AEPD (Spain) - EXP202204752

From GDPRhub
Revision as of 06:13, 10 June 2023 by Sarahgrundboeck
AEPD - PD-00148-2022
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law:
§ 15 RGPD; § 13 LOPDGDD
Type: Other
Outcome: n/a
Started:
Decided:
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: PD-00148-2022
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: RESOLUCIÓN No: R/00934/2022 (in ES)
Initial Contributor: n/a

A.A.A (the data subject) submitted and filed a claim on April 6 2022 against the Universidad Autónoma de Madrid, a university (the controller) for not correctly and properly attending to his right of access.

English Summary

Facts

A.A.A. (the data subject) filed a claim on April 6, 2022 against the Universidad Autónoma de Madrid, a university (the controller), for not correctly and properly attending to his right of access. The data subject exercised his right of access against the controller without receiving the legally established response. The data subject's request included a physical-format copy of the original Motivation Act and access to a video call held through the Microsoft Teams digital platform. The claim was transferred to the Spanish Data Protection Agency (DPA) so that it could respond to the parties within a period of one month. The claims of the claimant were not satisfied, and the maximum term to resolve the present procedure will be six months. The controller partially denied the request: it stated that it had partially complied with the right, dismissed the delivery of the physical copy of the recording made through Microsoft Teams because the requested recording was no longer available, and agreed to provide a copy of the original motivated act. The data subject expressed his disagreement, pointing to e-mails in which he requested the recording of the review, and stated that the requested document had not been provided. The claims of the claimant were not satisfied. On June 27, 2022, pursuant to Article 64.2 of the LOPDGDD, the Director of the Spanish DPA agreed to admit the data subject's complaint for processing. The DPA started an investigation. The controller is obliged to respond to requests within one month at the latest, unless it can prove that it is unable to identify the data subject and is therefore unable to respond to the request. The communication shall be expressed in concise, easily accessible, and simple language. The controller may ask the data subject to specify the data or activities to which the request refers. The request is excessive if it entails a disproportionate cost because the affected party chooses a means other than the one offered.
The right of access was not carried out in the proper manner and the complaint is upheld.

Holding

First, the DPA held that the controller had violated Article 15 of the RGPD and Article 13 of the LOPDGDD, under which the data subject has the right to obtain from the controller confirmation of whether or not his personal data are being processed, and the right of access. The right of access is a highly personal right. The claimant exercised his right of access to a recording and documentation. The controller cannot comply with the request because the recording was erased, even though the claimant had requested it since it was produced. There is also a discrepancy between the parties, and it seems that there is no agreement on the requested document. Second, the DPA considered that the purpose of this proceeding is to ensure that the guarantees and rights of the parties are duly restored and that rights must be granted or denied. Finally, the authority considered that the right of access was not carried out in the proper manner, so the complaint is upheld. The Director of the Spanish DPA upheld the claim by the data subject, and the controller must, within ten working days, send the claimant a certificate in which the right of access is either granted or denied. It should also include the reasons why.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

