AEPD (Spain) - PS/00016/2022
AEPD - PS/00016/2022 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 15 GDPR, Article 56 GDPR, Article 60 GDPR, Article 83(2) GDPR |
Type: | Complaint |
Outcome: | Partly Upheld |
Started: | 05.01.2021 |
Decided: | 28.02.2023 |
Published: | |
Fine: | n/a |
Parties: | Holidays Edreams |
National Case Number/Name: | PS/00016/2022 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | ls |
A controller who fails to respond to an access request due to an employee error is nonetheless liable for the violation of Article 15 GDPR.
English Summary
Facts
A data subject made a purchase from Edreams (the controller). Shortly afterwards, he contacted the controller by phone. On January 5, 2021, the data subject requested access to the call recording but, after one month, he had not received any response. He therefore filed a complaint with the French DPA. The case was then sent to the Spanish authority, under Articles 56 and 60 GDPR.
During the investigation, the controller explained that the data subject had contacted the customer service department and not the privacy department, and that the internal process for responding to the request was not followed due to a human error. It also stated that as soon as the relevant department was informed, i.e. in response to the proceeding, the controller responded to the access request and sent the records by email. Finally, it explained that it had put measures in place to prevent this from happening again.
Holding
In accordance with Article 60 GDPR, the Spanish DPA allowed the other supervisory authorities concerned to give their opinions; none of them reacted.
The DPA considered that human error on the part of an employee does not exonerate the controller from its responsibility for the protection of personal data. It acknowledged that measures had been taken to ensure that access requests would be properly managed in the future. These measures however did not allow the data subject to exercise his rights before the proceedings were initiated.
The DPA therefore concluded that the controller had violated Article 15 GDPR and, considering that the infringement was minor, issued a warning.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
Procedure No.: PS/00016/2022
IMI Reference: A60DD 403656 - A61VMA 298021 - Case Register 79805
RESOLUTION OF SANCTIONING PROCEDURE
Of the procedure instructed by the Spanish Agency for Data Protection and based on the following:
BACKGROUND
FIRST: A.A.A. (hereinafter, the claimant) filed a claim with the French data protection authority. The claim is directed against HOLIDAYS EDREAMS, S.L., with NIF B61965778 (hereinafter, EDREAMS). The reasons on which the claim is based are as follows: The claimant has requested EDREAMS by e-mail to access the recording of all telephone exchanges with the company but, after a month, has not received any reply.
Date on which the claimed events took place: January 5, 2021
Along with the claim, the claimant provides:
- Capture of email sent by the complaining party to the addresses customerservice-fr@contact.edreams.com and service.client@edreams.com, dated 5 January 2021, in which the claimant makes a complaint about a purchase made in Canadian dollars and requests access to all conversations held between the complaining party and EDREAMS customer service on August 14, 2020, October 26, 2020, November 17, 2020 and December 28, 2020, and provides the following information for identification: name and surname, date of birth and last four digits of the credit card.
SECOND: Through the "Internal Market Information System" (hereinafter IMI System), regulated by Regulation (EU) No. 1024/2012, of the European Parliament and of the Council, of October 25, 2012 (IMI Regulation), whose objective is to promote cross-border administrative cooperation, mutual assistance between Member States and the exchange of information, the aforementioned claim was transmitted on May 21, 2021 and was given the date of registration of entry in the Spanish Agency for Data Protection (AEPD) that same day.
The transfer of this claim to the AEPD is carried out in accordance with the provisions of article 56 of Regulation (EU) 2016/679, of the European Parliament and of the Council, of 04/27/2016, regarding the Protection of Natural Persons with regard to the Processing of Personal Data and the Free Movement of these Data (hereinafter, GDPR), taking into account its cross-border nature and that this Agency is competent to act as main control authority, given that EDREAMS has its registered office and sole establishment in Spain.
C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es
The data processing that is carried out affects interested parties in several Member States. According to the information incorporated into the IMI System, in accordance with the provisions of article 60 of the GDPR, the following act as "control authority concerned", in addition to the French data protection authority: the data protection authorities of Portugal, Italy, Lower Saxony (Germany) and Denmark. All of them under article 4.22.b) of the GDPR, given that the interested parties residing in the territory of these control authorities are substantially affected or are likely to be substantially affected by the treatment object of this procedure.
THIRD: On June 1, 2021, in accordance with article 64.3 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the claim filed by the complaining party was admitted for processing.
FOURTH: The General Subdirectorate of Data Inspection proceeded to carry out preliminary investigation actions to clarify the facts in question, in by virtue of the functions assigned to the control authorities in article 57.1 and of the powers granted in article 58.1 of Regulation (EU) 2016/679 (General Regulation of Data Protection, hereinafter GDPR), and in accordance with the provisions of the Title VII, Chapter I, Second Section, of the LOPDGDD, being aware of the following extremes: Response to the request for information presented on behalf of EDREAMS with entry registration O00007128e2100036021, with entry into the AEPD on August 27 2021, which provides, among other things, the following information: 1. Statement that they have not received any request from the complaining party through the privacy form on your website, so it has not been processed by an agent specialized but has been dealt with by customer service. 2. Statement that this request failed because the service agent customer service that responded to this request closed it manually without managing it properly according to internal processes; these internal processes indicate that, in these requests must be answered by referring to the privacy form or escalating the exercise of law internally. 3. Declaration that they have responded to the complaining party as a result of having knowledge of this claim. And they provide a screenshot of an email addressed to the party claimant in French (and its translation into Spanish), indicating that they are attached the recordings. 4. Regarding the causes that originated this incident, statement that it occurred due to human error that occurred in a situation where the service customer service tripled the number of requests received due to the cancellations caused in the travel agency by COVID-19. 5. 
Statement that the following actions have been taken: send a reminder in the weekly newsletter to customer service agents on the centralization of the attention to data protection rights in the Privacy Form so that they are attended by specialized agents; advance training in data protection and include the case of this claim within a practical assumption in the training; inform the agent who handled the request and his manager at a meeting about what occurred; and include a reminder of the existence of the Privacy Form in the email that interested parties receive automatically in response to the emails received from customer service.
