AEPD (Spain) - EXP202204836

From GDPRhub
Revision as of 10:36, 14 February 2024 by 84.113.103.211 (talk)
AEPD - EXP202204836
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 15 GDPR
Type: Complaint
Outcome: Partly Upheld
Started:
Decided:
Published:
Fine: n/a
Parties: EasyJet
National Case Number/Name: EXP202204836
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: EXP202204836 (in ES)
Initial Contributor: n/a

The Spanish DPA fined EasyJet a reduced fine of €8,000 for failing to reply to a data subject access request in due time.

English Summary

Facts

A data subject was denied boarding to an EasyJet flight. To ascertain why, he requested all the personal data that EasyJet held on him under Article 15 GDPR. This email was sent on the 28/12/2021. On 30/12/2021, EasyJet replied stating that it would take them time to reply to the access request as their staff was on holiday. On the 16/03/2022 the data subjecty sent EasyJet an email stating that he would file a complaint with the DPA given that he had still not received a reply.

EasyJet replied to the data subject stating that his original request had never come to the relevant team's attention as he had apparently sent the email to the wrong department. They asked the data subject to send it again so that they could resolve it promptly. When the data subject repeated the request, EasyJet stated on 01/04/2022 that they could not give him information related this boarding as claims relating to denied boarding complaints are not related to the GDPR.

Holding

The Spanish DPA initially fined EasyJet €10,000 for a breach of Article 15 GDPR. However, given that EasyJet voluntarily paid it and accepted responsibility for the infraction, it was reduced to €8,000.

First, EasyJet told the DPA that they responded to the complainant by 01/04/2022. The DPA pointed out that Article 12.3 GDPR requires controller's to reply to access requests within one month. EasyJet took almost four months after the data subject had submitted his request, on 12/28/2022, to reply.

Second, While it is true that on 30/12/2021 EASYJET responded to the complainant's e-mail, the e-mail limited itself to providing a generic response confirming receipt of the e-mail. The e-mail mentioned that the complaint would be and that it would be forwarded to the corresponding team for consultation. Thus, EasyJet already in December indicated an agreement to initiate the access request. The data subject was not provided an adequate response until April 2022.

Third, on the information related to the boarding, the DPA agreed that it was not related to the GDPR. For this reason, the DPA limited itself to focusing on Article 15 GDPR and the time that the controller took to reply to the access request.

Comment

It is the controller's responsibility to ensure that access requests are forwarded to the relevant department. EDPB guidelines state that it is not the data subject's job to prove that their request 'arrived on the responsible person's desk'. The data subject only needs to prove that they sent it to the controller/ relevant person, and in the case of Article 15, that the one month deadline has expired.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/19











     File No.: EXP202204836


       RESOLUTION OF TERMINATION OF THE PAYMENT PROCEDURE
                                   VOLUNTEER


From the procedure instructed by the Spanish Data Protection Agency and based
to the following
                                  BACKGROUND


FIRST: On March 9, 2023, the Director of the Spanish Agency for
Data Protection agreed to initiate sanctioning proceedings against EASYJET AIRLINE
COMPANY LIMITED (hereinafter the claimed party). Startup agreement notified
and after analyzing the allegations presented, on November 3, 2023,
issued the proposed resolution that is transcribed below:


<<


File No.: EXP202204836



       PROPOSED RESOLUTION OF SANCTIONING PROCEDURE

From the procedure instructed by the Spanish Data Protection Agency and based

to the following:

                                  BACKGROUND

FIRST: On 03/21/2022, this Agency received a document submitted

by A.A.A. (hereinafter, the complaining party), through which the claim is made
against EASYJET AIRLINE COMPANY LIMITED with NIF N0066592G (hereinafter,
EASYJET), due to a possible non-compliance with the provisions of the regulations of
Personal data protection.


The reasons on which the claim is based are the following:

"Good morning.

On December 28, I requested access to my data in exercise of my right to

access, to the company Easyjet, in the framework of a claim for breach of
Regulation (EC) No 261/2004, to all data relating to me in your possession,
in addition to those related to said file. I received only a mere acknowledgment of
received on December 30 of the same year. To date I have not received
any response to my request.





C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/19








On March 18, I sent a reminder to the company and they answered me.
ignoring the access request, denying its existence, even
“acknowledgment of receipt exists.”


Along with the claim, provide, among others, the following documentation:

    - Email from the complaining party, dated 12/28/2021, sent to
       electronic addresses ***EMAIL.1 and ***EMAIL.2, with the subject “Claim
       Regulation (EC) nº261/2004-Right of Access Request”. Its content does

       allusion to a claim presented by the complaining party in relation to
       the fact that he was denied boarding on a company flight, as well as,
       to the request to exercise their right of access.

    - Email from the address ***EMAIL.2, dated 12/30/2021, in which

       indicates that the previous email will be forwarded to the competent team for
       query, but that, due to the holiday period, the answer may
       be delayed.

