AEPD (Spain) - EXP202301529

From GDPRhub
Revision as of 13:05, 13 December 2023 by Ar (talk | contribs) (Ar moved page AEPD (Spain) - PS/00076/2023 to AEPD (Spain) - EXP202301529)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
AEPD - PS/00076/2023
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 17 GDPR
Article 21 GDPR
Type: Complaint
Outcome: Upheld
Started: 23.09.2022
Decided: 18.08.2023
Published: 18.08.2023
Fine: n/a
Parties: GLOBAL KAPITAL GROUP SPAIN, S.L
National Case Number/Name: PS/00076/2023
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Mgrd

The Spanish DPA ordered a controller to reply to a data subject's request to delete personal data, to an objection of processing of data for marketing purposes, transfer to third parties and profiling

English Summary

Facts

On September 23, 2022 the data subject requested the controller to (i) erase his data, (ii) shared his objection to the processing of his personal data for marketing purposes or the transfer to third parties and (iii) the elaboration of financial profiles on his person. However, the data subject never received a reply from the controller.

Holding

The Spanish DPA determined the controller to, within the term of ten working days, to send the data subject a formal reply in which the requested rights are granted or denied, stating the reasons why the requested rights or deny them.

As highlighted by AEPD, the controller is obliged to provide mechanisms to facilitate the exercise of the data subject's rights, which shall be free of charge and to respond to the requests made within one month at the latest, considering the legal exceptions. In addition, the controller must state the reasons if it is unable to comply with such a request. The onus is on the data controller to prove that it has fulfilled the legal duty to respond to the data subject's request to exercise his or her rights.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/7









     File No.: EXP202301529


                RIGHTS PROCEDURE RESOLUTION

The procedural actions provided for in Title VIII of the Law have been carried out
Organic 3/2018, of December 5, Protection of Personal Data and guarantee of
digital rights (hereinafter LOPDGDD), the following have been verified


                                       FACTS

FIRST: A.A.A. (hereinafter, the claimant) exercised the right of Opposition and
Deletion against GLOBAL KAPITAL GROUP SPAIN, S.L. (hereinafter, the part
claimed) without your request having received the legally established response.


The complaining party states that, on September 23, 2022, it requested the
claimed party the deletion of their data object of treatment, as well as their
Opposition to the processing of your data for marketing purposes or its transfer to
third parties and the elaboration of financial profiles on your person, without having

received an answer within the legally established period.

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights (in
forward LOPDGDD), said claim was transferred to the claimed party, for

to proceed with its analysis and inform this Agency within a month of the
actions carried out to adapt to the requirements established in the regulations of
Data Protection.

THIRD: The result of the transfer procedure indicated in the previous Fact does not
allowed to understand satisfied the claims of the claimant. In

Consequently, on April 2, 2023, for the purposes set forth in article 64.1
of the LOPDGDD, the Director of the Spanish Data Protection Agency agreed
accept the claim submitted for processing.

The aforementioned agreement granted the defendant a hearing process, so that

within a period of fifteen business days, submit the allegations that you consider
convenient. Said entity declares the following:

"...we want to detail that it is a client who has an active credit

with our entity. The money corresponding to the principal of said credit was
transferred to the client's account, although we have not yet received the payment
corresponding to it. In addition, the client has presented before the Courts of

First instance a lawsuit requesting the annulment of the contract. for these
reasons, we cannot process the deletion of your personal data. On the other hand,
We did proceed with the exercise of the right of opposition, eliminating the customer's data

of our database related to the elaboration of financial profiles or
marketing…"



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/7








FOURTH: Having examined the document presented by the claimed party, it is transferred to the
complaining party, so that, within fifteen business days, it formulates the allegations

that you deem appropriate. The complaining party, in summary, continues to say that it does not
Your requests have been met.



                           FUNDAMENTALS OF LAW

                                            Yo

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter GDPR), grants each

control authority and as established in articles 47, 48.1 and 64.1 of the Law
Organic 3/2018, of December 5, Protection of Personal Data and guarantee of
digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve
this procedure the Director of the Spanish Data Protection Agency.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures

processed by the Spanish Data Protection Agency will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations dictated in its development and, insofar as they do not contradict them, with character
subsidiary, by the general rules on administrative procedures."



                                           II

In accordance with the provisions of article 55 of the GDPR, the Spanish Agency for
Data Protection is competent to perform the functions assigned to it
in its article 57, among them, that of enforcing the Regulation and promoting the

sensitization of controllers and processors about the
obligations incumbent upon them, as well as dealing with claims filed by a
interested and investigate the reason for them.