As of December 30, 2021, a search is performed on the site https://web.archive.org of the historical data that appeared in the Privacy Policy of the EDREAMS website aimed at the Spanish public (https://www.edreams.es/politica-de- privacy/) on January 13, 2021 and addressed to the French public (https://www.edreams.fr/politique-confidentialite/) on January 20, 2021, obtaining the following information:
6. Both privacy policies indicate that their last update took place in June of 2019.
7. Both privacy policies indicate two ways to exercise rights: through an online form, or through a postal address. Specifically, the privacy policy in Spanish indicates the following: "In order to exercise your rights, Click here or send your request by postal mail to the following address: Protection of data – Calle Bailén, 67, 08009 Barcelona, Spain, European Union. In your application you must clearly indicate your identity, specifying your full name and the e-mail address you used to make the purchase or create an account, and the rights you want to exercise."
FIFTH: On 01/12/2022, the Director of the AEPD adopted a project proposal decision to initiate disciplinary proceedings.
Following the process established in article 60 of the GDPR, on 02/09/2022 this proposal was transmitted through the IMI System and the concerned authorities were informed that they had two weeks from that time to make their comments. Within the period for this purpose, the control authorities concerned made their comments in this regard.
SIXTH: On 05/24/2022, the Director of the AEPD adopted a draft decision of initiation of disciplinary proceedings. Following the process established in article 60 of the GDPR, on 06/02/2022 this draft decision was transmitted through the IMI System and the concerned authorities were informed that they had four weeks from that moment to formulate pertinent and reasoned objections. Within the term for this purpose, the control authorities concerned did not present pertinent and reasoned objections in this regard, so it is considered that all the authorities agree with said draft decision and are bound by it, in accordance with the provisions of paragraph 6 of article 60 of the GDPR.
This draft decision was notified to EDREAMS in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP) on 05/25/2022, as stated in the acknowledgment of receipt in the file.
SEVENTH: On 07/15/2022, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure against EDREAMS, in accordance with the provisions of Articles 63 and 64 of the LPACAP, for the alleged violation of Article 15 of the GDPR, typified in Article 83.5 of the GDPR, in which it is indicated that it has a period of ten days to present claims.
This start-up agreement, which was notified to EDREAMS in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, was collected on 07/18/2022, as stated in the acknowledgment of receipt that works in the file. EIGHTH: On 07/30/2022, this Agency receives, in due time and form, a written EDREAMS in which it alleges the initial agreement in which, in summary, stated that: "FIRST. - EXERCISE OF RIGHTS IN EDREAMS IN ACCORDANCE WITH THE NORMATIVE. EDREAMS centralizes the management of the exercise of rights (including the right of access) to through its Privacy Form. In this way, it is easier for users to exercise of said exercises, through this easily accessible tool, linked in our Notice of Privacy and managed through a defined process and by a team formed and dedicated for that purpose. The Privacy Form allows, in turn, to automate part of the process, in order to provide a better and faster response. Initially, the interested party exercises his right through the Privacy Form. Bliss The request is exclusively conditioned to the fact that the agents specialized in the management of these rights can confirm the information and have sufficient guarantees that the person claims to be who they are and/or that the representation of a third party is sufficiently accredited (normally the confirmation happens because the client, who receives an email verification email, confirm in your personal email registered in our systems that you have requested the corresponding right). After said confirmation, it connects with the appropriate departments, to execute the corresponding actions based on the right exercised. Finally, once the actions necessary have been carried out, we proceed to respond to the interested party according to a internal guide (in this case, the right of access guide). 
This process is carried out in accordance with our Privacy Notice and our internal privacy policy (see Annex 1 - Index and applicable section of the Internal Privacy Policy), as well as internal procedures; specifically the Internal Guide on the exercise of the right of access (see Annex 2 - Internal guide on the exercise of the right of access) and with the data protection regulations:
Article 12 GDPR: "The controller will take the appropriate measures to provide the interested party with all the information indicated in articles 13 and 14, as well as any communication pursuant to articles 15 to 22 and 34 relating to processing, in a concise, transparent, intelligible and easily accessible form, with clear and simple language, in particular any information directed specifically to a child. The information will be provided in writing or by other means, including, if applicable, by electronic means.”
Article 11.1 LOPDGDD: "When personal data is obtained from the affected party, the person responsible for the treatment may comply with the duty of information established in article 13 of Regulation (EU) 2016/679 by providing the affected party with the basic information referred to in the following section and indicating an electronic address or other means that allows easy and immediate access to the rest of the information.”
Article 12.2 LOPDGDD: “2. The person in charge of the treatment will be obliged to inform the affected party about the means at his disposal to exercise the rights that correspond to him. The means must be easily accessible to the affected party. The exercise of the right
The exercise of the right It may be denied for the sole reason that the affected party opts for another means.” In this sense we want to insist that we do not deny the exercise of the right (which would also have been managed to be exercised by the Privacy Form by the team and process dedicated to that end) but rather the exceptional situation and a human error in an agent gave rise to not reiterating once again to the CLIENT, in accordance with our Notice of Privacy, the availability of the Privacy Form for the exercise of your rights. We will develop this point in the second argument. Likewise, we will establish why and how we have mitigated the risk of this happening again. European Commission - How should we process applications from people who exercise your rights in terms of data protection?: "When personal data is processed with electronic means, you must offer means so that the requests are submit electronically.” AEPD - Exercise your rights: "The person in charge is obliged to inform you about the means to exercise these rights. These means must be accessible and cannot be denied this right for the sole reason that you opt for another means”. Furthermore, EDREAMS is aware that customers can contact Contact us in different ways for different purposes. For this reason, we train our Customer Service agents and we carry out awareness actions regarding the exercise of rights. In the same way, we provide an answer guide to which you most we will refer to, with the purpose that they know how to detect the exercise of rights and know how to reiterate the information already collected in our Privacy Notice, regarding the Privacy Form as a means to exercise rights. SECOND.- EDREAMS MAKES EXTRA EFFORTS IN GENERIC CHANNELS OF CUSTOMER SERVICE IN ORDER TO GIVE THE BEST SERVICE TO ITS CUSTOMERS. 
