AEPD (Spain) - PS/00060/2020

From GDPRhub
AEPD - PS/00060/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 58(1)(a) GDPR
Article 58(2) GDPR
Article 83(1) GDPR
Article 83(2)(e) GDPR
Article 83(2)(f) GDPR
Article 83(2) GDPR
Article 83(2)(k) GDPR
Article 83(5)(e) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published:
Fine: 40000 EUR
Parties: AAA
IBERIA LÍNEAS AÉREAS DE ESPAÑA, S.A. OPERADORA UNIPERSONAL
National Case Number/Name: PS/00060/2020
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Spanish
Original Source: Agencia Española de Protección de Datos (in ES)
Initial Contributor: Silvia López Arnao

Spanish DPA holds that the refusal by an airline to send the telephone recordings to a customer infringes the right of access provided for in Article 15 GDPR

English Summary

Facts

The complainant exercised the right to access his personal data by requesting access to four recordings of phone conversations with the airline., which did not comply with the right of access and did not inform the Spanish DPA of the actions taken, which resulted in a sanctioning file.

Dispute

Does the refusal to provide access to recordings of phone conversations constitute an infringement of the right to access one's personal data under Article 15 GDPR?

Holding

The Spanish DPA held that the airline company had not complied with the right to access in Article 15 GDPR when it refused to give the complainant access to the recordings of phone conversations between him and the company, so it imposed the airline a fine of 40000 EUR which was reduced to 24000 EUR for voluntary payment and admission of guilt

