AEPD (Spain) - EXP202315744
AEPD - EXP202315744 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 17 GDPR |
Type: | Complaint |
Outcome: | Rejected |
Started: | 10.05.2019 |
Decided: | 21.03.2024 |
Published: | 21.03.2024 |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | EXP202315744 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Mgrd |
The AEPD dismissed an appeal considering that the data controller had made every necessary effort to delete images of the data subject from its social media as requested, but faced issues due to an unrecoverable account, awaiting Meta's response.
English Summary
Facts
On May 10th 2019, the data subject consented to the processing of his personal data, allowing images of him captured in activities and interviews to be published on GABINETE DE NEUROCIENCIAS S.L.'s social networks and websites to disseminate the sporting activities.
On February 7th 2023, the data subject exercised his right to object and withdrew his consent for the use of his personal images, claiming that on March 30th 2023 his images still appeared on the company's social media.
The data controller, GABINETE DE NEUROCIENCIAS S.L., argued that they attempted to address the request appropriately and that technical and communication issues with META (the company behind the social networks used) prevented the timely deletion of the image. Despite their efforts, including multiple attempts to contact and requests for assistance from META, the corporate account in question could not be recovered or modified in time.
In its first decision, the AEPD dismissed the complaint because the data controller had responded to the data subject's request within the applicable deadlines stipulated by the GDPR, and because completing the request depended on META's response.
The data subject filed an appeal. On that occasion, the data controller reiterated its documented attempts and efforts to delete the images and communicate with META, but still faced issues in fully complying with the erasure request.
Holding
AEPD considered that the data controller has deleted part of the requested data, but not all of it. According to the data controller, they have put forth considerable effort to comply with the erasure request, as evidenced by the partial deletion achieved.
Therefore, the resolution considered the extent to which the complaint could be upheld, given that the erasure is not complete due to reasons beyond the control of the data controller.
The AEPD decided to dismiss the data subject's appeal, given that the data controller had responded to the erasure request and was unable to fully address it due to technical problems with the META account.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: EXP202315744
RESOLUTION OF RIGHTS PROCEDURE
The procedural actions provided for in Title VIII of Organic Law 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), have been carried out, and the following have been verified
FACTS
FIRST: A.A.A. (hereinafter, the complaining party) exercised the right of deletion before GABINETE DE NEUROCIENCIAS, S.L. (hereinafter, the claimed party) without the request having received the legally established response. The complaining party states that on May 10, 2019, he authorized the processing of his personal data by ADVANCED ORAL HEALTH UNIT, S.L.P., and GABINETE DE NEUROCIENCIAS S.L., for the use of his image captured in activities and/or interviews related to the activity of the B.B.B. TEAM, and may be published on the company's social networks, corporate website and publications, with the purpose of disseminating these activities. On February 7, 2023, he requested the deletion of the consent granted to the use of his personal image, stating that as of March 30, 2023, his images continue to appear with the claimed parties, GABINETE DE NEUROCIENCIAS, S.L. and ADVANCED ORAL HEALTH UNIT, S.L.P.
SECOND: Once the claim presented by this Agency has been analyzed, it concludes: GABINETE DE NEUROCIENCIAS S.L. has reported: "(...) The entity wants to show that at no time has it intended not to consciously attend to the request for deletion of the consent of the claimant. That since the facts became known, all efforts have been made means to respond to it and give satisfaction to the exercise of your right, as well how to give him complete explanations about what happened, eliminating the image from the account that we can manage. 
That the entity establishes the technical and organizational measures necessary for the response to the Exercise of the rights of the interested parties in accordance with their Procedure of Claims and Exercises of GDPR rights, regretting that sometimes problems arise beyond the control of the entity. That all necessary actions have been taken to prevent this from happening. again. That it became impossible to recover one of the corporate accounts, and the technical support of the social network did not respond, and this is shown in the document where Screenshots of the requests made to the support team are inserted. META companies, asking them to recover said account. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/6 All personnel of the entity involved in this type of requests remain Strict internally established management procedures. The facts that have motivated the claim that has been transferred to us mean the only incident that is recorded due to not having been managed in a timely manner request for withdrawal of consent for reasons beyond our control. At all times it has been carried out in accordance with what was established internally and always complying with the established legal and application deadlines. Although it has exercised its right of deletion by the entity, we are waiting for the entity in charge of activating our account again, give us a response in a reasonable time. We want to record that the attempt to recover said account has been carried out on several occasions, prior to the exercise of the claimant's right, without having any success (…) Once the reasons presented by the claimed party have been analyzed, which appear in the file, this Agency considers that the person responsible has attended to the claim presented. 