First of all, it is necessary to confirm that after internal investigations we verified that the CLIENT did not exercise his right in accordance with our Privacy Notice, through our Privacy Form (mentioned in the first allegation and through which it is guaranteed that a specialized agent manages the corresponding request). Secondly, we have analyzed the generic Customer Service email inboxes and we have verified that we received a request from the CLIENT.
We have contacted the Customer Service team who have informed us that the agent manually closed the ticket without having handled it properly based on our internal processes that guarantee the corresponding management of said request, referring to our Privacy Form (as indicated in the internal process of data protection rights management) or escalating the exercise of the right internally to the specialized department that is in charge of it. This manual agent error occurs upon receipt of the communication on January 5, 2021, in which the agent does not open an internal response ticket and therefore does not instruct the CLIENT to exercise the right in the Privacy Form, as he should have done at that time.
In addition, this occurs in the context of an exceptional situation in which EDREAMS found itself, given the unprecedented saturation of requests in our Customer Service email inboxes that we received due to the situation caused by COVID-19.
We have asked the Customer Service team for the number of emails received in our general Customer Service email inboxes and that We provide confidentially to the Spanish Agency for Data Protection: in the month in which the CLIENT communicated to the Customer Service department client, and due to the entire COVID-19 crisis, we had a reception traffic of communications consisting of a 450% increase with respect to communications received the same month of the previous year; Specifically, we received a total of 63,837 communications in the month of January 2021, this being an exceptional saturation without precedents. Despite these devastating circumstances both financially and organizationally, We have tried to continue responding in the best possible way to all requests of our clients, obtaining internal support from other teams for this management and We have tried to get out of these months as best as possible. In these Customer Service channels we try to answer as soon as possible but there is no no specific fixed term of answer, since it depends on the filtering of topics and the their prioritization, which is done manually by the Customer Service team. client and that carries risks of incorrect manual categorization unlike what occurs when they are exercised by the appropriate and proportionate means for the exercise of rights (the Privacy Form). And it is precisely for this reason that a specific medium was created (through the Form of Privacy), complying with the data protection regulations and in order to be capable of offering a mature process that is as guaranteed and transparent as possible so that customers exercise their data protection rights. In addition, we have automated this process with a privacy tool (***TOOL.1), to reduce risks and improve our responses, and It is managed with alerts to avoid deadlines and respond to customers as soon as possible possible and within a maximum period of thirty days. 
Evidence of the same is the priority management of and immediate response to the CLIENT's exercise of the right as quickly as possible once we became aware of it: it was assigned to a senior specialist to deal with this exercise of the right immediately, performing all internal actions in our systems and the timely checks, and responding to the CLIENT accordingly.
Much to our regret, the CLIENT's case was not correctly directed to the timely information and to the Privacy Form. The exceptional circumstances and the manual error of the agent, as well as the measures implemented (which we will transfer to you below), make the risk of reproducing this case remote.
THIRD.- CONTINUOUS IMPROVEMENT OF TRANSPARENCY REGARDING THE EXERCISE OF RIGHTS
We take advantage of this case (produced by not exercising the right correctly and through the appropriate means, as well as by a manual error of the agent who did not follow our internal policies and guidelines, in an exceptional context as well) as an opportunity to analyze all the causes and circumstances of this case, referred to above in the second allegation, and that have allowed us to take extra steps to prevent similar situations from occurring.
We would like to emphasize that we believe our regulatory compliance program in the field of privacy and data protection is based on continuous monitoring and continuous improvement and learning in order to increase the levels of regulatory compliance.
In this context of exercising rights, we also maintain the same philosophy and we take the rights of data subjects very seriously, not only as an action of essential regulatory compliance, but because it is the best way to ensure the trust of our clients.
That is why we have a dedicated and specifically trained team, as well as an internal process for the exercise of data protection rights, to guarantee the best possible response to our clients, through the Privacy Form, and the internal coordination systems to deal with such requests in accordance with the regulations.
Likewise, as an extra effort to guarantee and safeguard the exercise of rights, the Customer Service agents are trained and instructed so that, in the event of receiving any matter of protection of personal data, they direct the client to the Privacy Form so that he can exercise his rights.
Despite understanding that this case occurs in the exceptional circumstances mentioned before, and having received several manual errors from Customer Service agents in generic channels of said service, we have taken the opportunity to implement a Customer Service Form, which customers will access either via the Customer Service Help Center or by sending an email to the generic Customer Service email inboxes still available.
Said form has assessed categories, among which is the option of exercising rights, which redirects to our Privacy Form (as the only means that must be used for the exercise of any right of the interested parties for the purposes of personal data protection, since it is managed by a specialized team dedicated to this purpose) (see Annex 3 - Customer Service Form and Annex 4 - Help Center and frequently asked questions).
In this way, we guarantee a specialized and guarantee procedure, while we also redirect our customers who contact us by other means (such as the general means of contact for Customer Service) in order to have a system that allows anyone who wants to exercise their rights to do so without problems, mitigating the risks of manual errors by Customer Service agents.
Likewise, we train annually on a mandatory basis on data protection and specialized in the exercise of rights, including practical cases such as this case, as well as awareness actions by the Customer Service team (see Annex 5 - Awareness articles on the exercise of rights), such as, covering topics such as “what is an exercise of data protection rights” and “how accompany clients to exercise them via the Privacy Form”. On the other hand, in recent months we have carried out a migration of the Privacy and rights management form, going from a generic to a specialized in privacy (such as ***TOOL.1) in which apart from being managed by a specialized and highly qualified team aware of data protection, we work on process automation to be more agile and reduce risks of human errors. We are sorry for what happened in this exceptional case. At the same time we understand that given the circumstances and the measures described above, EDREAMS complies with the regulations of data protection as well as the guidelines of the AEPD itself (previously referred to in the first allegation) and that the closure of the disciplinary proceedings against EDREAMS with a warning, entails a disproportionate interpretation of maximums of the data protection regulations, in a context of a global pandemic with effects never lived, especially by the tourist industry in which it carries out its activity, said company, as well as for the efforts made by it, especially when we have mitigated that the risk of cases similar to this occurring again, with a Form of Customer Service that guides customers in the event that, without having read or ignoring the Privacy Notice, want to exercise their rights, and can be guided accordingly and their rights managed, through the Privacy Form. 