    - Email from the address ***EMAIL.3, dated 03/18/2022, whose
       content is as follows:



“Dear Mr. A.A.A.,

Thanks for your reply.


Please keep in mind that we are a different department and have not
received any request related to the Data Protection Policy in your
name. We are only responsible for the Data Protection Policy part and
Our team does not handle claims.


Please let us know if you would like to receive the information easyJet holds about you
in a request for access to the subject's data, and we will be happy to
help you.

For any other question or claim you may have, contact the

Privacy we cannot help you.

Please note that if we do not receive a response within 17 days, your
application will be automatically filed. (…)”


    - Email from the complaining party, dated 03/18/2022, sent to the
       email address ***EMAIL.3 and ***EMAIL.4, in which he answers “here you have
       the receipt of the request by your team (…)”.

SECOND: In view of the reported events, on 04/21/2022 this Agency agreed
to the website ***URL.1, being verified that the privacy policy indicates

as contact address ***EMAIL.2. However, to “exercise any of its
rights in relation to the data that easyJet holds about you” a
specific form.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/19









In accordance with article 65.4 of Organic Law 3/2018, of December 5, of
Protection of Personal Data and guarantee of digital rights (hereinafter

LOPDGDD), on 06/03/2022, said claim was transferred to EASYJET, so that
proceed to its analysis and inform this Agency within a period of one month, of the
actions carried out to adapt to the requirements provided for in the regulations of
Data Protection.

The transfer, which was carried out in accordance with the rules established in Law 39/2015, of

October 1, of the Common Administrative Procedure of Administrations
Public (hereinafter, LPACAP), was collected on 06/06/2022 as stated in the
acknowledgment of receipt that appears in the file.

THIRD: On 06/21/2022, in accordance with article 65 of the LOPDGDD,

The claim presented by the complaining party was admitted for processing.

FOURTH: On 07/05/2022, this Agency received a written response in the
which states the following:

“[…]


Second.- Notwithstanding the above and in relation to the content of your request, it has been
meaning that on the Easyjet website there is a specific form so that
Users can exercise the rights of the RGPD of access, information, rectification
and deletion, as shown below.


Likewise, the email address that is made available to the
users for any issue related to GDPR rights is the
following: ***EMAIL.2. (…).


Third.- However, as can be deduced from the information provided by the
complainant in its annex nº2 it seems that the emails requesting
access were sent to a different email, specifically to ***EMAIL.3, as well as to
customer service address: ***EMAIL.4.

On the other hand, in the communications sent to my client they have confused

claims related to the compensation required as a result of the
alleged denial of boarding suffered by the claimant together with the demand for
right of access to personal data, which is why it could have been altered
the system for handling this type of requests.


Fourth.- Having explained the above and regarding the questions raised to this part in
your request, we will answer them correlatively:

    1. (…) A request was received that was not clear and clarification was requested from the
       interested.


    2. (…) The claimant was asked to adequately inform what his
       specific request and see what specific element in your case you wanted to rectify
       to proceed accordingly.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/19









[…]”


FIFTH: On 03/09/2023, the Director of the Spanish Agency for the Protection of
Data agreed to initiate sanctioning proceedings against EASYJET, in accordance with the
provided in articles 63 and 64 of the LPACAP, for the alleged violation of article
15 of the RGPD, typified in article 83.5.b) of the RGPD.


This initiation agreement, which was notified in accordance with the rules established in the
LPACAP through electronic notification, was collected by EASYJET on 03/16/2023.

SIXTH: On 03/30/2023, EASYJET presented a written document, in a timely manner, before
this Agency in which it stated the following:


“[…]

First.- That in this procedure an initial agreement has been issued by which
It is agreed to set an initial penalty of €20,000 as a result of the facts and
infringement contemplated therein.


Second.- That following the provisions of the initiation agreement and in accordance with the
provided in article 85 of LPACAP, this party shows its willingness to avail itself of
the 40% reduction in the amount of the penalty, showing express recognition
of compliance responsibility as well as the payment of the fine of

voluntarily, waiving the filing of any action or resource
administrative matter where applicable.

[…]”


SEVENTH: On 05/05/2023, EASYJET presented a new document to this Agency
in which he stated the following:

“[…]

Second.- Attention to the exercise of the Claimant's right of access


As can be seen from the schedule included in the previous Allegation, the Company
attended to the exercise of the Claimant's right of access on April 1, 2022,
sending you all the information about you that it kept in its systems,
as well as the information required by article 15 of the GDPR.


For these purposes, a copy of the email through the
which the corresponding response is sent to the Claimant, along with all the
information that is made available to you (see Annex I).


In accordance with the above, the Company is interested in highlighting that the request for
exercise of the right of access sent by the Complainant to the Company, was
attended to by the latter prior to receipt of the Information Request (15
June 2022) and, therefore, upon receipt of the Startup Agreement (March 17,
2023).

