AEPD (Spain) - EXP202204836
AEPD - EXP202204836 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 15 GDPR |
Type: | Complaint |
Outcome: | Partly Upheld |
Started: | |
Decided: | |
Published: | |
Fine: | n/a |
Parties: | EasyJet |
National Case Number/Name: | EXP202204836 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | EXP202204836 (in ES) |
Initial Contributor: | n/a |
The Spanish DPA fined EasyJet a reduced fine of €8,000 for failing to reply to a data subject access request in due time.
English Summary
Facts
A data subject was denied boarding to an EasyJet flight. To ascertain why, he requested all the personal data that EasyJet held on him under Article 15 GDPR. This email was sent on the 28/12/2021. On 30/12/2021, EasyJet replied stating that it would take them time to reply to the access request as their staff was on holiday. On the 16/03/2022 the data subjecty sent EasyJet an email stating that he would file a complaint with the DPA given that he had still not received a reply.
EasyJet replied to the data subject stating that his original request had never come to the relevant team's attention as he had apparently sent the email to the wrong department. They asked the data subject to send it again so that they could resolve it promptly. When the data subject repeated the request, EasyJet stated on 01/04/2022 that they could not give him information related this boarding as claims relating to denied boarding are not related to the GDPR.
Holding
The Spanish DPA initially fined EasyJet €10,000 for a breach of Article 15 GDPR. However, given that EasyJet voluntarily paid it and accepted responsibility for the infraction, it was reduced to €8,000.
First, EasyJet told the DPA that they responded to the complainant by 01/04/2022. The DPA pointed out that Article 12(3) GDPR requires controller's to reply to access requests within one month. EasyJet took almost four months after the data subject had submitted his request (on 12/28/2022) to reply.
Second, while it is true that on 30/12/2021 EasyJet responded to the complainant's e-mail, the e-mail limited itself to providing a generic response confirming receipt of the e-mail. The e-mail mentioned that the complaint would be forwarded to the corresponding team for consultation. Thus, EasyJet already in December indicated an agreement to initiate the access request. The data subject was not provided an adequate response until April 2022.
Third, on the information related to the boarding, the DPA agreed that it was not related to the GDPR. For this reason, the DPA limited itself to focusing on Article 15 GDPR and the time that the controller took to reply to the access request.
Comment
It is the controller's responsibility to ensure that access requests are forwarded to the relevant department. EDPB guidelines (https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf at para 157) state that it is not the data subject's job to prove that their request arrived on the responsible person's desk. In fact, the controller does not even need to have taken notice of the request to be responsible. For the purposed of Article 15, the data subject only needs to prove that they sent the request through an official channel and that the controller has not replied within the one month deadline.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/19 File No.: EXP202204836 RESOLUTION OF TERMINATION OF THE PAYMENT PROCEDURE VOLUNTEER From the procedure instructed by the Spanish Data Protection Agency and based to the following BACKGROUND FIRST: On March 9, 2023, the Director of the Spanish Agency for Data Protection agreed to initiate sanctioning proceedings against EASYJET AIRLINE COMPANY LIMITED (hereinafter the claimed party). Startup agreement notified and after analyzing the allegations presented, on November 3, 2023, issued the proposed resolution that is transcribed below: << File No.: EXP202204836 PROPOSED RESOLUTION OF SANCTIONING PROCEDURE From the procedure instructed by the Spanish Data Protection Agency and based to the following: BACKGROUND FIRST: On 03/21/2022, this Agency received a document submitted by A.A.A. (hereinafter, the complaining party), through which the claim is made against EASYJET AIRLINE COMPANY LIMITED with NIF N0066592G (hereinafter, EASYJET), due to a possible non-compliance with the provisions of the regulations of Personal data protection. The reasons on which the claim is based are the following: "Good morning. On December 28, I requested access to my data in exercise of my right to access, to the company Easyjet, in the framework of a claim for breach of Regulation (EC) No 261/2004, to all data relating to me in your possession, in addition to those related to said file. I received only a mere acknowledgment of received on December 30 of the same year. To date I have not received any response to my request. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/19 On March 18, I sent a reminder to the company and they answered me. ignoring the access request, denying its existence, even “acknowledgment of receipt exists.” Along with the claim, provide, among others, the following documentation: - Email from the complaining party, dated 12/28/2021, sent to electronic addresses ***EMAIL.1 and ***EMAIL.2, with the subject “Claim Regulation (EC) nº261/2004-Right of Access Request”. Its content does allusion to a claim presented by the complaining party in relation to the fact that he was denied boarding on a company flight, as well as, to the request to exercise their right of access. - Email from the address ***EMAIL.2, dated 12/30/2021, in which indicates that the previous email will be forwarded to the competent team for query, but that, due to the holiday period, the answer may be delayed. - Email from the address ***EMAIL.3, dated 03/18/2022, whose content is as follows: “Dear Mr. A.A.A., Thanks for your reply. Please keep in mind that we are a different department