We reiterate the commitment of the EDREAMS team to work tirelessly on the learning and continuous improvement of our processes, with the aim of not only complying with the regulations, but also strengthening the trust of our customers in us. And in this context, we will continue to monitor and continuously improve the policies, processes, actions and measures referred to herein.”
NINTH: On 09/02/2022, the instructing body of the disciplinary procedure formulated a resolution proposal, in which it is proposed that the Director of the AEPD direct a warning to EDREAMS, with NIF B61965778, for a violation of article 15 of the GDPR, typified in Article 83.5 of the GDPR.
This proposed resolution, which was notified to EDREAMS in accordance with the rules established in Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations (LPACAP), was collected on 09/02/2022, as stated in the acknowledgment of receipt in the file.
TENTH: On 09/16/2022, this Agency receives, in due time and form, a written statement from EDREAMS in which it makes allegations to the motion for a resolution in which, in summary, it stated that:
“SOLE.- EXERCISE OF RIGHTS IN EDREAMS IN ACCORDANCE WITH THE REGULATIONS.
EDREAMS reiterates its previous allegations and understands that it complies with the regulations in the terms described below.
On the one hand, it has an official channel, the Privacy Form (Annex 1 – Privacy Form), which is transparently informed and made available to the interested parties in our Privacy Notice, resulting in easy access for the interested party (Annex 2 - Privacy Notice: exercise of rights).
On the other, it has processes, tools, training materials and other opportune measures in which it is contemplated that the hypothetical exercise of rights cannot be denied by the simple fact that it is exercised through other channels that are not the official channel.
In this last direction, EDREAMS works tirelessly on the continuous improvement of the previously mentioned measures, which were confirmed in accordance with the third argument of our response to the agreement to initiate sanctioning proceedings dated July 29, 2022 (with registration number O00007128e22P0006395), so that in all its Customer Service channels customers are redirected to the official and dedicated channel for their management (the aforementioned Privacy Form), in the event that they were used for the exercise of rights.
We agree that an organization should have an official channel that collects a pro- guarantor transfer in the terms included in the data protection regulations, as well as appropriate measures that guide the actions of any employee thereof to inform any interested party on how to exercise their data protection rights. However, an interpretation which requires of any other channel of the organization the same degree of diligence that the official channel must have (as long as it is transparently informed in the Privacy Notice) would entail, on the one hand, an overload and a disproportionate dedication of the organization's resources and, on the other, we understand that it would be contrary to the fact that the regulations require an official channel for the exercise of rights.
The interpretation that we set out previously is based on the fact that the rule in question (article 12.2 LOPDGDD) clearly establishes that the person responsible for the treatment can determine an official channel, as long as it is easily accessible (as it is in our case).
It is clear that the standard has wanted to go further and therefore requires greater cooperation from organizations to enhance the effectiveness of rights and, therefore, it has been established that organizations cannot hide behind the fact that the corresponding right had been exercised through a channel other than the official one, to directly deny it without further ado, without having internal controls in this regard (in the aforementioned article 12.2 LOPDGDD).
But does that mean that an organization must have in any channel a ticket filtration and management system that is not only extremely urgent (due to the urgent nature of the period for the exercise of rights included in the data protection regulations), but that is also infallible, because otherwise disciplinary proceedings against the organization are opened, despite it having appropriate measures for said channels not specially dedicated to the exercise of rights (despite having an official channel, which is transparently informed in the Privacy Notice and easily accessible in accordance with the regulations, as well as measures to reduce the risk of potential manual error by an agent that manages an unofficial channel)?
This party considers disproportionate an interpretation that entails a positive response to the previous question, so please reconsider said interpretative position, understanding that said conclusion, in practice, would result in there not being an official channel, but rather any company communication channel would automatically become an official channel for the exercise of rights.
If the law had intended such a conclusion, requiring the same level of diligence for any channel of the organization, the wording should have included the following position: "The person responsible for the treatment will be obliged to inform the affected party about the fact that in any means of contact of the organization may exercise the rights that correspond to it, as well as facilitate the list of them." In the case at hand, it is necessary to insist that these Customer Service channels to the customer are intended for consumption purposes, and therefore cannot be have an expectation of channel privacy due to its nature, and require the same level of high diligence that supports a channel dedicated to the exercise of rights. Even so, in order to try to guarantee that the interested party has the Privacy at hand even despite a possible exceptional oversight of an agent Customer Service, we have implemented a note at the bottom of our emails generic emails from Customer Service, in which the customer is informed again client, once again, of the existence of the Privacy Form for a management simple control of the exercise of rights and that allows the correct verification of the identity of the interested parties (Annex 3 - Note at the foot of the emails of Customer Support). For all these reasons, this party considers that the precept in question requires a duty of reasonable diligence, but not maximalist. 
And, in this logic, without prejudice to the previously recognized position regarding the interpretation of the precept in question, we want to insist that we are sorry for what happened in this exceptional case, and we reiterate EDREAMS' commitment to continue working tirelessly on the continuous improvement of its processes, tools, and training in all two of its Customer Service channels so that, in the event that they are used for the exercise of rights, customers are directed to the special and dedicated channel for their management (the aforementioned Privacy Form).

