AEPD (Spain) - EXP202201987

From GDPRhub
Revision as of 10:59, 12 October 2022 by Fz (talk | contribs)
AEPD - PD-00099-2022
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 15 GDPR
Article 17 GDPR
Article 3 LOPDGDD
Type: Complaint
Outcome: Upheld
Started: 31.01.2022
Decided:
Published: 29.09.2022
Fine: n/a
Parties: PEPEMOBILE. S.L.
National Case Number/Name: PD-00099-2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish DPA ordered a mobile network operator to comply with a request to access and erase the data of a deceased family member pursuant to Articles 15 and 17 GDPR. It held that in case of doubt regarding the identity of the requesting party, a controller has to ask for more information rather than leaving a request unanswered.

English Summary

Facts

The data subject's e-mail address was associated with a mobile phone line contracted by their aunt with a mobile network operator (the controller). After receiving an e-mail addressed to their deceased aunt, the data subject informed the controller of the aunt's death and requested access to, and subsequent deletion of, their aunt's data.

In response, the controller asked for a copy of the death certificate, which was provided by the data subject. A few days later, the data subject received information that there was a possible identity theft incident because the controller had not sent out any commercial information by electronic means to the data subject's aunt. Allegedly, someone was trying to impersonate the controller. Eventually, the request to access and erase the personal data in question was not fulfilled despite the time limit for a response having passed.

Consequently, the data subject directed a complaint to the Spanish DPA in order to have their rights exercised.

Holding

First, the Spanish DPA reiterated the importance of safeguarding data subject rights, especially the right of access under Article 15 GDPR, in a timely manner as well as in clear and transparent form.

Second, the DPA looked at the right to erasure under Article 17 GDPR, which allows data subjects to have their personal data deleted after balancing the different interests at stake. In the present case, it was also important to consider Article 3 of the LOPDGDD, the Spanish data protection law, which allows family members of deceased persons to request deletion of their data from the controller or processor.

The DPA took into account the controller's argument that it did not comply with the request because it did not have any information on the service contracted by the deceased. The DPA concluded that in case of doubts about the identity of the requesting party, the controller should have requested more information from the data subject, rather than leave the request unanswered. Therefore, the controller had no valid reason to not comply with the access request and request for erasure.

The DPA officially called the controller to comply with the data subject requests in a timely manner.


English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.











     File No.: EXP202201987



                           RESOLUTION No.: R/00772/2022

Considering the claim made on January 31, 2022 before this Agency by Mr. A.A.A. (hereinafter, the claimant party), against PEPEMOBILE. SL (hereinafter, the claimed party), for not having duly attended to his right of suppression.

Having carried out the procedural actions provided for in Title VIII of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), the following have been verified



                                       FACTS

FIRST: The email address of the claimant is associated with a mobile line contracted by his aunt with the claimed party.

After receiving an email addressed to his aunt, he contacted the claimed entity by the same means, informing it of her death and requesting the deletion of her data.

The respondent replied requesting a copy of the death certificate, which was submitted by the claimant on November 30, 2021.

A few days later, given the lack of response, he contacted the claimed entity, which replied that the file he had sent was damaged and that it needed to be sent again; the claimant sent it the same day, December 3, 2021.

Subsequently, the claimant received an email from the claimed entity, addressed to his aunt, informing her that they are suffering possible identity theft.


SECOND: In accordance with article 65.4 of the LOPDGDD, which provides for a mechanism prior to the admission for processing of the claims filed with the AEPD, consisting of forwarding them to the Data Protection Officers designated by controllers or processors, for the purposes foreseen in article 37 of the aforementioned rule, or to the controllers or processors themselves when none has been designated, the claim was forwarded to the claimed entity so that it could analyze it and respond to the claimant and to this Agency within a month.


The representative of the respondent states that "(...) the interested party does not provide
any information related to the owner of the line, or identifying data or
contracted line, so we cannot meet the right based on the information
provided in this claim without such information.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/7









However, we have moved the information about email attachments in the claim to our customer service department to try to locate the case and review what could have happened.

Regarding the sending of commercial communications, my client does not send commercial information of any nature by policy or by electronic means or telephone. However, when we receive news of possible usurpations of our personality that may lead to deception of our customers or former customers, we do inform them of these circumstances for preventive purposes. This can be verified in the communication provided by the interested party. (…)”

THIRD: The result of the transfer process indicated in the previous Fact did not allow the claims of the claimant to be considered satisfied. Consequently, on April 30, 2022, for the purposes provided in article 64.2 of the LOPDGDD, the Director of the Spanish Agency for Data Protection agreed to admit the submitted claim for processing and informed the parties that the maximum term to resolve this procedure, which is understood to have started through said admission agreement, would be six months.