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/19









Third.- Other considerations


Likewise, the Company is interested in highlighting that:

    (i) Although the claim was initially filed by the interested party on the day
           December 28, 2021, this only included in its penultimate paragraph a
           mention of the exercise of your right of access in accordance with the RGPD. Yes ok
           It is true that the Society treated the Complainant's message initially

           as a mere claim for damages and not as an exercise of rights
           of data protection, the Complainant also did not mention the
           exercise of his right in the subsequent conversations he had with
           the Company's customer service team. In fact, he didn't do it again.
           reference to the exercise of your right of access until March 17,

           2021, when he demanded payment of the compensation that had been awarded to him
           presumably recognized by AESA.

    (i) Throughout the management of the exercise of the Claimant's right of access,
           the Company, as can be seen from the emails exchanged between
           the Company and the Claimant, a copy of which is attached as Annex I, has

           received, from the Claimant, a multitude of warnings about the
           initiation of legal action, including a mention of the possibility of
           desist from them if he receives payment of the amounts claimed.
           In the opinion of the Society, these messages and the lack of cooperation by
           part of the Complainant when the data protection team of the

           Society contacted him to address his right, denote a
           little concern about this matter, and it can be concluded that his
           exclusive intention was the collection of the economic amounts claimed,
           nothing related to the protection of their fundamental right to
           Data Protection.


    (ii) Once the claimant's claim is received on March 17, 2021,
           The Company contacted him on two occasions (17 and 22
           March 2021) to apologize for the delay in responding to your
           Exercise of the right of access. Along with apologies, the team

           Data Protection Company attempted to confirm with the Complainant his
           claim to exercise the right of access, clarify the scope of its
           request, ask if you wish to exercise any other rights, and
           notify you that your management was being processed, since, from the request
           initial exercise of the right of access included within the writing of

           damage claim, the extent of the damage was not clear with certainty.
           same.

    (iii) On April 1, 2021, only 9 business days after receiving the

           confirmation by the Claimant of his desire to exercise his right to
           access and receive all the data that the Company maintains in its
           systems, it attended to said right and transferred the requested information
           (see attached Annexes I and II).


[…]”
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/19









Along with the writing, provide the following documentation:


    - Email sent by EASYJET from the email address
       ***EMAIL.3, dated 04/01/2022 at 10:22 a.m., to the complaining party
       (***EMAIL.5), with the subject “Data Request-A.A.A.”. Its content does
       allusion to the information relating to the exercise of the right of access of the party
       claimant.


    - Copy of data stored in EASYJET systems in relation to
       the complaining party.

EIGHTH: A list of documents on file is attached as an annex.
procedure.


Of the actions carried out in this procedure and the documentation
recorded in the file, the following have been accredited:


                                PROVEN FACTS


FIRST: On 12/28/2021, at 10:34 p.m., the complaining party sends an email
email (***EMAIL.5) to the addresses ***EMAIL.1 and ***EMAIL.2, with the subject
“Complaint Regulation (EC) nº261/2004-Request Right of Access”. His
content refers to a claim presented by the complaining party in

connection with the fact that he was denied boarding on a company flight, as well
as, to the request to exercise your right of access.

SECOND: On 12/30/2021, at 0:45 a.m., the complaining party receives an email
email address ***EMAIL.2, informing you that it has been moved

your request to the corresponding department, but that, due to the vacation period,
the response may be delayed.

THIRD: On 03/16/2022, at 0:13 a.m., the complaining party sends an email
email to the addresses ***EMAIL.1 and ***EMAIL.2, with the subject “NOTICE
FILING LEGAL ACTIONS/COMPLAINMENT TO THE PROTECTION AUTHORITY

DATA/RESOLUTION AESA/ Re: Complaint Regulation (EC) No. 261/2004-
Access right request.” In the text, the opinion is communicated to the claimed entity.
estimate of the Spanish Aviation Safety Agency in relation to the expenses
derived from the denial to board and, in addition, points out the following:


“Likewise, and in the absence of a response within the estimated period to the request for
exercise of the right of access contemplated in the General Protection Regulation
of Data (EU), the filing of the corresponding complaint to
the relevant data protection authorities.


FOURTH: On 03/17/2022, at 09:45 a.m., EASYJET (***EMAIL.3) sends an email
email to the complaining party with the following content:

“Dear Mr. A.A.A.,

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/19








We are writing to you from the easyJet privacy team regarding your incident,
but specifically in regards to your request regarding the Protection of
Data that you may have done with us. Unfortunately, this request
never came to the attention of our team and therefore we would like you to
will clarify your original request so that it can be resolved promptly. Please reply

directly to this email address. We thank you for your patience and
We apologize for this situation. We look forward to your prompt response to
in order to be able to follow up on your request. Best regards, Protection team
easyJeT Data Center.”