Correlatively, article 31 of the GDPR establishes the obligation of those responsible

and those in charge of the treatment to cooperate with the control authority that requests it in
the performance of their functions. In the event that they have designated a
data protection delegate, article 39 of the GDPR attributes to him the function of
cooperate with said authority.


In accordance with this regulation, prior to the admission for processing of the
claim that gives rise to this procedure, it was transferred to the
claimed party to proceed with its analysis, respond to this Agency in
within one month and certify having provided the claimant with the due response, in
the assumption of exercise of the rights regulated in articles 15 to 22 of the GDPR.


The result of said transfer did not allow us to understand satisfied the claims of the
complaining party. Consequently, on April 2, 2023, for the purposes of
provided for in article 64.2 of the LOPDGDD, the Director of the Spanish Agency for
Data Protection agreed to admit the claim submitted for processing. Saying
agreement for admission to processing determines the opening of this procedure of

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/7








lack of attention to a request to exercise the rights established in the
articles 15 to 22 of the GDPR, regulated in article 64.1 of the LOPDGDD, according to the
which:


"1. When the procedure refers exclusively to the lack of care of a
request to exercise the rights established in articles 15 to 22 of the
Regulation (EU) 2016/679, will begin with an agreement for admission to processing, which will be
adopt in accordance with the provisions of the following article.
In this case, the term to resolve the procedure will be six months from

from the date the claimant was notified of the admission agreement to
Procedure. After that period, the interested party may consider his
claim".

The depuration of administrative responsibilities within the framework is not considered opportune.

of a disciplinary procedure, the exceptional nature of which implies that a choice be made,
whenever possible, due to the prevalence of alternative mechanisms that have
under the current regulations.

It is the exclusive competence of this Agency to assess whether there are responsibilities
administrative procedures that must be purged in a disciplinary proceeding and, in

Consequently, the decision on its opening, there being no obligation to initiate a
procedure for any request made by a third party. Such a decision must
be based on the existence of elements that justify the start of the activity
disciplinary action, circumstances that do not exist in the present case, considering that
With this procedure, the guarantees and

claimant's rights.

                                          II

The rights of individuals regarding the protection of personal data are
regulated in articles 15 to 22 of the GDPR and 13 to 18 of the LOPDGDD. HE

contemplate the rights of access, rectification, deletion, opposition, right to
limitation of treatment and right to portability.

The formal aspects related to the exercise of these rights are established in the
Articles 12 of the GDPR and 12 of the LOPDGDD.


It also takes into account what is stated in Considering 59 et seq. of the
GDPR.

In accordance with the provisions of these regulations, the data controller

must arbitrate formulas and mechanisms to facilitate the exercise of their rights by the interested party.
rights, which will be free (without prejudice to the provisions of articles 12.5 and 15.3
of the GDPR), and is obliged to respond to requests made no later than a
month, unless you can demonstrate that you are unable to identify the
concerned, and to express their reasons in the event that they were not to attend said
application. The proof of compliance with the duty of

respond to the request to exercise their rights made by the affected party.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/7








The communication addressed to the interested party on the occasion of his request must
express themselves in a concise, transparent, intelligible and easily accessible way, with a
clear and simple language.


                                          IV.

Article 21 of the GDPR, regarding the right of opposition, establishes the following:

"1. The interested party will have the right to oppose at any time, for reasons

related to your particular situation, to what personal data concerning you
are subject to processing based on the provisions of article 6, paragraph 1,
letters e) or f), including profiling on the basis of those provisions.
The person responsible for the treatment will stop processing the personal data, unless
accredit compelling legitimate reasons for the treatment that prevail over the
interests, rights and freedoms of the data subject, or for the formulation,

exercise or defense of claims.

2. When the processing of personal data is for marketing purposes
directly, the interested party will have the right to oppose at all times the treatment of
personal data concerning you, including profiling on the

insofar as it is related to said marketing.

3. When the interested party opposes the treatment for direct marketing purposes,
personal data will no longer be processed for said purposes.


4. At the latest at the time of the first communication with the data subject, the
right indicated in sections 1 and 2 will be explicitly mentioned to the interested party
and it will be presented clearly and apart from any other information.

5. In the context of the use of information society services, and not
Notwithstanding the provisions of Directive 2002/58/EC, the interested party may exercise his

right to oppose by automated means that apply specifications
techniques.

6. When personal data is processed for the purposes of scientific research or
historical or statistical purposes in accordance with article 89, paragraph 1, the

The interested party shall have the right, for reasons related to their particular situation, to
oppose the processing of personal data concerning you, unless it is
necessary for the fulfillment of a mission carried out for reasons of interest
public".


