AEPD - E-08210-2021 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 4(22) GDPR; Article 15 GDPR; Article 56(1) GDPR; Article 60 GDPR; §74 LOPDGDD |
Type: | Complaint |
Outcome: | Rejected |
Started: | 07.02.2020 |
Decided: | |
Published: | 26.10.2022 |
Fine: | n/a |
Parties: | Banc de Sabadell S.A |
National Case Number/Name: | E-08210-2021 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Michelle Ayora |
The Spanish DPA, as Lead Supervisory Authority, dismissed a complaint against a bank for alleged violation of Article 15 GDPR. It held that the controller sufficiently complied with the access request.
English Summary
Facts
The data subject lodged a complaint with the Spanish DPA against Banco de Sabadell, the controller, whose main establishment is located in Spain. The complaint was based on the right of access exercised by the data subject and the fact that the controller handed over a copy containing only the personal data from the data subject’s file and not the detailed transactions from the account.
Next, the complaint was sent to the Spanish DPA through a system intended for cross-border administrative cooperation and mutual assistance between the Member States, in accordance with Article 56(1) GDPR, due to the cross-border character of the complaint and the competence of the Spanish DPA as lead supervisory authority.
Under Article 60 GDPR, the following DPAs were identified as “concerned supervisory authorities” under Article 4(22) GDPR: the Netherlands, Italy, France and Portugal, since data subjects who reside on their territory might be substantially affected by the processing analysed in this case. On the other hand, the Polish DPA also claimed interest since the controller operated on its territory.
The controller claimed that the data subject did not specify the extent of the request, that is, did not detail the data, purpose or processing operation they wanted to access. Additionally, the controller interpreted the request as a demand for the “personal data used by the bank”, considering, firstly, the information already provided on the website and in the contract in accordance with Article 13 GDPR and, secondly, the need to avoid the right of access resulting in excessive data disclosure, given the amount of data handled.
Furthermore, in the same document, the controller provided information regarding the application “Banca a distancia” (long-distance banking), which allows the customer to view and check the movements and operations on the account. The controller also stated that it was at the client’s disposal to extend or clarify the request. Finally, the controller proceeded to hand over a copy containing all the information requested by the data subject.
Holding
Initially, the Spanish DPA proposed dismissing the complaint, to which the French DPA objected.
However, the Spanish DPA confirmed that the data subject did not specify the personal data expected, the controller attended to the request by providing a copy containing the personal data from the data subject’s file, and the same document communicated the possibility to extend the information. Moreover, the data subject had access to a secure and easy-access tool to get the information requested. The French DPA did not object this time.
The Spanish DPA also observed that with the second communication, on 1 September 2020, the controller satisfied the access request. Therefore, if there had been a violation of Article 15 GDPR, it would be prescribed (time-barred) under Article 74 of the national data protection law, as the complaint was submitted on 7 February 2020.
Finally, the complaint was dismissed as unfounded. The Spanish DPA ordered that the controller be notified of this outcome.
Comment
It seems from the reading of the decision that the Spanish DPA, as Lead Supervisory Authority, dismissed the complaint, despite Article 60(8) GDPR stating that "where a complaint is dismissed or rejected, the supervisory authority with which the complaint was lodged shall adopt the decision and notify it to the complainant and shall inform the controller thereof."
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: E/08210/2021
IMI Reference: A56ID 162649 - Case Register 353519
RESOLUTION TO ARCHIVE PROCEEDINGS
Of the actions carried out by the Spanish Agency for Data Protection and based on the following
FACTS
FIRST: A.A.A. (hereinafter, the claimant party) filed a claim with the Netherlands data protection authority. The claim is directed against BANCO DE SABADELL, S.A. with NIF A08000143 (hereinafter, BANCO DE SABADELL). The grounds on which the claim is based are as follows:
When the right of access was exercised in January 2019, BANCO DE SABADELL did not provide in its answer the detail of the transactions carried out, although it did provide the data that appears in the customer file.
The complaining party provides:
- Copy of the document by which the exercise of the right of access was requested from BANCO DE SABADELL, S.A., dated January 29, 2019.
- Exchange of emails between the address of the complaining party ***EMAIL.1 and the address exercise derechosprotecdatos@bancsabadell.com, in which the complaining party requests the exercise of the right of access before BANCO DE SABADELL and the latter confirms the sending of a burofax with the information requested, on February 13 and March 21, 2019.
- Copy of the document provided by BANCO DE SABADELL with the information requested by the claimant, dated February 13, 2019.
SECOND: Through the “Internal Market Information System” (hereinafter IMI system), regulated by Regulation (EU) No. 1024/2012 of the European Parliament and of the Council of October 25, 2012 (IMI Regulation), whose objective is to promote cross-border administrative cooperation, mutual assistance between Member States and the exchange of information, the aforementioned complaint was transmitted on February 7, 2020 and was registered as received at the Spanish Agency for Data Protection (AEPD) that same day.
