AEPD (Spain) - TD/00325/2019
AEPD - TD/00325/2019 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 12 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Decided: | n/a |
Published: | 3.02.2020 |
Fine: | None |
Parties: | Health Department of Madrid Vs. Anonymous |
National Case Number: | TD/00325/2019 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language: | Spanish |
Original Source: | AEPD (in ES) |
The DPA ordered a bank (KUTXABANK S.A.) to respond to a subject access request.
English Summary
Facts
A bank's client complained that they could not exercise their right of access after the bank had blocked their account due to debts. The bank refused to fulfill the request, claiming that it no longer processed personal data since the account was blocked.
Dispute
Could the controller refuse to answer a request for access because the requested data is part of a "blocked" account?
Holding
The AEPD found that, as there is an ongoing relationship, the bank still holds personal data. The DPA ordered the bank to fulfill the data subject’s request within the ten working days following the decision. It further ordered the company to inform the AEPD during the same time period on its compliance with the decision. Lastly, it decided that the fact that the controller blocked the account is irrelevant and the controller must comply with the request for access, as required by Article 15 GDPR.
English Machine Translation of the Decision
The decision below is a machine translation of the original. Please refer to the Spanish original for more details.
File No.: TD/00325/2019
1037-100919

RESOLUTION No.: R/00657/2019

Having regard to the complaint filed on 9 May 2019 with this Agency by D.A.A.A., (hereinafter the complaining party), against CONSEJERÍA DE SANIDAD DE LA COMUNIDAD DE MADRID - SERVICIO MADRILEÑO DE SALUD, (hereinafter the complaining party), for failure to comply with its right of access. Once the procedural actions provided for in Title VIII of the Organic Law 3/2018 of 5 December on the Protection of Personal Data and the guarantee of digital rights (hereinafter LOPDGDD) have been carried out, the following have been established:

FACTS

FIRST: On April 15, 2019, the claimant exercised his right of access to the claimant with NIF S7800001E, without having received the legally established reply. The claimant provides various documentation relating to the claim made before this Agency and on the exercise of the right exercised. Specifically, he requests access to his medical records by e-mail at the PUERTA DE HIERRO MAJADAHONDA UNIVERSITY HOSPITAL. On May 8, 2019, the respondent replies: "...It is impossible for us to send this documentation by mail. We could deliver the documentation to some person authorized by you and it would have a period of one month from this date. After this time, if it has not been collected, it will be destroyed...".

SECOND: In accordance with the functions provided for in Regulation (EU) 2016/679, of 27 April 2016, General Data Protection Regulation (RGPD), particularly those that respond to the principles of transparency and proactive responsibility on the part of the person responsible for the processing, you have been required to inform this Agency of the actions that have been carried out to deal with the complaint raised.

In summary, the following allegations were made:

- The representative/Delegate of Data Protection of the claimant states in the allegations made during the processing of the present procedure: That they cannot send the documentation to Honduras (place that the claimant had requested because he was residing there). That they need to prove the identity of the applicant and they doubt such identification with the electronic systems used. They ask the claimant the possibility that someone, previously authorized, collect the documentation on their behalf and that they have never denied the request for access