AEPD (Spain) - PD-00099-2022
|AEPD - PD-00099-2022|
|Relevant Law:||Article 15 GDPR|
Article 17 GDPR
Article 3 LOPDGDD
|National Case Number/Name:||PD-00099-2022|
|European Case Law Identifier:||n/a|
|Original Source:||AEPD (in ES)|
The Spanish DPA ordered a mobile network operator to comply with a request to access and erase the data of a deceased family member pursuant to Articles 15 and 17 GDPR. It held that in case of doubt regarding the identity of the requesting party, a controller has to ask for more information rather than leaving a request unanswered.
English Summary[edit | edit source]
Facts[edit | edit source]
The data subject's e-mail address was associated with a mobile phone line contracted by their aunt with a mobile network operator (the controller). After receiving an e-mail addressed to their deceased aunt, the data subject informed the controller about the passing away and requested access and subsequent deletion of their aunt's data.
In response, the controller asked for a copy of the death certificate, which was provided by the data subject. A few days later, the data subject received information that there was a possible identity theft incident because the controller had not sent out any commercial information by electronic means to the data subject's aunt. Allegedly, someone was trying to impersonate the controller. Eventually, the request to access and erase the personal data in question was not fulfilled despite the time limit for a reponse having passed.
Consequently, the data subject directed a complaint to the Spanish DPA in order to have their rights exercised.
Holding[edit | edit source]
First, the Spanish DPA reiterated the importance of safeguarding data subject rights, especially the right of access under Article 15 GDPR, in a timely manner as well as in clear and transparent form.
Second, the DPA looked at the right to erasure under Article 17 GDPR, which allows data subjects to have their personal data deleted after balancing the different interests at stake. In the present case, it was also important to consider Article 3 of the LOPDGDD, the Spanish data protection law, which allows family members of deceased persons to request deletion of their data from the controller or processor.
The DPA took into account the controller's argument that it did not comply with the request because it did not have any information on the service contracted by the deceased. The DPA concluded that in case of doubts about the identity of the requesting party, the controller should have requested more information from the data subject, rather than leave the request unanswered. Therefore, the controller had no valid reason to not comply with the access request and request for erasure.
The DPA officially called the controller to comply with the data subject requests in a timely manner.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/7 File No.: EXP202201987 RESOLUTION No.: R/00772/2022 Considering the claim made on January 31, 2022 before this Agency by Mr. A.A.A. (hereinafter, the claimant party), against PEPEMOBILE. SL (hereinafter, the claimed party), for not having been duly attended to their right of suppression. Carrying out the procedural actions provided for in Title VIII of the Law Organic 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), the following have been verified FACTS FIRST: The email address of the complaining party is associated with a mobile line contracted by his aunt with the claimed party. After receiving an email addressed to his aunt, he contacted the claimed entity by the same means informing him of the death of the same, and requesting the deletion of your data. The respondent replied requesting a copy of the death certificate, which was submitted by the claimant on November 30, 2021. A few days later, given the lack of response, he contacted the claimed, which replies indicating that the file you sent them is damaged and They need me to send it back, I send the claimant the same day, December 3 of 2021. Subsequently, the claimant has received an email from the entity claimed, addressed to her aunt, informing her that they are suffering possible identity theft. SECOND: In accordance with article 65.4 of the LOPDGDD, which has provided for a mechanism prior to the admission to processing of the claims that are formulated before the AEPD, consisting of transferring them to the Data Protection Delegates designated by those responsible or in charge of the treatment, for the purposes foreseen in article 37 of the aforementioned rule, or to these when they have not been designated, transferred the claim to the claimed entity so that it could proceed with its analysis and respond to the complaining party and this Agency within a month. The representative of the respondent states that "(...) the interested party does not provide any information related to the owner of the line, or identifying data or contracted line, so we cannot meet the right based on the information provided in this claim without such information. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/7 However, we have moved the information about email attachments in the claim to our customer service department to try to locate the case and review what could have happened. Regarding the sending of commercial communications, my client does not send commercial information of any nature by policy or by electronic means or telephone. However, when we receive news of possible usurpations of our personality that may lead to deception of our customers or former customers, if we inform them of these circumstances for preventive purposes. This can be verified in the communication provided by the interested party. (…)” THIRD: The result of the transfer process indicated in the previous Fact does not allowed to understand satisfied the claims of the claimant. In Consequently, on April 30, 2022, for the purposes provided in its article 64.2 of the LOPDGDD, the Director of the Spanish Agency for Data Protection agreed to admit the submitted claim for processing and informed the parties that the maximum term to resolve this procedure, which is understood to have started through said admission agreement, it will be six months. FOURTH: After examining the allegations presented by the respondent, they are subject to transfer to the