On that same date, at 09:51 a.m., the complaining party responded as follows:


"Dear
I have the acknowledgment of receipt of the request issued by your team. In fact, one
Once the grace period of one week that I have granted them has expired, I will report
easyJet to the competent data protection authority.”


On that same day, at 10:45 a.m., EASYJET responds to the complaining party:

“Dear Mr. A.A.A.,
We are writing to you from the easyJet privacy team regarding your incident,
but specifically in regards to your request regarding the Protection of

Data that you may have done with us. Unfortunately, this request
never came to the attention of our team and therefore we would like you to
will clarify your original request so that it can be resolved promptly. Please reply
directly to this email address. We thank you for your patience and
We apologize for this situation. We look forward to your prompt response to
in order to be able to follow up on your request. Best regards, Protection team

from easyJet Data

FIFTH: On 03/18/2022, at 11:50 a.m., the complaining party receives an email
email from the address ***EMAIL.3 in which, in summary, you are informed: “Please,
Please note that we are a different department and have not received
any request related to the Data Protection Policy on your behalf. Only

We are responsible for the Data Protection Policy part and our team
does not manage claims. Please let us know if you would like to receive the information
that easyJet has about you in a request for access to the subject's data, and
We will be happy to help you. For any other issue or claim that
you may have, the Privacy team cannot help you. Please keep in mind
Please note that if we do not receive a response within 17 days, your request will be

automatically archived. (…)”

That same day, at 1:23 p.m., the complaining party sends an email to
***EMAIL.3 and ***EMAIL.4, in which he informs his intention to sue EASYJET
before the corresponding judicial instance and before this Agency.


SIXTH: On 03/21/2022, at 12:13 p.m., the complaining party sends an email
email to the address ***EMAIL.3 and ***EMAIL.4, with the subject
“URGENT///COMMUNICATION OF COMPLAINT AND FIRING OF ACTIONS
JUDICIAL”. In the content it informs EASYJET of having presented a

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/19








claim against the entity before this Agency in relation to your request for
access.


SEVENTH: On 03/22/2022, at 08:46 hours, EASYJET (***EMAIL.3) responds to the
complaining party:

“Dear Mr. A.A.A.,
Thanks for your reply. First of all, we would like to apologize for the delay.
that has occurred in ours and in case your initial complaint has not been interpreted

correctly. However, we believe that you are confusing the two issues, your
complaint and data protection request. From the Protection team
Data, we are trying to complete your request, but we need clarification
What specifically are you looking for? If you can help us by telling us what kind of
information you are looking for, we will be happy to help you. We have been able

find out that the Data Protection team has considered your email,
of which you have sent us the acknowledgment of receipt, as a claim, and therefore
has both reported it to the competent team at that time, which is that of
Claims.
Our team (Privacy Team) has not received clarification of your request
related to data protection. Please note that our team

is responsible for writing DSARs, which are requests for
access to subjects' data, which we disclose when a client wants to have
access to the information that easyJet has about him. Our team is also
responsible for removals, restrictions and corrections of addresses of
email in our clients' accounts. However, we do not

We handle claims. We appeal to your understanding of what has been explained.
above, and we will be happy to help you, if you have any request
related to the GDPR. Do you want to receive a document with the information you
easyJet has on you? Perform a deletion, restriction or correction of your
account? If so, please let us know and we will comply. But, as we have already indicated,

Please note that claims regarding denied boarding do not
are related to the GDPR, and our team only aims to help you in your
data request. Please reply directly to this email
letting us know how we can help you. Thank you for your collaboration and
comprehension. Best regards, Data Protection team”


That same day, at 10:35 a.m., the complaining party responds to the entity
claimed as follows:

"Good morning.
Question posed by the Easyjet data protection team, 03/22/2022

"Would you like to receive a document with the information that easyJet has about you?
Perform a deletion, restriction or correction of your account? If so, please let us know
know and we will fulfill it. But, as we have already indicated, keep in mind that the
Claims relating to denied boarding are not related to the
GDPR, and our team only aims to help you with your data request."

Extract from my complaint EU Passenger Regulation/GDPR access request,
12/28/2022 "Finally, please serve this writing as a formal request for the purposes of the
General Data Protection Regulation or data protection regulations


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/19








corresponding, for the exercise of my right of access to all data relating
my person in the power of Easyjet."
Enjoy what has been reported. Any dismissal for reasons of form will be

appealed to the highest possible levels, posing a risk of a fine for
EasyJet, with the corresponding negative impact that it will have on the
media given the public interest in the matter, which in any case does not
will compensate for the refusal to repay the amounts legitimately recognized
by the aeronautical supervisory body.
By the way, it seems that your colleagues on the claims team have not received

the AESA opinion nor my warning of the filing of legal actions. Them
I would appreciate it if you would send them the opinion, which I attach below.
All the best,
A.A.A.


