AEPD (Spain) - TD/00054/2020

From GDPRhub
Revision as of 13:17, 22 October 2020 by SR (talk | contribs)
AEPD - TD/00054/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 12 GDPR
Article 15 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published:
Fine: None
Parties: CaixaBank S.A.
National Case Number/Name: TD/00054/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish DPA (AEPD) ordered a bank to finalise incomplete access requests under Articles 12 and 15 GDPR.

English Summary

Facts

The complainant sought to access information from CaixaBank. After receiving the information, she complained that the information was "insufficient, unrealistic, and that data are concealed". CaixaBank argued that they had already complied with the access request.

Dispute

Has the complainant's right to access under Article 15 GDPR been violated?

Holding

The AEPD confirmed that CaixaBank's response was incomplete and that the "purpose of these proceedings is to ensure that the guarantees and rights of the persons concerned are duly restored". The AEPD gave CaixaBank ten working days to either comply with the request or refuse to comply and give reasons why it would be inappropriate to do so.

Comment

Scope of the AEPD's competences. The AEPD also noted that it is not competent to settle matters arising from a contractual relationship, such as the accuracy of the amount of debt owed or the determination of the conditions of a contractual or commercial provision.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

File No: TD/00054/2020
1037-100919
RESOLUTION Nº: R/00319/2020
Having regard to the complaint made to this Agency by Ms. A.A.A., (from
now the complainant), against CAIXABANK, S.A. (now the
claimed), because their right of access has not been duly attended to.
The procedural actions provided for in Title VIII of the Law have been carried out
Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of
digital rights (hereinafter referred to as LOPDGDD), the following have been found
FACTS
FIRST: The complainant exercised her right of access against the respondent with a tax identification number (NIF)
A08663619, without having received the legally established response to your request.
The claimant provides various documentation relating to the claim
raised before this Agency and on the exercise of the right exercised.
 On 3 April 2018, in view of the claim for the right of access, this
Agency resolved:
"In relation to your claim for protection of rights submitted to this
Agency referring to CAIXABANK, S.A., from the analysis of the documentation provided
It follows that it does not concern the exercise of the right recognised in Article
15.1 of Organic Law 15/1999, of 13 December, on the Protection of Personal Data
Personal Data Protection Act (LOPD), and developed in the Regulations implementing the LOPD,
approved by Royal Decree 1720/2007 of 21 December.
The right of access, as specified in Article 27.1 of the
Regulation, is the right of the person concerned to obtain information on whether his
personal data are being processed, the purpose of which is to
treatment being carried out, as well as the information available
on the origin of such data and the communications made or planned by the
themselves.
Paragraph 3 of that Article specifies that this right is independent
which grant those concerned special laws and, in particular, laws which
regulate the administrative procedure.
Furthermore, Article 29(3) makes it clear that the information
must be provided by the data controller shall comprise all the basic data of the
those resulting from any computer processing, as well as the
information available on the origin of the data, the assignees of the data and the
specification of the specific uses and purposes for which the
data is stored.
Thus, access to copies of certain documents or other information
associated with a business, employment or administrative relationship is not part of the
content of the access right regulated in the data protection regulations,
This question is therefore outside the competence of this Agency.
This is notwithstanding the fact that other legislation covers the obtaining of such
documentation, and the person concerned must apply to the competent authorities,
particularly the organs of consumption.
Consequently, in accordance with Articles 18 and 37(1)(d) of the
LOPD, it is agreed to INADMIT your claim.
SECOND: As a consequence of the Inadmission, you claim before the Audiencia Nacional
that fails:
"...That by dismissing the cause of inadmissibility raised by the party
co-defendant, the action in the main proceedings brought by
the Procurator of the Courts doña (...) in the name and on behalf of DOÑA
A.A.A., against the resolution of 7 May 2018 of the Director of the Agency
Spanish Data Protection Authority, by which the claim of the claimant is rejected
against CaixaBank, S.A., which was involved in the procedure for the protection of rights
TD/01002/2018, and declare the above-mentioned resolution null and void on the grounds that it does not conform to
right, agreeing instead that by the Spanish Data Protection Agency
and in respect of the appellant, initiate proceedings for the protection of
rights against CaixaBank S.A. with express imposition of the procedural costs to
the defendants..."
 This ruling opens a procedure for the processing of this claim and
gives transfer to the respondent to attend the right.
THIRD: In accordance with the tasks laid down in Regulation (EU)
2016/679, of 27 April 2016, General Data Protection (RGPD), proactive
by the data controller, you are required to inform the
Agency of the actions that have been taken to address the complaint
raised. In summary, the following allegations were made:
- The representative/Data Protection Officer of the respondent
in the allegations made during the processing of the
These proceedings, which have already dealt with the right of access
requested both now and earlier in 2017. They provide two letters
sent to the complainant for this purpose, i.e. to comply with the right to
access, one on 5 December 2017 and the current one on 7 April
2020.
- The complainant, who is aware of the allegations of the
transfer made by this Agency and, after having received the right
In summary, the information received is
insufficient, unrealistic and that data are hidden.
 "...That I do NOT agree with the information provided by CaixaBank in exercise my right to access personal data contained in your
files. It provides data on a sheet of paper that does not match reality,
so, they make it up, and the data, with the documents that support that
alleged express authorisation, and that commercial contracting, which has been
repeatedly requested, they hide it. I imagine they do because they don't
have. They do not have any documents to prove the false claims
which reflect in the sheet I received (...) that to date they have not
fulfilled its obligation to provide me with my right of access. It does not provide
the documents that were required, and the scarce data without documents
to confirm their reality that they contribute to a non
correspond to reality (...) CaixaBank SA invented the dates of
products are invented, the numbering of those products is invented
fictitious products, and do not provide any documents proving that the
contracted such products with them and do not provide the authorisations and
consents to be able to dispose of and give away my data which you must have of
each of these alleged products that are said to have
hired..."
- From this Agency, the complainant's allegations were sent to
claimed without, at the date of resolution of this claim, having
Nothing has been said about this.

