AEPD (Spain) - TD/00318/2019
AEPD - TD/00318/2019 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 12 GDPR; Article 15 GDPR; LOPDGDD Article 13; LOPDGDD Article 64(1) |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | n/a |
Published: | 7. 2. 2020 |
Fine: | n/a |
Parties: | Anonymous Vs. Directorate General of the Police |
National Case Number/Name: | TD/00318/2019 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | n/a |
The AEPD found that the Directorate General of the Police failed to comply with their duties under GDPR by requiring a legitimate interest for granting an access request, and by not responding to an access request, thus denying the data subject its rights. The AEPD did not comment on the merit of the request itself.
English Summary
Facts
The data subject requested access to photographs and fingerprints. A total of seven requests were sent; none of the responses included the information requested, so each was incomplete. The last request was not answered. The Directorate General of the Police did not reply when the AEPD sent the claim to them. As such, the complaint was decided on the basis of the claim and documentation provided by the complainant.
Holding
The AEPD instructed the Directorate General of the Police to respond to the access request within ten days following the notification of the decision. The AEPD noted that a failure to comply within ten days would be considered a violation pursuant to Article 72(1)(m) of the LOPDGDD, which would be sanctioned according to Article 58(2) GDPR.
English Machine Translation of the Decision
The decision below is a machine translation of the **Spanish** original. Please refer to the **Spanish** original for more details.
File Nº: TD/00318/2019
1037-100919
RESOLUTION Nº: R/00062/2020
Having regard to the claim made on June 9, 2019 before this Agency by D. AAA, against DIRECTORATE GENERAL OF THE POLICE, for not having been duly attended to your right of access.
Performed the procedural actions provided for in Title VIII of the Law Organic 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), the following have been found
ACTS
FIRST: D. AAA (hereinafter, the complaining party) exercised the right of access in front of the POLICE GENERAL DIRECTORATE with NIF S2816015H (hereinafter, the claimed one), without your request having received the answer legally established.
The complaining party provides various documentation related to the claim raised before this Agency and on the exercise of the right exercised and notes that, the subject of the complaint is due to incomplete responses to repeated requests of access to personal data addressed to the claimed:
The complaining party requests access to photographs and fingerprints of their person stored, as directed by the Local Police Brigade Scientist at the *** LOCALITY Police Station.1, in the file PERPOL / PEOPLE, and referred to a police action. In each of the seven access requests submitted it has gone offering more information, but none of them has been granted access to these photographs and fingerprints.
The last of the seven requests has not been answered, and the previous one was denied, in the absence of crediting a legitimate interest for that purpose, for having exercised the right in the previous twelve months.
The complaining party emphasizes photographs and fingerprints or reviews. other type, without obtaining the mentioned information in any of the answers.
SECOND: In accordance with the functions provided for in Regulation (EU) 2016/679, of April 27, 2016, General of Data Protection (GDPR), particularly those that respond to the principles of transparency and accountability proactive by the person responsible for the treatment, you have been required to inform this Agency of the actions that have been carried out to address the claim raised. Without receiving an answer:
On July 24, 2019, this Agency through the Service Support of Electronic Notifications and Enabled Address (Notified @ platform), made available to the complainant the claim presented by the party claimant, so that they proceed to their analysis and respond to the claiming party This Agency is already available within one month, as well as the relevant documentation vacancy related to the procedures carried out to facilitate the right exercised or motivated denial.
And on August 4, 2019 the Notify @ system proceeds to rejection Automatic notification for ten calendar days after the provision of the notification without accessing its content.
Since the aforementioned notification was not accessed, exceptionally, it was sent by mail, which was received on 09/10/2019, without have received written in this Agency allegations.
THIRD: On October 16, 2019, in accordance with article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights and for the purposes set forth in article 64.2, the Director of the Spanish Agency for Data Protection agreed to admit the claim submitted by the complaining party against the claimed and agreed to give transfer of the claim, so that within fifteen business days submit the allegations it deems appropriate and the parties are informed that the maximum for Solve the procedure will be six months, without receiving an answer:
On November 12, 2019, this Agency through the Support of the Electronic Notification Service and Enabled Address (platform Notified), proceeded to transfer the facts object of the claim, so that Within fifteen business days, submit the allegations you consider convenient.
And on November 23, 2019 the Notify @ system proceeds to rejection Automatic notification for ten calendar days after the provision of the notification without accessing its content.
Since the aforementioned notification was not accessed, it was sent by postal mail, which was received on December 4, 2019, without having received in This Agency written allegations.