For this reason, in accordance with the provisions of article 65 of the LOPDGDD, the Director of the Spanish Data Protection Agency AGREES reject the claim for processing…” THIRD: The complaining party disagrees with the inadmissibility, files an appeal of replacement that is resolved in an estimatory manner and gives rise to the current claim: Namely: “…Consequently, when an interested party exercises the right to delete the personal data that concerns you before an entity responsible for processing, this will be obliged to delete personal data without undue delay when the data are not necessary to fulfill the purposes for which they were collected. By On the contrary, if the data continue to be necessary in relation to the purposes for which that were collected, their deletion would not proceed, the response being obligatory in the to be denied on a reasoned basis. In the present case, it has been proven that the claimed party responded to the request for deletion made by the appellant, but it has not been possible to delete all images requested and included in the corporate account, reason for which help has been requested from the META technical service. From the above it is deduced that the incident has not been resolved and, Consequently, the appellant's claim has not been satisfied. 
Therefore, in the present case, along with the appeal for reconsideration, new relevant documentation for the purposes of what was proposed, and the estimate of the appeal filed…”
FOURTH: On November 7, 2023, the claimed part was transferred of the claim, of the appeal for reconsideration and of the resolution estimating the appeal and a hearing process was opened, so that within a period of ten business days present the allegations that it deems appropriate, formulating, in summary, the following allegations: The complained party continues to claim that it has deleted the corresponding images to YouTube, but that, despite having tried, proves it documentary, continues to have problems deleting the complainant's image on the account that depends on META. However, he says he will continue trying.
The claimed party sends a list of its actions to delete the data from the claimant. “…GABINETE DE NEUROCIENCIAS during the last few months, has taken the following measures against the META company, specifically, the following:
- From 12/7/2022 to 02/28/2023, different claims have been submitted electronically to the META company, with the objective of eliminating a corporate account that was inactive (TEAM B.B.B.)
- These profiles have been reported from other accounts, without obtaining result.
- As of May 2023, the entity has continued to present different claims to META companies, without receiving a response. (Document 4 is provided with the actions carried out)
- On September 27, 2023, a certified letter is sent to the department of Meta Data Protection, located in Ireland exercising the right of deletion, without obtaining a response. (Document 5)
- On October 16, 2023, a new certified shipment is made to META Ireland, without obtaining, again, any response. 
(Document 6)
- Finally, and as a consequence of the last request received by this Agency, it is has once again sent a certified letter to Ireland, Department of Privacy of META, exercising a second time the right to delete the account. (Document 7)
Likewise, a claim before this Agency against META for failure to pay attention to the exercise of rights deletion requested on September 27, 2023. (Document 8) It should be noted that prior to deleting the account, we have tried by all means, and as we have provided in the evidence of the different writings filed with this Agency, rectify the data and access the account to exercise the right of deletion of the claimant…”
FIFTH: Once the document presented by the claimed party has been examined, it is transferred to the complaining party, so that, within a period of ten business days, it formulates the allegations that you consider appropriate. The complaining party has not presented allegations.
FOUNDATIONS OF LAW
I Competence
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), grants each control authority and as established in articles 47, 48.1 and 64.1 of the Law Organic 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve this procedure the Director of the Spanish Data Protection Agency. Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations dictated in its development and, insofar as they do not contradict them, with a subsidiary, by the general rules on administrative procedures." 
II Previous issues
In accordance with the provisions of article 55 of the RGPD, the Spanish Agency for Data Protection is competent to perform the functions assigned to it in its article 57, among them, to enforce the Regulation and promote the awareness of those responsible and those in charge of processing about the obligations incumbent on them, as well as dealing with claims presented by a interested and investigate, to the appropriate extent, the reason for the same. Correlatively, article 31 of the RGPD establishes the obligation of those responsible and those in charge of processing to cooperate with the supervisory authority that requests it in the performance of their functions. In the event that they have designated a data protection officer, article 39 of the RGPD attributes to him the function of cooperate with said authority. Article 58.2 of the RGPD confers on the Spanish Data Protection Agency a series of corrective powers for the purposes of correcting any breach of the GDPR, among which includes “ordering the person responsible or in charge of the treatment to respond to requests to exercise the rights of the interested party under the this Regulation”.
