AEPD (Spain) - EXP202202928

From GDPRhub
Revision as of 12:37, 13 December 2023 by Ar
AEPD - EXP202202928
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 12 GDPR
Article 17(1) GDPR
Article 12 Organic Law on Protection of Personal Data and Guarantee of Digital Rights (Ley Orgánica de Protección de Datos Personales y garantía de los derechos digitales - LOPDGDD)
Article 15 Organic Law on Protection of Personal Data and Guarantee of Digital Rights (Ley Orgánica de Protección de Datos Personales y garantía de los derechos digitales - LOPDGDD)
Type: Complaint
Outcome: Upheld
Started: 02.02.2022
Decided:
Published:
Fine: n/a
Parties: A.A.A.
LLEVANT OPTION PROJECTS S.L.
National Case Number/Name: EXP202202928
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish Data Protection Agency held that controllers must take the data subject's rights seriously and a request to exercise a right requires an immediate answer by the controller. Non-compliance can lead to administrative sanctions.

English Summary

Facts

A data subject submitted a request for data erasure according to Article 17(1) GDPR to the company LLEVANT OPTION PROJECTS S.L. (the controller), but they did not receive a response which is legally required according to Article 12 GDPR. On 2 February 2022, the data subject filed a complaint with the Spanish Data Protection Agency (AEPD) after not receiving an answer. Upon reviewing the case, the AEPD determined that it is competent to handle the matter and has the authority to investigate and process complaints regarding the violation of data protection rights. After following the procedural steps outlined in the Organic Law on Data Protection and Guarantee of Digital Rights (LOPDGDD), the complaint was admitted on 2 May 2022. The controller failed to demonstrate that they had responded to the data subject’s request for data erasure.

Holding

The AEPD came to the conclusion that the data subject’s rights were not properly addressed, and that the controller failed to provide a response within the legally required timeframe of one month. Therefore, the AEPD upheld the data subject’s complaint and ordered the controller to fulfil the request for data erasure or in case of denial, to provide an explanation within ten business days. Non-compliance with the resolution may result in administrative sanctions. The controller has the right to appeal the decision within a specified timeframe.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

Considering the claim formulated on February 2, 2022 before this Agency by A.A.A. (hereinafter the claimant), against LLEVANT OPTION PROJECTS S.L. (hereinafter the claimed party), for not having duly addressed his request to exercise the rights established in Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 regarding the protection of natural persons with regard to the processing of personal data and the free circulation of these data (hereinafter, GDPR).
After the procedural actions provided for in Title VIII of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), the following have been verified:
FACTS
FIRST: The complaining party exercised the right of Suppression against the defendant, without his request having received the legally established response.
The complaining party provides various documentation related to the claim filed with this Agency and on the exercise of the exercised right.
SECOND: Once the procedure provided for in article 65.4 of the LOPDGDD was completed, the claim was admitted for processing and the entity claimed was granted a hearing procedure, so that within fifteen business days it could present the allegations it deems appropriate.
The requested entity has not accredited, on the occasion of the formalized procedures, that it has responded to the request for the exercise of rights that was presented to it by the complaining party.

FUNDAMENTALS OF LAW
FIRST: The Director of the Spanish Data Protection Agency is competent to resolve, in accordance with the provisions of section 2 of article 56 in relation to section 1 f) of article 57, both of the GDPR; and in article 47 of the LOPDGDD.

SECOND: In accordance with the provisions of article 55 of the GDPR, the Spanish Agency for Data Protection is competent to carry out the functions assigned to it in article 57, including that of enforcing the Regulation and promoting the awareness of the managers and those in charge of the treatment about the obligations incumbent on them, as well as to treat the claims presented by an interested party and investigate the reason for them.
Correlatively, article 31 of the GDPR establishes the obligation of those responsible and in charge of the treatment to cooperate with the control authority that requests it in the performance of their functions. In the event that they have designated a data protection officer, article 39 of the GDPR attributes to the latter the function of cooperating with said authority.
In the same way, the internal legal system, in article 65.4 of the LOPDGDD, has provided for a mechanism prior to the admission for processing of the claims that are formulated before the Spanish Agency for Data Protection, which consists of transferring them to the data protection delegates appointed by those responsible or in charge of the treatment, for the purposes provided in article 37 of the aforementioned standard, or to them when they have not designated them, so that they proceed to the analysis of said claims and respond to them within the term of one month.
In accordance with this regulation, prior to the admission for processing of the claim that gives rise to this procedure, it was forwarded to the responsible entity so that it could proceed with its analysis, respond to this Agency within the period of one month and certify having provided the claimant with the due response, in the event of exercise of the rights regulated in articles 15 to 22 of the GDPR.
The result of said transfer did not make it possible to understand the claimants' claims satisfied. Consequently, on May 2, 2022, for the purposes provided for in article 64.2 of the LOPDGDD, the Director of the Spanish Agency for Data Protection agreed to admit the claim submitted for processing. Said agreement for admission to processing determines the opening of this procedure for lack of attention to a request to exercise the rights established in articles 15 to 22 of the GDPR, regulated in article 64.1 of the LOPDGDD, according to which:
"1. When the procedure refers exclusively to the lack of attention to a request to exercise the rights established in articles 15 to 22 of Regulation (EU) 2016/679, it will begin with an agreement for admission to processing, which will be adopted in accordance with the provisions of the following article.
In this case, the term to resolve the procedure will be six months from the date on which the claimant was notified of the agreement for admission to processing. After that period, the interested party may consider his claim upheld."
The purification of administrative responsibilities within the framework of a disciplinary procedure is not deemed appropriate, the exceptional nature of which implies that, whenever possible, the prevalence of alternative mechanisms that are protected by current regulations is considered.
It is the exclusive competence of this Agency to assess whether there are administrative responsibilities that must be cleared in a disciplinary procedure and, consequently, the decision on its opening, there being no obligation to initiate a procedure before any request made by a third party. Said decision must be based on the existence of elements that justify said initiation of the sanctioning activity, circumstances that do not occur in the present case, considering that with this procedure the guarantees and rights of the claimant are duly restored.