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

DECISION R/00304/2020 ON THE TERMINATION OF THE PROCEDURE FOR PAYMENT
VOLUNTEER
In the sanctioning procedure PS/00060/2020, instructed by the Agency
Spanish Data Protection Agency to IBERIA LÍNEAS AÉREAS DE ESPAÑA, S.A.
OPERADORA UNIPERSONAL, in view of the complaint submitted by A.A.A., and based on
the following,
BACKGROUND
FIRST: On March 17, 2020, the Director of the Spanish Agency of
Data Protection agreed to initiate sanctioning procedure to IBERIA LÍNEAS
AÉREAS DE ESPAÑA, S.A. OPERADORA UNIPERSONAL (hereinafter
claimed), by the Agreement as transcribed:
<<
Style ID: PS/00060/2020
935-090320
AGREEMENT TO INITIATE DISCIPLINARY PROCEEDINGS
Of the actions carried out by the Spanish Agency for the Protection of
Data and based on the following
FACTS
FIRST: D. A.A.A. (hereinafter the Claimant) dated June 29, 2019
filed a complaint with the Spanish Data Protection Agency. The
claim is directed against Iberia Líneas Aéreas de España, S.A. Operadora
Single person with NIF A85850394 (hereinafter IBERIA).
C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
2/11
The complainant states that the telephone recordings have not been forwarded to him, to
despite having exercised the right of access and which gave rise to the
TD/01965/2017.
SECOND: On 12 August 2017, the claimant exercised the right to
access to your personal data before the Iberia entity. Specifically, he requested access
to four recordings of telephone conversations on 8, 9 and 11 August
2017.
On August 15 and August 23, 2017, it answered the claimant's request,
stating that "Iberia cannot deal with your request unless you submit
a court order."
Well, on August 25, 2017, the claimant filed a complaint with
this Agency for not having been properly attended to in terms of its right of access.
The Director of the Spanish Data Protection Agency, issued on 5
February 2018, decision on protection of rights TD/01965/2017, proceeding
estimate the claim.
As a result, IBERIA did not comply with the right of access and did not inform the
Agency the actions taken, which resulted in the sanctioning file
PS/00399/2018, being sanctioned by Resolution dated 4 March 2019 with
7,500 for the commission of an infringement of Article 37.1.f of the LOPD, classified as
serious in Article 44.3.i of the LOPD.
THIRD: On July 24, 2019, it is agreed to admit this claim.
Once the term granted for the fulfillment of the mentioned
Resolution, compliance with which is not recorded in this Agency.
FOURTH: In view of the facts denounced in the complaint and the
documents provided by the claimant and of the facts and documents from which he
This Agency, the Subdirectorate General for Data Inspection
proceeded to carry out preliminary investigative actions for the
clarification of the facts in question under the powers of investigation
granted to the inspection authorities in Article 57(1) of the Regulation (EU)
2016/679 (General Data Protection Regulations, hereinafter referred to as GPRD), and
in accordance with the provisions of Title VII, Chapter I, Section Two of the Act
Organic 3/2018 of 5 December on the Protection of Personal Data and Guarantee of
digital rights (hereinafter LOPDGDD).
As a result of the investigative actions carried out, it was found that
that the person responsible for the processing is the one who is being claimed.
Information requested from Iberia on the details of the documentation sent to the
dated November 20, 2019 is received by this Agency, copy
of the letter sent by Iberia to the complainant providing him with access to the following
personal details: Iberia Plus/Iberia Joven Programme, booking details/flights,
Exchange of mail because of your claim.
And they attach the following documents:
Excel sheet with the data of the Iberia Plus/Iberia Joven Program.
 Excel sheet with the data of the flight reservations
Writing indicating that all mail was sent to the claimant
exchanged because of their claims but that the file is very heavy and not
have been able to present it through the headquarters of this Agency.
There is no evidence that the recordings have been provided to the complainant
The right of access to the information is not limited to the right of access to the information.
LEGAL GROUNDS
I
By virtue of the powers conferred on it by Article 58(2) of Regulation (EU) No 2016/679 of
European Parliament and of the Council of 27 April 2016 on the protection of
Individuals with regard to the processing of personal data and
Free circulation of these data (General Data Protection Regulations, in
hereinafter RGPD) recognises each supervisory authority and, as set out in the
Articles 47, 64.2 and 68.1 of the Organic Law 3/2018 of December 5, 2010, on the Protection
of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD),
the Director of the Spanish Data Protection Agency is competent to initiate
this procedure.
II
C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
4/11
Article 58 of the RGPD, "Powers", says:
 "2 Each supervisory authority shall have all the following powers
corrections indicated below:
(…)
(b) sanction any person responsible for or in charge of the processing with a warning
where processing operations have infringed the provisions of this
Regulations;
(...)
(d) instruct the controller or processor to ensure that the processing operations
treatment are in accordance with the provisions of this Regulation, where applicable,
in a certain way and within a specified time frame.
(…)
(i) impose an administrative fine pursuant to Article 83 in addition to or instead of
the measures referred to in this paragraph, depending on the circumstances of the case
particular.
III
Article 58 of the RGPD deals with the powers of each authority to
control. Section 1(a) provides:
"Each supervisory authority shall have full powers of investigation
indicated below:
(a) to instruct the controller and the processor and, where appropriate, the
representative of the person in charge or of the person in charge, to provide any information
required for the performance of their duties.
The infraction for which the responsible entity IBERIA is held responsible, is
is defined in Article 83 of the RGPD which, under the heading "Conditions
general for the imposition of administrative fines," it says: 
with paragraph 2, with administrative fines of up to 20,000,000 Euros or,
in the case of a company, for an amount equivalent to a maximum of 4% of
total annual turnover for the previous financial year, opting for
the largest:
(e) failure to comply with a decision or limitation in time or in effect
of the processing or suspension of data flows by the data protection authority
control in accordance with Article 58(2) or failure to provide access in breach
of Article 58(1).
The Organic Law 3/2018, on the Protection of Personal Data and Guarantee of
Digital Rights (LOPDGDD) in its article 72.1 m), under the heading "Infringements
