AEPD (Spain) - AEPD PS-00006-2022
|AEPD - AEPD PS-00006-2022|
|Relevant Law:||Article 12 GDPR|
Article 17 GDPR
|Parties:||COOLTRA MOTOSHARING, S.L.U.|
|National Case Number/Name:||AEPD PS-00006-2022|
|European Case Law Identifier:||n/a|
|Original Source:||AEPD (in ES)|
|Initial Contributor:||Teresa López|
In an Article 60 GDPR procedure, the Spanish DPA reprimanded a controller for the failure to meet a data deletion request under Article 17 GDPR in a timely manner despite six different attempts by the data subject.
English Summary[edit | edit source]
Facts[edit | edit source]
In the process of registering for an account through the controller's website, a motorcycle sharing company, the data subject was asked for further personal information besides that already provided (driver's license and credit card details), and thus decided to delete their account. Since neither the controller's website nor the app provided for an account cancellation option, the data subject requested the deletion of all their data and payment details at the general information email address of the company.
On 19 February 2019, the data subject filed a complaint before the Italian DPA against the controller. On 19 October 2020, the data subject's complaint was forwarded and registered at the Spanish DPA because the controller's registered office and main establishment was located in Spain. The Spanish DPA was, therefore, the lead supervisory authority and the Italian DPA was a concerned authority for the purposes of Article 60 GDPR.
Holding[edit | edit source]
The Spanish DPA noted that it was a cross-border matter as the controller provided services in multiple EU Member States. Since the controller's main establishment was located in Spain, the Spanish DPA was the lead supervisory authority under the one stop-shop mechanism in Article 56(1) GDPR, competent to handle the complaint.
Taking into account that the data subject submitted a total of six different erasure requests, the DPA held that the controller failed to delete the data subject's account in due time, in breach of Article 17 GDPR. Moreover, the controller failed to notify the data subject once their account was deleted, in violation of Article 12 GDPR.
The DPA considered that the infringement was minor under Article 83(2) GDPR given several circumstances. Namely, the controller had no previous history of non-compliance, there were temporary lay-offs due to Covid-19 pandemic, the data subject sent some requests to a wrong e-mail address, the erasure had been dealt with in March 2019 even though the data subject had not been duly notified and, as soon as the controller became aware of the complaint, it informed the data subject of the deletion and modified its protocols to avoid a repetition of an incident of this nature.
Therefore, the DPA issued a reprimand (Article 58(2)(b) GDPR) against the controller instead of a fine.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.