THIRD: The rights of individuals regarding the protection of personal data are regulated in articles 15 to 22 of the GDPR and 13 to 18 of the LOPDGDD. The rights of access, rectification, deletion, opposition, right to limitation of treatment and right to portability are contemplated.
The formal aspects related to the exercise of these rights are established in articles 12 of the GDPR and 12 of the LOPDGDD.
Furthermore, what is expressed in Recitals 59 et seq. of the GDPR is taken into account.
In accordance with the provisions of these regulations, the person responsible for the treatment must arbitrate formulas and mechanisms to facilitate the exercise of their rights by the interested party, which will be free of charge (without prejudice to the provisions of articles 12.5 and 15.3 of the GDPR), and is obliged to respond to requests made no later than one month, unless they can demonstrate that they are not in a position to identify the interested party, and to express their reasons in the event that they were not to respond to said request. The proof of compliance with the duty to respond to the request for the exercise of their rights made by the affected party falls on the person responsible.
The communication addressed to the interested party on the occasion of their request must be expressed in a concise, transparent, intelligible and easily accessible manner, with clear and simple language.

FOURTH: In the case analyzed here, the complaining party exercised its right of Deletion regulated in article 17 of the GDPR and article 15 of the LOPDGDD.
After the period established in accordance with the aforementioned regulations, the request did not obtain the legally required response. The claimed entity has not responded to the claimant's request or the requirements that have been sent to it by this Agency.
The aforementioned rules do not allow the request to be ignored as if it had not been raised, leaving it without the answer that those responsible must necessarily issue, even in the event that there is no data on the interested party in the entity's files or even in those cases in which it does not meet the established requirements, in which case the addressee of said request is also obliged to request the correction of the deficiencies observed or, where appropriate, deny the request with reasons indicating the reasons why it is not appropriate to consider the right concerned.
Therefore, the request that is formulated obliges the person in charge to give an express response, in any case, using any means that justifies the receipt of the response.
Since no copy of the necessary communication that must be addressed to the claimant informing him of the decision he has adopted regarding the request for the exercise of rights has been provided, it is appropriate to uphold the claim that gave rise to this procedure.

Given the aforementioned precepts and others of general application,
the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: UPHOLD the claim made by A.A.A. and urge LLEVANT OPTION PROJECTS S.L., with NIF B67347872, so that, within ten business days following the notification of this resolution, it sends the claimant a certification that addresses the right of Suppression exercised or denies it with reasons, indicating the causes for which it is not appropriate to attend to the request, in accordance with the provisions of the body of this resolution. The actions carried out as a consequence of this Resolution must be communicated to this Agency within the same period. Failure to comply with this resolution could lead to the commission of the offense considered in article 72.1.m) of the LOPDGDD, which will be penalized, in accordance with art. 58.2 of the GDPR.

SECOND: NOTIFY this resolution to A.A.A. and LLEVANT OPTION PROJECTS S.L.
In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once the interested parties have been notified.
Against this resolution, which puts an end to the administrative procedure (article 18.4 of the LOPD), and in accordance with the provisions of article 123 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, an appeal for reinstatement may be optionally filed with the Director of the Spanish Agency for Data Protection, within a month from the day following the notification of this resolution, or a contentious-administrative appeal may be filed directly with the Chamber of Contentious-Administrative Court of the National Court, in accordance with the provisions of article 25 and section 5 of the Fourth Additional Provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within the term of two months from the day following the notification of this act, as provided in article 46.1 of the aforementioned legal text.