AEPD (Spain) - E/00739/2021
AEPD - E/00739/2021 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 12(5) GDPR Article 13 GDPR Article 15 GDPR |
Type: | Complaint |
Outcome: | Rejected |
Started: | |
Decided: | |
Published: | 15.04.2021 |
Fine: | None |
Parties: | UNIVERSIDAD MIGUEL HERNÁNDEZ DE ELCHE(UMH) |
National Case Number/Name: | E/00739/2021 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD decision (in ES) |
Initial Contributor: | n/a |
The Spanish DPA found that an access request was abusive, taking into account the context and the background of the relationship between the data subject and the controller. The data subject had previously filed various claims and lawsuits against the controller in other fields of law.
English Summary
Facts
A data subject filed a complaint with the Spanish DPA (AEPD) against a university where they had had different roles. The university provided the data subject with certain information (partly non-personal data too) and asked them to specify what additional information they required. They rejected the rest of the generic request with grounds on Article 12(5). The university alleged that they had tried to answer to the request on time but that they didn't have the resources, given that they have 26000 students, 1122 teaching and research staff, 521 administrative staff, 269 project staff; with a teaching structure of 7 faculties, 2 schools, 4 research institutes, 27 departments, 33 services and administrative Units, and 4 management centres, and the data subject had had a role in many of them, as an alumni, worker, and litigant.
The controller also held that they were implementing a more efficient system to handle data subject request. They claim that the data subject is just trying to diminish the university's functioning via different requests, claims and lawsuits, also in law fields other than data protection.
The data subject reiterated the initial request in the same terms. To this, the controller again alleged Article 12(5) and stated that it constituted an abuse of rights.
Holding
The AEPD aligned with the controller and found that the data subject was abusively exercising their rights in bad faith. The AEPD brought forward Article 12(5) GDPR, as well as Article 7 of the Spanish Civil Code, that states that rights must be exercised in good faith, and that it cannot be done in a way that the natural limits of the right are respected.
They also based their decision in the interpretation of such Article by the Spanish Supreme Court, saying that the abuse of rights entails the exercise of a right that, while complying with the formal requirements of such right, the essence of the rights, and its ethos and nature are not respected.
In this regard, the AEPD's records show that the complainant had abnormally exercised their right, both in quantitative terms (this was not the first time they had complained against the respondent) and qualitative terms (given the submission of applications with numerous claims that are not subsequently clarified by the data subject in order to facilitate their processing when requested to do so).
The necessity of good faith is also stated by the Spanish Procedural Civil Act in its Article 247, also interpreted by the Spanish Supreme Court, that has stated in this regard that complainants shall act in good faith, saying that acting in good faith also means not claiming to access data in a generic way when it can be done through other means. In this case, the AEPD condemns the negative of the data subject to narrow their claim, given that they are aware of the roles they had had in such university and can possibly know what particular information the university holds on them and what specific information they want to access.
Based on these grounds, the AEPD decides not to uphold the data subject's claim and archives the proceeding.
Comment
An interesting decision, the background of which is delineated by a provision in Spanish law which explicitly states that when data controllers process large quantities of data they can ask data subjects to specify their access requests (Article 13(1) of the LOPDGDD).
