AEPD (Spain) - PS/00443/2021

From GDPRhub
Revision as of 08:51, 16 March 2023 by Ls (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
AEPD - PS/00443/2021
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 12 GDPR
Article 15 GDPR
Article 83(2) GDPR
Article 56 GDPR
Article 60 GDPR
Type: Complaint
Outcome: Partly Upheld
Started:
Decided:
Published:
Fine: n/a
Parties: Edreams
National Case Number/Name: PS/00443/2021
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: ls

The Spanish DPA recalled that the exercise of GDPR rights is free of charge. Asking a data subject to pay a fee to rectify their data following a spelling mistake breaches Article 12 GDPR.

English Summary

Facts

A data subject purchased airline tickets on the website of the travel agency Vacaciones Edreams (controller). After detecting that there was an error in his name, he contacted the controller's customer service to have the mistake rectified. To make the change, the controller charged him an additional 50 euros.

The data subject therefore filed a complaint with the French DPA which was transferred to the Spanish DPA in accordance with Article 56 GDPR.

The investigation revealed that an employee of the controller made a typo and that is why the data subject's name was misspelled. The controller announced that he had since taken steps to prevent this from happening again and that he had compensated the data subject. It also added that the rectification fee was, in turn, decided by the airline company - not by the travel operator.

Holding

The DPA considered that the rights of data subjects under the GDPR must be granted free of charge. This is all the more so when the correction does not imply the change of a passenger for another but simply rectify inaccurate data. The DPA considered that there was indeed a breach of Article 12 GDPR but, taking into account the measures taken by the controller to prevent this from happening again, the DPA considered the breach to be minor for the purpose of Article 83(2) GDPR. It therefore issued a warning to the controller.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/14










     File No.: PS/00443/2021

IMI Reference: A56ID 149531- Case Register 163850


                RESOLUTION OF SANCTIONING PROCEDURE

Of the procedure instructed by the Spanish Agency for Data Protection and based on

to the following

                                   BACKGROUND

FIRST: A.A.A. (hereinafter, the complaining party) dated July 4, 2019

filed a claim with the French data protection authority
(Commission Nationale de l'Informatique et des Libertès). The claim is directed
against VACACIONES EDREAMS, S.L., with NIF B61965778 (hereinafter, EDREAMS).

The reasons on which the claim is based are the following:


The claimant states that he purchased some plane tickets on the website
***URL.1. After detecting an error in his name, he contacted the service of
customer service to rectify the error. This modification motivated
they made an additional charge on the bill of 50 euros. Consider that the person responsible
would be complying with the provisions of art. 12.5 of Regulation (EU) 2016/679

of the European Parliament and of the Council of April 27, 2016 on the protection
of natural persons with regard to the processing of personal data and the
free circulation of these (GDPR) in terms of the gratuity of the action carried out in
under article 16 of this Regulation.


In addition, the complaining party points out that in the confirmation of the reservation of the 7th of
March 2019, despite having made the additional charge of 50 euros, the name
It's still misspelled.

Along with the claim, provide:


- Capture email sent from address no-***EMAIL.1 to
***EMAIL.2, dated February 11, 2019, with the subject “Your reservation is
confirmed (Reference ***REFERENCE.1” and the following text:
"You can go now.
Confirmed reservation

GoVoyages booking reference: ***REFERENCE.1 (…)” (in French in the original)
Attached to this email is the reservation of a travel itinerary in which it appears as
passenger "AAA."

- Capture email sent from address no-***EMAIL.1a

***EMAIL.2, dated March 7, 2019, with the subject “Your reservation is confirmed
(Reference ***REFERENCE.1” and the following text:
"You can go now.
Confirmed reservation

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/14








GoVoyages booking reference: ***REFERENCE.1 (…)” (in French in the original)
Attached to this email is the reservation of a travel itinerary in which it appears as
passenger "AAA."


- Capture email sent from address no-***EMAIL.1a
***EMAIL.2, dated April 4, 2019, with the subject “Your reservation is confirmed
(Reference ***REFERENCE.2” and the following text:
"You can go now.
Confirmed reservation

GoVoyages booking reference: ***REFERENCE.2 (…)” (in French in the original).
Attached to this email is the reservation of a travel itinerary in which it appears as
passenger "AAA."