EIGHTH: On 04/01/2022, at 10:22 a.m., EASYJET responded to the right of
access of the complaining party, by email sent from the address
***EMAIL.3 to the complaining party (***EMAIL.5) with a copy of the data in their
can.

That same day, at 12:20 p.m., the complaining party sends an email to

the addresses ***EMAIL.6 and ***EMAIL.7, with the following content:

“Dear B.B.B.
Thank you very much for sending me the requested information. However, we will leave
to the Spanish Data Protection Agency to decide on the appropriateness of the action

of EasyJet regarding this exercise of the right of access.
However, I would like to tell you that the information contained in the report is
incorrect. It's not that I want to initiate the corresponding legal actions, I have already
formalized and the judicial process is already underway. You will be summoned to testify
by the competent court as soon as possible.

You can call me at ***PHONE.1 to coordinate the payment of the amounts
required and close this matter, or we will see each other in Court soon. If you want,
You can pass this information on to your colleagues.
All the best,
A.A.A.



                           FOUNDATIONS OF LAW

                                            Yo
                          Competition and applicable regulations


In accordance with the powers that article 58.2 of the RGPD grants to each authority of
control and as established in articles 47, 48.1, 64.2 and 68.1 of LOPDGDD, it is
competent to initiate and resolve this procedure the Director of the Agency
Spanish Data Protection.


Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/19








regulations dictated in its development and, insofar as they do not contradict them, with a
subsidiary, by the general rules on administrative procedures."


                                           II
                                  Previous issues

Article 4 “Definitions” of the GDPR defines the following terms for the purposes of
Regulation:


"1) 'personal data': any information about an identified natural person or
identifiable ("the interested party"); Any person will be considered an identifiable natural person
whose identity can be determined, directly or indirectly, in particular by
an identifier, such as a name, an identification number, data
location, an online identifier or one or more elements of identity

physical, physiological, genetic, mental, economic, cultural or social of said person;”

“2) “treatment”: any operation or set of operations performed on
personal data or sets of personal data, whether by procedures
automated or not, such as the collection, registration, organization, structuring,
conservation, adaptation or modification, extraction, consultation, use,

communication by transmission, broadcast or any other form of enabling
access, collation or interconnection, limitation, deletion or destruction;”

“7) “responsible for the treatment” or “responsible”: the natural or legal person,
public authority, service or other body that, alone or jointly with others, determines the

purposes and means of processing; whether Union or Member State law
determines the purposes and means of the treatment, the person responsible for the treatment or the
Specific criteria for their appointment may be established by Union Law.
or of the Member States;”


In the present case, in accordance with the provisions of article 4.1 of the RGPD, there is
the processing of personal data, since EASYJET carries out the
collection and conservation of, among others, the following personal data: name and
surnames

EASYJET carries out this activity in its capacity as data controller, given

which is the one who determines the ends and means of such activity, by virtue of article 4.7 of the
GDPR.

                                           III
                                 Allegations alleged


In relation to the allegations alleged to the agreement at the beginning of this
sanctioning procedure, we proceed to respond to them.

EASYJET claims to have responded to the complaining party on 04/01/2022

Sending you all the personal information that appears in their systems and the necessary information
to address the right in question. It emphasizes that the access request was attended to
before receiving the request for information and, subsequently, the initiation agreement.
As proof, provide a copy of the email sent to the complaining party in the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/19








indicated date, as well as the information provided to it in response to the request
of access.


In this regard, this Agency wishes to point out that article 12.3 of the RGPD grants the
responsible for the treatment one month from receiving the access request to give
response to the right exercised, without prejudice to the fact that it may be extended for another two
months if necessary, and the interested party must be informed of this. However, in the
In this case, EASYJET did not properly attend to the right of access exercised by the
complaining party until 04/01/2022, almost four months after there was

submitted your application on 12/28/2021.

Although it is true that on 12/30/2021 EASYJET responded to the email from the
complaining party in which it exercised its right of access, it is no less true that the
entity limited itself to giving him a generic response in which it confirmed receipt of the

email and that it would be forwarded to the corresponding team for consultation. So that,
As already indicated in the agreement to initiate this sanctioning procedure,
It is evident that it was not possible for the complaining party to access their data
nor was an adequate response provided until April.

EASYJET alleges that it has received a multitude of warnings from the complaining party regarding

the initiation of legal actions, including a mention of the possibility of withdrawing
of the same if he received payment of the amounts claimed in relation to the
denial to board a company flight.

In this regard, this Agency wishes to point out that it is not competent to resolve issues

that are not related to the matter of protection of personal data.

