AEPD (Spain) - TD/00010/2020
AEPD - TD/00010/2020 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 12 GDPR Article 18 GDPR Article 21 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | |
Fine: | None |
Parties: | AAA Vodafone España |
National Case Number/Name: | TD/00010/2020 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | n/a |
The Spanish DPA (AEPD) ordered Vodafone España to stop processing the personal data of a subject who continued to receive invoices from Vodafone España for two years after terminating his contract with them.
English Summary
Facts
The complainant terminated his contractual relationship with Vodafone España in 2017, but continued to receive emails from the latter stating that invoices had been issued in his name. The complainant then filed a complaint with the AEPD in 2019 on the basis that he had been unable to exercise his right to oppose the processing of his personal data, as protected under Article 21 GDPR.
Dispute
Did Vodafone España violate the complainant's rights under Article 21 by continuing to issue the invoices?
Holding
The AEPD held that complaint was valid, as the complainant's right to object had not been met. The AEPD ordered Vodafone España to comply with Article 21 and stop the processing within ten working days following notification of this decision. If Vodafone España decided not to comply, they would have to give reasons for continuing to process the complainant's personal data. The AEPD concluded that failure to do one of these actions would result in further sanctioning of Vodafone España by the AEPD pursuant to Article 72(1)(m).
Comment
The AEPD does not specify the provision of Article 21 on which it bases its decision. Article 21 GDPR states that the data subject either has the right to object if the processing uses the legal bases of public or legitimate interest (Article 21(1)), or if the personal data is processed for direct marketing purposes (Article 21(2)).
However the question of whether either of these provisions apply in this case, which would confirm whether Article 21 definitively applies at all, is never examined by the AEPD.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
Machine Translation provided by DeepL Case No: TD/00010/20201033-250719 RESOLUTION No: R/00183/2020 Having regard to the complaint lodged on 26 September 2019 with this Agency by Mr. A.A.A., (hereinafter the complainant), against VODAFONE ESPAÑA,S.A.U, After the procedural actions provided for in Title VIII of the Organic Law 3/2018 of December 5, 2008, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), the following have been found FACTS FIRST: On June 24, 2019, the claimant filed a complaint against the claimed with NIF A8090739, because the right of opposition had not been attended. According to the claimant, in spite of having terminated the contractual relationship with the claimed party in 2017, he continues to receive e-mails telling him that an invoice has been issued in his name. After several attempts to clarify the situation and in the absence of a response, the claimant says that he presented a complaint to this Agency because he had not been given the right to oppose the processing of his personal data. SECOND: The complaint presented by the claimant was transferred to him from this Agency and it was collected by the claimant on November 12, 2019. In the absence of a reply, on January 21, 2019, the complaint was admitted for processing and this communication was also received on January 23, 2020. THIRD: In accordance with the functions provided for in Regulation (EU)2016/679, of 27 April 2016, General Data Protection Regulation (RGPD), particularly those that respond to the principles of transparency and proactive responsibility on the part of the data controller, you have been required to inform this Agency of the actions that have been carried out to deal with the complaint raised. In summary, the following allegations were made: -The representative/Delegate of Data Protection of the claimant states in the allegations made during the processing of the present procedure that they have not been informed of the complaint. Specifically: "...we have not received this complaint filed by Mr. A.A.A., and therefore we request the Agency to send us again the above mentioned letter of Request for Information, in order to be able to attend the request established by the claimant..." -The claimant has not presented any allegations. LEGAL FOUNDATIONS FIRST: The Director of the Spanish Data Protection Agency is competent to decide, in accordance with the provisions of Article 56(2) in relation to Article 57(1)(f), both of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the RGPD); anddin Article 47 of the Organic Law 3/2018 of December 5,,onnPersonal Data ProtectionnanddGuarantee of Digital Rights (hereinafter referred too as LOPDGDD). SECOND: Article 64.1 of the LOPDGDD, provides the following: "1. When the procedure refers exclusively to the lack of attention to a request to exercise the rights established in articles 15 to 22 of Regulation (EU) 2016/679, it will be initiated by an agreement of admission to procedure, which will be adopted in accordance with the provisions of the following article. Once this period has elapsed, the interested party may consider his claim to have been accepted". THIRD: Article 12 of Regulation (EU) 2016/679 of 27 April 2016, General Data Protection (GDPR), provides that: "1. The controller shall take appropriate measures to provide interested parties with any information referred to in Articles 13 and 14 and any communication pursuant to Articles 15 to 22 and 34 relating to the processing in a concise, transparent, intelligible and easily accessible form, using plain and simple language, in particular any information specifically addressed to a child. At the request of the data subject, the information may be provided orally provided that the identity of the data subject is established by other means.2. In the cases referred to in Article 11(2), the controller shall not refuse to act at the request of the data subject for the purpose of exercising his rights under Articles 15 to 22, unless he can prove that he is not able to identify the data subject.3. The controller shall provide the data subject with information concerning his or her actions on the basis of a request pursuant to Articles 15 to 22, and in any case within one month of receipt of the request. That period may be extended by a further two months if necessary, taking into account the complexity and number of requests. The person responsible shall inform the applicant of any such extension within one month of receipt of the application, stating the reasons for the delay. Where the applicant submits the application by electronic means, the information shall be provided by electronic means where possible, unless the applicant requests otherwise.4 If the data controller does not comply with the request of the data subject, he shall inform the data subject without delay, and at the latest within one month of receipt of the request, of the reasons for his failure to act and of the possibility of lodging a complaint with a supervisory authority and of taking legal action.5 The information provided under Articles 13 and 14 as well as any communication and any action taken under Articles 15 to 22 and 34 shall be free of charge. (a) charge a reasonable fee commensurate with the administrative costs incurred in providing the information or communication or in carrying out the requested action; or (b) refuse to act on the request. Without prejudice to Article 11, where the controller has reasonable doubt as to the identity of the natural person making the request referred to in Articles 15 to 21, he may request that additional information necessary to confirm the identity of the data subject be provided. 