- Copy of an invoice from GOVOYAGES in the name of A.A.A., dated February 11

of 2019, which contains a charge of 50 euros for a "Supplementary Service of
flight”, Dossier number ***REFERENCE.1.

SECOND: Through the "Internal Market Information System" (hereinafter
IMI), regulated by Regulation (EU) No. 1024/2012, of the European Parliament and of the
Council, of October 25, 2012 (IMI Regulation), whose objective is to promote the

cross-border administrative cooperation, mutual assistance between States
members and the exchange of information, the aforementioned claim was transmitted on the 14th
September 2020 and was given a registration date at the Spanish Agency
of Data Protection (AEPD) on September 16, 2020. The transfer of this
claim to the AEPD is made in accordance with the provisions of article 56

of the GDPR, taking into account its cross-border nature and that this Agency is
competent to act as main control authority, given that EDREAMS
has its registered office and unique establishment in Spain.

The data processing that is carried out affects interested parties in various

Member states. According to the information incorporated into the IMI System, of
In accordance with the provisions of article 60 of the GDPR, they act as
“control authority concerned”, in addition to the French data protection authority
data, the authority of Italy, the latter under article 4.22 of the GDPR, given that
Data subjects residing in that Member State are likely to be
substantially affected by the treatment object of this procedure.


THIRD: On December 10, 2020, in accordance with article 64.3
of Organic Law 3/2018, of December 5, Protection of Personal Data and
guarantee of digital rights (LOPDGDD), the claim was admitted for processing
submitted by the complaining party.


FOURTH: The General Subdirectorate of Data Inspection proceeded to carry out
of previous investigative actions to clarify the facts in
matter, by virtue of the functions assigned to the control authorities in the
article 57.1 and the powers granted in article 58.1 of the Regulation (EU)

2016/679 (General Data Protection Regulation, hereinafter GDPR), and
in accordance with the provisions of Title VII, Chapter I, Second Section, of the
LOPDGDD, having knowledge of the following extremes:


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/14








1. Regarding the procedure established by EDREAMS to address the rights of
rectification of personal data of its clients of ***URL.2


The representatives of EDREAMS declare that the rights to rectify
personal data, as well as those of any other personal data right,
centralized from the Privacy Form. In this way, it is easier for users
the exercise of said exercises, through this easily accessible and linked tool
with the Privacy Policy.


This form allows, in turn, to automate part of the process, in which a
XXXXXXXX ticket (exclusively conditioned to the fact that specialized agents
in the management of said rights can confirm the information and have
sufficient guarantees that the person claims to be who he is and/or that the representation of
a third party is sufficiently accredited), and subsequently connects with the

appropriate departments, according to the right exercised.

Once the appropriate actions have been carried out, we proceed to respond to the
interested in agreement following an internal guide. In this case, apply the guide of the
right of rectification.


Likewise, clients can exercise their rights by any means they consider
timely, as the claimant made it by telephone with his customer service team
to the client.

Call center agents have an internal policy that they must follow

In the event that the exercise of any personal data right is requested, in the
terms described above.

2. Regarding the quota established to attend said rectification of data


The right to rectify data, as well as any other right included in the
personal data protection regulations, is free.

3. Regarding the procedure established to correct errors in the name of the pa-
passenger on a ticket purchased through ***URL.2 indicating the fare to be paid
nar the client


The client can mainly fill in the Privacy Form or call the service
of customer service. The department that centralizes rights management
will contact, on a case-by-case basis, the departments that own the systems where the
find the data and proceed to take the appropriate action. In this case, the

correction of an error in the passenger name of a ticket, the change will be made
in our systems, as well as in that of the corresponding airline,
according to its terms and conditions. There is no associated fee
to proceed with said correction of errors on behalf of the passenger by
EDREAMS.


4. Regarding whether data rectification is considered to be the correction of an error in the
name appearing on tickets purchased through ***URL.2


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/14








In accordance with EDREAMS internal policies, the correction of an error in the
name that appears on tickets purchased on their web pages, under the terms
occurred in the case of the complaining party, it is considered an area within the

content of the right of rectification.

Any change that does not imply the change of one passenger for another, must
be understood as an exercise of the right of rectification and, therefore, must be
treated free.


Examples of this, and which are included in the internal policy, are: the typographical error
(such as XXXXX, for XXXXX), the inversion between first name and last name
(XXXXX, for XXXXX), or the change of surnames from maiden/or to married/or, or vice versa
(especially common in certain countries, such as France or the United Kingdom).