and have not received any request related to the Data Protection Policy in your name. We are only responsible for the Data Protection Policy part and Our team does not handle claims. Please let us know if you would like to receive the information easyJet holds about you in a request for access to the subject's data, and we will be happy to help you. For any other question or claim you may have, contact the Privacy we cannot help you. Please note that if we do not receive a response within 17 days, your application will be automatically filed. (…)” - Email from the complaining party, dated 03/18/2022, sent to the email address ***EMAIL.3 and ***EMAIL.4, in which he answers “here you have the receipt of the request by your team (…)”. SECOND: In view of the reported events, on 04/21/2022 this Agency agreed to the website ***URL.1, being verified that the privacy policy indicates as contact address ***EMAIL.2. However, to “exercise any of its rights in relation to the data that easyJet holds about you” a specific form. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/19 In accordance with article 65.4 of Organic Law 3/2018, of December 5, of Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), on 06/03/2022, said claim was transferred to EASYJET, so that proceed to its analysis and inform this Agency within a period of one month, of the actions carried out to adapt to the requirements provided for in the regulations of Data Protection. The transfer, which was carried out in accordance with the rules established in Law 39/2015, of October 1, of the Common Administrative Procedure of Administrations Public (hereinafter, LPACAP), was collected on 06/06/2022 as stated in the acknowledgment of receipt that appears in the file. THIRD: On 06/21/2022, in accordance with article 65 of the LOPDGDD, The claim presented by the complaining party was admitted for processing. FOURTH: On 07/05/2022, this Agency received a written response in the which states the following: “[…] Second.- Notwithstanding the above and in relation to the content of your request, it has been meaning that on the Easyjet website there is a specific form so that Users can exercise the rights of the RGPD of access, information, rectification and deletion, as shown below. Likewise, the email address that is made available to the users for any issue related to GDPR rights is the following: ***EMAIL.2. (…). Third.- However, as can be deduced from the information provided by the complainant in its annex nº2 it seems that the emails requesting access were sent to a different email, specifically to ***EMAIL.3, as well as to customer service address: ***EMAIL.4. On the other hand, in the communications sent to my client they have confused claims related to the compensation required as a result of the alleged denial of boarding suffered by the claimant together with the demand for right of access to personal data, which is why it could have been altered the system for handling this type of requests. Fourth.- Having explained the above and regarding the questions raised to this part in your request, we will answer them correlatively: 1. (…) A request was received that was not clear and clarification was requested from the interested. 2. (…) The claimant was asked to adequately inform what his specific request and see what specific element in your case you wanted to rectify to proceed accordingly. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/19 […]” FIFTH: On 03/09/2023, the Director of the Spanish Agency for the Protection of Data agreed to initiate sanctioning proceedings against EASYJET, in accordance with the provided in articles 63 and 64 of the LPACAP, for the alleged violation of article 15 of the RGPD, typified in article 83.5.b) of the RGPD. This initiation agreement, which was notified in accordance with the rules established in the LPACAP through electronic notification, was collected by EASYJET on 03/16/2023. SIXTH: On 03/30/2023, EASYJET presented a written document, in a timely manner, before this Agency in which it stated the following: “[…] First.- That in this procedure an initial agreement has been issued by which It is agreed to set an initial penalty of €20,000 as a result of the facts and infringement contemplated therein. Second.- That following the provisions of the initiation agreement and in accordance with the provided in article 85 of LPACAP, this party shows its willingness to avail itself of the 40% reduction in the amount of the penalty, showing express recognition of compliance responsibility as well as the payment of the fine of voluntarily, waiving the filing of any action or resource administrative matter where applicable. […]” SEVENTH: On 05/05/2023, EASYJET presented a new document to this Agency in which he stated the following: “[…] Second.- Attention to the exercise of the Claimant's right of access As can be seen from the schedule included in the previous Allegation, the Company attended to the exercise of the Claimant's right of access on April 1, 2022, sending you all the information about you that it kept in its systems, as well as the information required by article 15 of the GDPR. For these purposes, a copy of the email through the which the corresponding response is sent to the Claimant, along with all the information that is made available to you (see Annex I). In accordance with the above, the Company is interested in highlighting that the request for exercise of the right of access sent by the Complainant to the Company, was attended to by the latter prior to receipt of the Information Request (15 June 2022) and, therefore, upon receipt of the Startup Agreement (March 17, 2023). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/19 Third.