FOURTH: Once the allegations presented by the respondent had been examined, they were forwarded to the claimant so that, within fifteen business days, he could formulate the allegations he deemed appropriate; this Agency has no record of a response.



                           FOUNDATIONS OF LAW

FIRST: The Director of the Spanish Agency for Data Protection, in accordance with the provisions of section 2 of article 56 in relation to section 1 f) of article 57, both of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data and the free circulation of these data (hereinafter GDPR); and in article 47 of the LOPDGDD.

SECOND: In accordance with the provisions of article 55 of the GDPR, the Spanish Data Protection Agency is competent to perform the functions assigned to it in article 57, among them enforcing the Regulation, promoting awareness among controllers and processors of the obligations incumbent on them, and dealing with claims presented by an interested party and investigating the reason for them.


Correspondingly, article 31 of the GDPR establishes the obligation of controllers and processors to cooperate with the supervisory authority, at its request, in the performance of its duties. Where they have appointed a data protection officer, article 39 of the GDPR assigns to that officer the function of cooperating with that authority.

Similarly, the domestic legal system, in article 65.4 of the LOPDGDD, has
foreseen a mechanism prior to the admission to processing of the claims that are









formulated before the Spanish Agency for Data Protection, which consists of forwarding them to the data protection officers designated by controllers or processors, for the purposes provided in article 37 of the aforementioned norm, or to the controllers or processors themselves when none has been designated, so that they analyze said claims and respond to them within a month.

In accordance with this regulation, prior to the admission for processing of the
claim that gives rise to this procedure, it was transferred to the
responsible entity to proceed with its analysis, respond to this Agency

within a month and prove that they have provided the claimant with the due response,
in the event of exercising the rights regulated in articles 15 to 22 of the
GDPR.

The result of said transfer did not allow the claims of the claimant to be considered satisfied. Consequently, on April 30, 2022, for the purposes provided for in article 64.2 of the LOPDGDD, the Director of the Spanish Agency for Data Protection agreed to admit the submitted claim for processing. Said admission agreement determines the opening of the present procedure for failure to attend to a request to exercise the rights established in articles 15 to 22 of the GDPR, regulated in article 64.1 of the LOPDGDD, according to which:

"1. When the procedure refers exclusively to the failure to attend to a request to exercise the rights established in articles 15 to 22 of Regulation (EU) 2016/679, it will start by an agreement of admission for processing, which will be adopted in accordance with the provisions of the following article.

In this case, the term to resolve the procedure will be six months from the date on which the claimant was notified of the admission agreement. Once this period has elapsed, the interested party may consider their claim".

The purging of administrative responsibilities in the framework of a sanctioning procedure, whose exceptional nature implies opting, whenever possible, for the prevalence of alternative mechanisms that have protection in current regulations.

It is the exclusive competence of this Agency to assess whether there are administrative responsibilities that must be purged in a sanctioning procedure and, consequently, to decide on its opening; there is no obligation to initiate a procedure in response to any request made by a third party. Such a decision must be based on the existence of elements that justify initiating sanctioning activity, circumstances that are not present in this case, considering that this procedure duly restores the claimant's guarantees and rights.


THIRD: The rights of individuals with regard to the protection of personal data are regulated in articles 15 to 22 of the GDPR and 13 to 18 of the LOPDGDD. The rights of access, rectification, deletion, opposition, limitation of treatment and portability.










The formal aspects related to the exercise of these rights are established in article 12 of the GDPR and article 12 of the LOPDGDD.

Account is also taken of what is expressed in Recitals 59 and following of the GDPR.

In accordance with the provisions of these rules, the data controller must put in place formulas and mechanisms to facilitate the exercise of the interested party's rights, which will be free of charge (without prejudice to the provisions of articles 12.5 and 15.3 of the GDPR), and is obliged to respond to the requests made no later than one month, unless it can show that it is unable to identify the interested party, and to state its reasons if it is not going to attend to said request. The proof of compliance with the duty to respond to the request to exercise their rights made by the affected party.

The communication addressed to the interested party on the occasion of their request must be expressed in a concise, transparent, intelligible and easily accessible manner, in clear and simple language.


Regarding the right of access to personal data, in accordance with the provisions of article 13 of the LOPDGDD, when the exercise of the right refers to a large amount of data, the controller may request the affected party to specify the “data or treatment activities to which the request refers”. The right will be understood to be granted if the controller provides remote access to the data, the request being taken as granted (although the interested party may request the information referring to the matters provided for in article 15 of the GDPR).

The exercise of this right may be considered repetitive if it is exercised on more than one occasion within a period of six months, unless there is legitimate cause for it.