5. In relation to whether the entity is aware of the exercise of the right to rectify data
of the complaining party and reason for which a charge of €50 has been invoiced

After internal investigations, it has been verified that indeed on 14
March 2020, the claimant was mistakenly charged 50 euros.


EDREAMS has proceeded to request the claimant's bank details to
correct the manual mistake caused by the agent when handling the request and,
in this way, proceed to make the transfer for an amount of 15 euros.

Unfortunately, XXXXX, like most airlines, imposes

charges relating to any name change. On this occasion, the costs of said
Change is 35 euros.

On the other hand, on January 21, 2021 (the day after the notification of the
requirement of this Agency), have taken advantage of this error to notify both the

agent who handled the claimant's request, like the rest of the agents, the
policy regarding correction of errors in names.

FIFTH: On December 10, 2021, the Director of the AEPD adopted a
draft decision to initiate disciplinary proceedings. following the process
established in article 60 of the GDPR, that same day it was transmitted through the

IMI system this draft decision and the authorities concerned were informed
that they had four weeks from that moment to formulate pertinent objections
and motivated. Within the term for this purpose, the control authorities concerned shall not
presented pertinent and reasoned objections in this regard, for which reason it is considered
that all supervisory authorities agree with said draft decision

and are bound by it, in accordance with the provisions of section 6 of the
Article 60 of the GDPR.

This draft decision, which was notified to EDREAMS in accordance with the rules
established in Law 39/2015, of October 1, on Administrative Procedure

Common Public Administrations (LPACAP), was collected on the 10th of
December 2021, as stated in the acknowledgment of receipt in the file.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/14








SIXTH: On April 21, 2022, the Director of the Spanish Agency for
Data Protection agreed to initiate a sanctioning procedure against EDREAMS in order to
issue a warning, in accordance with the provisions of articles 63 and 64 of the

LPACAP, for the alleged violation of Article 12 of the GDPR, typified in Article
83.5 of the GDPR, in which he was indicated that he had a period of ten days to
submit claims.

This start-up agreement, which was notified to EDREAMS in accordance with the rules
established in the LPACAP, was collected on April 21, 2022, as stated

in the acknowledgment of receipt in the file.

SEVENTH: On May 5, 2022, it is received at this Agency, on time and
form, letter from EDREAMS in which it alleges allegations to the start-up agreement in the
which, in summary, stated that:


1.- EXERCISE OF RIGHTS IN EDREAMS IN ACCORDANCE WITH THE REGULATIONS

EDREAMS centralizes the management of the exercise of rights (including the right to
rectification) through its Privacy Form.


The Privacy Form allows, in turn, to automate part of the process, in which
a case is opened in the internal management tool. Said request is
exclusively conditioned to the fact that the agents specialized in the management of these
rights can confirm the information and there are sufficient guarantees that the
person claims to be who they are and/or that the representation of a third party is

sufficiently accredited (normally the confirmation goes through the fact that the client, who
receive a verification email, confirm in your personal email registered in our
systems that have applied for the corresponding entitlement). After said confirmation,
connects with the appropriate departments, according to the right exercised. Finally, a
Once the necessary actions have been carried out, we proceed to respond to the

interested in accordance with an internal guideline. In this case, apply the internal guidance of the
right of rectification.

All this in accordance with its Privacy Notice and its internal Privacy Policy,
as well as internal procedures; specifically the Internal Guide on the exercise
of the right of rectification.


Likewise, training and awareness actions are carried out by the
Customer Support.

Customers who contact customer service, and who want to exercise a

right to data protection, they are informed of the Privacy Form, and if they
they need, they are sent an email with the link to it so they can request
your rights so that the specialized team can manage your request.

2.- EXERCISE OF THE RIGHT OF RECTIFICATION IN EDREAMS AGREEMENT

WITH THE REGULATIONS

In any case, the right to rectify data, as well as any other
right included in the personal data protection regulations, is free.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/14









To correct the passenger's name, the customer can mainly fill in the
Privacy Form or call customer service.


In no case is there any associated fee to proceed with said correction of
errors in the name of the passenger by EDREAMS.