The transfer of this claim to the AEPD is carried out in accordance with the provisions of article 56 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 04/27/2016 on the Protection of Natural Persons with regard to the Processing of Personal Data and the Free Movement of such Data (hereinafter, RGPD), taking into account its cross-border nature and that this Agency is competent to act as the lead supervisory authority, since BANCO DE SABADELL has its registered office and main establishment in Spain.
The data processing that is carried out affects interested parties in various Member States. According to the information included in the IMI system, in accordance with the provisions of article 60 of the RGPD, the authorities of Italy, France and Portugal act as "concerned supervisory authorities", in addition to the data protection authority of the Netherlands. All of these under article 4.22 of the RGPD, since the interested parties who reside in the territory of these supervisory authorities are likely to be substantially affected by the processing that is the object of this procedure. For its part, the supervisory authority of Poland also declared itself concerned, since the bank operates on its territory.
THIRD: The General Subdirectorate for Data Inspection proceeded to carry out preliminary investigative actions to clarify the facts in question, by virtue of the functions assigned to the supervisory authorities in article 57.1 and the powers granted in article 58.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), and in accordance with the provisions of Title VII, Chapter I, Second Section, of the LOPDGDD, having learned of the following points:
According to the representatives of BANCO DE SABADELL, the claimant exercised his right of access to his personal data on January 29, 2019, without specifying any data, processing or purpose that he wished to know about specifically. He was informed of the contracts signed with the entity, including the Remote Banking contract, which allows him to view and check at any time the movements of his accounts, positions and other operations.
In the response provided, BANCO DE SABADELL remained at his disposal to make clarifications, extensions, limitations or any other specific designation of the personal data, purposes and processing about which he wished to have information, so that if he had specifically requested it, it would have been provided through the same medium.
That, being a client and holder of a Distance Banking contract, the claimant had available, through a secure and easily accessible remote medium, the information relating to the movements of all the positions held with the entity, including the data of the transactions carried out.
With the existing availability through Remote Banking and the documented response to the exercise of the right, the request of the complaining party was considered answered; the request did not specify that it required the data of the transactions carried out, which will be provided if specifically requested.
In relation to the reason why the complainant has not been provided with all of the information, the representatives of BANCO DE SABADELL state that:
1) The complaining party exercised a right of access to their personal data on January 29, 2019, using certain paragraphs of the literal text of article 15 of European Regulation 679/2016.
The large amount of data that the data controller, as a financial entity, processes about its clients, and the data protection information that, in accordance with article 13 of the RGPD, BANCO DE SABADELL provides, both on its website and in the contractual documentation, to the interested parties about the numerous processing operations that it carries out, led to the interpretation that the answer given covered the exercise of the right of access of the complaining party, on the understanding that he already knew the general information about the data processing carried out by the entity and that his interest was focused on knowing exactly what personal data is used by the bank. (They currently consider this interpretation to have been erroneous.)
The claimant's own request, revealing a certain familiarity with the RGPD, made them trust that providing the personal data subject to processing responded to the request adequately, without intending to close off the possibility of offering greater detail on any specific processing that could be of interest.
The experience acquired by the entity in dealing with the exercise of data protection rights, as well as the change of culture that both interested parties and entities have experienced, leads to a continuous review of its action in the matter and, in order to avoid that, due to the large amount of data it processes, the exercise of the right of access of the interested parties is distorted by an excess of information, it offers the interested party the possibility of contacting the entity again if the expectation of information has not been fulfilled.
2) Once it was understood that the response to the exercise of the right of access had not been correct, they proceeded to provide all the information requested by the claimant, remaining at his disposal to provide further details on any issue he deems appropriate. This information would equally have been provided if it had been requested directly from the entity without submitting a claim before the data protection authorities.
On September 2, 2020, BANCO DE SABADELL sent an email informing the complaining party that a certified letter had been sent with the response to the exercise of the right of access.
The representatives of the entity provide the documentation sent to the complaining party in compliance with the exercise of the right of access and proof of shipment dated September 1, 2020.
FOURTH: On July 23, 2021, the Director of the AEPD declared the expiration of the proceedings, as more than twelve months had elapsed since their inception, and new investigative actions were opened with number E/08210/2021, incorporating into these new actions the documentation in file E/02669/2020.
This resolution, which was notified to BANCO DE SABADELL in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (LPACAP), was collected on July 26, 2021, as stated in the acknowledgment of receipt that is in the file.
