AEPD (Spain) - TD/00293/2021
From GDPRhub
| AEPD - REPOSICION-TD-00293-2021 | |
|---|---|
 | |
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 4(1) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | 26.01.2022 |
| Decided: | |
| Published: | 01.07.2022 |
| Fine: | n/a |
| Parties: | 4Finance Spain Financial Services, S.A.U. |
| National Case Number/Name: | REPOSICION-TD-00293-2021 |
| European Case Law Identifier: | n/a |
| Appeal: | Not appealed |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | sofi.gk |
The Spanish DPA ordered a bank to honor a customer's access request, reversing a prior decision that documents relating to a concluded contract between the bank and its customer were not governed by the GDPR.
English Summary
Facts
The data subject appealed a decision by the DPA that the controller, a bank, was not obliged to provide a copy of documents or information associated with a contractual relationship between the data subject and the controller. The DPA had agreed with the controller, who argued that the requested documents were not regulated under the GDPR and as such not subject to the right of access.
Spanish law states that when a special regime applies to certain processing operations and that regime affects the exercise of rights, the provisions of those special laws shall apply. The special law applicable in this case is Law 16/2011, of June 24, on consumer credit contracts. The controller alleged that the applicable Law only granted access rights to personal data when the contract was not yet concluded.
On appeal, the data subject pointed out that the law on consumer contracts never mentions that the controller is not obliged to provide information about the consumer credit contracts once they have been finalized.
Holding
After reviewing its previous decision, the DPA held that the financial movements are personal data under Article 4(1) GDPR and found that the information at issue in the case before them, relating to bank statements of the data subject, falls under this definition. Consequently, the controller was obliged to grant the data subject access to the documents.
Following this logic, the DPA upheld the data subject's claim on appeal and ordered the controller to honor the right of access within 10 business days.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/4
Procedure no.: TD/00293/2021
SUBJECT: Appeal for Replenishment No.: EXP202101467
Examined the appeal for reconsideration filed by A.A.A. against the decision issued
by the Director of the Spanish Agency for Data Protection in the file
TD/00293/2021, and based on the following
FACTS
FIRST: On January 26, 2022, a resolution was issued by the Director of the
Spanish Data Protection Agency in file TD/00293/2021, in which
it was agreed to dismiss the claim for Protection of Rights made by D. A.A.A.
against 4FINANCE SPAIN FINANCIAL SERVICES, S.A.U.
SECOND: The resolution now appealed was reliably notified to D.A.A.A.
on January 31, 2022, as stated in the proof of notification.
THIRD: The appellant has filed an appeal for reconsideration on February 28
2022, with entry into this Agency on February 28, 2022, in which it indicates, in
synthesis, that "(...) our interested party has the right to be provided with all the
information regarding the processing of your data, being obliged to comply with the
responsible for the treatment, that is, the aforementioned financial entity. Our
represented, current interested party and owner of the data, also has the right to receive
the information by the requested means. In the event that the application is submitted by
digital means, you should obtain it by the same means, unless expressly requested in
contrary.
The rights granted by access to information are not limited to mere consultation.
In addition, the interested party must receive a copy of their personal information, which may be
save privately. And in the event that access to personal data involves
certain complexity, the data controller may request that the interested party
specify the files you want to query. In that case, you will need to provide a
list with all the files so that the individual can identify them.
(...) is not a reason to deny access to the aforementioned contracts on the basis that
They were paid for and closed.
(...) Although it is true that the Spanish Data Protection Regulation provides that
when the laws applicable to certain treatments establish a regime
that affects the exercise of rights, the provisions of those will be followed;
in the present cannot be a reason for denial of the claim
presented by us, since the specific regulations referenced by the
claimed entity, Law 16/2011, of June 24, of credit contracts to the
consumption, at no time expressly mentions the non-compulsory nature of
submit consumer credit contracts, once they have been finalized, paid
and closed. If this is the case, please provide us with information on the
specific articles that make such a reference. The specific regulations do
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 2/4
reference to the obligation to deliver the referenced documents before starting
the contractual relationship and during the term of this relationship, a fact that
We acknowledge that it has been fulfilled by the aforementioned financial entity
claimed; however, there is no mention at any time of the non-compulsory nature of
delivery of the documents once the contractual relations have been finalized.”
FOURTH: Transferred to the claimed party the appeal for reconsideration filed by the
claimant party to express what it deems appropriate, it is ratified in what
already exposed during the processing of the procedure.