RIGHTS OF LAW
FIRST: It is competent to resolve the Director of the Spanish Agency of Data Protection, in accordance with the provisions of section 2 of article 56 in relation to Article 57 (1) f), both of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and free circulation of this data (hereinafter GDPR); and in article 47 of the Law Organic 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD).
SECOND: Article 64.1 of the LOPDGDD provides the following:
"1.
When the procedure refers exclusively to the lack of attention of a request to exercise the rights established in articles 15 to 22 of the Regulation (EU) 2016/679, will be initiated by an admission agreement for processing, which will be shall adopt in accordance with the provisions of the following article.
In this case, the period to resolve the procedure will be six months to count. from the date the claimant agreement had been notified admission to process. After this period, the interested party may consider Dear your claim."
THIRD: Article 12 of Regulation (EU) 2016/679 of April 27, 2016, General Data Protection (GDPR), provides that:
"1. The person responsible for the treatment will take appropriate measures to facilitate to the interested party all information indicated in articles 13 and 14, as well as any communication under articles 15 to 22 and 34 regarding treatment, in the form concise, transparent, intelligible and easily accessible, with clear and simple language, in particular any information specifically directed to a child. Information will be provided in writing or by other means, including, if appropriate, by means electronic When requested by the interested party, the information may be provided verbally whenever the identity of the interested party is demonstrated by other means.
2. The person responsible for the processing will facilitate the interested party the exercise of their rights under articles 15 to 22. In the cases referred to in article 11, section 2, the person in charge will not refuse to act at the request of the interested party for the purpose to exercise your rights under articles 15 to 22, unless you can prove that is not in a position to identify the interested party.
3. The data controller will provide the interested party with information regarding their actions based on an application under articles 15 to 22, and, in any case, within one month of receiving the request.
Saying term may be extended another two months if necessary, taking into account the complexity and the number of requests. The person responsible will inform the interested party of any of said extensions within one month of receipt of the request, indicating the reasons for the delay. When the interested party presents the request by electronic means, the information will be provided electronically when possible, unless the interested party requests that it be provided otherwise.
4. If the person responsible for the treatment does not process the request of the interested party, will inform without delay, and at the latest one month after receiving the request, the reasons for its non-performance and the possibility of presenting a claim before a supervisory authority and to bring legal actions.
5. The information provided under articles 13 and 14 as well as all communication and any action carried out under articles 15 to 22 and 34 They will be free of charge. When the requests are manifestly unfounded or excessive, especially due to its repetitive nature, the person in charge of Treatment may:
a) charge a reasonable fee based on the administrative costs incurred to facilitate the information or communication or perform the requested action, or
b) refuse to act on the request.
The person responsible for the treatment will bear the burden of demonstrating the character manifestly unfounded or excessive request.
6. Without prejudice to the provisions of article 11, when the person responsible for treatment have reasonable doubts regarding the identity of the natural person When the application referred to in articles 15 to 21 is submitted, you may request that provide the additional information necessary to confirm the identity of the interested party.
7.
Information to be provided to interested parties under the articles 13 and 14 may be transmitted in combination with standardized icons that allow provide an easily visible, intelligible and clearly readable form an adequate overview of the planned treatment. The icons presented in format electronic will be readable mechanically.
8. The Commission shall be empowered to adopt delegated acts in accordance with Article 92 in order to specify the information to be submitted through icons and procedures to provide standardized icons."
FOURTH: Article 15 of the GDPR provides that:
"1. The interested party will have the right to obtain from the controller confirmation of whether or not personal data concerning you is being processed and, in such case, right of access to personal data and the following information:
a) the purposes of the treatment;
b) the categories of personal data in question;
c) recipients or categories of recipients to whom they communicated or personal data will be communicated, in particular recipients in third parties or international organizations;
d) if possible, the expected term of conservation of personal data or, of if not possible, the criteria used to determine this term;
e) the existence of the right to request rectification or deletion from the responsible party of personal data or the limitation of the processing of personal data related to interested, or oppose such treatment;
f) the right to file a claim with a supervisory authority;
g) when personal data has not been obtained from the interested party, any information available on its origin;
h) the existence of automated decisions, including profiling, to referred to in article 22, paragraphs 1 and 4, and, at least in such cases, information significant on the logic applied, as well as the importance and consequences provided for said treatment for the interested party.
2.
When personal data is transferred to a third country or to an organization international, the interested party will have the right to be informed of the guarantees appropriate under article 46 regarding the transfer.
3. The controller will provide a copy of the personal data object of treatment The person in charge may receive for any other requested copy for the interested party a reasonable fee based on administrative costs. When he interested submit the application electronically, and unless it requests otherwise provided, the information will be provided in an electronic format of Common use.