FIFTH: On August 16, 2021, the Director of the AEPD adopted a draft decision to archive the proceedings. Following the process established in article 60 of the RGPD, on August 20, 2021 this draft decision was transmitted through the IMI system and the concerned authorities were informed that they had four weeks from that moment to formulate relevant and reasoned objections. Within the deadline for this purpose, the French supervisory authority submitted its relevant and reasoned objections for the purposes of the provisions of article 60 of the RGPD.
SIXTH: On July 20, 2022, the Director of the AEPD adopted a revised draft decision to archive the proceedings. Following the process established in article 60 of the RGPD, on July 21, 2022 this draft decision was transmitted through the IMI system and the concerned authorities were informed that they had two weeks from that moment to formulate relevant and reasoned objections. Within the period for this purpose, the supervisory authorities concerned did not present relevant and reasoned objections in this regard, for which reason it is considered that all authorities agree with the said revised draft decision and are bound by it, in accordance with the provisions of section 6 of article 60 of the RGPD.
FOUNDATIONS OF LAW
I
Competence and applicable regulations
In accordance with the provisions of article 60.8 of the RGPD and with the provisions of articles 47 and 48 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to resolve these investigative actions.
Likewise, article 63.2 of the LOPDGDD determines that: “The procedures processed by the Spanish Agency for Data Protection will be governed by the provisions of Regulation (EU) 2016/679, of this organic law, by the regulatory provisions issued in its development and, as long as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures.”
II
Previous issues
In the present case, in accordance with the provisions of article 4.1 and 4.2 of the RGPD, there is evidence of the processing of personal data, since BANCO DE SABADELL collects and stores, among others, the following personal data of natural persons: name and surname and financial data, among other processing operations.
BANCO DE SABADELL carries out this activity in its capacity as data controller, since it is the one that determines the purposes and means of such activity, by virtue of article 4.7 of the RGPD. In addition, it is cross-border processing, given that BANCO DE SABADELL is established in Spain, although it provides services in other countries of the European Union.
The RGPD provides, in its article 56.1, for cases of cross-border processing, provided for in its article 4.23), in relation to the competence of the lead supervisory authority, that, without prejudice to the provisions of article 55, the supervisory authority of the main establishment or of the single establishment of the controller or processor will be competent to act as lead supervisory authority for the cross-border processing carried out by said controller or processor in accordance with the procedure established in article 60. In the case examined, as has been stated, BANCO DE SABADELL has its main establishment in Spain, so the Spanish Agency for Data Protection is competent to act as the lead supervisory authority.
For its part, article 15 of the RGPD and article 13 of the LOPDGDD regulate the right of access of the interested parties to their personal data.
III
Right of access
Article 15 “Right of access of the interested party” of the RGPD establishes:
"1. The interested party shall have the right to obtain from the data controller confirmation of whether or not personal data concerning him or her is being processed and, in such case, the right of access to the personal data and the following information:
a) the purposes of the processing;
b) the categories of personal data in question;
c) the recipients or categories of recipients to whom the personal data were or will be communicated, in particular recipients in third countries or international organizations;
d) if possible, the expected period of retention of the personal data or, if not possible, the criteria used to determine this period;
e) the existence of the right to request from the controller the rectification or erasure of personal data or the restriction of the processing of personal data relating to the interested party, or to object to said processing;
f) the right to file a claim with a supervisory authority;
g) when the personal data has not been obtained from the interested party, any available information about its origin;
h) the existence of automated decisions, including profiling, referred to in article 22, sections 1 and 4, and, at least in such cases, meaningful information about the logic applied, as well as the significance and anticipated consequences of such processing for the interested party.
2. When personal data is transferred to a third country or to an international organization, the interested party shall have the right to be informed of the appropriate guarantees under article 46 relating to the transfer.
3. The data controller will provide a copy of the personal data subject to processing.
The controller may charge a reasonable fee based on administrative costs for any other copy requested by the interested party. When the interested party submits the request by electronic means, and unless he or she requests that it be provided otherwise, the information will be provided in a commonly used electronic format.
4. The right to obtain a copy mentioned in section 3 will not negatively affect the rights and freedoms of others”.
In this regard, article 13 "Right of access" of the LOPDGDD provides that:
"1. The right of access of the affected party will be exercised in accordance with the provisions of article 15 of Regulation (EU) 2016/679.
When the controller processes a large amount of data relating to the affected party and the latter exercises the right of access without specifying whether it refers to all or part of the data, the controller may request, before providing the information, that the affected party specify the data or processing activities to which the request refers.
2. The right of access shall be deemed granted if the data controller provides the affected party with a remote, direct and secure access system to the personal data that guarantees, permanently, access to its entirety. For these purposes, the communication by the controller to the affected party of the way in which the latter may access said system will suffice to consider the request to exercise the right as attended to.