On the other hand, the request will be considered excessive when the affected party chooses a means other than the one offered that involves a disproportionate cost, which must be assumed by the affected party.

FOURTH: Article 17 of the GDPR, which regulates the right to deletion of personal data, establishes the following:

"1. The interested party shall have the right to obtain, without undue delay, from the controller the deletion of personal data concerning him or her, and the controller shall be obliged to delete personal data without undue delay when any of the following circumstances applies:

a) the personal data is no longer necessary in relation to the purposes for which
were collected or otherwise treated;


b) the interested party withdraws the consent on which the treatment is based in accordance
with article 6, paragraph 1, letter a), or article 9, paragraph 2, letter a), and this is not
based on another legal basis;










c) the interested party opposes the treatment in accordance with article 21, paragraph 1, and no other legitimate reasons for the treatment prevail, or the interested party opposes the treatment according to article 21, paragraph 2;


d) the personal data has been illicitly processed;

e) the personal data must be deleted for the fulfillment of a legal obligation
established in the Law of the Union or of the Member States that applies to the
data controller;


f) the personal data has been obtained in relation to the offer of services of the
information society referred to in article 8, paragraph 1.

2. Where the controller has made the personal data public and is obliged, by virtue of the provisions of section 1, to delete said data, the controller, taking into account the available technology and the cost of its application, shall adopt reasonable measures, including technical measures, with a view to informing the controllers who are processing the personal data of the interested party's request for deletion of any link to such personal data, or any copy or replica thereof.


3. Sections 1 and 2 will not apply when the treatment is necessary:

a) to exercise the right to freedom of expression and information;


b) for the fulfillment of a legal obligation that requires the processing of data
imposed by the law of the Union or of the Member States that applies to the
responsible for the treatment, or for the fulfillment of a mission carried out in the interest
public or in the exercise of public powers vested in the controller;


c) for reasons of public interest in the field of public health in accordance with
article 9, section 2, letters h) and i), and section 3;

d) for archival purposes in the public interest, scientific or historical research purposes or statistical purposes, in accordance with Article 89(1), insofar as the right indicated in section 1 could make it impossible or seriously hinder the achievement of the objectives of said treatment, or

e) for the formulation, exercise or defense of claims”.

FIFTH: Article 3 of the LOPDGDD, Data of deceased persons, establishes in section 1, first paragraph:

"1. Persons linked to the deceased by family or de facto ties, as well as their heirs, may contact the controller or processor in order to request access to the personal data of the deceased and, where appropriate, their rectification or deletion."

SIXTH: Article 12.4 of the RGPD provides that










"4. If the controller does not act on the request of the interested party, it shall inform the interested party without delay, and no later than one month after receiving the request, of the reasons for its non-action and of the possibility of presenting a claim before a supervisory authority and of exercising legal actions.”

SEVENTH: In the case analyzed here, it has been proven that the claimant requested the deletion of the data of his deceased aunt, having provided a copy of the death certificate.

During the processing of this procedure, the claimed entity has indicated that it has not fulfilled the right requested given that it does not have any information on the deceased or the service contracted by her.

Notwithstanding the foregoing, the examination of the documentation provided makes clear that the claimant submitted, twice, a copy of the death certificate of the deceased aunt.

Moreover, in the event that the claimed entity had doubts about the data to be deleted or the identity of the applicant, it should have requested that information, and not left the request unanswered.

Consequently, given that there is no evidence that the respondent party attended to the right requested, or denied it with reasons, it is appropriate to uphold the claim that gave rise to this proceeding.

Considering the aforementioned precepts and others of general application, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: UPHOLD the claim made by Mr. A.A.A. and urge PEPEMOBILE. SL, with NIF B85033470, to send the claimant, within ten working days following the notification of this resolution, certification stating that it has fulfilled the requested right to deletion or that it denies it with reasons, indicating why it is not appropriate to attend to the request, in accordance with what is established in the body of this resolution. The actions carried out as a result of this Resolution must be communicated to this Agency within the same period. Non-compliance with this resolution could lead to the commission of the infraction considered in article 72.1.m) of the LOPDGDD, which will be sanctioned in accordance with art. 58.2 of the GDPR.

SECOND: NOTIFY this resolution to D. A.A.A. and to PEPEMOBILE. S.L.


In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.


















Against this resolution, which puts an end to the administrative procedure in accordance with article 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within one month from the day following the notification of this resolution, or directly file a contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within a period of two months from the day following the notification of this act, as provided in article 46.1 of the aforementioned Law.

                                                                                 1195-020622
Mar España Martí
Director of the Spanish Data Protection Agency














































