AEPD (Spain) - EXP202203923: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=PD-00110-2022 |ECLI= |Original_Source_Name_1=AEPD |Original_Source_Link_1=https://www.aepd.es/es/documento/pd-00110-2022.pdf |Original_Source_Language_1=Spanish |Original_Source_Language__Code_1=ES |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Language__...")
 
 
(One intermediate revision by one other user not shown)
Line 72: Line 72:


=== Facts ===
=== Facts ===
The data subject exercised its right to erasure against COFIDIS S.A., SUCURSAL EN ESPAÑA, a bank focusing on consumer credits (the controller). The controller did not reply to this request. Subsequently, the data subject lodged a complaint with the Spanish DPA and provided documents which proved that the right had been exercised.  
The data subject exercised its right to erasure against COFIDIS S.A., SUCURSAL EN ESPAÑA, a bank focusing on consumer credits (the controller). The controller did not reply to this request. Subsequently, the data subject lodged a complaint with the Spanish DPA and provided documents which proved that the right had been exercised.
 
The DPA then granted the controller a hearing, so that they could present their point of view. As their response, the controller sent the DPA an answer to the request by the data subject. However, the controller still did not send a response directly to the data subject.
The DPA then granted the controller a hearing, so that they could present their point of view. As their response, the controller sent the DPA an answer to the request by the data subject. However, the controller still did not send a response directly to the data subject.


=== Holding ===
=== Holding ===
First, the Spanish DPA pointed out that a controller needs to answer requests by a data subject within one month according to [[Article 12 GDPR]]. The authority also noted that a controller must not in any case ignore requests by a data subject. The controller bears the burden of proof of compliance with these provisions.
First, the Spanish DPA pointed out that a controller needs to answer requests by a data subject within one month according to [[Article 12 GDPR]]. The authority also noted that a controller must not in any case ignore requests by a data subject. The controller bears the burden of proof of compliance with these provisions.
Second, the DPA held that it is not acceptable that the reponse to a request is only made on the occasion of an administrative procedure, like the formulation of allegations in this case.
Second, the DPA held that it is not acceptable that the reponse to a request is only made on the occasion of an administrative procedure, like the formulation of allegations in this case.
Hence, the DPA upheld the complaint. The authority additionally urged the controller to inform the data subject whether the right to erasure is granted or not within ten working days.
Hence, the DPA upheld the complaint. The authority additionally urged the controller to inform the data subject whether the right to erasure is granted or not within ten working days.



Latest revision as of 10:50, 13 December 2023

AEPD - PD-00110-2022
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 12 GDPR
Article 17 GDPR
Article 12 LOPDGDD
Article 15 LOPDGDD
Type: Complaint
Outcome: Upheld
Started: 07.03.2022
Decided:
Published: 07.09.2022
Fine: n/a
Parties: COFIDIS S.A., SUCURSAL EN ESPAÑA
National Case Number/Name: PD-00110-2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Lukas Fiebiger

The Spanish DPA held that it is not sufficient when a controller only sends their response to a data erasure request to the DPA after a complaint has been lodged. The response should rather be directly sent to the data subject within one month.

English Summary

Facts

The data subject exercised its right to erasure against COFIDIS S.A., SUCURSAL EN ESPAÑA, a bank focusing on consumer credits (the controller). The controller did not reply to this request. Subsequently, the data subject lodged a complaint with the Spanish DPA and provided documents which proved that the right had been exercised.

The DPA then granted the controller a hearing, so that they could present their point of view. As their response, the controller sent the DPA an answer to the request by the data subject. However, the controller still did not send a response directly to the data subject.

Holding

First, the Spanish DPA pointed out that a controller needs to answer requests by a data subject within one month according to Article 12 GDPR. The authority also noted that a controller must not in any case ignore requests by a data subject. The controller bears the burden of proof of compliance with these provisions.

Second, the DPA held that it is not acceptable that the reponse to a request is only made on the occasion of an administrative procedure, like the formulation of allegations in this case.