3.- MANUAL ERROR BY THE AGENT AND PARTICULAR CONTEXT OF EDREAMS


Following internal investigations, it was found that, indeed, on March 14,
2020 the EDREAMS agent mistakenly charged the complaining party.

He got the airline mixed up and, according to the notes we have from the agent regarding the
call, the agent did not make it clear to the complaining party that the cost was not a cost of

EDREAMS but from the airline. As soon as the agent manual error was detected, the
reviewed the policy again and all appropriate measures were put in place to prevent
reproduced again (among others, an internal communication was sent to all
agents remembering internal policy). In addition, they contacted Mr.
A.A.A. to provide the bank details to carry out the corresponding
reimbursement and you will be paid, not only the charge of 50 euros, but the entire trip in

compensation concept. For all these reasons, EDREAMS considers that it acted
diligently about it.

On January 21, 2021 (the day after the notification of the
requirement of this Agency), the Customer Service team took advantage of this error

to notify both the agent who handled the claimant's request and the
to the rest of the agents, the policy regarding the correction of errors in the names.

Likewise, since then, the agents have had the annual protection training
of data (carried out between the months of September and December 2021) in which one

of the practical cases is the correction of errors in the name of passengers; and the
annual review of internal policies, as well as various recurring communications
remembering the mentioned correction.

EDREAMS, in the context of its role as a travel agency that offers services
international, suffers from a variety of airline policies with terms and conditions

very varied conditions, which led the agent, together with his carelessness, to said error
manual.

The complaining party made a reservation for a XXXXX flight on one of the pages
EDREAMS websites with a typo in their name.


EDREAMS, as a travel agency, booked on behalf of the complaining party the
flight, in the XXXXX systems, with the data provided by it. Saying
treatment is carried out within the legitimizing basis of execution of the contract of
in accordance with article 6.1.b of the GDPR.


In this case, the roles, contractual relationships and responsibilities are summarized as
continuation:


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/14








       1. EDREAMS acts as an agent, as an intermediary, on behalf of the
       client, and within its scope of management and systems, is responsible for the
       processing of personal data, since it determines the means and purposes of

       according to the agent contract.

       2. XXXXX acts as air carrier and determines the means and purposes
       in this field, for which reason it is responsible for the treatment within the framework of the
       air transportation contract.


EDREAMS informs its clients of said roles, contractual relationships and
responsibilities, on its website.

While the correction in EDREAMS systems is managed according to
with article 16 of the GDPR, the correction in the systems of the airline (in

this case of XXXXX) is managed when possible and is free of charge according to the Terms and
Conditions of the airline. When EDREAMS cannot correct directly in
the airline's systems, EDREAMS notifies the airline in accordance with
Article 19 of the GDPR.

In any case, EDREAMS cannot guarantee nor can it be held responsible for the

rectification in the computer systems used by the airlines, since
are governed by their own Terms and Conditions, and act as responsible for the
processing of personal data.

Of the hundreds of airlines that customers can book through the services

EDREAMS travel agent, there is a disparity regarding the correctness of the
number of passengers On many occasions, they are met with the refusal of the
airlines to correct errors in the name or request a management fee.

Unfortunately, most airlines ask for a fee or cost

before a request to change the data of the passenger's owner.

When you have to deal with airlines blocking name correction,
EDREAMS insists on the application of data protection regulations, in defense
of your clients.


EDREAMS regrets what happened in this exceptional case, but understands that it is not
must reproduce. He affirms that he works tirelessly to improve his processes,
with the aim of not only complying with the regulations, but also strengthening the trust of its
clients in us. For this reason, it will continue to monitor and continuously improve the
policies, processes, actions and measures referred to herein.


EIGHTH: On August 19, 2022, the investigating body of the procedure
sanctioner formulated a proposal for a resolution, in which he proposes that the Director
AEPD sends a warning to VACACIONES EDREAMS, S.L., with NIF
B61965778, for a violation of article 12 of the GDPR, typified in article 83.5

of the GDPR.

This proposed resolution, which was notified to EDREAMS in accordance with the rules
established in Law 39/2015, of October 1, on Administrative Procedure

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/14








Common Public Administrations (LPACAP), was collected on the 22nd of
August 2022, as stated in the acknowledgment of receipt in the file.


NINTH: Notification of the aforementioned resolution proposal in accordance with the rules
established in the LPACAP and after the term granted for the formulation of
allegations, it has been verified that no allegation has been received from
EDREAMS.





