AEPD (Spain) - PD-00207-2022

From GDPRhub
AEPD - PD-00207-2022
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 12 GDPR
Article 15 GDPR
Article 15(3) GDPR
Article 17 GDPR
Article 31 GDPR
Article 39 GDPR
Article 55 GDPR
Article 56(2) GDPR
Article 57(1)(f) GDPR
Article 12 LOPDGDD
Article 13 LOPDGDD
Article 37 LOPDGDD
Article 47 LOPDGDD
Article 48(6) LOPDGDD
Article 50 LOPDGDD
Article 64(1) LOPDGDD
Article 64(2) LOPDGDD
Article 65(4) LOPDGDD
Type: Complaint
Outcome: Rejected
Started: 06.07.2022
Decided: 15.11.2024
Fine: n/a
National Case Number/Name: PD-00207-2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: isabela.rosal.santos

Spanish DPA dismisses the complaint of a data subject since the data controller did respond to the access and erasure request. The existence of an outstanding debt with the controller justifies the processing of the personal data.

English Summary


The data subject requested the access and the erasure of their personal data from the list of insolvent persons. The data was initially handled by the data controller, but there was a posterior change of control. Even though the data subject affirmed that their requests were not properly addressed by the initial controller, the company stated that all the answers were timely provided, including the change of control over the data.


The DPA dismissed the complaint of the data subject. Since the controller did provide timely and relevant information to the data controller and they have an outstanding debt with the controller, the complaint should not be upheld.


The Spanish DPA highlighted that, whenever possible, alternative mechanisms should be enforced over administrative sanctioning.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.


     File No.: EXP202205064

                           RESOLUTION NO.: R/01128/2022

Considering the claim made on April 6, 2022 before this Agency by A.A.A. (in
hereinafter, the claiming party), against WORKING CAPITAL MANAGEMENT ESPAÑA,

S.L. (hereinafter, the claimed party), because their
right of access and deletion.

The procedural actions provided for in Title VIII of the Law have been carried out
Organic 3/2018, of December 5, Protection of Personal Data and guarantee of

digital rights (hereinafter LOPDGDD), the following have been verified


FIRST: The complaining party exercised the right of access and deletion against the

claimed, without his request having received the legally established response.
The claimant states that his personal data is registered in systems
common credit information in relation to a debt owed to the claimed entity
which he does not know, so he requests the same information about the debt, as well as the
deletion of your data.

The complaining party provides various documentation related to the claim raised
before this Agency and on the exercise of the right exercised.

SECOND: In accordance with article 65.4 of the LOPDGDD, which has provided for a
mechanism prior to the admission for processing of claims made before

the AEPD, consisting of transferring them to the Data Protection Delegates
designated by those responsible or in charge of the treatment, for the intended purposes
in article 37 of the aforementioned norm, or to these when they have not been designated,
transferred the claim to the claimed entity so that it could proceed with its
analysis and respond to the complaining party and this Agency within a period of one

THIRD: The result of the transfer procedure indicated in the previous Fact does not
allowed the claims of the complaining party to be understood as satisfied. In
consequently, dated July 6, 2022, for the purposes provided for in article 64.2

of the LOPDGDD, the Director of the Spanish Data Protection Agency agreed
admit the claim presented for processing and the parties were informed that the deadline
maximum to resolve this procedure, which is understood to have been initiated by
said admission agreement for processing will be six months.

The aforementioned agreement granted the claimed entity a hearing process, to
that within a period of fifteen business days, present the allegations that it deems
convenient. Said entity formulated, in summary, the following allegations:

C/ Jorge Juan, 6
28001 – Madrid 2/6

The claimed party states and certifies that it has informed the claimant of all the
process by which the debt incurred passed from one company to another.
Furthermore, regarding the delinquency files, I informed you:

“…that your credit is included in the ASNEF asset solvency and credit file-
EQUIFAX, also providing a copy of the information about you
It appears at that time in the aforementioned asset solvency and credit file; and?
During the period of 15 days from the date of said letter, your data will not be
visible in the aforementioned file but that, if after said period it does not regularize its

situation, your data will be visible in said file, appearing as a creditor Working
Capital Management España, S.L…”

The defendant affirms that there is a certain and enforceable debt and that he is the creditor of the
same, documentary evidence in the allegations having requested the deletion of

the claimant's data from the asset solvency entity, but states that the
debt remains unpaid and therefore cannot delete the data.