For final clarification purposes, we understand that in the proposed resolution there is a mistake in the reference to article 112.1 of the LPACAP (which refers to the final resolution), only article 89.2 of the LPACAP being applicable (referring to the proposed resolution) and, pursuant to it, we present this claim.

For all this, this party REQUESTS:

1. That this allegation be considered submitted in due time and form.

2. That it be considered in the final resolution, taking into account that this concerns an exceptional manual error of non-compliance with our internal policies and procedures, caused by the right of access not having been exercised through the channel intended and described in our Privacy Notice (Privacy Form), having instead been addressed to generic Customer Service channels, in which the expectation of response to the exercise of rights cannot be the same, as they are intended for consumer issues.
Also, let it be noted that EDREAMS has acted and acts diligently in the respect, defense and exercise of the rights of the interested parties, always in collaboration with the AEPD, and that all this is not diminished by this exceptional case.”

From the actions carried out in this procedure and the documentation in the file, the following have been accredited:

PROVEN FACTS

FIRST: On January 5, 2021, the complaining party sent an email to each of the addresses customerservice-fr@contact.edreams.com and service.client@edreams.com, making a complaint about a purchase made in Canadian dollars and requesting access to all conversations held between the complaining party and EDREAMS customer service on August 14, 2020, October 26, 2020, November 17, 2020 and December 28, 2020, and providing the following information for identification: name and surname, date of birth and the last four digits of the credit card.

SECOND: EDREAMS did not provide the complaining party with access to the recording of all the telephone exchanges maintained with the company, and the complaining party received no reply within a month.

THIRD: As stated by EDREAMS in its allegations, the lack of attention to the exercise of the right of access occurred because “…the ticket was manually closed by the agent without having handled it properly... This manual agent error occurs upon receiving the communication on January 5, 2021, in which the agent does not open an internal response ticket.”
FOURTH: According to the search carried out on December 30, 2021, on the site https://web.archive.org, of the historical data that appeared in the Privacy Policy of the EDREAMS website aimed at the Spanish public (https://www.edreams.es/politica-de-privacy/) on January 13, 2021 and of the one addressed to the French public (https://www.edreams.fr/politique-confidentialite/) on January 20, 2021, it was possible to obtain the following information:

- In both privacy policies it is indicated that their last update took place in June 2019.
- Both privacy policies indicate two ways to exercise rights: through an online form, or through a postal address. Specifically, the privacy policy in Spanish indicates the following: "In order to exercise your rights, click here or send your request by postal mail to the following address: Data protection – Calle Bailén, 67, 08009 Barcelona, Spain, European Union. In your request you must clearly indicate your identity, specifying your full name and the e-mail address you used to make the purchase or create an account, and the rights you wish to exercise.”