- Other considerations Likewise, the Company is interested in highlighting that: (i) Although the claim was initially filed by the interested party on the day December 28, 2021, this only included in its penultimate paragraph a mention of the exercise of your right of access in accordance with the RGPD. Yes ok It is true that the Society treated the Complainant's message initially as a mere claim for damages and not as an exercise of rights of data protection, the Complainant also did not mention the exercise of his right in the subsequent conversations he had with the Company's customer service team. In fact, he didn't do it again. reference to the exercise of your right of access until March 17, 2021, when he demanded payment of the compensation that had been awarded to him presumably recognized by AESA. (i) Throughout the management of the exercise of the Claimant's right of access, the Company, as can be seen from the emails exchanged between the Company and the Claimant, a copy of which is attached as Annex I, has received, from the Claimant, a multitude of warnings about the initiation of legal action, including a mention of the possibility of desist from them if he receives payment of the amounts claimed. In the opinion of the Society, these messages and the lack of cooperation by part of the Complainant when the data protection team of the Society contacted him to address his right, denote a little concern about this matter, and it can be concluded that his exclusive intention was the collection of the economic amounts claimed, nothing related to the protection of their fundamental right to Data Protection. (ii) Once the claimant's claim is received on March 17, 2021, The Company contacted him on two occasions (17 and 22 March 2021) to apologize for the delay in responding to your Exercise of the right of access. Along with apologies, the team Data Protection Company attempted to confirm with the Complainant his claim to exercise the right of access, clarify the scope of its request, ask if you wish to exercise any other rights, and notify you that your management was being processed, since, from the request initial exercise of the right of access included within the writing of damage claim, the extent of the damage was not clear with certainty. same. (iii) On April 1, 2021, only 9 business days after receiving the confirmation by the Claimant of his desire to exercise his right to access and receive all the data that the Company maintains in its systems, it attended to said right and transferred the requested information (see attached Annexes I and II). […]” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/19 Along with the writing, provide the following documentation: - Email sent by EASYJET from the email address ***EMAIL.3, dated 04/01/2022 at 10:22 a.m., to the complaining party (***EMAIL.5), with the subject “Data Request-A.A.A.”. Its content does allusion to the information relating to the exercise of the right of access of the party claimant. - Copy of data stored in EASYJET systems in relation to the complaining party. EIGHTH: A list of documents on file is attached as an annex. procedure. Of the actions carried out in this procedure and the documentation recorded in the file, the following have been accredited: PROVEN FACTS FIRST: On 12/28/2021, at 10:34 p.m., the complaining party sends an email email (***EMAIL.5) to the addresses ***EMAIL.1 and ***EMAIL.2, with the subject “Complaint Regulation (EC) nº261/2004-Request Right of Access”. His content refers to a claim presented by the complaining party in connection with the fact that he was denied boarding on a company flight, as well as, to the request to exercise your right of access. SECOND: On 12/30/2021, at 0:45 a.m., the complaining party receives an email email address ***EMAIL.2, informing you that it has been moved your request to the corresponding department, but that, due to the vacation period, the response may be delayed. THIRD: On 03/16/2022, at 0:13 a.m., the complaining party sends an email email to the addresses ***EMAIL.1 and ***EMAIL.2, with the subject “NOTICE FILING LEGAL ACTIONS/COMPLAINMENT TO THE PROTECTION AUTHORITY DATA/RESOLUTION AESA/ Re: Complaint Regulation (EC) No. 261/2004- Access right request.” In the text, the opinion is communicated to the claimed entity. estimate of the Spanish Aviation Safety Agency in relation to the expenses derived from the denial to board and, in addition, points out the following: “Likewise, and in the absence of a response within the estimated period to the request for exercise of the right of access contemplated in the General Protection Regulation of Data (EU), the filing of the corresponding complaint to the relevant data protection authorities. FOURTH: On 03/17/2022, at 09:45 a.m., EASYJET (***EMAIL.3) sends an email email to the complaining party with the following content: “Dear Mr. A.A.A., C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/19 We are writing to you from the easyJet privacy team regarding your incident, but specifically in regards to your request regarding the Protection of Data that you may have done with us. Unfortunately, this request never came to the attention of our team and therefore we would like you to will clarify your original request so that it can be resolved promptly. Please reply directly to this email address. We thank you for your patience and We apologize for this situation. We look forward to your prompt response to in order to be able to follow up on your request. Best regards, Protection team easyJeT Data Center.” On that same date, at 09:51 a.m., the complaining party responded as follows: "Dear I have the acknowledgment of receipt of the request issued by your team. In fact, one Once the grace period of one week that I have granted them has expired, I will report easyJet to the competent data protection authority.” On that same day, at 10:45 a.m., EASYJET responds to the complaining party: “Dear Mr. A.A.A., We are writing to you from the easyJet privacy team regarding your incident, but specifically in regards to your request regarding the Protection