“(…) the right of access does not cover, in general, “obtaining a copy of
certain documents or other information associated with a business relationship,
labor, contractual or administrative”. The affected person must go to the authorities
competent since, as the Agency indicates, "the requested documents do not
are part of the access regulated in the data protection regulations as they are
documents linked to the contractual relationship between the parties.”
FOUNDATIONS OF LAW
Yo
The Director of the Spanish Agency is competent to resolve this appeal.
Data Protection, in accordance with the provisions of article 123 of the Law
39/2015, of October 1, of the Common Administrative Procedure of the
Public Administrations (hereinafter LPACAP).
II
Due to operational reasons of the administrative body, therefore, no
attributable to the appellant party, to date the mandatory
statement of this Agency regarding the claim of the appellant.
In accordance with the provisions of article 24 of the LPACAP, the meaning of silence
in the proceedings to challenge acts and provisions is
dismissive. However, and despite the time that has elapsed, the Administration is
obliged to issue an express resolution and to notify it in all procedures
whatever its form of initiation, as provided in article 21.1 of the aforementioned
Law. Therefore, it is appropriate to issue the resolution that ends the appeal procedure
replacement filed.
III
Based on these rules and in consideration of the facts considered proven,
determined that:
“In the present case, from the examination of the documentation in the file, it was
notes that the right of access was met.
The documents requested by the claimant are not part of that regulated access
in the data protection regulations, as they are documents linked to the relationship
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 3/4
agreement between the parties, and the claimant must go to the authorities
corresponding to your request.
Therefore, taking into account the provisions of the preceding paragraphs, that access to
said contractual data is independent of the right of access regulated in the
data protection regulations, and that the respondent has provided access to their
data, it is appropriate to dismiss the claim of rights.”
IV
The purpose of this resolution is the reversal appeal filed on the date
February 28, 2022 against the resolution dated January 26, 2022, issued by
the Director of the Spanish Data Protection Agency, agreeing to the
dismissal of the claim initially filed.
In the arguments presented by the defendant, in relation to the appeal for
replacement presented by the appellant, ratifies what was already stated during the
processing of the procedure.
“(…) the right of access does not cover, in general, “obtaining a copy of
certain documents or other information associated with a business relationship,
labor, contractual or administrative”. The affected person must go to the authorities
competent since, as the Agency indicates, "the requested documents do not
are part of the access regulated in the data protection regulations as they are
documents linked to the contractual relationship between the parties.”
IV
Article 4, Definitions, of the GDPR, provides that:
“For the purposes of this Regulation, the following shall be understood as:
1) "personal data": any information about an identified natural person or
identifiable ("the interested party"); An identifiable natural person shall be deemed to be any person
whose identity can be determined, directly or indirectly, in particular by
an identifier, such as a name, an identification number,
location, an online identifier or one or more elements of the identity
physical, physiological, genetic, psychic, economic, cultural or social of said person;
(…)”
After reviewing the documentation in the file again, it is verified
that, taking into account that bank movements are data of a
personal and that must be supplied by the data controller, and given that
the information was partially provided, it is appropriate to uphold the present appeal of
replacement so that the claimed entity provides the claimant with the information
requested.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 4/4
Considering the aforementioned precepts and others of general application,
the Director of the Spanish Data Protection Agency RESOLVES:
FIRST: ESTIMATE the motion for reversal filed by D. A.A.A. against
Resolution of this Spanish Agency for Data Protection issued on the 26th of
January 2022, in file TD/00293/2021, which rejects the claim of
protection of rights formulated by the same against 4FINANCE SPAIN FINANCIAL
SERVICES, S.A.U. so that, within ten business days following the
notification of this resolution, send the claimant the right to
requested access, in accordance with the provisions of the body of this
resolution. The actions carried out as a result of this Resolution
must be communicated to this Agency within the same period. The breach of this
resolution could lead to the commission of the offense considered in article
72.1.m) of the LOPDGDD, which will be sanctioned, in accordance with article 58.2 of the
GDPR.
SECOND: NOTIFY this resolution to D. A.A.A. and 4FINANCE SPAIN
FINANCIAL SERVICES, S.A.U.
In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure, it may be filed in the
period of two months from the day following the notification of this act
according to the provisions of article 46.1 of Law 29/1998, of July 13, regulating the
Contentious-administrative jurisdiction, contentious-administrative appeal before the
Contentious-administrative Chamber of the National High Court, in accordance with the
provided for in article 25 and in section 5 of the fourth additional provision of the
aforementioned legal text.
185-170919
Sea Spain Marti
Director of the Spanish Data Protection Agency
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