However, the interested party may request from the controller the information referring to the points provided for in article 15.1 of Regulation (EU) 2016/679 that is not included in the remote access system.
3. For the purposes established in article 12.5 of Regulation (EU) 2016/679, the exercise of the right of access on more than one occasion during a period of six months may be considered repetitive, unless there is legitimate cause for it.
4. When the affected party chooses a means other than the one offered that involves a disproportionate cost, the request will be considered excessive, so that said affected party will assume the excess costs that the choice entails. In this case, the controller will only be required to satisfy the right of access without undue delay”.
In the present case, having regard to the reasons stated by BANCO DE SABADELL, which are in the file, it has been verified that on 02/13/2019 the bank answered the complaining party, providing the data that appeared in the customer file, although the details of the transactions carried out were not provided in that response.
However, the claimant exercised a generic right of access to his personal data dated January 29, 2019, without specifying any data, processing or purpose that he wished to know about specifically. And in its reply, BANCO DE SABADELL informed him of the contracts signed with this entity, among them the Distance Banking contract, which allows him to view and check at any time the movements of his accounts, positions and other operations with this entity.
In any case, being a client and holder of a Distance Banking contract, the complaining party had available, through a secure and easily accessible remote means, information regarding the movements of all the positions held with BANCO DE SABADELL, including the details of the transactions carried out.
Furthermore, the large amount of data that the data controller, as a financial institution, processes about its clients, and the data protection information that BANCO DE SABADELL provides, both on its website and in the contractual documentation, to interested parties about the numerous processing operations that it carries out, led it to interpret, inadequately as it now sees, that the response given in 2019 covered the exercise of the right of access of the complaining party, on the understanding that the interested party already knew the general information about the processing of data carried out by the entity and that his interest was focused on knowing exactly what personal data is used by the bank.
The claimant's own request, revealing a certain familiarity with the RGPD, made them trust that providing the personal data subject to processing responded to the request adequately, without intending to close off the possibility of offering greater detail on any specific processing that could be of interest.
The experience acquired during these years by BANCO DE SABADELL in attending to the exercise of data protection rights, as well as the change of culture that both interested parties and entities have experienced, has led it to carry out a continuous review of its performance in the matter and, therefore, in order to avoid that, due to the large amount of data that it processes, the exercise of the right of access of the interested parties is, in a certain way, distorted by an excess of information, it offers the interested party the possibility of contacting the bank again if the expectation of information has not been fulfilled, to maintain an open channel of communication.
In any case, once it was understood that the response to the exercise of the right of access had not satisfied the complaining party, BANCO DE SABADELL provided, on September 1, 2020, a new response to the exercise of rights of the complaining party, which included all the aspects covered in art. 15 of the RGPD, remaining at his disposal to offer more detail about any matter that he deems appropriate.
IV
Classification of a possible infringement of article 15 of the RGPD
The aforementioned infringement of article 15 of the RGPD could entail the commission of the offenses typified in article 83.5 of the RGPD, which under the heading "General conditions for the imposition of administrative fines" provides:
“Infringements of the following provisions will be sanctioned, in accordance with paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total global annual turnover of the previous financial year, whichever is higher:
(…)
b) the rights of the interested parties according to articles 12 to 22; (…)”
In this regard, the LOPDGDD, in its article 71 "Infringements", establishes that “The acts and behaviors referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law, constitute infringements.”
For the purposes of the limitation period, article 74 "Infringements considered minor" of the LOPDGDD indicates:
“The remaining infringements of a merely formal nature of the articles mentioned in paragraphs 4 and 5 of article 83 of Regulation (EU) 2016/679 are considered minor and will prescribe after one year and, in particular, the following:
(…)
c) Failure to respond to requests to exercise the rights established in articles 15 to 22 of Regulation (EU) 2016/679, unless this results from the application of the provisions of article 72.1.k) of this organic law. (…)”
In the present case, on September 1, 2020, BANCO DE SABADELL would have duly attended to the right of access requested by the complaining party. Therefore, in the event that there was an infringement of article 15 of the RGPD, such infringement would be prescribed, in accordance with the provisions of the aforementioned article 74 of the LOPDGDD.
Thus, in accordance with what has been indicated, by the Director of the Spanish Agency for Data Protection, IT IS AGREED:
FIRST: PROCEED TO ARCHIVE these proceedings.
SECOND: NOTIFY this resolution to BANCO DE SABADELL, S.A.
In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure as prescribed by art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, and in accordance with the provisions of arts. 112 and 123 of the aforementioned Law 39/2015, of October 1, interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within one month from the day following the notification of this resolution, or directly file a contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and paragraph 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within two months from the day after the notification of this act, as provided in article 46.1 of the aforementioned Law.
940-110422
Mar España Martí
Director of the Spanish Data Protection Agency
C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es