of Data that you may have done with us. Unfortunately, this request never came to the attention of our team and therefore we would like you to will clarify your original request so that it can be resolved promptly. Please reply directly to this email address. We thank you for your patience and We apologize for this situation. We look forward to your prompt response to in order to be able to follow up on your request. Best regards, Protection team from easyJet Data FIFTH: On 03/18/2022, at 11:50 a.m., the complaining party receives an email email from the address ***EMAIL.3 in which, in summary, you are informed: “Please, Please note that we are a different department and have not received any request related to the Data Protection Policy on your behalf. Only We are responsible for the Data Protection Policy part and our team does not manage claims. Please let us know if you would like to receive the information that easyJet has about you in a request for access to the subject's data, and We will be happy to help you. For any other issue or claim that you may have, the Privacy team cannot help you. Please keep in mind Please note that if we do not receive a response within 17 days, your request will be automatically archived. (…)” That same day, at 1:23 p.m., the complaining party sends an email to ***EMAIL.3 and ***EMAIL.4, in which he informs his intention to sue EASYJET before the corresponding judicial instance and before this Agency. SIXTH: On 03/21/2022, at 12:13 p.m., the complaining party sends an email email to the address ***EMAIL.3 and ***EMAIL.4, with the subject “URGENT///COMMUNICATION OF COMPLAINT AND FIRING OF ACTIONS JUDICIAL”. In the content it informs EASYJET of having presented a C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 8/19 claim against the entity before this Agency in relation to your request for access. SEVENTH: On 03/22/2022, at 08:46 hours, EASYJET (***EMAIL.3) responds to the complaining party: “Dear Mr. A.A.A., Thanks for your reply. First of all, we would like to apologize for the delay. that has occurred in ours and in case your initial complaint has not been interpreted correctly. However, we believe that you are confusing the two issues, your complaint and data protection request. From the Protection team Data, we are trying to complete your request, but we need clarification What specifically are you looking for? If you can help us by telling us what kind of information you are looking for, we will be happy to help you. We have been able find out that the Data Protection team has considered your email, of which you have sent us the acknowledgment of receipt, as a claim, and therefore has both reported it to the competent team at that time, which is that of Claims. Our team (Privacy Team) has not received clarification of your request related to data protection. Please note that our team is responsible for writing DSARs, which are requests for access to subjects' data, which we disclose when a client wants to have access to the information that easyJet has about him. Our team is also responsible for removals, restrictions and corrections of addresses of email in our clients' accounts. However, we do not We handle claims. We appeal to your understanding of what has been explained. above, and we will be happy to help you, if you have any request related to the GDPR. Do you want to receive a document with the information you easyJet has on you? Perform a deletion, restriction or correction of your account? If so, please let us know and we will comply. But, as we have already indicated, Please note that claims regarding denied boarding do not are related to the GDPR, and our team only aims to help you in your data request. Please reply directly to this email letting us know how we can help you. Thank you for your collaboration and comprehension. Best regards, Data Protection team” That same day, at 10:35 a.m., the complaining party responds to the entity claimed as follows: "Good morning. Question posed by the Easyjet data protection team, 03/22/2022 "Would you like to receive a document with the information that easyJet has about you? Perform a deletion, restriction or correction of your account? If so, please let us know know and we will fulfill it. But, as we have already indicated, keep in mind that the Claims relating to denied boarding are not related to the GDPR, and our team only aims to help you with your data request." Extract from my complaint EU Passenger Regulation/GDPR access request, 12/28/2022 "Finally, please serve this writing as a formal request for the purposes of the General Data Protection Regulation or data protection regulations C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/19 corresponding, for the exercise of my right of access to all data relating my person in the power of Easyjet." Enjoy what has been reported. Any dismissal for reasons of form will be appealed to the highest possible levels, posing a risk of a fine for EasyJet, with the corresponding negative impact that it will have on the media given the public interest in the matter, which in any case does not will compensate for the refusal to repay the amounts legitimately recognized by the aeronautical supervisory body. By the way, it seems that your colleagues on the claims team have not received the AESA opinion nor my warning of the filing of legal actions. Them I would appreciate it if you would send them the opinion, which I attach below. All the best, A.A.A. EIGHTH: On 04/01/2022, at 10:22 a.m., EASYJET responded to the right of access of the complaining party, by email sent from the address ***EMAIL.3 to the complaining party (***EMAIL.5) with a copy of the data in their can. That same day, at 12:20 p.m., the complaining party sends an email to the addresses ***EMAIL.6 and ***EMAIL.7, with the following content: “Dear B.B.B. Thank you very much for sending me the requested information. However, we will