AEPD (Spain) - EXP202315744: Difference between revisions

From GDPRhub
(Great summary, thank you! : ))
 
Line 59: Line 59:
}}
}}


The AEPD dismissed an appeal since the data controller had made every necessary effort to delete images of the data subject from its social media, but faced issues due to an unrecoverable account, awaiting Meta's response.
The DPA dismissed an appeal concerning an erasure request, finding that the controller made every necessary effort to delete images of the data subject from its social media, but was unable to delete all of the requested data as it awaited Meta's response.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
On May 10th, 2019, the data subject consent for the processing of his personal data for the use of his image captured in activities and interviews to be published in GABINETE DE NEUROCIENCIAS S.L. social networks and websites to disseminate the activities at hand.  
On 10 May 2019, the data subject consented to the processing of his personal data for the use of captured image in activities and interviews to be published in Gabinete de Neurociencias S.L.'s (the controller) social networks and websites to disseminate the sporting activities.  


On February 7th, 2023, the data subject exercise his right of objection and withdrawal his consent for the use of his personal images, claiming that on March 30th, 2023, his images still appear in the claimed companies.  
On 7 February 2023, the data subject exercised his right of objection and withdrew his consent for the use of his personal images, claiming that on 30 March 2023, his images still appeared in the claimed company social media.


The data controller, GABINETE DE NEUROCIENCIAS S.L., argued that they attempted to address the request appropriately and that technical and communication issues with META (the company behind the social networks used) prevented the timely deletion of the image. Despite their efforts, including multiple attempts to contact and requests for assistance from META, the corporate account in question could not be recovered or modified in time.
The controller argued that they attempted to address the request appropriately and that technical and communication issues with Meta (the company behind the social networks used) prevented the timely deletion of the image. Despite their efforts, including multiple attempts to contact and requests for assistance from META, the corporate account in question could not be recovered or modified in time.


On the first decision by AEPD, they dismissed the complaint since the data controller did respond to the data subject’s request, complying with the applicable deadlines stipulated by GDPR and that the completeness of the request depends on META’s return.  
The Spanish DPA (AEPD) dismissed the complaint because the data controller did respond to the data subject’s request, complying with the applicable deadlines stipulated by GDPR. It found that the completeness of the request depends on META’s return.  


The data subject filed an appeal, which was upheld, recognizing that the data controller had responded to the erasure request, but failed to delete all the images as requested, mainly due to technical problems with the META account.
The data subject filed an appeal. The data controller reiterated their documented attempts and efforts to delete the images and communicate with Meta, arguing that despite their efforts they faced issues in fully complying with the erasure request due to Meta's nonresponsiveness.  
 
After the appeal's resolution, the data controller was given another opportunity to respond, which reiterated their documented attempts and efforts to delete the images and communicate with META, but still faced issues in fully complying with the erasure request.
 
After presenting the measures taken to address the situation and ongoing efforts to remove the disputed images, the claimant did not submit further arguments within the given timeframe.


=== Holding ===
=== Holding ===
AEPD considered that the data controller has deleted part of the requested data, but not all of it. According to the data controller, they have put forth considerable effort to comply with the erasure request, as evidenced by the partial deletion achieved. Therefore, the resolution must consider to what extent this complaint can be upheld, given that the erasure is not complete due to reasons beyond the control of the respondent, as detailed in the facts presented.
The AEPD dismissed the appeal by the data subject. It found that the data controller had responded to the erasure request and was not able to fully address the request due to technical problems with Meta.  


AEPD decided to dismiss the appeal by the data subject given that the data controller has responded to the erasure request and was not able to fully address the request due to technical problems with META account.
The AEPD considered that the controller had put forth considerable effort to comply with the erasure request, as evidenced by the partial deletion achieved.  


== Comment ==
== Comment ==
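Review bot: the rewritten appeal paragraph in Facts drops "which was upheld" and the two follow-on sentences (the controller being given another opportunity to respond, and the claimant submitting no further arguments), so the new text no longer says how the appeal ended before the Holding states that it was dismissed. Suggest keeping the outcome in the Facts, for example "The data subject filed an appeal, which was upheld", and saying in the Holding which proceeding was dismissed. The revised lines also mix "Meta" and "META" and keep "depends on META's return", which would read better as "Meta's response".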

Latest revision as of 08:17, 16 April 2024

AEPD - EXP202315744
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 17 GDPR
Type: Complaint
Outcome: Rejected
Started: 10.05.2019
Decided: 21.03.2024
Published: 21.03.2024
Fine: n/a
Parties: n/a
National Case Number/Name: EXP202315744
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Mgrd

The DPA dismissed an appeal concerning an erasure request, finding that the controller made every necessary effort to delete images of the data subject from its social media, but was unable to delete all of the requested data as it awaited Meta's response.

English Summary

Facts

On 10 May 2019, the data subject consented to the processing of his personal data for the use of his captured image in activities and interviews, to be published on the social networks and websites of Gabinete de Neurociencias S.L. (the controller) to disseminate the sporting activities.

On 7 February 2023, the data subject exercised his right of objection and withdrew his consent for the use of his personal images, claiming that on 30 March 2023 his images still appeared on the claimed company's social media.

The controller argued that they attempted to address the request appropriately and that technical and communication issues with Meta (the company behind the social networks used) prevented the timely deletion of the image. Despite their efforts, including multiple attempts to contact Meta and requests for its assistance, the corporate account in question could not be recovered or modified in time.

The Spanish DPA (AEPD) dismissed the complaint because the data controller did respond to the data subject’s request, complying with the applicable deadlines stipulated by the GDPR. It found that the completeness of the request depended on Meta’s response.

The data subject filed an appeal. The data controller reiterated their documented attempts and efforts to delete the images and communicate with Meta, arguing that despite their efforts they faced issues in fully complying with the erasure request due to Meta's nonresponsiveness.

Holding

The AEPD dismissed the appeal by the data subject. It found that the data controller had responded to the erasure request and was not able to fully address the request due to technical problems with Meta.

The AEPD considered that the controller had put forth considerable effort to comply with the erasure request, as evidenced by the partial deletion achieved.


English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

File No.: EXP202315744

RESOLUTION OF RIGHTS PROCEDURE

The procedural actions provided for in Title VIII of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD) having been carried out, the following have been verified

FACTS


FIRST: A.A.A. (hereinafter, the complaining party) exercised the right to erasure before GABINETE DE NEUROCIENCIAS, S.L. (hereinafter, the claimed party) without his request having received the legally established response.

The complaining party states that on May 10, 2019, he authorized the processing of his personal data by ADVANCED ORAL HEALTH UNIT, S.L.P., and GABINETE DE NEUROCIENCIAS S.L., for the use of his image captured in activities and/or interviews related to the activity of the B.B.B. TEAM, which could be published on the company's social networks, corporate website and publications, with the purpose of disseminating these activities.

On February 7, 2023, he requested the deletion of the consent granted for the use of his personal image, stating that as of March 30, 2023, his images continued to appear with the claimed parties, GABINETE DE NEUROCIENCIAS, S.L. and ADVANCED ORAL HEALTH UNIT, S.L.P.

SECOND: Once the claim submitted had been analyzed by this Agency, it concluded:

GABINETE DE NEUROCIENCIAS S.L. has reported:

"(...) The entity wishes to state that at no time has it intended to consciously fail to attend to the claimant's request for deletion of consent.
That since the facts became known, every means has been used to respond to it and to satisfy the exercise of his right, as well as to give him complete explanations about what happened, removing the image from the account that we are able to manage.
That the entity has in place the technical and organizational measures necessary to respond to the exercise of the rights of data subjects in accordance with its Procedure for Claims and Exercise of GDPR Rights, regretting that problems beyond the control of the entity sometimes arise.
That all necessary actions have been taken to prevent this from happening again. That it became impossible to recover one of the corporate accounts, and the technical support of the social network did not respond, as shown in the document containing screenshots of the requests made to the support team of the META companies, asking them to recover said account.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es

All personnel of the entity involved in this type of request follow strict internally established management procedures.
The facts that gave rise to the claim forwarded to us constitute the only recorded incident in which a request for withdrawal of consent was not handled in a timely manner, for reasons beyond our control.
At all times we have acted in accordance with what was established internally and always complying with the established and applicable legal deadlines. Although the right to erasure has been exercised before the entity, we are waiting for the entity in charge of reactivating our account to give us a response within a reasonable time.
We wish to record that the attempt to recover said account was made on several occasions, prior to the exercise of the claimant's right, without any success (…)
Once the reasons presented by the claimed party, which appear in the file, have been analyzed, this Agency considers that the controller has attended to the claim presented. For this reason, in accordance with the provisions of article 65 of the LOPDGDD, the Director of the Spanish Data Protection Agency AGREES to reject the claim for processing…”

THIRD: The complaining party, disagreeing with the inadmissibility, filed an appeal for reconsideration, which was upheld and gave rise to the current claim. Namely:
“…Consequently, when a data subject exercises the right to erasure of the personal data concerning him before a controller, the latter will be obliged to delete the personal data without undue delay when the data are not necessary to fulfill the purposes for which they were collected. Conversely, if the data continue to be necessary in relation to the purposes for which they were collected, their deletion would not proceed, and the request must be answered with a reasoned refusal.
In the present case, it has been proven that the claimed party responded to the request for deletion made by the appellant, but it has not been possible to delete all the images requested and included in the corporate account, for which reason help has been requested from the META technical service.
From the above it follows that the incident has not been resolved and, consequently, the appellant's claim has not been satisfied.
Therefore, in the present case, along with the appeal for reconsideration, new relevant documentation has been provided for the purposes of what was raised, and the appeal filed is to be upheld…”

FOURTH: On November 7, 2023, the claim, the appeal for reconsideration and the resolution upholding the appeal were forwarded to the claimed party, and a hearing process was opened so that, within a period of ten business days, it could present the allegations it deemed appropriate. In summary, it made the following allegations:

The claimed party continues to state that it has deleted the images corresponding to YouTube but that, despite having tried, as it proves with documents, it continues to have problems deleting the complainant's image on the account that depends on META. However, it says it will continue trying.


The claimed party sends a list of its actions to delete the claimant's data.

“…GABINETE DE NEUROCIENCIAS has, during the last few months, taken the following measures with respect to the META company, specifically:
- From 12/7/2022 to 02/28/2023, various claims were submitted electronically to the META company, with the objective of deleting a corporate account that was inactive (TEAM B.B.B.)
- These profiles have been reported from other accounts, without obtaining any result.
- As of May 2023, the entity has continued to submit various claims to the META companies, without receiving a response. (Document 4 is provided with the actions carried out)
- On September 27, 2023, a certified letter was sent to Meta's Data Protection department, located in Ireland, exercising the right to erasure, without obtaining a response. (Document 5)
- On October 16, 2023, a new certified letter was sent to META Ireland, again without obtaining any response. (Document 6)
- Finally, and as a consequence of the last request received by this Agency, a certified letter has once again been sent to Ireland, to META's Privacy Department, exercising for a second time the right to erasure of the account. (Document 7) Likewise, a claim has been filed before this Agency against META for failure to attend to the exercise of the right to erasure requested on September 27, 2023. (Document 8)
It should be noted that, prior to deleting the account, we have tried by all means, as shown in the evidence provided with the various submissions filed with this Agency, to rectify the data and access the account in order to exercise the claimant's right to erasure…”

FIFTH: Once the document presented by the claimed party had been examined, it was forwarded to the complaining party so that, within a period of ten business days, he could formulate the allegations he considered appropriate. The complaining party has not presented allegations.


FOUNDATIONS OF LAW

I
Competence

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) grants to each supervisory authority, and as established in articles 47, 48.1 and 64.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, of this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."



II
Previous issues

In accordance with the provisions of article 55 of the RGPD, the Spanish Data Protection Agency is competent to perform the functions assigned to it in article 57, among them, to enforce the Regulation and promote awareness among controllers and processors of the obligations incumbent on them, as well as to handle claims presented by a data subject and investigate, to the appropriate extent, the reason for them.

Correlatively, article 31 of the RGPD establishes the obligation of controllers and processors to cooperate with the supervisory authority that requests it in the performance of its functions. In the event that they have designated a data protection officer, article 39 of the RGPD attributes to the officer the function of cooperating with said authority.

Article 58.2 of the RGPD confers on the Spanish Data Protection Agency a series of corrective powers for the purposes of correcting any breach of the GDPR, among which is “ordering the controller or processor to respond to requests to exercise the rights of the data subject under this Regulation”.

III
Rights of people regarding the protection of personal data

The rights of people regarding the protection of personal data are regulated in articles 15 to 22 of the RGPD and 13 to 18 of the LOPDGDD. They cover the rights of access, rectification, deletion, opposition, the right to limitation of treatment and the right to portability.

The formal aspects related to the exercise of these rights are established in articles 12 of the RGPD and 12 of the LOPDGDD.

Furthermore, what is expressed in Recitals 59 and following of the GDPR is taken into account.

In accordance with the provisions of these regulations, the controller must put in place formulas and mechanisms to make it easier for the data subject to exercise his rights, which will be free of charge (without prejudice to the provisions of articles 12.5 and 15.3 of the RGPD), and is obliged to respond to requests made no later than one month, unless it can demonstrate that it is not in a position to identify the data subject, and to state its reasons in case it is not going to attend to said request. It falls on the controller to prove compliance with the duty to respond to the request to exercise rights made by the affected party.



The communication addressed to the data subject in response to his request must be expressed in a concise, transparent, intelligible and easily accessible manner, in clear and simple language.


IV
Right to erasure

Article 17 of the GDPR, which regulates the right to deletion of personal data, establishes the following:

"1. The data subject will have the right to obtain from the controller, without undue delay, the deletion of personal data concerning him, and the controller will be obliged to delete personal data without undue delay when any of the following circumstances applies:

a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
b) the data subject withdraws the consent on which the processing is based in accordance with Article 6(1)(a) or Article 9(2)(a), and the processing is not based on another legal basis;
c) the data subject objects to the processing in accordance with Article 21(1) and no other legitimate reasons for the processing prevail, or the data subject objects to the processing pursuant to Article 21(2);
d) the personal data have been processed unlawfully;
e) the personal data must be deleted for compliance with a legal obligation established in the law of the Union or of the Member States that applies to the controller;
f) the personal data have been obtained in relation to the offer of information society services mentioned in Article 8, paragraph 1.

2. When the controller has made the personal data public and is obliged, by virtue of the provisions of paragraph 1, to delete said data, the controller, taking into account the available technology and the cost of its application, will adopt reasonable measures, including technical measures, with a view to informing the controllers who are processing the personal data of the data subject's request for deletion of any link to that personal data, or any copy or replication of it.

3. Paragraphs 1 and 2 will not apply when processing is necessary:

a) to exercise the right to freedom of expression and information;
b) for compliance with a legal obligation that requires the processing of data imposed by Union or Member State law applicable to the controller, or for the performance of a task carried out in the public interest or in the exercise of public powers conferred on the controller;
c) for reasons of public interest in the field of public health in accordance with Article 9, paragraph 2, letters h) and i), and paragraph 3;
d) for archival purposes in the public interest, scientific or historical research purposes or statistical purposes, in accordance with Article 89(1), to the extent that the right indicated in paragraph 1 could make impossible or seriously hinder the achievement of the objectives of said processing, or
e) for the formulation, exercise or defense of claims".

V
Conclusion

During the processing of this procedure, the claimed entity has deleted part of what was requested, but not all of it.
According to the claimed party, it is putting all its effort into attending to the right; it has substantiated this and has already done so in part. Therefore, we must calibrate to what extent we can uphold this claim, taking into account that the deletion is not complete for reasons beyond the control of the claimed party, as set out in the facts.

Lastly, this Agency reserves the right to conduct an investigation, separately from this resolution, if it considers it appropriate, regarding META's lack of response, in which case it would inform the parties in due course.


Considering the aforementioned precepts and others of general application, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: DISMISS the claim made by A.A.A. against GABINETE DE NEUROCIENCIAS, S.L.

SECOND: NOTIFY this resolution to A.A.A. and to GABINETE DE NEUROCIENCIAS, S.L.


In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within a period of one month from the day following the notification of this resolution, or directly file a contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the aforementioned Law.



                                                                              1381-090823
Mar España Martí
Director of the Spanish Data Protection Agency