considered to be very serious," he says:
"1. In accordance with the provisions of Article 83(5) of the Regulation (E.U.)
2016/679 are considered as very serious and will prescribe after three years the infringements that
constitute a substantial infringement of the articles mentioned in that
In particular, the following:
 (…)
(m) Failure to comply with decisions of the protection authority
of data competent in the exercise of its powers under Article 58(2)
of Regulation (EU) 2016/679.
IV
In this case, it has been proven that the claimant exercised
their right of access before the defendant entity, their request was not answered
legally enforceable.
Furthermore, following the evidence obtained, it is clear that the party complained of did not
The Commission did not comply with the right of access and did not inform the Agency of the actions taken,
which gave rise to the sanctioning file PS/00399/2018, being sanctioned by
Resolution dated 4 March 2019 with 7,500 euros for the commission of an offence
of Article 37.1.f of the LOPD, classified as serious in Article 44.3.i of the LOPD
C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
6/11
The complainant has again stated that the recordings have not been forwarded to him
The following are the telephone numbers requested, despite the legal protection decision TD/01965/2017
issued by the Director of the Spanish Data Protection Agency.
V
In order to determine the administrative fine to be imposed, the
provisions of articles 83.1 and 83.2 of the RGPD, which are the provisions that indicate:
"Each supervisory authority shall ensure that the imposition of fines
administrative offences under this Article for violations of this
Regulation referred to in paragraphs 4, 9 and 6 are in each individual case
effective, proportionate and dissuasive.
"Administrative fines shall be imposed, depending on the circumstances of
each individual case, in addition to or instead of the measures referred to in
Article 58(2)(a) to (h) and (j) In deciding to impose a fine
and its amount in each individual case will be duly taken into account:
(a) the nature, gravity and duration of the infringement, taking into account the
nature, scope or purpose of the processing operation concerned
as well as the number of stakeholders affected and the level of damage and
damages they have suffered;
(b) the intentional or negligent nature of the infringement;
(c) any action taken by the controller or processor
to mitigate the damages suffered by those concerned;
(d) the degree of responsibility of the person responsible for or in charge of the
treatment, taking into account any technical or organisational measures
applied under Articles 25 and 32;
(e) any previous offence committed by the person responsible for or in charge of the
treatment;
 (f) the degree of cooperation with the supervisory authority in order to put
remedy the infringement and mitigate the possible adverse effects of the infringement;
(g) the categories of personal data affected by the infringement;
(h) the manner in which the supervisory authority became aware of the infringement,
(i) where the measures referred to in Article 58(2) have been
ordered in advance against the person responsible or the person in charge
in relation to the same matter, compliance with those measures;
(j) adherence to codes of conduct under Article 40 or to mechanisms
of certification approved in accordance with Article 42, and
(k) any other aggravating or mitigating factor applicable to the
circumstances of the case, such as the financial benefits obtained or
losses avoided, directly or indirectly, through the infringement."
With respect to section 83.2 (k) of the RGPD, the LOPDGDD, section 76,
"Sanctions and corrective measures," he says:
"In accordance with Article 83(2)(k) of the Regulation (EU)
2016/679 may also be taken into account:
(a) the continuing nature of the infringement
(b) The link between the activity of the offender and the carrying out of processing
of personal data.
(c) The profits obtained as a result of the commission of the offence.
(d) the possibility that the conduct of the person concerned might have led to the
commission of the offence.
(e) The existence of a post-commission merger process
of the infringement, which cannot be attributed to the absorber.
(f) Affecting the rights of minors.
g) Having, when it is not compulsory, a delegate for the protection of
data.
h) The submission by the person responsible or in charge, with
to alternative dispute resolution mechanisms, in those
in cases where there are disputes between them and any interested party."
In accordance with the precepts transcribed, and without prejudice to what may result from the
proceedings, for the purpose of setting the amount of the fine to be imposed on
impose in the present case on the entity claimed to be responsible for a
infringement of article 83.5.e) of the RGPD, in an initial assessment, the
The following factors are considered to be concurrent:
- No direct benefits (83.2 k) RGPD and 76.2.c) LOPDGDD).
- Any previous infraction committed by the person responsible or in charge of the
treatment (83.2 e, of the RGPD).
- The lack of cooperation with the AEPD in order to remedy the infringement and
C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
8/11
mitigate its effects (Article 83(2)(f) GPRS).
The sanction to be imposed on Iberia Líneas Aéreas de España, S.A. should be graduated
Operadora Unipersonal and set it at the amount of 40,000 euros for the infringement of article 58.2
of the RGPD.
Therefore, in accordance with the above,
By the Director of the Spanish Data Protection Agency,
AGREED:
1. START PENALTY PROCEDURE against Iberia Líneas Aéreas de
España, S.A. Operadora Unipersonal with NIF A85850394, for the alleged
infringement of article 58.2 of the RGPD, typified in article 83.5 e) of the RGPD.
1. NAME D. B.B.B. as instructor and Dña. C.C.C. as secretary, indicating that any of them may be challenged, if appropriate, in accordance with the
established in Articles 23 and 24 of Law 40/2015, of 1 October, on the Legal Regime of the Public Sector (LRJSP)
2. TO INCORPORATE into the sanctioning file, for evidential purposes, the claim filed by the claimant and its documentation, as well as the one obtained
during the preliminary investigation proceedings, all of which is part of the file.
3. THAT for the purposes of Article 64.2 b) of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations,
40,000, without prejudice to the provisions of the Convention on the Rights of the Child.
resulting from the instruction.
4. NOTIFY this agreement to Iberia Líneas Aéreas de España, S.A.
Sole proprietorship operator with NIF A85850394, granting it a period of
hearing within ten working days to make the allegations and to present the
evidence that you deem appropriate. In your pleading you must
provide your VAT number and the procedure number under the heading