                                           IV
                                  Right of access


Article 15 “Right of access of the interested party” of the GDPR establishes:

"1. The interested party will have the right to obtain from the data controller
confirmation of whether or not personal data that concerns you are being processed and, as such
case, right of access to personal data and the following information:


    a) the purposes of the processing;

    a) the categories of personal data in question;

    b) the recipients or categories of recipients to whom they were communicated or

        personal data will be communicated, in particular recipients in
        third parties or international organizations;

    c) if possible, the expected period of conservation of the personal data or, if possible,
        If not possible, the criteria used to determine this period;


    d) the existence of the right to request rectification or deletion from the person responsible
        of personal data or the limitation of the processing of personal data
        relating to the interested party, or to oppose said treatment;

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/19









    e) the right to file a claim with a supervisory authority;


    f) when the personal data have not been obtained from the interested party, any
        available information about its origin;

    g) the existence of automated decisions, including profiling, to
        referred to in article 22, paragraphs 1 and 4, and, at least in such cases,
        significant information about the logic applied, as well as the importance and

        foreseen consequences of said processing for the interested party.

2. When personal data is transferred to a third country or to an organization
international, the interested party will have the right to be informed of the guarantees
appropriate under Article 46 relating to transfer.


3. The person responsible for the treatment will provide a copy of the personal data subject to
treatment. The person responsible may receive any other copy requested by the
interested party a reasonable fee based on administrative costs. When the
interested party submits the request by electronic means, and unless requested
If otherwise provided, the information will be provided in an electronic format.

Common use.

4. The right to obtain a copy mentioned in section 3 will not negatively affect
to the rights and freedoms of others.”


For its part, article 13 “Right of access” of the LOPDGDD provides that:

"1. The right of access of the affected person will be exercised in accordance with the provisions of the
article 15 of Regulation (EU) 2016/679.


When the person responsible processes a large amount of data related to the affected person and this
exercise your right of access without specifying whether it refers to all or part of the
data, the person responsible may request, before providing the information, that the affected person
specify the data or processing activities to which the request refers.

2. The right of access will be understood to be granted if the person responsible for the treatment

will provide the affected person with a remote, direct and secure access system to the data
personal data that guarantees, permanently, access to its entirety. To such
effects, the communication by the person responsible to the affected party of the way in which the latter may
accessing said system will be enough to have the request to exercise the
right.


However, the interested party may request from the person responsible the information regarding the
extremes provided for in article 15.1 of Regulation (EU) 2016/679 that are not
included in the remote access system.


3. For the purposes established in article 12.5 of Regulation (EU) 2016/679,
The exercise of the right of access on more than one occasion may be considered repetitive.
during the period of six months, unless there is legitimate cause for it.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 13/19








4. When the affected person chooses a means other than the one offered that entails a cost
disproportionate, the request will be considered excessive, so said affected person
will assume the excess costs that its choice entails. In this case, it will only be

the person responsible for the treatment is required to satisfy the right of access without
undue delays.”

In the present case, it is clear that the complaining party requested EASYJET access to
your personal data, on 12/28/2021, via email sent to
the addresses ***EMAIL.2 and ***EMAIL.5. Not only did it indicate in the subject of the email

“Complaint Regulation (EC) No. 261/2004-Request Right of Access” (the
emphasis is from the Agency), but also, at the end of the content, it says
textually “that this writing serves as a formal request for the purposes of the
General Data Protection Regulation or data protection regulations
corresponding, for the exercise of my right of access to all data relating

to my person in the hands of Easyjet.” In this sense, the electronic address to which
directed by the complaining party is one of the means that EASYJET makes available to
those affected to exercise their GDPR rights, along with a form
request specific. This is stated in the privacy policy of their website.
(***URL.2).


For its part, EASYJET limited itself to sending you a generic response on 12/30/2021 in the
confirming receipt of your email and that it would be forwarded to the team
corresponding for your consultation. However, after the complaining party
communicate its intention to the claimed entity to file a claim with
this Agency in the absence of a response to your access request, on 03/17/2022, one day

Later, EASYJET responded indicating that it had not received the access request and
asking him to clarify his original request. It was not until 04/01/2022 when
EASYJET gave the complaining party access to the requested information.

In accordance with the evidence available at this time

proposed resolution of sanctioning procedure, it is considered that the facts
known could constitute an infringement, attributable to EASYJET, for
violation of article 15 of the RGPD.

                                           V
                 Classification of the violation of article 15 of the GDPR


If confirmed, the aforementioned violation of article 15 of the RGPD could mean the
commission of the infraction classified in article 83.5.b) of the RGPD that under the rubric
“General conditions for the imposition of administrative fines” provides:


“Infringements of the following provisions will be sanctioned, in accordance with the
paragraph 2, with administrative fines of a maximum of EUR 20 000 000 or,
In the case of a company, an amount equivalent to a maximum of 4% of the
global total annual business volume of the previous financial year, opting for
the largest amount:


    to) (…)

    a) the rights of the interested parties under articles 12 to 22; (…)”

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 14/19









For the purposes of the limitation period, article 72.1 “Infringements considered very
serious” of the LOPDGDD indicates the following:


