AEPD (Spain) - EXP202201673: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=EXP202201673 |ECLI= |Original_Source_Name_1=AEPD |Original_Source_Link_1=https://www.aepd.es/ |Original_Source_Language_1=Spanish |Original_Source_Language__Code_1=ES |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Language__Code_2= |Type=Complaint |Outco...")
 
mNo edit summary
 
(2 intermediate revisions by the same user not shown)
Line 11: Line 11:


|Original_Source_Name_1=AEPD
|Original_Source_Name_1=AEPD
|Original_Source_Link_1=https://www.aepd.es/
|Original_Source_Link_1=https://www.aepd.es/documento/pd-00197-2023.pdf
|Original_Source_Language_1=Spanish
|Original_Source_Language_1=Spanish
|Original_Source_Language__Code_1=ES
|Original_Source_Language__Code_1=ES
Line 80: Line 80:


Secondly, the AEPD found that the data subject’s request for the right of access concerned the geolocation data of his mobile phone line and that the reason for his request was irrelevant. Therefore, the AEPD rejected the controller’s argument  that they provided a “reasonable alternative” with a document containing roaming information about the country where the data subject connected to a mobile network. Moreover, the request was neither excessive nor unfounded so the controller could not refuse it.  
Secondly, the AEPD found that the data subject’s request for the right of access concerned the geolocation data of his mobile phone line and that the reason for his request was irrelevant. Therefore, the AEPD rejected the controller’s argument  that they provided a “reasonable alternative” with a document containing roaming information about the country where the data subject connected to a mobile network. Moreover, the request was neither excessive nor unfounded so the controller could not refuse it.  
Finally, the AEPD noted that the data subject exercised the right of restriction but the controller did not expressly reply to the request nor refused it with reasons. Therefore, the controller breached [[Article 18 GDPR|Article 18 GDPR]] as well as Article 12.4 LOPDGDD under which the controller must send a mandatory response to the data subject.


Therefore, the AEPD considered that the controller breached Article 15 and 18 GDPR.
Finally, the AEPD noted that the data subject exercised the right of restriction but the controller did not expressly reply to the request nor refused it with reasons. Therefore, the controller breached [[Article 18 GDPR]] as well as [https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673&p=20230509&tn=0 Article 12.4 LOPDGDD] under which the controller must send a mandatory response to the data subject.
 
Therefore, the AEPD considered that the controller breached [[Article 15 GDPR|Articles 15]] and [[Article 18 GDPR|18 GDPR]].


== Comment ==
== Comment ==
The decision has not yet been published.
''Share your comments here!''


== Further Resources ==
== Further Resources ==

Latest revision as of 10:49, 6 March 2024

AEPD - EXP202201673
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 15 GDPR
Article 18 GDPR
Ley 25/2007, de 18 de octubre, de Conservación de Datos relativos a las comunicaciones electrónicas
Type: Complaint
Outcome: Upheld
Started:
Decided: 05.01.2024
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: EXP202201673
European Case Law Identifier: n/a
Appeal: Appealed - Confirmed
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: nzm

The Spanish DPA decided that Law 25/2007 did not release the controller from its obligation to give access to geolocation data in the case of an access request.

English Summary

Facts

A data subject requested access to his personal data, specifically the geolocation data regarding his telephone number with Euskaltel (“controller”). A few days after this access request, he also exercised his right to restrict the processing and specifically requested that they do not proceed with the deletion of the data until he had been given access to it.

The controller responded that they could not provide the data subject with this information as Law 25/2007, of October 18, 2007, on the Conservation of Data related to electronic communications and public communications networks (Ley 25/2007, de 18 de octubre, de Conservación de Datos relativos a las comunicaciones electrónicas) would impose the obligation to retain certain data generated as a result of the activity of its users for the sole and exclusive purpose of making them available to the authorities for the detection, investigation and prosecution of serious crimes. Therefore, no access to personal data under Article 15 GDPR could be granted. Following this response, the data subject filed a complaint against the controller with the Spanish DPA (“AEPD”).

On 25 April 2022, the AEPD decided to archive the proceedings with regard to the reasoned refusal given by the controller. The data subject filed an administrative appeal against this decision with the Audencia Nacional (“AN”) who annulled the decision of the AEPD in January 2023.

As a result, the AEPD reopened the proceedings in order to take AN decision into account. The DPA heard both parties.

Holding

Firstly, the AEPD indicated that the controller did not dispute the personal data nature of the information requested by the data subject, therefore, once this nature is established, the only exceptions that may apply to the exercise of any GDPR rights are those established by the law. The AEPD found that Law 25/2007 does not establish a limitation to the exercise of the right of access other that the the data subject is not to be informed about the the transfer of the retained data to competent authorities. Moreover the law establishs that the right of erasure cannot be exercised. The AEPD therefore concluded that the telephone line location data could be subject of a right of access request under Article 15 GDPR.

Secondly, the AEPD found that the data subject’s request for the right of access concerned the geolocation data of his mobile phone line and that the reason for his request was irrelevant. Therefore, the AEPD rejected the controller’s argument that they provided a “reasonable alternative” with a document containing roaming information about the country where the data subject connected to a mobile network. Moreover, the request was neither excessive nor unfounded so the controller could not refuse it.

Finally, the AEPD noted that the data subject exercised the right of restriction but the controller did not expressly reply to the request nor refused it with reasons. Therefore, the controller breached Article 18 GDPR as well as Article 12.4 LOPDGDD under which the controller must send a mandatory response to the data subject.

Therefore, the AEPD considered that the controller breached Articles 15 and 18 GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

The campaign, carried out by the Agency and the Spanish Association of Pediatrics, promotes the digital health of minors through raising the awareness of their fathers and mothers, reducing the risks posed on a physical, mental and social level by intensive and uncontrolled use. of the screens.