedure will be six months from the date on which the claimant was notified of the agreement for admission to processing. After that period, the interested party may consider his claim upheld. The purification of administrative responsibilities within the framework of a disciplinary procedure is not deemed appropriate, the exceptional nature of which implies that, whenever possible, the prevalence of alternative mechanisms that are protected by current regulations is considered. It is the exclusive competence of this Agency to assess whether there are administrative responsibilities that must be cleared in a disciplinary procedure and, consequently, the decision on its opening, there being no obligation to initiate a procedure before any request made by a third party. Said decision must be based on the existence of elements that justify said initiation of the sanctioning activity, circumstances that do not occur in the present case, considering that with this procedure the guarantees and rights of the claimant are duly restored. THIRD: The rights of individuals regarding the protection of personal data are regulated in articles 15 to 22 of the GDPR and 13 to 18 of the LOPDGDD. The rights of access, rectification, deletion, opposition, right to limitation of treatment and right to portability are contemplated. The formal aspects related to the exercise of these rights are established in articles 12 of the GDPR and 12 of the LOPDGDD. Furthermore, what is expressed in Recitals 59 et seq. of the GDPR is taken into account. In accordance with the provisions of these regulations, the person responsible for the treatment must arbitrate formulas and mechanisms to facilitate the exercise of their rights by the interested party, which will be free of charge (without prejudice to the provisions of articles 12.5 and 15.3 of the GDPR), and is obliged to to respond to requests made no later than one month, unless you can demonstrate that you are not in a position to identify the interested party, and to express your reasons in the event that you are not going to attend to said request application. The proof of compliance with the duty to respond to the request for the exercise of their rights made by the affected party falls on the person responsible. The communication addressed to the interested party on the occasion of their request must be expressed in a concise, transparent, intelligible and easily accessible manner, with clear and simple language. In the case of the right of access to personal data, in accordance with the provisions of article 13 of the LOPDGDD, when the exercise of the right refers to a large amount of data, the person responsible may request the affected party to specify the "data or activities treatment to which the request refers. The right will be understood as granted if the person in charge provides remote access to the data, taking the request for granted (although the interested party may request the information referring to the points provided in article 15 of the GDPR). The exercise of this right may be considered repetitive on more than one occasion during the period of six months, unless there is legitimate cause for it. On the other hand, the request will be considered excessive when the affected party chooses a means other than the one offered that entails a disproportionate cost, which must be borne by the affected party. FOURTH: In accordance with the provisions of article 15 of the GDPR and article 13 of the LOPDGDD, "the interested party has the right to obtain from the data controller confirmation of whether or not personal data concerning him or her is being processed and, in such case, the right of access to personal data”. Like the rest of the rights of the interested party, the right of access is a very personal right. It allows the citizen to obtain information about the treatment that is being made of their data, the possibility of obtaining a copy of the personal data that concerns them and that are being processed, as well as information, in particular, about the purposes of the treatment, the categories of personal data in question, the recipients or categories of recipients to whom the personal data was communicated or will be communicated, the expected term or conservation criteria, the possibility of exercising other rights, the right to file a claim with the control authority, the information available on the origin of the data (if these have not been obtained directly from the owner), the existence of automated decisions, including the preparation of profiles, and information on transfers of personal data to a third country or to an international organization. The possibility of obtaining a copy of the personal data subject to treatment will not negatively affect the rights and freedoms of others, that is, the right of access will be granted in such a way that it does not affect the data of third parties. In the case analyzed here, the complaining party exercised its right of access to a recording and documentation. The claimed party responds with respect to the recording that it cannot meet the right because it has been deleted despite the fact that the claimant requested it since it was produced. This is confirmed in the emails provided. And with respect to the requested documentation, the claimed party refers to a "copy of the reasoned record of the court of claim justifying the qualification" and the claimant of "COPY IN PHYSICAL FORMAT OF THE ORIGINAL MOTIVATIONAL RECORD". In view of the discrepancies between the parties, it seems that there is no agreement in the requested document either, since the claimant literally states: "...not having proceeded to comply with either of the two Petitums Capitales...", referring to the documentation and recording. Based on the foregoing, considering that the purpose of this procedure is to ensure that the guarantees and rights of those affected are duly restored and that the rights must be attended to or denied on grounds, the defendant must justify the reason why, despite having received the request for the copy of the recording for the first time while it was still in his possession, he did not provide it to the claimant. The claimant provides some emails that prove it. And, it must also clarify whether what was requested by the claimant regarding the documentation corresponds to what was provided, clarifying the difference in the denomination or giving the correct documentation. Since the right of access was not carried out properly, the claim is estimated. Given the aforementioned precepts and others of general application, the Director of the Spanish Agency for Data Protection RESOLVES: FIRST: ESTIMATE the claim made by A.A.A. and urge UNIVERSIDAD AUTÓNOMA DE MADRID with NIF Q2818013A, so that, within ten business days following the notification of this resolution, it sends the claimant a certification in which the requested right of access is addressed or denied reasonedly indicating the causes for which it is not appropriate to attend to the request, in accordance with the provisions of the body of this resolution. The actions carried out as a consequence of this Resolution must be communicated to this Agency within the same period. Failure to comply with this resolution could lead to the commission of the offense considered in article 72.1.m) of the LOPDGDD, which will be penalized, in accordance with art. 58.2 of the GDPR. SECOND: NOTIFY this resolution to A.A.A. and the AUTONOMOUS UNIVERSITY OF MADRID. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once the interested parties have been notified. Against this resolution, which puts an end to the administrative process in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, interested parties may optionally file an appeal for reversal before the Director of the Spanish Agency for Data Protection within a period of one month from the day following the notification of this resolution or directly contentious-administrative appeal before the Contentious-administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/ 1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the aforementioned Law.