4. The right to obtain a copy mentioned in section 3 shall not affect negatively to the rights and freedoms of others."
FIFTH: Article 13 of the LOPDGDD determines the following:
"1. The access right of the affected party will be exercised in accordance with the provisions in Article 15 of Regulation (EU) 2016/679. When the person responsible processes a large amount of data related to the affected party and this exercises your right of access without specifying whether it refers to all or a party of the data, the person in charge may request, before providing the information, that the affected specify the data or treatment activities to which the request.
2. The right of access shall be deemed granted if the person responsible for the treatment provide the affected with a remote, direct and secure data access system personnel that permanently guarantee access to its entirety. To such effects, the communication by the person responsible to the affected one of the way in which this may access to this system will be enough to consider the request to exercise the right. However, the interested party may request information from the person responsible for the extremes provided for in Article 15.1 of Regulation (EU) 2016/679 that are not included in the remote access system.
3.
For the purposes set out in Article 12.5 of Regulation (EU) 2016/679, may consider the exercise of the right of access repetitive on more than one occasion for a period of six months, unless there is legitimate cause for it.
4. When the affected person chooses a different means than the one offered to him that supposes a disproportionate cost, the request will be considered excessive, so that Affected will assume the excess costs that your choice involves. In this case, just the satisfaction of the right of access without the undue delay."
SIXTH: Before entering the merits of the issues raised, it should be noted that the present procedure is instructed as a result of the denial of any of the rights regulated by the data protection regulations (access, rectification, deletion, limitation, portability and opposition) and is intended to be adopt the corresponding measures so that the guarantees and rights of the affected party are properly restored. Therefore, in the present case, they will only be analyzed and assessed those issues raised by the complaining party that remain included within the object of the aforementioned claims procedure regarding Data Protection.
In addition, the right of access, in particular, offers the possibility of obtaining a copy of the personal data that concerns you and that are being subject to treatment, as well as information, in particular, about the purposes of the treatment, data categories, recipients, the expected period of conservation, the possibility to exercise other rights, the information available on the origin of the data (if these have not been obtained directly from the complaining party) or the existence of automated decisions, including profiling.
That said, in the case analyzed here, the complaining party exercised in repeatedly his right of access, and that, after the deadline In accordance with the rules mentioned above, your request did not get the answer legally enforceable, given that of the documentation provided by the complaining party, it follows that, the access granted is incomplete, as the photographs and fingerprints or motivated denial.
This circumstance has not been refuted by the claim and although this Agency transferred the claim filed in the manner provided for in paragraph 1 of article 39 of the GDPR, by means of writings through the Service Support of Electronic Notifications and E-mail Address Enabled and by postal mail, exceeded, in excess of the period indicated without receiving an answer; therefore, it must be taken for not fulfilling the requirement, estimating, consequently that the claimed opts for not objecting to the claim of the complaining party, so that this Agency proceeds to issue an opinion on the basis of the claim and documentation attached by the complaining party.
As for the substance, the request for access to personal data that is formulate obliges the person responsible for the treatment in question to give an express response, in any case, using any means attesting to the duty of response, even in those cases in which it did not meet the requirements, in whose In case the recipient of this is also obliged to require the correction of the deficiencies observed or otherwise, motivate the refusal to address it.
On the other hand, this Agency, in accordance with the functions provided in the Regulation (EU) 2016/679, of April 27, 2016, General of Data Protection (GDPR), particularly those that respond to respect, by the person responsible for treatment, of the principles of transparency and proactive responsibility, has been required to this, report the actions that have been carried out to attend the claim raised by the complaining party, without receiving a response from that institution.
Therefore, combining the information in the file with the regulations referred to in the preceding sections, it is appropriate to estimate the claim, at not record that the right of access exercised or its motivated refusal.
Having regard to the aforementioned precepts and others of general application, the Director of the Spanish Agency for Data Protection RESOLVES:
FIRST: ESTIMATE the claim made by D. AAA and urge DIRECTORATE GENERAL OF THE POLICE with NIF S2816015H, so that, within ten days following the notification of this resolution, refer to the party complainant certification stating that he has fully attended the right of access exercised by the latter or denied motivatedly indicating the causes for which it is not appropriate to attend your request. The actions performed as Consequence of this Resolution must be communicated to this Agency at identical term. Failure to comply with this resolution could entail the commission of the violation considered in article 72.1.m) of the LOPDGDD, which will be sanctioned, of according to art. 58.2 of the GDPR.