File No.: EXP202204752
RESOLUTION No: R/00934/2022
Having regard to the claim formulated on April 6, 2022 before this Agency by A.A.A., (hereinafter the claimant party), against UNIVERSIDAD AUTÓNOMA DE MADRID, (hereinafter the claimed party), for not having duly attended to his right of access.
Once the procedural actions provided for in Title VIII of Organic Law 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), have been verified:
FACTS
FIRST: The claimant exercised the right of access against the claimed party with NIF Q2818013A, without his request having received the legally established response.
His request includes: A PHYSICAL FORMAT COPY OF THE ORIGINAL MOTIVATIONAL ACT and access to the video call through the Microsoft Teams digital platform dated July 20, 2021.
It provides various documentation related to the claim filed with this Agency and on the exercise of the right exercised.
SECOND: In accordance with article 65.4 of the LOPDGDD, which has provided a mechanism prior to the admission for processing of the claims that are formulated before the AEPD, consisting of transferring them to the Data Protection Delegates designated by those responsible or in charge of the treatment, for the purposes provided for in article 37 of the aforementioned regulation, or to them when they have not designated them, the claim was forwarded to the entity claimed so that it could proceed with its analysis and respond to the claimant and to this Agency within one month.
THIRD: The result of the transfer procedure indicated in the previous Fact did not allow the claims of the claimant to be satisfied. Consequently, on June 27, 2022, for the purposes set forth in article 64.2 of the LOPDGDD, the Director of the Spanish Agency for Data Protection agreed to admit the claim submitted for processing and informed the parties that the maximum term to resolve this procedure, which is understood to have started through said agreement for admission to processing, will be six months.
The aforementioned agreement granted the defendant entity a hearing process, so that within fifteen business days it could present the allegations it deemed appropriate.
In the only response received in this Agency from the defendant, we have verified that the defendant states that he has partially complied with the right, namely:
"...FIRST: DISMISS the delivery of the physical copy of the recording of the review of the END of Degree Project (TFG) made on 07/20/2021 through the Microsoft Teams platform because, given the elapsed time, the requested recording is no longer available.
SECOND: ESTIMATE the delivery to the interested party of a copy of the reasoned record of the court of claim justifying the qualification..."
FOURTH: The complaining party presents allegations in which it shows its disagreement.
He provides some emails exchanged with the claimed party where he requests the recording of the review on the same day it occurs.
In addition, he adds that the requested document has not been provided.
FUNDAMENTALS OF LAW
FIRST: The Director of the Spanish Data Protection Agency is competent to resolve, in accordance with the provisions of section 2 of article 56 in relation to section 1 f) of article 57, both of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 regarding the protection of natural persons with regard to the processing of personal data and the free circulation of these data (hereinafter, GDPR); and in article 47 of Organic Law 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD).
SECOND: In accordance with the provisions of article 55 of the GDPR, the Spanish Agency for Data Protection is competent to carry out the functions assigned to it in article 57, including that of enforcing the Regulation and promoting the awareness of the managers and those in charge of the treatment about the obligations incumbent on them, as well as to treat the claims presented by an interested party and investigate the reason for them.
Correlatively, article 31 of the GDPR establishes the obligation of those responsible and in charge of the treatment to cooperate with the control authority that requests it in the performance of their functions. In the event that they have designated a data protection officer, article 39 of the GDPR attributes to the latter the function of cooperating with said authority.
In the same way, the internal legal system, in article 65.4 of the LOPDGDD, has provided for a mechanism prior to the admission for processing of the claims that are formulated before the Spanish Agency for Data Protection, which consists of transferring them to the data protection delegates appointed by those responsible or in charge of the treatment, for the purposes provided in article 37 of the aforementioned standard, or to them when they have not designated them, so that they proceed to the analysis of said claims and respond to them within the term of one month.
In accordance with this regulation, prior to the admission for processing of the claim that gives rise to this procedure, it was forwarded to the responsible entity so that it could proceed with its analysis, respond to this Agency within the period of one month and certify having provided the claimant with the due response, in the event of exercise of the rights regulated in articles 15 to 22 of the GDPR.