FUNDAMENTALS OF LAW

I. Competence and applicable regulations

In accordance with the provisions of articles 58.2 and 60 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and the free movement of these data (hereinafter, GDPR), and as established in articles 47, 48.1, 64.2 and 68.1 and 68.2 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, of this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures.”

II. Previous questions

In the present case, in accordance with the provisions of article 4.1 of the GDPR, personal data is processed, since EDREAMS carries out the collection and storage of, among others, the following personal data of natural persons: name and surname, email and call recordings, among other processing.

EDREAMS carries out this activity in its capacity as data controller, given that it is the one who determines the purposes and means of such activity, by virtue of article 4.7 of the GDPR. In addition, it is a cross-border processing, since EDREAMS is established in Spain, although it provides services to other countries of the European Union.

The GDPR provides, in its article 56.1, for cases of cross-border processing, as provided for in article 4.23), in relation to the competence of the lead supervisory authority, that, without prejudice to the provisions of article 55, the supervisory authority of the main establishment or the only establishment of the controller or processor will be competent to act as lead supervisory authority for the cross-border processing carried out by said controller or processor pursuant to the procedure established in article 60. In the case examined, as has been stated, EDREAMS has its only establishment in Spain, so the Spanish Data Protection Agency is competent to act as the lead supervisory authority.

For its part, the right of access to personal data is regulated in article 15 of the GDPR.
III. Allegations adduced

In relation to the allegations made regarding the agreement to initiate this disciplinary proceeding, we proceed to respond to them according to the order set forth by EDREAMS:

1.- EXERCISE OF RIGHTS IN EDREAMS IN ACCORDANCE WITH THE REGULATIONS.

The existence of a "Privacy Form", through which EDREAMS centralizes the management of the exercise of rights, should not prevent a request to exercise rights regarding the protection of personal data from being addressed when it is submitted by other means. As EDREAMS itself states in its allegations, Article 12.2 of the LOPDGDD provides that: "The controller will be obliged to inform the affected party about the means at their disposal to exercise the rights that correspond. The means must be easily accessible to the affected party. The exercise of the right may not be denied for the sole reason that the affected party opts for another means.”

The negligent action of the employee in attending to the request for the exercise of the right of access does not exempt EDREAMS from responsibility. The responsibility of the company in the scope of sanctions for the negligent action of an employee that implies the breach of data protection regulations has been confirmed by the jurisprudence of the Supreme Court. In this regard, it is worth mentioning the Judgment of the Supreme Court no. 188/2022 (Contentious Chamber, Section 3), of February 15, 2022 (rec. 7359/2020), whose Fourth Law Foundation provides:

"The fact that it was the negligent action of an employee does not exempt it from its responsibility as the party responsible for the correct use of the security measures that should have guaranteed the proper use of the designed data recording system. As we already held in STS no. 196/2020, of February 15, 2021 (rec.
1916/2020), the person in charge of the treatment is also responsible for the actions of its employees and cannot excuse itself on the basis of its own diligent performance, separately from the performance of its employees; rather, it is the "culpable" action of the latter, a consequence of the violation of the existing security measures, that grounds the responsibility of the company in the disciplinary field for "own" acts of its employees or officers, not of third parties."

The judgment goes on to reason about the responsibility of legal entities in our legal system:

"...It simply happens that, the direct responsibility of legal entities being admitted in our Administrative Law, and infringing capacity therefore being recognized to them, the subjective element of the infringement is embodied in these cases in a different way from what happens with respect to natural persons, so that, as indicated by the constitutional doctrine that we have reviewed before (SsTC 246/1991, of December 19 (F.J. 2) and 129/2003, of June 30 (F.J. 8)), the direct reproach derives from the legal right protected by the norm that is infringed and the need for such protection to be truly effective and the risk that, consequently, the legal entity that is subject to compliance with said rule".

2.- EDREAMS MAKES EXTRA EFFORTS IN GENERIC CUSTOMER SERVICE CHANNELS IN ORDER TO GIVE THE BEST SERVICE TO ITS CUSTOMERS.

The measures adopted by EDREAMS in order to ensure due compliance by its employees with the data protection regulations, without undermining its responsibility in the facts, along with the prompt attention to the exercise of the right of access following the information request made by this Agency, have been taken into account for the purpose of deciding the corrective power to apply, considering the warning as more appropriate than the fine.
3.- CONTINUOUS IMPROVEMENT OF TRANSPARENCY REGARDING THE EXERCISE OF RIGHTS

As stated in response to the above allegation, the measures adopted by EDREAMS to facilitate the exercise of rights regarding data protection, without undermining the responsibility derived from the commission of the infraction, have been taken into account for the purposes of deciding the corrective power to apply, considering the warning as more appropriate than the fine.

Once the resolution proposal was formulated by the instructor of this procedure, in the hearing process for the interested party, EDREAMS submitted allegations reiterating its previous allegations.

It should be noted that the principle that requests to exercise the right of access to personal data are not limited to requests made through a certain channel is a criterion shared with the European Data Protection Board (hereinafter, CEPD), which, in compliance with the objective of guaranteeing the coherent application of the General Data Protection Regulation (according to article 70 of the GDPR), is developing guidelines to provide a clear and transparent basis on the exercise of the right of access (“Guidelines 01/2022 on data subject rights - Right of access”).