of this document.
If you do not make representations to this initiating agreement within the stipulated time, it
may be considered as a motion for resolution, as set out in Article
C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
9/11
64.2(f) of Law 39/2015 of 1 October on the Common Administrative Procedure of
the Public Administration (hereinafter LPACAP).
In accordance with Article 85 of the LPACAP, if the
penalty to be imposed other than a fine, may acknowledge its responsibility within the
period granted for the formulation of arguments to the present agreement of beginning; the
which will be accompanied by a 20% reduction in the penalty to be imposed in
the present procedure, equivalent in this case to 8,000 euros. With the application of
of this reduction, the penalty would be set at 32,0000 euros, with the decision being taken on
procedure with the imposition of this penalty.
Similarly, at any time prior to the resolution of this
procedure, carry out the voluntary payment of the proposed penalty, which
will result in a 20% reduction in its amount, equivalent in this case to
8,000 euros. With the application of this reduction, the penalty would be set at
32,000 and its payment will imply the termination of the procedure.
The reduction for the voluntary payment of the penalty can be cumulated with that for
apply for recognition of liability, provided that this recognition
of the responsibility becomes apparent within the time allowed for formulating
allegations to the opening of the procedure. The voluntary payment of the amount referred to
in the preceding paragraph may be made at any time prior to the resolution. At
in this case, if both reductions were to be applied, the amount of the penalty would be
established at 24,000 euros.
In any case, the effectiveness of either of the two reductions mentioned will be
conditional upon the withdrawal or waiver of any action or remedy in the
administrative sanction against the sanction.
If you choose to proceed with the voluntary payment of any of the amounts
(32,0000 euros or 24,000) euros, you must make it effective
by depositing it in the account nº ES00 0000 0000 0000 0000 open to
name of the Spanish Data Protection Agency at CAIXABANK Bank,
S.A., indicating in the concept the reference number of the procedure in
the heading of this document and the reason for the reduction in the amount to which
welcomes.
C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
10/11
Likewise, you must send the proof of payment to the Subdirectorate General of
Inspection to continue the procedure in accordance with the quantity
admitted.
The procedure will last a maximum of nine months from the
date of the agreement to initiate or, where appropriate, the draft agreement to initiate.
Once this period has elapsed, the agreement will expire and, consequently, the
actions; in accordance with the provisions of Article 64 of the LOPDGDD.
Finally, it is noted that in accordance with Article 112.1 of the LPACAP,
No administrative appeal is possible against this act.
Mar Spain Martí
Director of the Spanish Data Protection Agency
>>
 SECOND: On July 3, 2020, the claimant paid the
24,000 by making use of the two reductions provided
in the above transcribed Inception Agreement, which implies recognition of the
responsibility.
THIRD: The payment made, within the period granted to make allegations to
the opening of the procedure, entails the waiver of any action or appeal in
administrative sanctioning and acknowledgement of responsibility in relation to
the facts referred to in the Agreement to Initiate.
LEGAL FOUNDATIONS
I
By virtue of the powers conferred on each authority in Article 58(2) of the GPRS, the
control, and in accordance with Article 47 of Organic Law 3/2018, of 5
December, Protection of Personal Data and Guarantee of Digital Rights (in
(hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency
is competent to penalise infringements committed against it
Regulations; infringements of Article 48 of Law 9/2014 of 9 May, General
of Telecommunications (hereinafter referred to as LGT), in accordance with the
Article 84.3 of the GLT, and the infractions defined in articles 38.3 c), d) and i) and
38.4 d), g) and h) of Law 34/2002, of 11 July, on services of the company of the
C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
11/11
information and electronic commerce (hereinafter referred to as the ISESA), as provided for in
43.1 of the said Act.
II
Article 85 of Law 39/2015 of 1 October on Administrative Procedure
Commonwealth of Independent States (hereinafter LPACAP), under the heading
"Termination in sanctioning proceedings" provides the following:
"1. Penalty proceedings are initiated if the offender acknowledges his
responsibility, the proceedings may be terminated with the imposition of the penalty
as appropriate.
2. Where the penalty is solely pecuniary in nature or where it is
impose a financial penalty and a non-pecuniary penalty but has been justified
the impropriety of the second, voluntary payment by the alleged perpetrator, in
any time before the resolution, will imply the termination of the procedure,
except as regards the restoration of the altered situation or the determination of the
compensation for damages caused by the commission of the infringement.
3. In both cases, when the penalty is solely of a pecuniary nature,
the body competent to decide on the procedure shall apply reductions of, at
at least 20 % of the amount of the proposed penalty, which may be cumulated
with each other. These reductions shall be determined in the notification of
initiation of the procedure and its effectiveness shall be conditional upon the withdrawal or
waiver of any action or appeal in administrative proceedings against the sanction.
The percentage of reduction provided for in this paragraph may be increased
by regulation.
In accordance with the above,
the Director of the Spanish Data Protection Agency RESOLVES:
FIRST: TO DECLARE the completion of procedure PS/00060/2020, of
in accordance with Article 85 of the LPACAP.
SECOND: TO NOTIFY this resolution to IBERIA LÍNEAS AÉREAS DE
SPAIN, S.A. SINGLE OPERATOR.
In accordance with the provisions of Article 50 of the LOPDGDD, this
The decision will be made public once it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure as prescribed by
Article 114(1)(c) of Law 39/2015 of 1 October on Administrative Procedure
The interested parties may lodge an appeal with the
administrative litigation before the Administrative Chamber of the
Audiencia Nacional, in accordance with Article 25 and paragraph 5 of
the fourth additional provision of Law 29/1998 of 13 July 1998, regulating the
Contentious-Administrative Jurisdiction, within two months of
day following notification of this act, as provided for in Article 46(1) of
referred to Law.
Mar Spain Martí
Director of the Spanish Data Protection Agency