7. The information to be provided to data subjects under Articles 13 and 14 may be transmitted in combination with standardised icons which provide an easily visible, intelligible and clearly legible overview of the intended processing. Icons presented in electronic form shall be mechanically legible.8 The Commission shall be empowered to adopt delegated acts in accordance with Article 92 to specify the information to be displayed by means of icons and the procedures for providing standardised icons.” FOURTH: Article 12 of the LOPDGDD determines the following: 1. The rights recognised in Articles 15 to 22 of Regulation (EU)2016/679, may be exercised directly or through a legal or voluntary representative.2 The data controller shall be obliged to inform the data subject of the means available to him/her to exercise the rights to which he/she is entitled. The means must be easily accessible to the data subject. The exercise of the right may not be denied on the sole ground that the data subject has opted for otromedio.3. The person in charge may process, on behalf of the person responsible, the requests for the exercise of his rights made by the affected parties if this is established in the contract or legal act that binds them.4. When the laws applicable to certain processing operations establish a special regime affecting the exercise of the rights provided for in Chapter III of Regulation (EU) 2016/679, the provisions of those laws shall apply.6. In any case, the holders of parental authority may exercise the rights of access, rectification, cancellation, opposition or any other rights that may correspond to them in the context of this organic law in the name and on behalf of minors under fourteen years of age. FIFTH: Article 18 of the GDPR, which refers to the right to limit processing, provides that: "1. The data subject shall have the right to obtain from the controller the limitation of the processing of the data where one of the following conditions is met: (a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the data; (b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests instead the limitation of their use; (c) the controller no longer needs the personal data for the purposes of the processing, but the data subject needs them for the formulation, exercise or defence of complaints 2. Where the processing of personal data has been restricted by virtue of paragraph 1, such data may be processed, with the exception of their retention, only with the consent of the data subject or for the purpose of lodging, exercising or defending complaints or for the protection of the rights of any other natural or legal person or for reasons of substantial public interest of the Union or of a Member State. 3 Any data subject who has obtained a restriction to processing pursuant to paragraph 1 shall be informed by the controller before the restriction is lifted.” SIXTH: Article 21 of the GDPR, which refers to the right of objection, provides that: '1. The data subject shall have the right to object at any time on grounds relating to his particular situation to the processing of personal data relating to him which is based on Article 6(1)(e) or (f), including profiling on the basis of those provisions. The controller shall cease to process personal data unless he establishes compelling legitimate grounds for the processing that override the interests, rights and freedoms of the data subject or for the lodging, pursuit or defence of complaints. Where the processing of personal data has as its purpose direct marketing, the data subject shall have the right to object at any time to the processing of personal data relating to him/her, including profiling insofar as it relates to such marketing. Where the data subject objects to the processing for direct marketing purposes, the personal data shall no longer be processed for such purposes. No later than the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly mentioned to the data subject and shall be clearly presented in addition to any other information. In the context of the use of information society services, and notwithstanding the provisions of Directive 2002/58/EC, the data subject may exercise his right to object by automated means applying technical specifications. 6. Where personal data are processed for the purposes of scientific or historical research or statistical purposes pursuant to Article 89(1), the data subject shall have the right, on grounds relating to his or her particular situation, to object to the processing of personal data concerning him or her, except where such processing is necessary for the performance of a task carried out in the public interest.” SEVENTH: In the case analyzed here, the complainant requests the right to oppose the processing of his personal data. The claimant proves that he has requested the right and provides a document dated June 24, 2019, in which the stamp of receipt of the claimant appears. Also from this Agency the claim was transferred having the certification of the Folder or DEH as a proof of the reception by the claimant, in spite of which and only after the admission to procedure, the claimant replies to say that he has not received the claim. Therefore, the claim should be upheld as the right has not been met. In view of the above and other generally applicable provisions, the Director of the Spanish Data Protection Agency hereby RESOLVES: FIRST: TO ESTIMATE the claim made by Mr. A.A.A. and to urge VODAFONEESPAÑA, S.A.U. with NIF A80907397, so that, within ten working days following notification of this resolution, it sends the claimant a certificate stating that it has complied with the right of objection exercised by the latter or refuses to do so, indicating the reasons why its request should not be dealt with. The actions carried out as a result of this Resolution must be communicated to this Agency within the same period of time. Failure to comply with this resolution could lead to the commission of the infringement considered in article 72.1.m) of the LOPDGDD, which will be sanctioned, in accordance with article 58.2 of the RGPD.SECOND: NOTICE this resolution to Mr. A.A.A. and VODAFONE ESPAÑA,S.A.U. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure in accordance with Article 48 . 6 of the LOPDGDD, and in accordance with that established in article 123 of theLPACAP, the interested parties may, optionally, lodge an appeal for reversal with the Director of the Spanish Data Protection Agency within a period of one month as from the day following notification of this resolution or the directing of the contentious administrative proceedings before the Contentious Administrative Chamber of the National Court, in accordance with the provisions of Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998 of 13 July 1998, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in Article 46.1 of the above-mentioned Law. Mar España Martí Director of the Spanish Data Protection Agency