In section 3.1.2 (paragraphs 52 to 57) of the version submitted to public consultation of the aforementioned Guidelines (https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf), the following is expressed about the requirements of the request to exercise the right of access (unofficial translation):

“52. As noted above, the GDPR does not impose any requirements on data subjects in relation to the form of the request for access to personal data.
Therefore, in principle, there are no GDPR requirements that interested parties must observe when choosing a communication channel through which they come into contact with the person in charge.

53. The CEPD encourages data controllers to provide the most appropriate and user-friendly communication channels, in accordance with article 12, paragraph 2, and article 25, to allow the interested party to make an effective request. Nevertheless, if the interested party makes a request through a communication channel provided by the person in charge that is different from the one indicated as preferable, the request will be considered, in general, effective and the person in charge of the treatment must process said request. Consequently, data controllers must make all reasonable efforts to ensure that the exercise of the rights of the interested party is facilitated (for example, in the event that the interested party sends the data of the request to an employee who is on leave, an automatic message informing the interested party about an alternative communication channel for the request may be a reasonable effort).

54. It should be noted that the controller is not required to act on a request sent to a random or incorrect email (or postal) address, not provided directly by the person in charge, or to any communication channel that is evidently not intended to receive requests regarding the rights of the interested party, if the data controller has provided an appropriate communication channel that can be used by the interested party.

55. The data controller is also not obliged to respond to a request sent to the email address of its employees who are unable to participate in the processing of requests relating to the rights of data subjects (e.g. drivers, cleaning staff, etc.).
Said requests will not be considered effective if the person in charge of the treatment has clearly provided the interested party with the appropriate communication channel. However, if the data subject sends a request to the employee of the controller who deals with the data subject's affairs on a daily basis (single customer contact, such as, for example, a personal account manager), such contact should not be considered as random and the person in charge must make all reasonable efforts to process said request so that it can be redirected to the point of contact and answered within the deadlines established by the GDPR.

56. However, the CEPD recommends, as a good practice, that those responsible for the treatment introduce, to the extent possible, mechanisms to improve the internal communication between employees on requests received by those who may not be competent to meet such requests, in order to facilitate the exercise of the rights of the interested parties.

57. The date of receipt of the request by the data controller triggers, as a general rule, a period of one month for the data controller to provide information on actions taken in response to a request, in accordance with article 12, paragraph 3 of the GDPR. The CEPD considers it good practice for data controllers to confirm receipt of requests in writing, for example, by sending emails (or information by mail, if applicable) to the applicants, confirming that their applications have been received and that the period of one month runs from day X to day Y”.

These criteria determine a broad interpretation regarding the acceptance of requests for the exercise of the right of access addressed by an interested party to the person responsible for the treatment.
In general, the request to exercise the right of access to personal data must be considered effective, so those responsible for the treatment must make all reasonable efforts to ensure that the exercise of the rights of the interested parties is facilitated.

The claimant sent the request to two email addresses belonging to EDREAMS, specifically to its customer service. This service cannot be understood as excluded from the obligation to attend to the requests for the exercise of rights made by EDREAMS clients, either directly or by transfer to the corresponding unit.

According to section 55 of Guidelines 01/2022, the controller is not obliged to respond to a request sent to the email address of its employees who cannot participate in the treatment of requests related to the rights of the interested parties, such as drivers or cleaning staff. However, a department whose activity is customer service, such as EDREAMS customer service, which performs functions that involve the processing of personal data of citizens, cannot be excluded from the obligation to attend to the requests of its clients in the exercise of the right of access to their personal data.
In this regard, EDREAMS itself, as explained in its SECOND allegation, has internal processes for the customer service team to manage requests for the exercise of rights in terms of data protection, which were not applied to the request made by the complaining party: “…We have contacted the Customer Service team, who informed us that the agent closed the ticket by manual error without having managed it properly based on our processes that guarantee the corresponding management of said request, making reference to our Privacy Form (as indicated in the internal process of managing data protection rights) or escalating the exercise of the right internally to the specialized department that is in charge of it.”

In the present case, despite the measures referred to by EDREAMS, the lack of response to the exercise of the right of access by the complaining party within a period of one month from the receipt of the request has been accredited in this procedure.

These allegations do not distort any of the proven facts, having been taken into consideration for the purpose of assessing the concurrent circumstances in the commission of the infringement.

For all the above, all the allegations are dismissed.

IV. Right of access

Article 15 "Right of access of the interested party" of the GDPR establishes:

"1.
The interested party shall have the right to obtain from the data controller confirmation of whether or not personal data concerning them is being processed and, in such a case, the right of access to the personal data and the following information:

a) the purposes of the processing;
b) the categories of personal data concerned;
c) the recipients or categories of recipients to whom the personal data were or will be communicated, in particular recipients in third countries or international organizations;
d) if possible, the expected period of conservation of personal data or, if not possible, the criteria used to determine this term;
e) the existence of the right to request from the person in charge the rectification or deletion of personal data or the limitation of the processing of personal data relating to the interested party, or to oppose said treatment;
f) the right to file a claim with a control authority;
g) when the personal data has not been obtained from the interested party, any available information on its origin;
h) the existence of automated decisions, including profiling, referred to in Article 22, paragraphs 1 and 4, and, at least in such cases, meaningful information about the logic applied, as well as the importance and envisaged consequences of said treatment for the interested party.