LEGAL FOUNDATIONS
FIRST: The Director of the Spanish Agency of
Data Protection, as laid down in Article 56(2) in
in relation to Article 57(1)(f), both of Regulation (EU) 2016/679 of
European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
natural persons with regard to the processing of personal data and the free
circulation of these data (hereinafter referred to as RGPD); and in article 47 of the
Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of
digital rights (hereinafter LOPDGDD).
SECOND: Article 64.1 of the LOPDGDD, provides the following:
"1. Where the procedure relates solely to the failure of
an application to exercise the rights laid down in Articles 15 to 22 of the
Regulation (EU) 2016/679, will be initiated by a formal admission agreement, which will
shall be adopted in accordance with the following Article.
In this case the period for deciding on the procedure shall be six months, counting
from the date on which the claimant was notified of the agreement to
admission to procedure. After this period, the interested party may consider
estimated your claim."
THIRD: Article 12 of Regulation (EU) 2016/679 of 27 April 2016
General of Data Protection (RGPD), provides that:
"1. The data controller shall take the appropriate measures to facilitate
the person concerned any information referred to in Articles 13 and 14, as well as any
communication pursuant to Articles 15 to 22 and 34 concerning processing, in the form
concise, transparent, intelligible and easily accessible, with clear and simple language, in
In particular, any information directed specifically at a child. The information
shall be provided in writing or by other means, including, where appropriate, by
electronic. At the request of the interested party, the information may be provided
verbally, provided that the identity of the person concerned is proven by other means.
2. The data controller shall facilitate the exercise of his
rights under Articles 15 to 22. In the cases referred to in Article 11
paragraph 2, the controller shall not refuse to act at the request of the data subject for the purpose
to exercise his rights under Articles 15 to 22, unless he can prove
who is not in a position to identify the person concerned.
3. The data controller shall provide the data subject with information concerning his
proceedings on the basis of an application under Articles 15 to 22, and, in
in any case, within one month from the receipt of the application. Said
This deadline may be extended by a further two months if necessary, taking into account the
complexity and the number of applications. The person in charge shall inform the applicant of
any such extension within one month of receipt of the
request, indicating the reasons for the delay. When the interested party submits the
request by electronic means, the information shall be provided by electronic means
where possible, unless the person concerned requests otherwise.
4. If the data controller does not comply with the request of the data subject, he
shall inform without delay, and at the latest after one month, of the receipt of the
application, the reasons for their failure to act and the possibility of submitting a
claim to a supervisory authority and to take legal action.
5. The information provided pursuant to Articles 13 and 14 and any
communication and any action taken pursuant to Articles 15 to 22 and 34
will be free of charge. Where requests are manifestly unfounded or
excessive, especially due to their repetitive nature, the person responsible for
treatment may:
(a) charge a reasonable fee commensurate with the administrative costs incurred
to provide the information or communication or to perform the requested action, or
(b) refuse to act on the request.
The controller shall bear the burden of proving the
manifestly unfounded or excessive.
6. Without prejudice to Article 11, where the person responsible for the
treatment has reasonable doubts as to the identity of the natural person
the application referred to in Articles 15 to 21, may request that the
provide the additional information necessary to confirm the identity of the person concerned.
7. The information to be provided to the persons concerned under Articles