complaining party, so that, within fifteen business days, it can formulate allegations that it deems appropriate, without any record in this Agency response. FOUNDATIONS OF LAW FIRST: The Director of the Spanish Agency for Data Protection, in accordance with the provisions of section 2 of article 56 in in relation to section 1 f) of article 57, both of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data and the free circulation of these data (hereinafter GDPR); and in article 47 of the LOPDGDD. SECOND: In accordance with the provisions of article 55 of the RGPD, the Agency Spanish Data Protection is competent to perform the functions that are assigned to it in its article 57, among them, that of enforcing the Regulation and promote awareness of controllers and processors about the obligations incumbent on them, as well as dealing with claims presented by an interested party and investigate the reason for them. Correlatively, article 31 of the RGPD establishes the obligation of those responsible and those in charge of the treatment to cooperate with the control authority that requests it in the performance of their duties. In the event that they have appointed a data protection delegate, article 39 of the RGPD attributes to it the function of cooperate with that authority. Similarly, the domestic legal system, in article 65.4 of the LOPDGDD, has foreseen a mechanism prior to the admission to processing of the claims that are C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/7 formulated before the Spanish Agency for Data Protection, which consists of giving transfer of the same to the data protection delegates designated by the responsible or in charge of the treatment, for the purposes provided in article 37 of the aforementioned norm, or to these when they have not been designated, so that they proceed to the analysis of said claims and to respond to them within a month. In accordance with this regulation, prior to the admission for processing of the claim that gives rise to this procedure, it was transferred to the responsible entity to proceed with its analysis, respond to this Agency within a month and prove that they have provided the claimant with the due response, in the event of exercising the rights regulated in articles 15 to 22 of the GDPR. The result of said transfer did not allow to understand satisfied the claims of the claiming party. Consequently, on April 30, 2022, for the purposes provided for in article 64.2 of the LOPDGDD, the Director of the Spanish Agency for Data Protection agreed to admit the submitted claim for processing. Saying agreement of admission to procedure determines the opening of the present procedure of lack of attention to a request to exercise the rights established in the articles 15 to 22 of the RGPD, regulated in article 64.1 of the LOPDGDD, according to the which: "1. When the procedure refers exclusively to the lack of attention of a request to exercise the rights established in articles 15 to 22 of the Regulation (EU) 2016/679, will start by agreement of admission to process, which will be shall adopt in accordance with the provisions of the following article. In this case, the term to resolve the procedure will be six months from from the date on which the claimant was notified of the admission agreement to Procedure. Once this period has elapsed, the interested party may consider their claim". The purging of administrative responsibilities in the framework of the of a sanctioning procedure, whose exceptional nature implies that it is chosen, whenever possible, due to the prevalence of alternative mechanisms that have protection in current regulations. It is the exclusive competence of this Agency to assess whether there are responsibilities administrative that must be purged in a sanctioning procedure and, in consequently, the decision on its opening, not existing obligation to initiate a procedure before any request made by a third party. Such a decision must be based on the existence of elements that justify said start of the activity sanctioning, circumstances that do not concur in the present case, considering that With this procedure, the guarantees and guarantees are duly restored. claimant's rights. THIRD: The rights of individuals in terms of data protection personal data are regulated in articles 15 to 22 of the RGPD and 13 to 18 of the LOPDGDD. The rights of access, rectification, deletion, opposition, right to limitation of treatment and right to portability. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/7 The formal aspects related to the exercise of these rights are established in the articles 12 of the RGPD and 12 of the LOPDGDD. It also takes into account what is expressed in Considerations 59 and following of the GDPR. In accordance with the provisions of these rules, the data controller must arbitrate formulas and mechanisms to facilitate the interested party in the exercise of their rights, which will be free (without prejudice to the provisions of articles 12.5 and 15.3 of the RGPD), and is obliged to respond to the requests made no later than one month, unless you can show that you are unable to identify the interested party, and to express his reasons in case he was not going to attend said request. The proof of compliance with the duty of respond to the request to exercise their rights made by the affected party. The communication addressed to the interested party on the occasion of their request must be expressed in a concise, transparent, intelligible and easily accessible manner, with a clear and simple language. Regarding the right of access to personal data, in accordance with the established in article 13 of the LOPDGDD, when the exercise of the right is refers to a large amount of data, the person in charge may request the affected party to specify the “data or treatment activities to which the request refers”. The right will be understood granted if the person in charge provides remote access to the data, taking the request as granted (although the interested party may request the information referring to the ends provided for in article 15 of the RGPD). The exercise of this right may be considered repetitive on more than one occasion. for a period of six months, unless there is legitimate cause for it. On the other hand, the request will be