Hence, the DPA upheld the complaint. The authority additionally urged the controller to inform the data subject whether the right to erasure is granted or not within ten working days.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/4








     File No.: EXP202203923

                              RESOLUTION Nº: R/00738/2022



Having regard to the claim made on March 7, 2022 before this Agency by A.A.A. (to
from now on the claiming party), against COFIDIS S.A., SUCURSAL EN ESPAÑA
(from now on the claimed party), for not having been duly attended to
request to exercise the rights established in Regulation (EU) 2016/679 of the

European Parliament and of the Council of April 27, 2016 on the protection of
natural persons with regard to the processing of personal data and the free
circulation of these data (hereinafter GDPR).

The procedural actions provided for in Title VIII of the Law have been carried out

Organic 3/2018, of December 5, Protection of Personal Data and guarantee of
digital rights (hereinafter LOPDGDD), the following have been verified:


                                      FACTS


FIRST: The complaining party exercised the right of Suppression against the defendant,
without your request having received the legally established response.

The claimant provides various documentation related to the claim raised
before this Agency and on the exercise of the exercised right.


SECOND: Once the procedure provided for in article 65.4 of the LOPDGDD has been completed,
the claim was admitted for processing and the requested entity was granted processing of
hearing, so that within a period of fifteen business days he could present the allegations that
deemed convenient.


With its statement of allegations, the claimed entity has sent to this Agency the
response to the exercised right. However, it does not provide documentation proving
that the request for the exercise of rights has been duly answered to the
interested.



                           FUNDAMENTALS OF LAW

FIRST: The Director of the Spanish Agency for
Data Protection, in accordance with the provisions of section 2 of article 56 in

relation to section 1 f) of article 57, both of the GDPR; and in article 47 of the
LOPDGDD.

SECOND: In accordance with the provisions of article 55 of the GDPR, the Agency
Española de Protección de Datos is competent to perform the functions that

are assigned to it in its article 57, among them, that of enforcing the Regulation and
promote awareness of controllers and processors
about the obligations incumbent upon them, as well as dealing with claims
presented by an interested party and investigate the reason for them.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/4









Correlatively, article 31 of the GDPR establishes the obligation of those responsible
and those in charge of the treatment to cooperate with the control authority that requests it in

the performance of their functions. In the event that they have designated a
data protection delegate, article 39 of the GDPR attributes to him the function of
cooperate with said authority.

In the same way, the internal legal system, in article 65.4 of the LOPDGDD, has
provided a mechanism prior to the admission for processing of the claims that are

formulated before the Spanish Agency for Data Protection, which consists of giving
transfer of the same to the data protection delegates designated by the
responsible or in charge of the treatment, for the purposes provided in article 37 of
the aforementioned norm, or to them when they have not designated them, so that they proceed to the
analysis of said claims and to respond to them within a month.


In accordance with this regulation, prior to the admission for processing of the
claim that gives rise to this procedure, it was transferred to the
responsible entity to proceed with its analysis, respond to this Agency
within a month and certify having provided the claimant with the due response,
in the event of exercise of the rights regulated in articles 15 to 22 of the

GDPR.

The result of said transfer did not allow us to understand satisfied the claims of the
complaining party. Consequently, on May 20, 2022, for the purposes of
provided for in article 64.2 of the LOPDGDD, the Director of the Spanish Agency for

Data Protection agreed to admit the claim submitted for processing. Saying
agreement for admission to processing determines the opening of this procedure of
lack of attention to a request to exercise the rights established in the
articles 15 to 22 of the GDPR, regulated in article 64.1 of the LOPDGDD, according to the
which:


"1. When the procedure refers exclusively to the lack of care of a
request to exercise the rights established in articles 15 to 22 of the
Regulation (EU) 2016/679, will begin with an agreement for admission to processing, which will be
adopt in accordance with the provisions of the following article.
In this case, the term to resolve the procedure will be six months from

from the date the claimant was notified of the admission agreement to
Procedure. After that period, the interested party may consider his
claim".

The depuration of administrative responsibilities within the framework is not considered opportune.

of a disciplinary procedure, the exceptional nature of which implies that a choice be made,
whenever possible, due to the prevalence of alternative mechanisms that have
under the current regulations.