13 and 14 may be transmitted in combination with standardised icons allowing
provide in an easily visible, intelligible and clearly legible manner an adequate
overview of the planned treatment. The icons presented in the format
electronic will be mechanically readable.
8. The Commission shall be empowered to adopt delegated acts in accordance with
Article 92 to specify the information to be submitted through
icons and the procedures for providing standardised icons".
FOURTH: Article 15 of the RGPD provides that:
"1. The data subject shall have the right to obtain from the controller
confirmation as to whether or not personal data concerning you are being processed and, if so
case, right of access to personal data and to the following information:
a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipient to whom the data have been disclosed; or
personal data will be communicated, in particular to third parties or
international organisations;
(d) if possible, the intended period of retention of the personal data or, of
not be possible, the criteria used to determine this deadline;
(e) the existence of the right to request the person responsible to correct or delete
of personal data or the limitation of the processing of personal data relating to
or to oppose such processing;
(f) the right to lodge a complaint with a supervisory authority;
(g) where the personal data have not been obtained from the data subject, any
information available on their origin;
(h) the existence of automated decisions, including profiling, to
referred to in Article 22(1) and (4) and, at least in such cases, information
The importance and consequences of the new system for the development of the
provided for such processing for the data subject.
2. Where personal data are transferred to a third country or to an organisation
international, the person concerned shall have the right to be informed of the guarantees
appropriate under Article 46 concerning transfer.
3. The controller shall provide a copy of the personal data
object of treatment. The data controller may receive for any other copy requested
a reasonable fee based on administrative costs. When the
The application must be submitted electronically by the applicant, and unless the applicant requests
otherwise provided, the information shall be provided in an electronic format of
common use.
4. The right to obtain a copy referred to in paragraph 3 shall not affect
negatively to the rights and freedoms of others."
FIFTH: Article 13 of the LOPDGDD determines the following:
"1. The right of access of the affected party shall be exercised in accordance with the provisions
in Article 15 of Regulation (EU) 2016/679.
Where the controller processes a large amount of data relating to the data subject and
he exercises his right of access without specifying whether it concerns all or part of
the data controller may request, before providing the information, that the
concerned specifies the data or processing activities to which the
application.
2. The right of access shall be deemed granted if the data controller
provide the affected person with a system of remote, direct and secure access to the data
personal to guarantee, in a permanent way, access to its totality. To such the communication by the person in charge to the person concerned of the way in which he may
access to this system will be sufficient to satisfy the request to exercise the
right.
However, the person concerned may request from the person responsible information concerning
the points set out in Article 15(1) of Regulation (EU) 2016/679 which are not
be included in the remote access system.
3. For the purposes of Article 12(5) of Regulation (EU) 2016/679, the following shall apply
may consider the exercise of the right of access on more than one occasion to be repetitive
during the six-month period, unless there is legitimate cause to do so.
4. Where the person concerned chooses a means other than the one offered to him which entails
disproportionate cost, the application will be considered excessive, and therefore
affected will assume the excess costs that its choice entails. In this case, only
the controller shall be required to satisfy the right of access without
undue delay."