FOURTH: Once the allegations presented by the defendant have been examined, they are the subject of
transfer to the complaining party, so that, within a period of fifteen business days, it can formulate
allegations that he considers appropriate. As of the date of resolution of this claim,

allegations have been made.

                           FOUNDATIONS OF LAW

FIRST: The Director of the Spanish Agency for
Data Protection, in accordance with the provisions of section 2 of article 56 in
in relation to section 1 f) of article 57, both of Regulation (EU) 2016/679 of the
European Parliament and of the Council of April 27, 2016 regarding the protection of
natural persons with regard to the processing of personal data and the free

circulation of this data (hereinafter referred to as GDPR); and in article 47 of the LOPDGDD.

SECOND: In accordance with the provisions of article 55 of the RGPD, the Agency
Spanish Data Protection Agency is competent to perform the functions that
are assigned to it in its article 57, among them, to enforce the Regulation and
promote awareness of data controllers and those in charge of processing

about their obligations, as well as dealing with claims
presented by an interested party and investigate the reason for them.

Correlatively, article 31 of the RGPD establishes the obligation of those responsible
and those in charge of processing to cooperate with the supervisory authority that requests it in

the performance of their functions. In the event that they have designated a
data protection officer, article 39 of the RGPD attributes to him the function of
cooperate with said authority.

In accordance with this regulation, prior to the admission for processing of the
claim that gives rise to this procedure, it was transferred to the
responsible entity to proceed with its analysis, provide a response to this Agency
within a period of one month and proves that it has provided the claimant with the appropriate response,

C/ Jorge Juan, 6
28001 – Madrid 3/6

in the event of exercise of the rights regulated in articles 15 to 22 of the

Said agreement of admission to processing determines the opening of this procedure
of lack of attention to a request to exercise the rights established in the
articles 15 to 22 of the RGPD, regulated in article 64.1 of the LOPDGDD, according to the

"1. When the procedure refers exclusively to the lack of attention of a

request to exercise the rights established in articles 15 to 22 of the
Regulation (EU) 2016/679, will begin by agreement of admission to processing, which will be
will be adopted in accordance with the provisions of the following article.
In this case, the period to resolve the procedure will be six months from
from the date on which the claimant was notified of the admission agreement to

Procedure. After this period, the interested party may consider his

It is not considered appropriate to clarify administrative responsibilities within the framework
of a sanctioning procedure, the exceptional nature of which implies that it is opted,
whenever possible, due to the prevalence of alternative mechanisms that have

protection in current regulations.

It is the exclusive responsibility of this Agency to assess whether there are responsibilities
administrative actions that must be purged in a sanctioning procedure and, in
consequently, the decision on its opening, there being no obligation to initiate a

procedure for any request made by a third party. Such a decision must
be based on the existence of elements that justify said start of the activity
sanctioning, circumstances that do not occur in the present case, considering that
With this procedure, the guarantees are duly restored and
rights of the claimant.

THIRD: The rights of people regarding data protection
personal data are regulated in articles 15 to 22 of the RGPD and 13 to 18 of the
LOPDGDD. The rights of access, rectification, deletion,
opposition, right to limitation of processing and right to portability.

The formal aspects related to the exercise of these rights are established in the
articles 12 of the RGPD and 12 of the LOPDGDD.

Furthermore, what is expressed in Considering 59 and following of the

In accordance with the provisions of these regulations, the person responsible for the treatment
must arbitrate formulas and mechanisms to facilitate the interested party in the exercise of their rights.
rights, which will be free (without prejudice to the provisions of articles 12.5 and 15.3
of the RGPD), and is obliged to respond to requests made no later than a

month, unless you can demonstrate that you are not in a position to identify the
interested, and to express his reasons in case he was not going to attend said
application. It falls on the person responsible to prove compliance with the duty of
respond to the request to exercise their rights made by the affected party.

C/ Jorge Juan, 6
28001 – Madrid 4/6

The communication addressed to the interested party on the occasion of their request must
be expressed in a concise, transparent, intelligible and easily accessible manner, with a

clear and simple language.