considered excessive when the affected party chooses a means other than the one offered that involves a disproportionate cost, which must be assumed by the affected party. FOURTH: Article 17 of the RGPD, which regulates the right to delete data personal, establishes the following: "1. The interested party shall have the right to obtain, without undue delay, from the person responsible for the treatment the deletion of personal data that concerns you, which will be obliged to delete personal data without undue delay when any of the following circumstances: a) the personal data is no longer necessary in relation to the purposes for which were collected or otherwise treated; b) the interested party withdraws the consent on which the treatment is based in accordance with article 6, paragraph 1, letter a), or article 9, paragraph 2, letter a), and this is not based on another legal basis; C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/7 c) the interested party opposes the treatment in accordance with article 21, paragraph 1, and does not other legitimate reasons for the treatment prevail, or the interested party opposes the treatment according to article 21, paragraph 2; d) the personal data has been illicitly processed; e) the personal data must be deleted for the fulfillment of a legal obligation established in the Law of the Union or of the Member States that applies to the data controller; f) the personal data has been obtained in relation to the offer of services of the information society referred to in article 8, paragraph 1. 2. When you have made the personal data public and are obliged, by virtue of the provided in section 1, to delete said data, the data controller, taking into account the available technology and the cost of its application, it will adopt reasonable measures, including technical measures, with a view to informing users Responsible for processing the personal data of the interested party's request for deletion of any link to such personal data, or any copy or replica of the same. 3. Sections 1 and 2 will not apply when the treatment is necessary: a) to exercise the right to freedom of expression and information; b) for the fulfillment of a legal obligation that requires the processing of data imposed by the law of the Union or of the Member States that applies to the responsible for the treatment, or for the fulfillment of a mission carried out in the interest public or in the exercise of public powers vested in the controller; c) for reasons of public interest in the field of public health in accordance with article 9, section 2, letters h) and i), and section 3; d) for archival purposes in the public interest, scientific or historical research purposes or statistical purposes, in accordance with Article 89(1), insofar as the right indicated in section 1 could make it impossible or hinder seriously the achievement of the objectives of said treatment, or e) for the formulation, exercise or defense of claims”. FIFTH: Article 3 of the LOPDGDD, Data of deceased persons, establishes in section 1, first paragraph: "1. People linked to the deceased for family reasons or de facto, as well as their heirs may contact the person in charge or in charge of the treatment in order to request access to the personal data of that and, where appropriate, its rectification or suppression." SIXTH: Article 12.4 of the RGPD provides that C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/7 "4. If the person in charge of the treatment does not process the request of the interested party, will inform without delay, and no later than one month after receiving the request, the reasons for its non-action and the possibility of presenting a claim before a control authority and to exercise legal actions.” SEVENTH: In the case analyzed here, it has been proven that the claimant requested the deletion of the data of her deceased aunt, having provided a copy of the death certificate. During the processing of this procedure, the entity claimed, has indicated that it has not fulfilled the right requested given that it does not have any information on the deceased or the service contracted by the same. Notwithstanding the foregoing, from the examination of the documentation provided, it is clear that the The claimant submitted, twice, a copy of the death certificate of the deceased aunt. Moreover, in the event that the claimed entity had doubts about the data to be delete or the identity of the applicant, should have requested that information, and not leave the exercise presented unanswered. Consequently, given that there is no evidence that the respondent party attended the right requested, or denied reasoned the same, it is appropriate to estimate the claim that gave rise to this proceeding. Considering the aforementioned precepts and others of general application, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: ESTIMATE the claim made by D. A.A.A. and urge PEPEMOBILE. SL with NIF B85033470, so that, within ten days working days following the notification of this resolution, send to the party claimant certification stating that he has fulfilled the right to deletion requested or is denied for reasons indicating the reasons why it is not It is appropriate to attend to the request, in accordance with what is established in the body of the this resolution. The actions carried out as a result of this Resolution must be communicated to this Agency within the same period. The Non-compliance with this resolution could lead to the commission of the infraction considered in article 72.1.m) of the LOPDGDD, which will be sanctioned, in accordance with art. 58.2 of the GDPR. SECOND: NOTIFY this resolution to D. A.A.A. and to PEPEMOBILE. S.L. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/7 Against this resolution, which puts an end to the administrative procedure in accordance with article 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a month from counting from the day following the notification of this resolution or directly contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within a period of two months from the day following the notification of this act, as provided in article 46.1 of the aforementioned Law. 1195-020622 Sea Spain Marti Director of the Spanish Data Protection Agency 28001 – Madrid 6 sedeagpd.gob.es