SEVENTH: Before going into the substance of the issues raised, it should be noted
that these proceedings are being conducted following the refusal to
any of the rights regulated by data protection regulations (access,
correction, deletion, limitation, portability and opposition) and aims to
take appropriate measures to ensure that the guarantees and rights of the person concerned
are properly restored. Therefore, in the present case, only
and assessed those issues raised by the complainant that remain
included in the subject matter of the above-mentioned complaints procedure in respect of
data protection.
 The exercise of the right of access, like all other rights, is a
The very personal right consists of the citizen's right to obtain
information on the processing of your data, the possibility of
obtain a copy of the personal data concerning you that is being
object of processing, as well as information, in particular, on the purposes of the
processing, the categories of data, the recipients, any transfers, the time
the possibility of exercising other rights, the information
available on the origin of the data (if not obtained directly from
holder) or the existence of automated decisions, including profiling,
without affecting the data of third parties.
 In the case analysed here, the complainant has exercised its right to
access and the response received is considered to be incomplete and lacking in reality.
This Agency informs the complainant of this fact so that he can complete
your reply or clarify the points raised by the complainant. On the date of the resolution of this
no contribution has been made by the party complained of to the effect that the
right of access requested has been fully met.
On the basis of the foregoing, considering that the present proceedings have
to ensure that the guarantees and rights of those concerned are duly
restored, combining the information in the file with the regulations
referred to in the preceding paragraphs, this complaint must be upheld, as
an incomplete response has been issued.
Finally, if there is a dispute with the controller
on matters arising from the contractual relationship, they should be aware that the Spanish Data Protection Agency is not competent to resolve civil matters,
such as those relating to the civil or commercial validity of the contract, the accuracy of
the amount of the debt, the proper provision of the services contracted or the
interpretation of contractual clauses. The determination of the conditions of the
contractual or commercial service, based on an interpretation of the contract signed
between the parties and their correct application, should be brought before the
administrative or judicial authorities, as it exceeds the scope of the
Agency.
The bodies that issue binding decisions to this effect include
Consumer Arbitration Boards (provided that the creditor voluntarily submits
them), the Telecommunications User Assistance Office
(www.usuariosteleco.gob.es) or the judicial bodies. They are not binding, between
other, the decisions of consumer organisations and offices
municipal consumer goods.
It is therefore appropriate to uphold the claim which gave rise to this
procedure.
Having regard to the above-mentioned and other generally applicable provisions,
the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: ESTIMATE the claim made by Ms. A.A.A. and urge CAIXABANK,
S.A. with NIF A08663619, so that, within ten working days of
notification of the present resolution, send to the complaining party certification in the
to record that he has complied with the right of access exercised by him or
refuse, with reasons, to comply with your request, indicating why your request should not be dealt with
request. The actions taken as a result of this Resolution
must be communicated to this Agency within the same time limit. Failure to comply with this
resolution could lead to the commission of the offence referred to in Article
72.1.m) of the LOPDGDD, which will be sanctioned in accordance with Article 58.2 of the RGPD.
SECOND: TO NOTIFY this resolution to Ms. A.A.A. and CAIXABANK, S.A.
In accordance with the provisions of article 50 of the LOPDGDD, the
This Resolution will be made public after it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure in accordance with art.
48.6 of the LOPDGDD, and in accordance with the provisions of Article 123 of the
LPACAP, the interested parties may lodge, on an optional basis, an appeal for reversal
to the Director of the Spanish Data Protection Agency within a period of
month from the day following notification of this resolution or directly
contentious-administrative appeal to the Administrative Chamber of the
Audiencia Nacional, in accordance with Article 25 and paragraph 5 of
the fourth additional provision of Law 29/1998 of 13 July 1998, regulating
Contentious-Administrative Jurisdiction, within two months from
day following notification of this act, as provided for in Article 46(1) of the
referred to Law.
Mar España Martí
Directora de la Agencia Española de Protección de Datos

Translated with www.DeepL.com/Translator (free version)