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/10 Procedure No.: E / 00739/2021 RESOLUTION OF ACTION FILE Of the actions carried out by the Spanish Agency for Data Protection and based on the following FACTS FIRST: The claim filed by A.A.A. (hereinafter, the claimant) has entry dated November 20, 2019 in the Spanish Agency for the Protection of Data. The claim is directed against the MIGUEL HERNÁNDEZ DE ELCHE UNIVERSITY (UMH), with NIF Q5350015C (hereinafter, the claimed one). The reasons on which the claim is based are the following: That he addressed several writings to the defendant, 6 months ago, related to questions referred to data protection. He was told that they needed some time, but he had not yet have answered. Accompany the request made to the defendant in which he asks: What data do you have about the claimant? Where are they stored? Who has access to data ?, Is any graphic document saved ?, In what location and with what measures of security?. As they were previously sanctioned, you want to know what measures were taken to prevent further infractions. Request. Data, charts, titles, courses, accesses made to files with your data, and related employees. SECOND: On December 2, 2019, the claimant submits the briefs of answer of the claimed. On November 5, 2019, the respondent communicates the following: - As data controllers, who must provide you with all the information established in article 13 and 14 of the European Data Protection Regulation. That since the University is a complex entity in matters of personal data management, and since the claimant has been an employee, an employee with a disciplinary record, undergraduate student, master's student, course assistant, interested in administrative procedures, participant in selective processes, litigating party, contrary, etc ..., it is difficult to attend to the exercise of the right of access. That according to established in article 13.2 of the LOPDGDD request that it be more specific in its request, specify the treatment you want to access, to proceed to facilitate the access. - The claimant answers by requesting exactly the same thing that he already requested. - Based on the provisions of article 12.5 of the RGPD, they reject the request for excessive. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/10 THIRD: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights (in hereinafter LOPDGDD), with reference number E / 00952/2020, a transfer of said claim to the defendant, so that it could proceed to its analysis and inform this Agency within a month, of the actions carried out to adapt to the requirements provided in the data protection regulations. The defendant answered the request for information stating that they had already answered the claimant to complete their application, since they have more than 26,000 students, 1,122 teaching and research staff, 521 people in administration, 269 hired from Projects; with a teaching structure of 7 faculties, 2 SCHOOLS, 4 Institutes of Research, 27 Departments, 33 Services and Administrative Units, and 4 centers management. Since the claimant has had numerous roles at the University, he is answered various questions raised in his request that had nothing to do with the right of access and was asked to specify what data and treatments he wanted to access. Answer by reiterating what was requested and therefore the requested access is denied understanding that it is excessive. They have tried to meet the legally established deadlines to answer, although it has not been possible. For this reason they have established the possibility of exercise of rights through the electronic headquarters so that the requests to competent persons. A protocol is being developed so that all those affected to exercise their rights act. FOURTH: On June 2, 2020, the Director of the Spanish Agency for Data Protection agreed to accept for processing the claim presented by the claimant. FIFTH: The defendant presented a brief of allegations to said admission, on date 23 June 2021, stating the following: After reiterating what was indicated in previous writings, he specified that of all his requests he has responded who was responsible for data processing and the measures to be taken they had taken after the resolution of the sanctioning procedure; and all the Sections in which your data were recorded so that you could specify what you were referring to. The claimant should not use data protection regulations as a subterfuge to hinder the normal functioning of an entity such as the University claimed, requesting information that can be obtained through different channels. Has been a clear abuse of rights, as reflected in numerous judgments. In many resolutions of the AEPD it is stated that the requests cannot be generic. FOUNDATIONS OF LAW I By virtue of the powers that article 58.2 of Regulation (EU) 2016/679 (Regulation- General Data Protection Mention, hereinafter RGPD), recognizes each Authority Control, and as established in articles 47, 48.1, 64.2 and 68.1 of the Law Organic 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Agency Data Protection is competent to initiate and resolve this procedure. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/10 Article 63.2 of the LOPDGDD determines that: «The procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of the Regulation (EU) 2016/679, in this organic law, by the provisions regulations dictated in their development and, as long as they do not contradict them, in a subsidiary, by the general rules on administrative procedures. " II This procedure has its origin in the exercise of the right of access to its data and numerous documentation exercised by the claimant against the claimed. Article 12 of Regulation (EU) 2016/679, of April 27, 2016, General of Data Protection (RGPD), provides that: "1. The person responsible for the treatment will take the appropriate measures to facilitate the interested party all information indicated in articles 13 and 14, as well as any communication in accordance with articles 15 to 22 and 34 regarding the treatment, in the form concise, transparent, intelligible and easily accessible, with a clear and simple language, in particular any information directed specifically to a child. Information will be provided in writing or by other means, including, if applicable, by means electronic When requested by the interested party, the information may be provided verbally provided that the identity of the interested party is proven by other means. 2. The person in charge of the treatment will facilitate the interested party the exercise of their rights under articles 15 to 22. In the cases referred to in article 11, section 2, the person in charge will not refuse to act at the request of the interested party in order to exercise your rights under articles 15 to 22, unless you can demonstrate that it is not in a position to identify the interested party. 3. The person responsible for the treatment will provide the interested party with information regarding their proceedings on the basis of a request pursuant to Articles 15 to 22, and, in In any case, within one month of receipt of the request. Saying The term may be extended for another two months if necessary, taking into account the complexity and number of requests. The person in charge will inform the interested party of any of said extensions within a period of one month from the receipt of the request, stating the reasons for the delay. When the interested party presents the request by electronic means, the information will be provided by electronic means when possible, unless the interested party requests that it be provided otherwise. 4. If the person responsible for the treatment does not comply with the request of the interested party, inform without delay, and no later than one month after receipt of the request, the reasons for not acting and the possibility of submitting a claim before a control authority and to exercise legal actions. 5. The information provided by virtue of articles 13 and 14 as well as all communication and any action carried out pursuant to articles 15 to 22 and 34 they will be free of charge. When the requests are manifestly unfounded or excessive, especially due to its repetitive nature, the person responsible for the treatment may: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/10 a) charge a reasonable fee based on the administrative costs incurred to facilitate information or communication or perform the requested action, or b) refuse to act on the request. The data controller will bear the burden of proving the character manifestly unfounded or excessive of the request. 6. Without prejudice to the provisions of article 11, when the person responsible for the treatment has reasonable doubts regarding the identity of the natural person making the request referred to in articles 15 to 21, may request that the provide the additional information necessary to confirm the identity of the interested party. 7. The information that must be provided to interested parties by virtue of articles 13 and 14 may be transmitted in combination with standard icons that allow provide in an easily visible, intelligible and clearly legible way a suitable overview of the planned treatment. Icons presented in the format electronic will be machine readable. 8. The Commission is empowered to adopt delegated acts in accordance with Article 92 in order to specify the information to be submitted through icons and procedures for providing standard icons. " III Article 13 of the LOPDGDD determines the following: "1. The right of access of the affected party will be exercised in accordance with the provisions in article 15 of Regulation (EU) 2016/679. When the person in charge treats a large amount of data related to the affected person and it exercises its right of access without specifying whether it refers to all or a part of the data, the person in charge may request, before providing the information, that the affected specify the data or processing activities to which the request. 2. The right of access will be understood to be granted if the person responsible for the treatment provide the affected party with a system of remote, direct and secure access to data that guarantees, permanently, access to its entirety. Such effects, the communication by the person in charge to the affected party of the way in which he may Accessing said system will be enough to consider the request to exercise the right. However, the interested party may request from the person in charge the information referred to the points provided for in article 15.1 of Regulation (EU) 2016/679 that are not be included in the remote access system. 