                                           V

Article 17 of the GDPR, which regulates the right to delete personal data,
sets the following:

"1. The interested party shall have the right to obtain without undue delay from the person responsible for the

treatment the deletion of personal data that concerns you, which will be
obliged to delete without undue delay the personal data when any
of the following circumstances:

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/7









a) the personal data is no longer necessary in relation to the purposes for which it was
were collected or otherwise processed;

b) the interested party withdraws the consent on which the treatment is based in accordance
with Article 6(1)(a) or Article 9(2)(a) and this is not
based on another legal basis;
c) the interested party opposes the processing in accordance with article 21, paragraph 1, and does not
other legitimate reasons for the treatment prevail, or the interested party opposes the
treatment according to article 21, paragraph 2;

d) the personal data have been unlawfully processed;
e) personal data must be deleted to comply with a legal obligation
established in the law of the Union or of the Member States that applies to the
responsible for the treatment;
f) the personal data have been obtained in relation to the offer of services of the

information society referred to in article 8, paragraph 1.

2. When you have made the personal data public and are obliged, by virtue of the
provided in section 1, to delete said data, the person responsible for the treatment,
taking into account the technology available and the cost of its application, it will adopt
reasonable measures, including technical measures, with a view to informing

responsible who are processing the personal data of the request of the interested party
deletion of any link to such personal data, or any copy or replica of
the same.

3. Sections 1 and 2 will not apply when the treatment is necessary:


a) to exercise the right to freedom of expression and information;
b) for compliance with a legal obligation that requires data processing
imposed by the law of the Union or of the Member States that applies to the
responsible for the treatment, or for the fulfillment of a mission carried out in the interest

public or in the exercise of public powers conferred on the person responsible;
c) for reasons of public interest in the field of public health in accordance with
Article 9, paragraph 2, letters h) and i), and paragraph 3;
d) for archiving purposes in the public interest, scientific or historical research purposes or
statistical purposes, in accordance with Article 89(1), to the extent that
the right indicated in paragraph 1 could make it impossible or hinder

seriously impair the achievement of the objectives of such treatment, or
e) for the formulation, exercise or defense of claims".

                                            SAW


During the processing of this procedure, the defendant entity has answered
to this Agency, but it does not certify having fulfilled what was requested by the complaining party
addressing the rights or denying reasonedly and, remitting the mandatory
response to your request.

Thus, it is not possible to accept that the answer that corresponds to give can be manifested with

occasion of a mere administrative procedure, such as the formulation of allegations with
reason for this proceeding, initiated precisely for not duly addressing
the application in question.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/7









The aforementioned rules do not allow the request to be ignored as if it were not
would have raised, leaving her without the answer that must be issued by the

responsible, even in the event that there is no data in the files or even in
those cases in which it does not meet the established requirements, in which case the
recipient of said request is also obliged to request the correction of
the deficiencies observed or, where appropriate, deny the request with reasoned
indicating the causes for which it is not appropriate to consider the right in question.


Therefore, the request that is formulated obliges the person in charge to give an express response in
in any case, using any means that justifies the receipt of the
reply.

Given that a copy of the necessary communication that must be addressed to the

complaining party informing him about the decision he has adopted regarding the
request to exercise rights, it is appropriate to estimate the claim that originated the
present procedure.

Given the aforementioned precepts and others of general application, the Director of the Agency
Spanish Data Protection RESOLVES:


FIRST: ESTIMATE the claim made by A.A.A. considering that it has
violated the provisions of Article 17 of the GDPR and Article 21 of the GDPR and urge
GLOBAL CAPITAL GROUP SPAIN, S.L. with NIF B87258091, so that, within the period of
within ten business days of notification of this resolution, send to the

claiming party certification in which the requested rights are addressed or
reasonedly deny indicating the causes for which it is not appropriate to address the
request, in accordance with the provisions of the body of this resolution. The
actions carried out as a consequence of this Resolution must be
communicated to this Agency in the same term. Failure to comply with this resolution

could lead to the commission of a violation of art. 83.6 of the GDPR, classified as
very serious for the purposes of prescription in article 72.1.m) of the LOPDGDD, which is
sanctioned in accordance with art. 58.2 of the GDPR.

SECOND: NOTIFY this resolution to A.A.A. and GLOBAL CAPITAL
GROUP SPAIN, S.L.


In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once the interested parties have been notified.

Against this resolution, which puts an end to the administrative process in accordance with art. 48.6 of the

LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may optionally file an appeal for reversal before the
Director of the Spanish Agency for Data Protection within a period of one month from
count from the day following the notification of this resolution or directly
contentious-administrative appeal before the Contentious-administrative Chamber of the

National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative jurisdiction, within a period of two months from the


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/7











day following the notification of this act, as provided for in article 46.1 of the
referred Law.



                                                                                                1381-140623
Mar Spain Marti

Director of the Spanish Data Protection Agency































































C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es