"1. Based on what is established in article 83.5 of Regulation (EU) 2016/679,
considered very serious and will prescribe after three years the infractions that involve
a substantial violation of the articles mentioned therein and, in particular, the
following:


(…)

    k) The impediment or obstruction or repeated failure to attend to the exercise of
       the rights established in articles 15 to 22 of the Regulation (EU)

       2016/679; (…)”

                                           SAW
                  Penalty for violation of article 15 of the GDPR

The corrective powers available to the Spanish Agency for the Protection of

Data, as a supervisory authority, is established in article 58.2 of the GDPR. Between
They have the power to impose an administrative fine in accordance with the
article 83 of the RGPD -article 58.2 i)-, or the power to order the person responsible or
processor that the processing operations comply with the
provisions of the GDPR, where applicable, in a certain manner and within a

specified period -article 58.2 d)-.

According to the provisions of article 83.2 of the GDPR, the measure provided for in article 58.2
d) of the aforementioned Regulation is compatible with the sanction consisting of a fine
administrative.


In the present case, taking into account the facts presented and without prejudice to what
results from the instruction of the procedure, it is considered that the sanction that
It would be appropriate to impose an administrative fine. The fine imposed must
be, in each individual case, effective, proportionate and dissuasive, in accordance with the
article 83.1 of the GDPR. In order to determine the administrative fine to be imposed,

to observe the provisions of article 83.2 of the RGPD, which indicates:

"2. Administrative fines will be imposed, depending on the circumstances of each
individual case, as an additional or substitute for the measures contemplated in the
Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine

administrative and its amount in each individual case will be duly taken into account:

a) the nature, severity and duration of the infringement, taking into account the
nature, scope or purpose of the processing operation in question, as well as
such as the number of interested parties affected and the level of damages that

have suffered;

b) intentionality or negligence in the infringement;



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 15/19








c) any measure taken by the person responsible or in charge of the treatment to
alleviate the damages and losses suffered by the interested parties;


d) the degree of responsibility of the person responsible or in charge of the treatment,
taking into account the technical or organizational measures that have been applied under
of articles 25 and 32;

e) any previous infringement committed by the controller or processor;


f) the degree of cooperation with the supervisory authority in order to remedy the
infringement and mitigate the possible adverse effects of the infringement;

g) the categories of personal data affected by the infringement;


h) the way in which the supervisory authority became aware of the infringement, in
particular whether the controller or processor notified the infringement and, if so, in what
extent;

i) when the measures indicated in Article 58, paragraph 2, have been ordered
previously against the person responsible or the person in charge in question in relation to the

same matter, compliance with said measures;

j) adherence to codes of conduct under Article 40 or to mechanisms of
certification approved in accordance with article 42,


k) any other aggravating or mitigating factor applicable to the circumstances of the case,
such as financial benefits obtained or losses avoided, direct or
indirectly, through infringement.”

For its part, in relation to letter k) of article 83.2 of the RGPD, the LOPDGDD, in

its article 76, “Sanctions and corrective measures”, provides:

"1. The sanctions provided for in sections 4, 5 and 6 of article 83 of the Regulation
(EU) 2016/679 will be applied taking into account the graduation criteria
established in section 2 of the aforementioned article.


2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679
may also be taken into account:

a) The continuous nature of the infringement.


b) The linking of the offender's activity with the performance of medical treatments.
personal information.

c) The benefits obtained as a consequence of the commission of the infraction.


d) The possibility that the conduct of the affected person could have included the commission
of the infringement.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 16/19








e) The existence of a merger by absorption process subsequent to the commission of the
infringement, which cannot be attributed to the absorbing entity


f) The impact on the rights of minors

g) Have, when not mandatory, a data protection delegate.

h) The submission by the person responsible or in charge, on a voluntary basis, to
alternative conflict resolution mechanisms, in those cases in which

"There are disputes between those and any interested party."

These are aggravating circumstances:

    - The duration of the infringement (article 83.2.a) of the RGPD): However, and all

       once this aggravating circumstance was taken into account in the initial agreement
       of this sanctioning procedure due to EASYJET not having responded to the
       right of access, it is considered that the severity of the same is diminished
       when the attention of the right exercised by the complaining party is proven, if
       Well this took place almost four months after the deadline established in the
       regulations in force.


    - The linking of the offender's activity with the performance of treatment
       personal data (article 76.2.b) of the LOPDGDD): EASYJET is an entity
       that processes personal data systematically and continuously
       and that it must take extreme care in fulfilling its obligations in

       data protection matters.

The balance of the circumstances contemplated allows us to establish as an initial assessment a
fine of €10,000 (ten thousand euros) for violating article 15 of the RGPD.


In view of the above, the following is issued:

                           MOTION FOR RESOLUTION

That by the Director of the Spanish Data Protection Agency EASYJET
AIRLINE COMPANY LIMITED, with NIF N0066592G, for a violation of article 15

of the RGPD, typified in article 83.5 of the RGPD, with a fine of €10,000 (ten thousand
euros).