leave to the Spanish Data Protection Agency to decide on the appropriateness of the action of EasyJet regarding this exercise of the right of access. However, I would like to tell you that the information contained in the report is incorrect. It's not that I want to initiate the corresponding legal actions, I have already formalized and the judicial process is already underway. You will be summoned to testify by the competent court as soon as possible. You can call me at ***PHONE.1 to coordinate the payment of the amounts required and close this matter, or we will see each other in Court soon. If you want, You can pass this information on to your colleagues. All the best, A.A.A. FOUNDATIONS OF LAW Yo Competition and applicable regulations In accordance with the powers that article 58.2 of the RGPD grants to each authority of control and as established in articles 47, 48.1, 64.2 and 68.1 of LOPDGDD, it is competent to initiate and resolve this procedure the Director of the Agency Spanish Data Protection. Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 10/19 regulations dictated in its development and, insofar as they do not contradict them, with a subsidiary, by the general rules on administrative procedures." II Previous issues Article 4 “Definitions” of the GDPR defines the following terms for the purposes of Regulation: "1) 'personal data': any information about an identified natural person or identifiable ("the interested party"); Any person will be considered an identifiable natural person whose identity can be determined, directly or indirectly, in particular by an identifier, such as a name, an identification number, data location, an online identifier or one or more elements of identity physical, physiological, genetic, mental, economic, cultural or social of said person;” “2) “treatment”: any operation or set of operations performed on personal data or sets of personal data, whether by procedures automated or not, such as the collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, broadcast or any other form of enabling access, collation or interconnection, limitation, deletion or destruction;” “7) “responsible for the treatment” or “responsible”: the natural or legal person, public authority, service or other body that, alone or jointly with others, determines the purposes and means of processing; whether Union or Member State law determines the purposes and means of the treatment, the person responsible for the treatment or the Specific criteria for their appointment may be established by Union Law. or of the Member States;” In the present case, in accordance with the provisions of article 4.1 of the RGPD, there is the processing of personal data, since EASYJET carries out the collection and conservation of, among others, the following personal data: name and surnames EASYJET carries out this activity in its capacity as data controller, given which is the one who determines the ends and means of such activity, by virtue of article 4.7 of the GDPR. III Allegations alleged In relation to the allegations alleged to the agreement at the beginning of this sanctioning procedure, we proceed to respond to them. EASYJET claims to have responded to the complaining party on 04/01/2022 Sending you all the personal information that appears in their systems and the necessary information to address the right in question. It emphasizes that the access request was attended to before receiving the request for information and, subsequently, the initiation agreement. As proof, provide a copy of the email sent to the complaining party in the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 11/19 indicated date, as well as the information provided to it in response to the request of access. In this regard, this Agency wishes to point out that article 12.3 of the RGPD grants the responsible for the treatment one month from receiving the access request to give response to the right exercised, without prejudice to the fact that it may be extended for another two months if necessary, and the interested party must be informed of this. However, in the In this case, EASYJET did not properly attend to the right of access exercised by the complaining party until 04/01/2022, almost four months after there was submitted your application on 12/28/2021. Although it is true that on 12/30/2021 EASYJET responded to the email from the complaining party in which it exercised its right of access, it is no less true that the entity limited itself to giving him a generic response in which it confirmed receipt of the email and that it would be forwarded to the corresponding team for consultation. So that, As already indicated in the agreement to initiate this sanctioning procedure, It is evident that it was not possible for the complaining party to access their data nor was an adequate response provided until April. EASYJET alleges that it has received a multitude of warnings from the complaining party regarding the initiation of legal actions, including a mention of the possibility of withdrawing of the same if he received payment of the amounts claimed in relation to the denial to board a company flight. In this regard, this Agency wishes to point out that it is not competent to resolve issues that are not related to the matter of protection of personal data. IV Right of access Article 15 “Right of access of the interested party” of the GDPR establishes: "1. The interested party will have the right to obtain from the data controller confirmation of whether or not personal data that concerns you are being processed and, as such case, right of access to personal data and the following information: a) the purposes of the processing; a) the categories of personal data in question; b) the recipients or categories of recipients to whom they were communicated or personal data will be communicated, in particular recipients in third parties or international