3. For the purposes established in article 12.5 of Regulation (EU) 2016/679, may consider the exercise of the right of access repetitive on more than one occasion during the period of six months, unless there is legitimate cause for it. 4. When the affected party chooses a means other than the one offered that involves a disproportionate cost, the request will be considered excessive, so that said affected will assume the excess costs that his election entails. In this case, only C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/10 The data controller will be required to satisfy the right of access without undue delay. " IV From the documentation provided by the claimant and the defendant, it is proven that the First, he went to the University requesting numerous information, both referring to the access to the data object of treatment by the claimed, as well as to other questions such as the measures taken by the defendant after the sanctioning procedure instructed by the Spanish Agency for Data Protection, people who have accessed to your data ... Regarding the exercise of the right of access, the complainant, in accordance with the established in article 13.1 of the LOPDGDD addressed the claimant informing him to specify what data he was referring to, adding that he had been a student, worker, litigant…; the claimant reiterates the initial request in the same terms, without specify which data you are requesting access to. Faced with this answer, the claimed resolves to deny the exercise of the requested right as it is considered excessive, and in accordance with the provisions of article 12.5 of the RGPD. Subsequently, the defendant submits a new statement of allegations in which he indicates that the claimant's request constitutes an abuse of rights, since in the multiple roles that he has maintained with the University, the litigating party stands out against it for different reasons, unrelated to data protection. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 6/10 Article 7 of the Civil Code (CC hereinafter), provides that: "1. The rights must be exercised in accordance with the requirements of good faith. 2. The Law does not protect the abuse of the right or the antisocial exercise of it. Any act or omission that, by the intention of its author, by its object or by the circumstances in which it is carried out manifestly exceeds the normal limits of the exercise of a right, with damage to a third party, will give rise to the corresponding compensation and the adoption of judicial or administrative measures that prevent persistence in abuse ”. Good faith is a general principle of law incorporated into positive law that translates into the imposition of a series of duties on whoever holds the ownership of a right. At the same time, the consideration that a right has been exercised in a abusive must be supported by objective, rigorous and true data, so that it is recorded proven that the right holder has manifestly exceeded the limits normal of this on the occasion of his exercise. In this regard, the ruling of the Supreme Court of 05/20/2002 states that “In this way, to the courts of this jurisdiction, the abuse of the right or the antisocial exercise of the same that the law does not protect (art. 7.2 of the CC), it supposes that even respecting the limits formalities with the actions carried out by those who are the holders of the rights produces a violation of the values or the axiological idea that is part of the content of the subjective right or of the norm whose objective is addressed ”. Therefore, sometimes, even while exercising the rights that the legal system recognizes and acting in a way that formally respects the requirements set by the law, its exercise is abusive. This, either because it is performed abnormally in relationship with the end pursued by the legal norm, or with the absence of an interest legitimate or exceeding in excess the natural limits of the right, to the point which is distorted in its essence. In this sense, the antecedents in this Agency regarding the claimant, an abnormal exercise of his right is revealed, both due to quantitative issues (it is not the first time that the defendant has been denounced) such as qualitative (submissions of applications with numerous claims that are not clarified to facilitate processing when requested). C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 7/10 For its part, in the Civil Procedure Law (LEC, hereinafter) and within Book I, Title VIII, dedicated to procedural good faith, establishes in article 247 that: "1. Those involved in all types of processes must adjust in their actions to the rules of good faith. 2. The courts will fundamentally reject the petitions and incidents that are formulate with manifest abuse of rights or involve legal or procedural fraud ”. In relation to the principle of good faith (either in its material aspect, art. 7 CC or in its procedural-formal aspect, art. 247 LEC) and its adequacy in the performance of the claimant, it is enough to make a reference to the literality of the requests and clarifications presented collected in the Facts of this resolution for evidence the absence of this principle. The Judgment of the Supreme Court of February 4, 2011 being especially revealing relapse into Appeal No. 425/2007, which analyzes an alleged violation of the right of access by a Public University with respect to an administrator who had permanent access to your data as a computer-enabled user, considering that invoking the absence of satisfaction of the right of access is contrary to the principle of good faith, because precisely he had the means to "Access your data" autonomously without having to go to the person responsible for the file. Specifically, in its Fourth Law Foundation, it provides that: Since this fact has to be taken for granted, it is clear that the request for access to the personal data collected in the letter of February 9, 2004 was reiterative, when not merely rhetorical; and, for this same reason, present a claim before the AEPD for breach of the duty to allow access to the personal data is, without any doubt, a behavior contrary to good faith. It is not fair to reproach another for not having done something that, in fact, they have already done. Y justify this imputation in the non-observance of forms and deadlines provided for in the law it is no longer an abuse of formal requirements, something that has traditionally been seen as one of the archetypal assumptions of violation of the general principle of good faith. Moreover, it is not just that the applicant had the possibility permanent access to your personal data by computer means, but in your letter of February 9, 2004 did not specify by what specific means of access he wanted his right to be satisfied; and, in these circumstances, affirm that it is denied access within the legally established period is simply abusive deformation of reality. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 8/10 It is peaceful, moreover, that the general principle of good faith should not only guide the actions of the Administration with respect to the administered, such as provides art. 3 LRJ-PAC, but also has to preside over the exercise of all kinds of rights by individuals by imperative of art. 7 CC. Since the exercise unfair right of access to personal data by the individual is not worthy of guardianship, the AEPD, as an administrative entity in charge of ensuring due to compliance with data protection legislation, it should not have considered that the UNED had violated the right of Don Manuel; and the same can be said of the court to quo, since the aforementioned decision of the AEPD is deemed to be in accordance with the law. For all this, the second reason for this appeal has to be upheld, which leads to the annulment of the contested judgment. In the present case, as stated at the beginning of this Resolution, the claimant you can get the desired access if you clarify the terms of your request as it is knowledgeable of the numerous roles that he has exercised in the claimed entity. When Rights are exercised by formally adjusting to the requirements established by the Law, but in an abnormal way, in such a way that its essential content is distorted, incurs an abuse of rights that the legal system in no case can protect. V C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 9/10 The claimant requests that a sanctioning procedure be initiated against the defendant. In this regard, it should be remembered that the sanctioning procedure constitutes one of the manifestations of the "ius puniendi" of the State and it always starts ex officio by the Director of the Spanish Agency for Data Protection, in accordance with provided for in article 68.1 of the LOPDGDD, as the Hearing has maintained National in judgments such as, among others, the one handed down in March 2006 (REC 319/2004). Therefore, it is the exclusive competence of the Spanish Data Protection Agency. assess whether there are administrative responsibilities that have to be clarified in a sanctioning procedure and, consequently, the decision on its opening, not existing obligation to initiate procedure before any request made by third, but it must be based on the existence of elements that justify said initiation of sanctioning activity. On the other hand, it should be remembered that, to define the condition of "interested" to urge to the exercise of the sanctioning competence of this Agency, the STS of October 6 of 2009 provides that the complainant is not interested, and does so in the following terms: "the complainant of an infringement of data protection legislation lacks active standing to challenge the resolution of the Agency in what concerns the sanctioning result itself ”(imposition of a sanction, amount of the same, exoneration, etc.) " Applying the peaceful doctrine of the Supreme Court, according to which "the complaint does not make the complainant the holder of a subjective right or personal interest or legitimate that would have to translate into a benefit or utility "the circumstance of having presented several complaints in this Agency, does not grant you the condition of interested party, all without prejudice to the circumstances surrounding the presentation of the same indicated in the Acts of this Resolution. SAW Ultimately, from the background examined and the complaints submitted, it is it follows that there are circumstances that allow questioning the serious purpose and legitimacy of the claimant in the exercise of their rights, allowing to identify their behavior as abusive and lacking in good faith. The claimant may request the exercise of the right of access against the claimed specifying your request, given that it is a University that carries out numerous differentiated treatments with students, workers, teachers, hired ... what you know having worked in the claimed entity; and being able request all the desired accesses, well differentiated, in accordance with the provisions of the data protection regulations. Therefore, in accordance with the provisions, by the Director of the Spanish Agency for Data Protection, IT IS AGREED: FIRST: PROCEED WITH THE FILING of these actions. SECOND: NOTIFY this resolution to the claimant and claimed. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 10/10 In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure as prescribed by the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations, and in accordance with the provisions of the arts. 112 and 123 of the aforementioned Law 39/2015, of October 1, interested parties may file, optionally, an appeal for reconsideration before the Director of the Agency Spanish Data Protection within a period of one month from the day following notification of this resolution or directly contentious appeal administrative before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and paragraph 5 of the provision Additional fourth of Law 29/1998, of July 13, regulating the Jurisdiction Contentious-Administrative, within two months from the next day upon notification of this act, as provided in article 46.1 of the aforementioned Law. 940-0419 Mar Spain Martí Director of the Spanish Agency for Data Protection C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es