Likewise, in accordance with the provisions of article 85.2 of the LPACAP, you will be
informs that it may, at any time prior to the resolution of this

procedure, carry out the voluntary payment of the proposed sanction, which
It will mean a 20% reduction in the amount. With the application of this
reduction, the penalty would be established at €8,000 (eight thousand euros) and its payment
will imply the termination of the procedure. The effectiveness of this reduction will be
conditioned upon the withdrawal or waiver of any action or appeal pending.

administrative against the sanction.

In the event that you choose to proceed with the voluntary payment of the specified amount
above, in accordance with the provisions of article 85.2 cited, you must do so

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 17/19









effective by depositing it into the restricted account IBAN number: ES00 0000 0000 0000
0000 0000 (BIC/SWIFT Code: XXXXXXXXXXXX) opened in the name of the Agency
Spanish Data Protection in the banking entity CAIXABANK, S.A., indicating
in the concept the reference number of the procedure that appears in the

heading of this document and the cause, for voluntary payment, of reduction of the
amount of the penalty. Likewise, you must send proof of entry to the
General Subdirectorate of Inspection to proceed to close the file. In its virtue
You are notified of the above, and the procedure is made clear to you so that

Within a period of TEN DAYS you can allege whatever you consider in your defense and present
the documents and information that it considers relevant, in accordance with the article
89.2 of the LPACAP.


In its virtue, you are notified of the above, and the procedure is made clear to you.
so that within a period of TEN DAYS you can allege whatever you consider in your defense and
present the documents and information that you consider pertinent, in accordance with
article 89.2 of the LPACAP.



                                                                                926-170223
C.C.C.
INSPECTOR/INSTRUCTOR






































C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 18/19










                                       EXHIBIT
File index EXP202204836

03/21/2022 Claim from A.A.A.
03/06/2022 Transfer of claim to EASYJET AIRLINE SPAIN, S.E.E.
06/21/2022 Communication to A.A.A.
07/05/2022 Response to request from EASYJET AIRLINE CO LTD
03/10/2023 A. opening to AINHOA BILBAO RANDEZ

03/16/2023 Info. Claimant to A.A.A.
03/30/2023 Written by EASYJET AIRLINE CO LTD
05/05/2023 Written by EASYJET AIRLINE CO LTD

>>


SECOND: On November 14, 2023, the claimed party has proceeded to
payment of the penalty in the amount of 8,000 euros making use of the planned reduction
in the proposed resolution transcribed above.

THIRD: The payment made entails the waiver of any action or resource pending.

administrative against the sanction, in relation to the facts referred to in the
resolution proposal.

                           FOUNDATIONS OF LAW


                                           Yo
                                    Competence

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD), grants each
control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the

Organic Law 3/2018, of December 5, on Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), is competent to
initiate and resolve this procedure the Director of the Spanish Protection Agency
of data.


Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations dictated in its development and, insofar as they do not contradict them, with a
subsidiary, by the general rules on administrative procedures."


                                          II
                            Termination of the procedure

Article 85 of Law 39/2015, of October 1, on Administrative Procedure
Common Public Administrations (hereinafter LPACAP), under the heading

“Termination in sanctioning procedures” provides the following:



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 19/19








"1. A sanctioning procedure has been initiated, if the offender recognizes his responsibility,
The procedure may be resolved with the imposition of the appropriate sanction.


2. When the sanction is solely pecuniary in nature or a penalty can be imposed
pecuniary sanction and another of a non-pecuniary nature but the
inadmissibility of the second, the voluntary payment by the alleged responsible, in
Any time prior to the resolution, will imply the termination of the procedure,

except in relation to the restoration of the altered situation or the determination of the
compensation for damages caused by the commission of the infringement.

3. In both cases, when the sanction has only a pecuniary nature, the
body competent to resolve the procedure will apply reductions of, at least,

20% of the amount of the proposed penalty, these being cumulative with each other.
The aforementioned reductions must be determined in the initiation notification.
of the procedure and its effectiveness will be conditioned on the withdrawal or resignation of
any administrative action or appeal against the sanction.


The reduction percentage provided for in this section may be increased
“regularly.”

According to what was stated,
the Director of the Spanish Data Protection Agency RESOLVES:


FIRST: DECLARE the termination of procedure EXP202204836, of
in accordance with the provisions of article 85 of the LPACAP.

SECOND: NOTIFY this resolution to EASYJET AIRLINE COMPANY

LIMITED.

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.


Against this resolution, which puts an end to the administrative procedure as prescribed by
the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations, interested parties may file an appeal
administrative litigation before the Administrative Litigation Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of

the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-Administrative Jurisdiction, within a period of two months from the
day following the notification of this act, as provided for in article 46.1 of the
referred Law.


                                                                                968-171022

Sea Spain Martí
Director of the Spanish Data Protection Agency






C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es