organizations; c) if possible, the expected period of conservation of the personal data or, if possible, If not possible, the criteria used to determine this period; d) the existence of the right to request rectification or deletion from the person responsible of personal data or the limitation of the processing of personal data relating to the interested party, or to oppose said treatment; C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 12/19 e) the right to file a claim with a supervisory authority; f) when the personal data have not been obtained from the interested party, any available information about its origin; g) the existence of automated decisions, including profiling, to referred to in article 22, paragraphs 1 and 4, and, at least in such cases, significant information about the logic applied, as well as the importance and foreseen consequences of said processing for the interested party. 2. When personal data is transferred to a third country or to an organization international, the interested party will have the right to be informed of the guarantees appropriate under Article 46 relating to transfer. 3. The person responsible for the treatment will provide a copy of the personal data subject to treatment. The person responsible may receive any other copy requested by the interested party a reasonable fee based on administrative costs. When the interested party submits the request by electronic means, and unless requested If otherwise provided, the information will be provided in an electronic format. Common use. 4. The right to obtain a copy mentioned in section 3 will not negatively affect to the rights and freedoms of others.” For its part, article 13 “Right of access” of the LOPDGDD provides that: "1. The right of access of the affected person will be exercised in accordance with the provisions of the article 15 of Regulation (EU) 2016/679. When the person responsible processes a large amount of data related to the affected person and this exercise your right of access without specifying whether it refers to all or part of the data, the person responsible may request, before providing the information, that the affected person specify the data or processing activities to which the request refers. 2. The right of access will be understood to be granted if the person responsible for the treatment will provide the affected person with a remote, direct and secure access system to the data personal data that guarantees, permanently, access to its entirety. To such effects, the communication by the person responsible to the affected party of the way in which the latter may accessing said system will be enough to have the request to exercise the right. However, the interested party may request from the person responsible the information regarding the extremes provided for in article 15.1 of Regulation (EU) 2016/679 that are not included in the remote access system. 3. For the purposes established in article 12.5 of Regulation (EU) 2016/679, The exercise of the right of access on more than one occasion may be considered repetitive. during the period of six months, unless there is legitimate cause for it. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 13/19 4. When the affected person chooses a means other than the one offered that entails a cost disproportionate, the request will be considered excessive, so said affected person will assume the excess costs that its choice entails. In this case, it will only be the person responsible for the treatment is required to satisfy the right of access without undue delays.” In the present case, it is clear that the complaining party requested EASYJET access to your personal data, on 12/28/2021, via email sent to the addresses ***EMAIL.2 and ***EMAIL.5. Not only did it indicate in the subject of the email “Complaint Regulation (EC) No. 261/2004-Request Right of Access” (the emphasis is from the Agency), but also, at the end of the content, it says textually “that this writing serves as a formal request for the purposes of the General Data Protection Regulation or data protection regulations corresponding, for the exercise of my right of access to all data relating to my person in the hands of Easyjet.” In this sense, the electronic address to which directed by the complaining party is one of the means that EASYJET makes available to those affected to exercise their GDPR rights, along with a form request specific. This is stated in the privacy policy of their website. (***URL.2). For its part, EASYJET limited itself to sending you a generic response on 12/30/2021 in the confirming receipt of your email and that it would be forwarded to the team corresponding for your consultation. However, after the complaining party communicate its intention to the claimed entity to file a claim with this Agency in the absence of a response to your access request, on 03/17/2022, one day Later, EASYJET responded indicating that it had not received the access request and asking him to clarify his original request. It was not until 04/01/2022 when EASYJET gave the complaining party access to the requested information. In accordance with the evidence available at this time proposed resolution of sanctioning procedure, it is considered that the facts known could constitute an infringement, attributable to EASYJET, for violation of article 15 of the RGPD. V Classification of the violation of article 15 of the GDPR If confirmed, the aforementioned violation of article 15 of the RGPD could mean the commission of the infraction classified in article 83.5.b) of the RGPD that under the rubric “General conditions for the imposition of administrative fines” provides: “Infringements of the following provisions will be sanctioned, in accordance with the paragraph 2, with administrative fines of a maximum of EUR 20 000 000 or, In the case of a company, an amount equivalent to a maximum of 4% of the global total annual