In view of all the proceedings, by the Spanish Agency for Data Protection
In this proceeding, the following are considered proven facts:



                                PROVEN FACTS

FIRST: On February 11, 2019 an email was sent from the address
no-***EMAIL.1 to ***EMAIL.2, dated February 11, 2019, with the subject “Your
reservation is confirmed (Reference ***REFERENCE.1” and the following text:

"You can go now.
Confirmed reservation
GoVoyages booking reference: ***REFERENCE.1 (…)” (in French in the original)
Attached to this email is the reservation of a travel itinerary in which it appears as
passenger "AAA."


SECOND: On February 11, 2019, GOVOYAGES issues an invoice in the name of
A.A.A., which includes a charge of 50 euros for a "Supplementary Service of
flight”, Dossier number ***REFERENCE.1.


THIRD: On March 7, 2019, an email was sent from the address
no-***EMAIL.1 to ***EMAIL.2, dated March 7, 2019, with the subject “Your reservation
is confirmed (Reference ***REFERENCE.1” and the following text:
"You can go now.
Confirmed reservation
GoVoyages booking reference: ***REFERENCE.1 (…)” (in French in the original)

Attached to this email is the reservation of a travel itinerary in which it appears as
passenger “XXXXXXXXX”.

FOURTH: On April 4, 2019, an email was sent from the address not-
***EMAIL.1a ***EMAIL.2, dated April 4, 2019, with the subject “Your reservation is

confirmed (Reference ***REFERENCE.2” and the following text:
"You can go now.
Confirmed reservation
GoVoyages booking reference: ***REFERENCE.2 (…)” (in French in the original).
Attached to this email is the reservation of a travel itinerary in which it appears as

passenger "AAA."




C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/14








FIFTH: The right to rectify data exercised before EDREAMS, as well as
Any other right included in the personal data protection regulations, is
gratuitous.


In the present case, the correction of an error in the name of the passenger of a ticket,
the change will be made in the EDREAMS systems, as well as in the company's
corresponding airline, according to its terms and conditions. There is no
any associated fees to proceed with such error correction on behalf of the
passenger by EDREAMS.


SIXTH: XXXXX imposes charges related to any name change. In it
In the present case, the costs of said change were 35 euros.

SEVENTH: On March 14, 2020, the EDREAMS agent collected the change in the

name to the complaining party and failed to make it clear to the complaining party that the cost was not
a cost of EDREAMS but of the airline.

EIGHTH: As soon as this circumstance was detected, the policy was reviewed again and the
An internal communication was sent to all agents on January 21, 2021
remembering the internal policy of correction of errors in the names.


Likewise, the agents have had the annual data protection training (carried out
between the months of September and December 2021) in which one of the cases
practical is the correction of errors in the name of passengers; and the annual review of
internal policies, as well as various recurring communications recalling the

mentioned correction.

NINTH: EDREAMS has proceeded to request the claimant's bank details.
rios to make the corresponding refund and pay you, not just the charge of 50 eu-
rivers, but the entire trip as compensation.




                           FUNDAMENTALS OF LAW

                                            Yo

                          Competition and applicable regulations

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter GDPR), grants each
control authority and as established in articles 47 and 48.1 of the Law

Organic 3/2018, of December 5, Protection of Personal Data and guarantee of
digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve
this procedure the Director of the Spanish Data Protection Agency.

Likewise, article 63.2 of the LOPDGDD determines that: "Procedures

processed by the Spanish Data Protection Agency will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations dictated in its development and, insofar as they do not contradict them, with character
subsidiary, by the general rules on administrative procedures.”

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/14









                                           II
                                  previous questions


In the present case, in accordance with the provisions of article 4.1 of the GDPR, there is
the processing of personal data, since EDREAMS performs
the collection of, among other personal data of natural persons, name and surname and
email, among other treatments.


EDREAMS carries out this activity in its capacity as data controller, given
who is the one who determines the purposes and means of such activity, by virtue of article 4.7 of the
GDPR. In addition, it is a cross-border treatment, since EDREAMS
is established in Spain, although it provides services to other countries of the Union
European.