III Rights of people regarding the protection of personal data
The rights of people regarding the protection of personal data are regulated in articles 15 to 22 of the RGPD and 13 to 18 of the LOPDGDD. They contemplate the rights of access, rectification, deletion, opposition, right to limitation of treatment and right to portability. The formal aspects related to the exercise of these rights are established in the articles 12 of the RGPD and 12 of the LOPDGDD. Furthermore, what is expressed in Considering 59 and following of the GDPR. In accordance with the provisions of these regulations, the person responsible for the treatment must arbitrate formulas and mechanisms to facilitate the interested party in the exercise of their rights. 
rights, which will be free (without prejudice to the provisions of articles 12.5 and 15.3 of the RGPD), and is obliged to respond to requests made no later than a month, unless you can demonstrate that you are not in a position to identify the interested, and to express his reasons in case he was not going to attend said application. It falls on the person responsible to prove compliance with the duty of respond to the request to exercise their rights made by the affected party. The communication addressed to the interested party on the occasion of their request must be expressed in a concise, transparent, intelligible and easily accessible manner, with a clear and simple language.
IV Right to erasure
Article 17 of the GDPR, which regulates the right to deletion of personal data, establishes the following:
"1. The interested party will have the right to obtain without undue delay from the person responsible for the processing the deletion of personal data that concerns you, which will be obliged to delete personal data without undue delay when any of the following circumstances:
a) the personal data are no longer necessary in relation to the purposes for which they were were collected or otherwise treated;
b) the interested party withdraws the consent on which the treatment is based in accordance with Article 6(1)(a) or Article 9(2)(a) and this is not based on another legal basis;
c) the data subject objects to the processing in accordance with Article 21(1) and does not other legitimate reasons for the processing prevail, or the interested party opposes the treatment pursuant to Article 21(2);
d) the personal data have been processed unlawfully;
e) personal data must be deleted for compliance with a legal obligation established in the law of the Union or of the Member States that applies to the responsible for the treatment;
f) the personal data have been obtained in relation to the offer of services 
of the information society mentioned in Article 8, paragraph 1.
2. When you have made personal data public and are obliged, by virtue of the provided in section 1, to delete said data, the data controller, taking into account the available technology and the cost of its application, it will adopt reasonable measures, including technical measures, with a view to informing responsible parties who are processing the personal data of the interested party's request for deletion of any link to that personal data, or any copy or replication of the same.
3. Sections 1 and 2 will not apply when treatment is necessary:
a) to exercise the right to freedom of expression and information;
b) for compliance with a legal obligation that requires data processing imposed by Union or Member State law applicable to the responsible for the treatment, or for the fulfillment of a mission carried out in the interest public or in the exercise of public powers conferred on the person responsible;
c) for reasons of public interest in the field of public health in accordance with Article 9, paragraph 2, letters h) and i), and paragraph 3;
d) for archival purposes in the public interest, scientific or historical research purposes or statistical purposes, in accordance with Article 89(1), to the extent that the right indicated in paragraph 1 could make it impossible or hinder seriously the achievement of the objectives of said treatment, or
e) for the formulation, exercise or defense of claims".
V Conclusion
During the processing of this procedure, the claimed entity has deleted part of what was requested, but not all of it. According to the claimed party, it is putting all its effort into addressing the right, thus he credits it and has already done so in part. 
Therefore, we must calibrate to what extent we can estimate this claim taking into account that the deletion is not complete for reasons beyond the control of the person claimed and exposed in the facts. Lastly, this Agency reserves the right to conduct an investigation, if it considers it appropriate and aside from this resolution, regarding the null response of META, in which case it would inform the parties at the time.
Considering the aforementioned precepts and others of general application, the Director of the Spanish Data Protection Agency RESOLVES:
FIRST: DISMISS the claim made by A.A.A. against GABINETE DE NEUROCIENCIAS, S.L.
SECOND: NOTIFY this resolution to A.A.A. and to GABINETE DE NEUROCIENCIAS, S.L.
In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within a period of one month to count from the day following the notification of this resolution or directly contentious-administrative appeal before the Contentious-administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the referred Law.
1381-090823
Mar España Martí
Director of the Spanish Data Protection Agency