business volume of the previous financial year, opting for the largest amount: to) (…) a) the rights of the interested parties under articles 12 to 22; (…)” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 14/19 For the purposes of the limitation period, article 72.1 “Infringements considered very serious” of the LOPDGDD indicates the following: "1. Based on what is established in article 83.5 of Regulation (EU) 2016/679, considered very serious and will prescribe after three years the infractions that involve a substantial violation of the articles mentioned therein and, in particular, the following: (…) k) The impediment or obstruction or repeated failure to attend to the exercise of the rights established in articles 15 to 22 of the Regulation (EU) 2016/679; (…)” SAW Penalty for violation of article 15 of the GDPR The corrective powers available to the Spanish Agency for the Protection of Data, as a supervisory authority, is established in article 58.2 of the GDPR. Between They have the power to impose an administrative fine in accordance with the article 83 of the RGPD -article 58.2 i)-, or the power to order the person responsible or processor that the processing operations comply with the provisions of the GDPR, where applicable, in a certain manner and within a specified period -article 58.2 d)-. According to the provisions of article 83.2 of the GDPR, the measure provided for in article 58.2 d) of the aforementioned Regulation is compatible with the sanction consisting of a fine administrative. In the present case, taking into account the facts presented and without prejudice to what results from the instruction of the procedure, it is considered that the sanction that It would be appropriate to impose an administrative fine. The fine imposed must be, in each individual case, effective, proportionate and dissuasive, in accordance with the article 83.1 of the GDPR. In order to determine the administrative fine to be imposed, to observe the provisions of article 83.2 of the RGPD, which indicates: "2. Administrative fines will be imposed, depending on the circumstances of each individual case, as an additional or substitute for the measures contemplated in the Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine administrative and its amount in each individual case will be duly taken into account: a) the nature, severity and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question, as well as such as the number of interested parties affected and the level of damages that have suffered; b) intentionality or negligence in the infringement; C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 15/19 c) any measure taken by the person responsible or in charge of the treatment to alleviate the damages and losses suffered by the interested parties; d) the degree of responsibility of the person responsible or in charge of the treatment, taking into account the technical or organizational measures that have been applied under of articles 25 and 32; e) any previous infringement committed by the controller or processor; f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement; g) the categories of personal data affected by the infringement; h) the way in which the supervisory authority became aware of the infringement, in particular whether the controller or processor notified the infringement and, if so, in what extent; i) when the measures indicated in Article 58, paragraph 2, have been ordered previously against the person responsible or the person in charge in question in relation to the same matter, compliance with said measures; j) adherence to codes of conduct under Article 40 or to mechanisms of certification approved in accordance with article 42, k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, direct or indirectly, through infringement.” For its part, in relation to letter k) of article 83.2 of the RGPD, the LOPDGDD, in its article 76, “Sanctions and corrective measures”, provides: "1. The sanctions provided for in sections 4, 5 and 6 of article 83 of the Regulation (EU) 2016/679 will be applied taking into account the graduation criteria established in section 2 of the aforementioned article. 2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679 may also be taken into account: a) The continuous nature of the infringement. b) The linking of the offender's activity with the performance of medical treatments. personal information. c) The benefits obtained as a consequence of the commission of the infraction. d) The possibility that the conduct of the affected person could have included the commission of the infringement. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 16/19 e) The existence of a merger by absorption process subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity f) The impact on the rights of minors g) Have, when not mandatory, a data protection delegate. h) The submission by the person responsible or in charge, on a voluntary basis, to alternative conflict resolution mechanisms, in those cases in which "There are disputes between those and any interested party." These are aggravating circumstances: - The duration of the infringement (article 83.2.a) of the RGPD): However, and all once this aggravating circumstance was taken into account in the initial agreement of this sanctioning procedure due to EASYJET not having responded to the right of access, it is considered that the severity of the same is diminished when the attention of the right exercised by the complaining party is proven, if Well this took place almost four months after the deadline established in the regulations in force. - The linking of the offender's activity with the performance of treatment personal data (article 76.2.b) of the LOPDGDD): EASYJET is an entity that processes personal data systematically and continuously and that it must take extreme care in fulfilling its obligations in data protection matters. The balance