It is the exclusive competence of this Agency to assess whether there are responsibilities

administrative procedures that must be purged in a disciplinary proceeding and, in
Consequently, the decision on its opening, there being no obligation to initiate a
procedure for any request made by a third party. Such a decision must
be based on the existence of elements that justify the start of the activity

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/4








disciplinary action, circumstances that do not exist in the present case, considering that
With this procedure, the guarantees and
claimant's rights.


THIRD: The rights of individuals in terms of data protection
personal data are regulated in articles 15 to 22 of the GDPR and 13 to 18 of the
LOPDGDD. The rights of access, rectification, deletion,
opposition, right to limitation of treatment and right to portability.


The formal aspects related to the exercise of these rights are established in the
Articles 12 of the GDPR and 12 of the LOPDGDD.

It also takes into account what is stated in Considering 59 et seq. of the
GDPR.


In accordance with the provisions of these regulations, the data controller
must arbitrate formulas and mechanisms to facilitate the exercise of their rights by the interested party.
rights, which will be free (without prejudice to the provisions of articles 12.5 and 15.3
of the GDPR), and is obliged to respond to requests made no later than a
month, unless you can demonstrate that you are unable to identify the

concerned, and to express their reasons in the event that they were not to attend said
application. The proof of compliance with the duty of
respond to the request to exercise their rights made by the affected party.

The communication addressed to the interested party on the occasion of his request must

express themselves in a concise, transparent, intelligible and easily accessible way, with a
clear and simple language.

FOURTH: In the case analyzed, the claimant exercised the right to
Suppression regulated in article 17 of the GDPR and article 15 of the LOPDGDD.


After the period established in the reviewed regulations, your request did not obtain the
legally required response.

During the processing of this procedure, the defendant entity has answered
to this Agency, but does not certify having met the request of the claimant

sending you the required response to your request.

In this regard, it should be noted that it cannot be accepted that the corresponding answer
perform can manifest itself on the occasion of a mere administrative procedure, such as the
formulation of allegations on the occasion of this proceeding, initiated

precisely for not properly addressing the request in question.

The aforementioned rules do not allow the request to be ignored as if it were not
would have raised, leaving her without the answer that must be issued by the
responsible, even in the event that there is no data of the interested party in the

files of the entity or even in those cases in which it did not meet the
established requirements, in which case the addressee of said request is also
obliged to require the correction of the deficiencies observed or, where appropriate,


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/4








deny the request with reasons indicating the reasons why it is not appropriate
consider the law in question.


Therefore, the request made obliges the controller to give an express response, in
in any case, using any means that justifies the receipt of the
reply.


Given that a copy of the necessary communication that must be addressed to the
claimant informing him about the decision he has adopted regarding the
request to exercise rights, it is appropriate to estimate the claim that originated the
present procedure.



Given the aforementioned precepts and others of general application,
the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: ESTIMATE the claim made by A.A.A. and urge COFIDIS S.A.,

BRANCH IN SPAIN, with NIF W0017686G, so that, within ten
business days following the notification of this resolution, send to the party
claimant certification in which the right of Suppression exercised is addressed or
reasonedly deny indicating the causes for which it is not appropriate to address the
request, in accordance with the provisions of the body of this resolution. The

actions carried out as a consequence of this Resolution must be
communicated to this Agency in the same term. Failure to comply with this resolution
could lead to the commission of the offense considered in article 72.1.m) of the
LOPDGDD, which will be sanctioned, in accordance with art. 58.2 of the GDPR.


SECOND: NOTIFY this resolution to A.A.A. and COFIDIS S.A.,
BRANCH IN SPAIN.

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once the interested parties have been notified.


Against this resolution, which puts an end to the administrative procedure (article 18.4 of the LOPD),
and in accordance with the provisions of article 123 of Law 39/2015, of 1
October, of the Common Administrative Procedure of Public Administrations,
may optionally file an appeal for replacement before the Director of the

Director of the Spanish Agency for Data Protection, within a period of one month from
count from the day following the notification of this resolution, or directly
contentious-administrative appeal before the Contentious-Administrative Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of
the Fourth Additional Provision of Law 29/1998, of July 13, regulating the

Contentious-Administrative Jurisdiction, within a period of two months from the
day following the notification of this act, as provided for in article 46.1 of the
referred legal text.


                                                                               1164-050321
Mar Spain Marti

Director of the Spanish Data Protection Agency

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es