The GDPR provides, in its article 56.1, for cases of cross-border processing,
provided for in its article 4.23), in relation to the competence of the authority of
main control, that, without prejudice to the provisions of article 55, the authority of
control of the main establishment or of the only establishment of the person in charge or of the
The person in charge of the treatment will be competent to act as control authority

for the cross-border processing carried out by said controller or
commissioned in accordance with the procedure established in article 60. In the case
examined, as has been exposed, EDREAMS has its only establishment in
Spain, so the Spanish Agency for Data Protection is competent to
act as the main supervisory authority.


For its part, the right to rectify personal data is regulated in the
article 16 of the RGPD and the modalities of exercise of the rights of the
interested parties are detailed in article 12 of the GDPR.


                                           II
                       Allegations adduced to the initiation agreement

In relation to the allegations adduced to the agreement to initiate this
disciplinary procedure, EDREAMS alleges that after the internal investigations
verified that, indeed, on March 14, 2020, the EDREAMS agent collected

by mistake to the complaining party.

It alleges that this agent confused the airline and did not make it clear to the party
complainant that the cost was not a cost of EDREAMS but of the airline.


But as soon as the agent's manual error was detected, the policy was revised
new and an internal communication was sent to all the agents reminding the policy
internal. Likewise, Mr. A.A.A. to provide the data
bank to make the corresponding reimbursement and will be paid, not only the charge
of 50 euros, but the entire trip as compensation. For all this,

considers EDREAMS to have acted diligently in this regard.

It is also alleged that, since then, the officers have undergone the annual training of
data protection (carried out between the months of September and December 2021) in

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/14








which one of the practical cases is the correction of errors in the name of
passengers; and the annual review of internal policies, as well as various communications
recurring recalling the aforementioned correction.


In this regard, this Agency wishes to point out that it positively values the measures
adopted by EDREAMS to prevent the error that occurred in the present case
not be reproduced again and that the complaining party be compensated for the collection
improper.


However, it is undeniable that, regardless of the policy of the airlines
Regarding the name change of the passengers, EDREAMS charged the party
claimant a charge for having rectified what the company itself recognizes as
erratum.


It is true that EDREAMS cannot be held responsible for the collection that
carried out in this sense by the airlines in question (in the present case, XXXXX), but
In the present case, the truth is that part of that payment corresponded to the efforts
carried out by EDREAMS, as the company acknowledges. And that, furthermore, I don't know
had duly informed the claiming party of the breakdown of said collection.


For all the foregoing, this claim is dismissed.

                                           IV.
                                Right of rectification


Article 16 "Right to rectification" of the GDPR establishes:

"The interested party shall have the right to obtain without undue delay from the person responsible for the
processing the rectification of inaccurate personal data concerning you.
Taking into account the purposes of the treatment, the interested party will have the right to

complete personal data that is incomplete, including through a
additional statement”.

In the present case, it is clear that the complaining party had made a purchase of
tickets through the EDREAMS website and, upon receiving them, verified that there were
an error in his name, for which he requested EDREAMS to correct such error,

duly exercising your right to rectify your personal data.

                                           V
                Modalities of exercise of the rights of the interested party


Article 12 "Transparency of information, communication and modalities of
exercise of the rights of the interested party" of the GDPR, in its section 5, establishes:

"5. The information provided under articles 13 and 14 as well as any
communication and any action carried out under articles 15 to 22 and 34

they will be free of charge.

When the requests are manifestly unfounded or excessive, especially
Due to its repetitive nature, the data controller may:

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/14








       a) charge a reasonable fee based on administrative costs
       faced to facilitate the information or communication or carry out the action
       requested, or

       b) refuse to act on the request.

The controller shall bear the burden of proving the character
manifestly unfounded or excessive of the request”.

In the present case, it is clear that the claimant was charged €50 for correcting

a typo in his name, without proving that such request had been
manifestly unfounded or excessive.

Therefore, according to the evidence available at this time
resolution of the disciplinary procedure, it is considered that the known facts

constitute an infringement, attributable to EDREAMS, for violation of the
Article 12 of the GDPR.