of the circumstances contemplated allows us to establish as an initial assessment a fine of €10,000 (ten thousand euros) for violating article 15 of the RGPD. In view of the above, the following is issued: MOTION FOR RESOLUTION That by the Director of the Spanish Data Protection Agency EASYJET AIRLINE COMPANY LIMITED, with NIF N0066592G, for a violation of article 15 of the RGPD, typified in article 83.5 of the RGPD, with a fine of €10,000 (ten thousand euros). Likewise, in accordance with the provisions of article 85.2 of the LPACAP, you will be informs that it may, at any time prior to the resolution of this procedure, carry out the voluntary payment of the proposed sanction, which It will mean a 20% reduction in the amount. With the application of this reduction, the penalty would be established at €8,000 (eight thousand euros) and its payment will imply the termination of the procedure. The effectiveness of this reduction will be conditioned upon the withdrawal or waiver of any action or appeal pending. administrative against the sanction. In the event that you choose to proceed with the voluntary payment of the specified amount above, in accordance with the provisions of article 85.2 cited, you must do so C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 17/19 effective by depositing it into the restricted account IBAN number: ES00 0000 0000 0000 0000 0000 (BIC/SWIFT Code: XXXXXXXXXXXX) opened in the name of the Agency Spanish Data Protection in the banking entity CAIXABANK, S.A., indicating in the concept the reference number of the procedure that appears in the heading of this document and the cause, for voluntary payment, of reduction of the amount of the penalty. Likewise, you must send proof of entry to the General Subdirectorate of Inspection to proceed to close the file. In its virtue You are notified of the above, and the procedure is made clear to you so that Within a period of TEN DAYS you can allege whatever you consider in your defense and present the documents and information that it considers relevant, in accordance with the article 89.2 of the LPACAP. In its virtue, you are notified of the above, and the procedure is made clear to you. so that within a period of TEN DAYS you can allege whatever you consider in your defense and present the documents and information that you consider pertinent, in accordance with article 89.2 of the LPACAP. 926-170223 C.C.C. INSPECTOR/INSTRUCTOR C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 18/19 EXHIBIT File index EXP202204836 03/21/2022 Claim from A.A.A. 03/06/2022 Transfer of claim to EASYJET AIRLINE SPAIN, S.E.E. 06/21/2022 Communication to A.A.A. 07/05/2022 Response to request from EASYJET AIRLINE CO LTD 03/10/2023 A. opening to AINHOA BILBAO RANDEZ 03/16/2023 Info. Claimant to A.A.A. 03/30/2023 Written by EASYJET AIRLINE CO LTD 05/05/2023 Written by EASYJET AIRLINE CO LTD >> SECOND: On November 14, 2023, the claimed party has proceeded to payment of the penalty in the amount of 8,000 euros making use of the planned reduction in the proposed resolution transcribed above. THIRD: The payment made entails the waiver of any action or resource pending. administrative against the sanction, in relation to the facts referred to in the resolution proposal. FOUNDATIONS OF LAW Yo Competence In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), grants each control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the Organic Law 3/2018, of December 5, on Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve this procedure the Director of the Spanish Protection Agency of data. Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations dictated in its development and, insofar as they do not contradict them, with a subsidiary, by the general rules on administrative procedures." II Termination of the procedure Article 85 of Law 39/2015, of October 1, on Administrative Procedure Common Public Administrations (hereinafter LPACAP), under the heading “Termination in sanctioning procedures” provides the following: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 19/19 "1. A sanctioning procedure has been initiated, if the offender recognizes his responsibility, The procedure may be resolved with the imposition of the appropriate sanction. 2. When the sanction is solely pecuniary in nature or a penalty can be imposed pecuniary sanction and another of a non-pecuniary nature but the inadmissibility of the second, the voluntary payment by the alleged responsible, in Any time prior to the resolution, will imply the termination of the procedure, except in relation to the restoration of the altered situation or the determination of the compensation for damages caused by the commission of the infringement. 3. In both cases, when the sanction has only a pecuniary nature, the body competent to resolve the procedure will apply reductions of, at least, 20% of the amount of the proposed penalty, these being cumulative with each other. The aforementioned reductions must be determined in the initiation notification. of the procedure and its effectiveness will be conditioned on the withdrawal or resignation of any administrative action or appeal against the sanction. The reduction percentage provided for in this section may be increased “regularly.” According to what was stated, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: DECLARE the termination of procedure EXP202204836, of in accordance with the provisions of article 85 of the LPACAP. SECOND: NOTIFY this resolution to EASYJET AIRLINE COMPANY LIMITED. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure as prescribed by the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations, interested parties may file an appeal administrative litigation before the Administrative Litigation Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the referred Law. 968-171022 Sea Spain Martí Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es