2. When personal data is transferred to a third country or to an international organization, the interested party shall have the right to be informed of the adequate guarantees under article 46 relating to the transfer.

3. The data controller shall provide a copy of the personal data object of treatment. The person in charge may charge a reasonable fee based on administrative costs for any other copy requested by the interested party. When the interested party submits the request by electronic means, and unless the latter requests that it be provided otherwise, the information will be provided in a commonly used electronic format.

4.
The right to obtain a copy mentioned in section 3 will not negatively affect the rights and liberties of others."

In the present case, it is clear that the claimant sent an email to the addresses customerservice-fr@contact.edreams.com and service.client@edreams.com, dated January 5, 2021, making a complaint about a purchase made in Canadian dollars and, in turn, requesting access to all conversations held between the claimant and EDREAMS customer service on August 14, 2020, October 26, 2020, November 17, 2020 and December 28, 2020.

EDREAMS only responded to this request once the request for information from this Agency was received.

Therefore, according to the evidence available at this time of disciplinary procedure resolution, it is considered that the known facts constitute an infringement, attributable to EDREAMS, for violation of article 15 of the GDPR.

V. Classification of the infringement of article 15 of the GDPR

The aforementioned infringement of article 15 of the GDPR supposes the commission of the infringements typified in article 83.5 of the GDPR, which under the heading "General conditions for the imposition of administrative fines” provides:

“Violations of the following provisions will be sanctioned, in accordance with paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of a company, for an amount equal to a maximum of 4% of the total global annual turnover of the previous financial year, opting for the one with the highest amount:

(…)
b) the rights of the interested parties in accordance with articles 12 to 22; (…)”

In this regard, the LOPDGDD, in its article 71 "Infractions", establishes that: "Infractions are the acts and conducts referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to the present organic law”.
For the purposes of the limitation period, article 74 "Infringements considered minor" of the LOPDGDD indicates:

"The remaining infractions of a merely of the articles mentioned in sections 4 and 5 of article 83 of Regulation (EU) 2016/679 and, in particular, the following:

(…)
c) Failure to respond to requests to exercise the rights established in Articles 15 to 22 of Regulation (EU) 2016/679, unless the provisions of article 72.1.k) of this organic law are applicable. (…)”

VI. Penalty for violation of article 15 of the GDPR

Without prejudice to the provisions of article 83 of the GDPR, the aforementioned Regulation provides in section 2.b) of article 58 "Powers" the following:

"Each control authority will have all the following corrective powers indicated next:

(…)
b) send a warning to any controller or processor when the processing operations have infringed the provisions of this Regulation; (…)”

For its part, recital 148 of the GDPR indicates:

“In the case of a minor offence, or if the fine likely to be imposed constitutes a disproportionate burden on a natural person, instead of a sanction by fine, a warning may be imposed.
However, special attention should be paid to the nature, seriousness and duration of the infringement, its intentional nature, the measures taken to alleviate the damages suffered, the degree of responsibility or any previous infringement, the way in which the supervisory authority has learned of the infringement, compliance with measures ordered against the person in charge or manager, the adherence to codes of conduct and any other aggravating or mitigating circumstance.”

According to the evidence available at the present time of disciplinary procedure resolution, it is considered that the offense in question is minor for the purposes of article 83.2 of the GDPR, given that, in the present case, this Agency has no record of proceedings for similar offenses by EDREAMS having been resolved in the year prior to the facts, that the complaining party sent the request to customer service email addresses instead of to the one indicated in the privacy policy or through the form provided for this purpose, and that the access request in question was diligently addressed once the request for information was received from this Agency, all of which allows a reduction of guilt in the facts to be considered, for which reason it is considered in accordance with the law not to impose a sanction consisting of an administrative fine and to replace it by directing a warning to EDREAMS.

Therefore, in accordance with the applicable legislation and having assessed the graduation criteria of the sanctions whose existence has been accredited, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: ADDRESS a warning to VACACIONES EDREAMS, S.L., with NIF B61965778, for a violation of Article 15 of the GDPR, typified in Article 83.5 of the GDPR.

SECOND: NOTIFY this resolution to VACACIONES EDREAMS, S.L.

In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once the interested parties have been notified.
In accordance with the provisions of article 60.7 of the GDPR, this resolution will be reported, once it is final, to the control authorities concerned and to the European Data Protection Board.

Against this resolution, which puts an end to the administrative process in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within a period of one month from the day following the notification of this resolution, or directly a contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within two months from the day following the notification of this act, according to the provisions of article 46.1 of the aforementioned Law.

Finally, it is noted that, in accordance with the provisions of art. 90.3 a) of the LPACAP, the final resolution in administrative proceedings may be provisionally suspended if the interested party expresses their intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact in writing to the Spanish Data Protection Agency, presenting it through the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the remaining records provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. The interested party must also transfer to the Agency the documentation that proves the effective filing of the contentious-administrative appeal.
If the Agency were not aware of the filing of the contentious-administrative appeal within a period of two months from the day following the notification of this resolution, it would terminate the precautionary suspension.

938-120722

Mar España Martí
Director of the Spanish Data Protection Agency