                                            SAW
                  Classification of the infringement of article 12 of the GDPR


If confirmed, the aforementioned infringement of article 12 of the GDPR could lead to the
commission of the offenses typified in article 83.5 of the GDPR that under the
The heading "General conditions for the imposition of administrative fines" provides:

Violations of the following provisions will be sanctioned, in accordance with the

paragraph 2, with administrative fines of maximum EUR 20,000,000 or,
in the case of a company, an amount equivalent to a maximum of 4% of the
total annual global business volume of the previous financial year, opting for
the highest amount:
       (…)

        b) the rights of the interested parties in accordance with articles 12 to 22; (…)”

In this regard, the LOPDGDD, in its article 71 "Infractions" establishes that:

"The acts and behaviors referred to in sections 4,
5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that result

contrary to this organic law”.

For the purposes of the limitation period, article 72 "Infractions considered very
serious” of the LOPDGDD indicates:


"1. Based on what is established in article 83.5 of Regulation (EU) 2016/679,
are considered very serious and will prescribe after three years the infractions that
a substantial violation of the articles mentioned therein and, in particular, the
following:
    (…)

    j) The requirement to pay a fee to provide the data subject with the information to which
        referred to in articles 13 and 14 of Regulation (EU) 2016/679 or by
        Respond to the requests for the exercise of the rights of the affected parties provided for in


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 13/14








       articles 15 to 22 of Regulation (EU) 2016/679, apart from the assumptions
       established in its article 12.5. (…)”


                                          VII
                  Penalty for violation of article 12 of the GDPR

Without prejudice to the provisions of article 83 of the GDPR, the aforementioned Regulation provides
in section 2.b) of article 58 "Powers" the following:


"Each control authority will have all the following corrective powers
indicated below:
       (…)
       b) send a warning to any person in charge or person in charge of the treatment
       when the processing operations have infringed the provisions of the

       this Regulation; (…)”

For its part, recital 148 of the GDPR indicates:

“In the event of a minor infraction, or if the fine likely to be imposed
constitutes a disproportionate burden on a natural person, rather than

sanction by means of a fine, a warning may be imposed. should however
special attention should be paid to the nature, seriousness and duration of the infringement, to its
intentional nature, to the measures taken to alleviate the damages suffered,
to the degree of responsibility or any relevant prior infringement, to the manner in which
that the supervisory authority has become aware of the infringement, to compliance

of measures ordered against the person in charge or in charge, to adherence to codes of
conduct and any other aggravating or mitigating circumstances.”

According to the evidence available at the present time of
disciplinary procedure resolution, it is considered that the offense in question

is slight for the purposes of article 83.2 of the GDPR given that in the present case,
taking into account that there is no record in this EDREAMS Agency for having
charged to the interested party when exercising their right of rectification and that, as soon as they had
knowledge of the claim, EDREAMS proceeded to return the amount collected
for the rectification of the name to the claiming party as well as the rest of the ticket to
compensation mode and took steps to prevent such an incident from

could occur again, it can be considered a reduction of guilt in the
facts, for which reason it is considered in accordance with the law not to impose a consistent sanction
in an administrative fine and replace it by directing a warning to EDREAMS.



Therefore, in accordance with the applicable legislation and assessed the criteria of
graduation of sanctions whose existence has been accredited,
the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: ADDRESS VACACIONES EDREAMS, S.L., with NIF B61965778, for a

infringement of article 12 of the GDPR, typified in article 83.5 of the GDPR, a
warning.

SECOND: NOTIFY this resolution to VACACIONES EDREAMS, S.L.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 14/14









In accordance with the provisions of article 50 of the LOPDGDD, this

Resolution will be made public once the interested parties have been notified.

Against this resolution, which puts an end to the administrative process in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the

Interested parties may optionally file an appeal for reversal before the
Director of the Spanish Agency for Data Protection within a period of one month from
count from the day following the notification of this resolution or directly
contentious-administrative appeal before the Contentious-administrative Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of

the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative jurisdiction, within a period of two months from the
day following the notification of this act, as provided for in article 46.1 of the
referred Law.


Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the firm resolution in administrative proceedings if the
The interested party expresses his intention to file a contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact through

writing addressed to the Spanish Data Protection Agency, presenting it through
of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-
web/], or through any of the other registries provided for in art. 16.4 of the
aforementioned Law 39/2015, of October 1. You must also transfer to the Agency the
documentation proving the effective filing of the contentious appeal-

administrative. If the Agency was not aware of the filing of the appeal
contentious-administrative proceedings within a period of two months from the day following the
Notification of this resolution would terminate the precautionary suspension.


                                                                                938-120722

Mar Spain Marti
Director of the Spanish Data Protection Agency






















C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es