      
The result of said transfer did not make it possible to understand the claimants' claims satisfied. Consequently, on June 27, 2022, for the purposes provided for in article 64.2 of the LOPDGDD, the Director of the Spanish Agency for Data Protection agreed to admit the claim submitted for processing. Said agreement for admission to processing determines the opening of this procedure for lack of attention to a request to exercise the rights established in articles 15 to 22 of the GDPR, regulated in article 64.1 of the LOPDGDD, according to which:
"1. When the procedure refers exclusively to the lack of attention to a request to exercise the rights established in articles 15 to 22 of Regulation (EU) 2016/679, it will begin with an agreement for admission to processing, which will be adopted in accordance with the established in the following article.
In this case, the term to resolve the procedure will be six months from the date on which the claimant was notified of the agreement for admission to processing. After that period, the interested party may consider his claim upheld."
The purification of administrative responsibilities within the framework of a disciplinary procedure is not deemed appropriate, the exceptional nature of which implies that, whenever possible, the prevalence of alternative mechanisms that are protected by current regulations is considered.
It is the exclusive competence of this Agency to assess whether there are administrative responsibilities that must be cleared in a disciplinary procedure and, consequently, the decision on its opening, there being no obligation to initiate a procedure before any request made by a third party. Said decision must be based on the existence of elements that justify said initiation of the sanctioning activity, circumstances that do not occur in the present case, considering that with this procedure the guarantees and rights of the claimant are duly restored.
THIRD: The rights of individuals regarding the protection of personal data are regulated in articles 15 to 22 of the GDPR and 13 to 18 of the LOPDGDD. The rights of access, rectification, deletion, opposition, right to limitation of treatment and right to portability are contemplated.
The formal aspects related to the exercise of these rights are established in articles 12 of the GDPR and 12 of the LOPDGDD.
Furthermore, what is expressed in Recitals 59 et seq. of the GDPR is taken into account.
In accordance with the provisions of these regulations, the person responsible for the treatment must arbitrate formulas and mechanisms to facilitate the exercise of their rights by the interested party, which will be free of charge (without prejudice to the provisions of articles 12.5 and 15.3 of the GDPR), and is obliged to respond to requests made no later than one month, unless it can demonstrate that it is not in a position to identify the interested party, and to express its reasons in the event that it is not going to attend to said request.
The proof of compliance with the duty to respond to the request for the exercise of their rights made by the affected party falls on the person responsible.
The communication addressed to the interested party on the occasion of their request must be expressed in a concise, transparent, intelligible and easily accessible manner, with clear and simple language.
In the case of the right of access to personal data, in accordance with the provisions of article 13 of the LOPDGDD, when the exercise of the right refers to a large amount of data, the person responsible may request the affected party to specify the "data or treatment activities to which the request refers". The right will be understood as granted if the person in charge provides remote access to the data, taking the request for granted (although the interested party may request the information referring to the points provided in article 15 of the GDPR).
The exercise of this right may be considered repetitive when it is exercised on more than one occasion during the period of six months, unless there is legitimate cause for it.
On the other hand, the request will be considered excessive when the affected party chooses a means other than the one offered that entails a disproportionate cost, which must be borne by the affected party.
FOURTH: In accordance with the provisions of article 15 of the GDPR and article 13 of the LOPDGDD, "the interested party has the right to obtain from the data controller confirmation of whether or not personal data concerning him or her is being processed and, in such case, the right of access to personal data".
Like the rest of the rights of the interested party, the right of access is a very personal right. It allows the citizen to obtain information about the treatment that is being made of their data, the possibility of obtaining a copy of the personal data that concerns them and that are being processed, as well as information, in particular, about the purposes of the treatment, the categories of personal data in question, the recipients or categories of recipients to whom the personal data was communicated or will be communicated, the expected term or conservation criteria, the possibility of exercising other rights, the right to file a claim with the control authority, the information available on the origin of the data (if these have not been obtained directly from the owner), the existence of automated decisions, including the preparation of profiles, and information on transfers of personal data to a third country or to an international organization. The possibility of obtaining a copy of the personal data subject to treatment will not negatively affect the rights and freedoms of others, that is, the right of access will be granted in such a way that it does not affect the data of third parties.
In the case analyzed here, the complaining party exercised its right of access to a recording and documentation.
The claimed party responds with respect to the recording that it cannot meet the right because it has been deleted despite the fact that the claimant requested it since it was produced. This is confirmed in the emails provided.
And with respect to the requested documentation, the claimed party refers to a "copy of the reasoned record of the court of claim justifying the qualification" and the claimant of "COPY IN PHYSICAL FORMAT OF THE ORIGINAL MOTIVATIONAL RECORD".

In view of the discrepancies between the parties, it seems that there is no agreement in the requested document either, since the claimant literally states: "...not having proceeded to comply with either of the two Petitums Capitales...", referring to the documentation and recording.
Based on the foregoing, considering that the purpose of this procedure is to ensure that the guarantees and rights of those affected are duly restored and that the rights must be attended to or denied on grounds, the defendant must justify the reason why, despite having received the request for the copy of the recording for the first time while it was still in his possession, he did not provide it to the claimant. The claimant provides some emails that prove it.
And, it must also clarify whether what was requested by the claimant regarding the documentation corresponds to what was provided, clarifying the difference in the denomination or giving the correct documentation.
Since the right of access was not carried out properly, the claim is upheld.
Given the aforementioned precepts and others of general application, the Director of the Spanish Agency for Data Protection RESOLVES:
FIRST: UPHOLD the claim made by A.A.A. and urge UNIVERSIDAD AUTÓNOMA DE MADRID with NIF Q2818013A, so that, within ten business days following the notification of this resolution, it sends the claimant a certification in which the requested right of access is addressed or denied with reasons, indicating the causes for which it is not appropriate to attend to the request, in accordance with the provisions of the body of this resolution. The actions carried out as a consequence of this Resolution must be communicated to this Agency within the same period. Failure to comply with this resolution could lead to the commission of the offense considered in article 72.1.m) of the LOPDGDD, which will be penalized, in accordance with art. 58.2 of the GDPR.
SECOND: NOTIFY this resolution to A.A.A. and UNIVERSIDAD AUTÓNOMA DE MADRID.
In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once the interested parties have been notified.
Against this resolution, which puts an end to the administrative process in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, interested parties may optionally file an appeal for reversal before the Director of the Spanish Agency for Data Protection within a period of one month from the day following the notification of this resolution, or directly file a contentious-administrative appeal before the Contentious-administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the aforementioned Law.