In the case of the right of access to personal data, in accordance with the
established in article 13 of the LOPDGDD, when the exercise of the right is
refers to a large amount of data, the person responsible may request the affected person to
specify the “data or processing activities to which the request refers”. He

The right will be deemed granted if the person responsible provides remote access to the data,
considering the request has been attended to (although the interested party may request the information
referring to the extremes provided for in article 15 of the RGPD).

The exercise of this right may be considered repetitive on more than one occasion.

during the period of six months, unless there is legitimate cause for it.

On the other hand, the request will be considered excessive when the affected party chooses a means
different from the one offered that entails a disproportionate cost, which must be
assumed by the affected person.

FOURTH: Article 17 of the RGPD, which regulates the right to deletion of data
personal, establishes the following:

"1. The interested party will have the right to obtain without undue delay from the person responsible for the
processing the deletion of personal data that concerns you, which will be

obliged to delete personal data without undue delay when any
of the following circumstances:
a) the personal data are no longer necessary in relation to the purposes for which they were
were collected or otherwise treated;
b) the interested party withdraws the consent on which the treatment is based in accordance

with Article 6(1)(a) or Article 9(2)(a) and this is not
based on another legal basis;
c) the data subject objects to the processing in accordance with Article 21(1) and does not
other legitimate reasons for the processing prevail, or the interested party opposes the
treatment pursuant to Article 21(2);
d) the personal data have been processed unlawfully;

e) personal data must be deleted for compliance with a legal obligation
established in the law of the Union or of the Member States that applies to the
responsible for the treatment;
f) the personal data have been obtained in relation to the offer of services of the
information society mentioned in Article 8, paragraph 1.

2. When you have made personal data public and are obliged, by virtue of the
provided in section 1, to delete said data, the data controller,
taking into account the available technology and the cost of its application, it will adopt
reasonable measures, including technical measures, with a view to informing

responsible parties who are processing the personal data of the interested party's request for
deletion of any link to that personal data, or any copy or replication of
the same.

C/ Jorge Juan, 6
28001 – Madrid 5/6

3. Sections 1 and 2 will not apply when treatment is necessary:
a) to exercise the right to freedom of expression and information;
b) for compliance with a legal obligation that requires data processing

imposed by Union or Member State law applicable to the
responsible for the treatment, or for the fulfillment of a mission carried out in the interest
public or in the exercise of public powers conferred on the person responsible;
c) for reasons of public interest in the field of public health in accordance with
Article 9, paragraph 2, letters h) and i), and paragraph 3;
d) for archival purposes in the public interest, scientific or historical research purposes or

statistical purposes, in accordance with Article 89(1), to the extent that
the right indicated in paragraph 1 could make it impossible or hinder
seriously the achievement of the objectives of said treatment, or
e) for the formulation, exercise or defense of claims.”

FIFTH: In the case analyzed here, the complaining party exercised its rights of
access and deletion and these have been addressed, access has been facilitated and
reasonedly denied deletion. The claimed entity certifies that it gave
response to the claimant's request by letter dated 02/19/2022 and that in
dated 09/15/2022 sent the response again.

The claimant incurred a debt with one entity and the debt was assigned to another. This
second entity, current creditor of the debt and party claimed in this
claim, proves having informed the claimant of the entire claim procedure.
change of credit institution, likewise, proves having informed the claimant of the
inclusion in a file of asset solvency in the event of non-payment.

Based on the foregoing, considering that this procedure has as its
object that the guarantees and rights of those affected are duly
restored, and since there is an outstanding debt and the claimed party complies with
the regulations denying with reasons, this claim is rejected.

Considering the aforementioned precepts and others of general application,
the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: DISMISS the claim made by A.A.A. vs. WORKING

SECOND: NOTIFY this resolution to A.A.A. and WORKING CAPITAL

In accordance with the provisions of article 50 of the LOPDGDD, this

Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may optionally file an appeal for reconsideration before the

Director of the Spanish Data Protection Agency within a period of one month to
count from the day following the notification of this resolution or directly
contentious-administrative appeal before the Contentious-administrative Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of

C/ Jorge Juan, 6
28001 – Madrid 6/6

the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative Jurisdiction, within a period of two months from the

day following the notification of this act, as provided for in article 46.1 of the
referred Law.

Sea Spain Martí
Director of the Spanish Data Protection Agency

C/ Jorge Juan, 6
28001 – Madrid