AEPD (Spain) - R/00423/2021

From GDPRhub
AEPD (Spain) - R/00423/2021
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 17 GDPR
Article 28(3) GDPR
Article 28(3)(e) GDPR
Type: Complaint
Outcome: Upheld
Decided: 04.06.2021
Published: 15.06.2021
Fine: None
Parties: AMAZON WEB SERVICES EMEA SARL SUCURSAL EN ESPAÑA
National Case Number/Name: R/00423/2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish DPA ordered a processor (Amazon Web Services) to answer an erasure request from a data subject that had not been completed by the controller (a news website).

English Summary[edit | edit source]

Facts[edit | edit source]

A data subject filed a complaint against a controller with the Spanish DPA (AEPD) for not answering their erasure request. The data subject had tried to exercise their right to erasure against a news website that had allegedly published false facts about them. After receiving no answer, the data subject exercised their right against Amazon Web Services, whose services were being used by the controller.

AWS rejected the claim, alleging that they were not a controller but a processor, and that they were only following the instructions of the actual controller and could not unilaterally erase any data. The AEPD received the complaint and first sent it to the controller for them to provide an answer. Not having received a satisfactory answer, the DPA launched a proceeding.

Holding[edit | edit source]

The AEPD determined that, according to Article 28(3)(e), the processor has the obligation to assist the controller in the fulfilment of the controller's obligation to respond to rights requests, when possible. Therefore, Amazon Web Services should have answered the request of the data subject.

The DPA found that the processor had either not answered appropriately to the request, or had not responded to the erasure request, since they did not have any document proving that they did so. The DPA ordered the processor to give an adequate answer to the data subject's request, either upholding the request, or rejecting it in a reasoned way.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                                 1/7










     File No.: TD / 00044/2021



                           RESOLUTION NO: R / 00423/2021

Considering the claim made before this Agency by A.A.A. (hereinafter, the part

claimant), against AMAZON WEB SERVICES EMEA SARL SUCURSAL EN ESPAÑA
(hereinafter, the claimed party), for not having been duly attended to their right
suppression.

The procedural actions provided for in Title VIII of the Law have been carried out.
Organic 3/2018, of December 5, Protection of Personal Data and guarantee of

digital rights (hereinafter LOPDGDD), the following have been verified


                                       FACTS


FIRST: The complaining party exercised the right of deletion against the complained party and,
Faced with an unsatisfactory response, he filed a claim with this Agency. Bliss
claim was inadmissible by:
“… In the present case, after the analysis carried out on the documents provided and the
concurrent circumstances, there are no rational indications of the existence of a

infringement within the competence of the Spanish Agency for Data Protection,
Therefore, in accordance with the provisions of article 65.2 of Organic Law 3/2018,
of December 5, Protection of Personal Data and guarantee of rights
digital, IT IS AGREED to reject the claim ... "

Later, the claimant presents an appeal for reconsideration which is favorable and gives

place to the current claim.
The claimant provides various documentation related to the claim made before
this Agency and on the exercise of the right exercised.

It requests the deletion and shows that:


“… In *** URL.1
It is wrongly reported the membership of a criminal group or organization of
our client, Mr. A.A.A .. This is completely false, this publication is
based on the fact that Mr. A.A.A. owned an office in the building where this

judicial operation, neither more nor less ... "


SECOND: In accordance with article 65.4 of the LOPDGDD, which has provided for a
mechanism prior to the admission for processing of claims made before
the AEPD, consisting of transferring them to the Data Protection Delegates

designated by those responsible or in charge of the treatment, for the intended purposes
in article 37 of the aforementioned norm, or to these when they have not been designated,
transferred the claim to the claimed entity to proceed with its


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/7








analysis and respond to the complaining party and to this Agency within a period of
month.


Since the response provided to this Agency by the data controller does not
accompanies the necessary communication that must be addressed to the complaining party,
informing about the decision adopted on the occasion of the claim, it is reiterated
again said request so that the affected party can respond to the claim
formulated and a copy of said response is sent to this Agency.


According to the defendant, he is not responsible for the treatment since: “… When the
AWS customers use AWS services to process personal data, (…)
acts as the person in charge of the treatment in relation to said personal data, since
that does not determine the purposes or the means of treatment ... "


That AWS as data controller cannot process exercise requests
of rights.
“… As AWS is not responsible for the treatment or have any relationship with the
Claimant and being legally linked to the Client as in charge of the
treatment of Customer, and obliged to follow Customer's instructions, AWS does not
can unilaterally delete personal data of interested third parties, based on

in claims of third parties such as the present one raised by the Claimant ... "

Finally, according to the respondent: “… AWS collaborated with the Claimant and proceeded to
notify the communication received to its client stating that it had received a
request for the deletion of personal data by the Claimant ... "


THIRD: After examining the allegations presented by the respondent, they are subject to
transfer to the complaining party, so that, within fifteen business days, it can formulate
allegations that it deems appropriate:
The claimant states that after not receiving a response from the administrator of

extraconfidencial.com, was forced to request the deletion of the complained (AWS) and
who considers that they are the necessary cooperator.


                           FOUNDATIONS OF LAW


FIRST: The Director of the Spanish Agency for
Data Protection, in accordance with the provisions of section 2 of article 56 in
in relation to paragraph 1 f) of article 57, both of Regulation (EU) 2016/679 of the
European Parliament and of the Council of April 27, 2016 on the protection of
natural persons with regard to the processing of personal data and the free

circulation of these data (hereinafter, GDPR); and in article 47 of the LOPDGDD.

SECOND: In accordance with the provisions of article 55 of the RGPD, the Agency
Spanish Data Protection is competent to perform the functions that
are assigned to it in its article 57, among them, that of enforcing the Regulation and

promote the awareness of those responsible and those in charge of the treatment
about their obligations, as well as dealing with claims
submitted by an interested party and investigate the reason for them.


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/7








Correlatively, article 31 of the RGPD establishes the obligation of those responsible
and those in charge of the treatment to cooperate with the control authority that requests it in
the performance of their duties. In the event that they have designated a

data protection officer, article 39 of the RGPD attributes to him the function of
cooperate with said authority.

Similarly, the domestic legal system, in article 65.4 of the LOPDGDD, has
Provided a mechanism prior to the admission for processing of the claims that are
made before the Spanish Agency for Data Protection, which consists of giving

transfer of the same to the data protection delegates designated by the
responsible or in charge of the treatment, for the purposes provided in article 37 of
the aforementioned rule, or to them when they have not designated them, to proceed to the
analysis of said claims and to respond to them within a month.


In accordance with these regulations, prior to the admission for processing of the
claim that gives rise to the present procedure, it was transferred to the
responsible entity to proceed with its analysis, provide a response to this Agency
within a month and certify having provided the claimant with the proper response,
in the event of exercise of the rights regulated in articles 15 to 22 of the
GDPR.


The result of said transfer did not allow for the satisfaction of the claims of the
complaining party. Consequently, for the purposes provided for in article 64.2 of the
LOPDGDD, the Director of the Spanish Data Protection Agency agreed to admit
The submitted claim has been processed. Said admission for processing agreement determines the

opening of the present procedure of inattention to an exercise request
of the rights established in articles 15 to 22 of the RGPD, regulated in the
Article 64.1 of the LOPDGDD, according to which:

"1. When the procedure refers exclusively to the lack of attention of a

request to exercise the rights established in articles 15 to 22 of the
Regulation (EU) 2016/679, will start by agreement of admission for processing, which will be
adopt in accordance with the provisions of the following article.
In this case, the term to resolve the procedure will be six months from
from the date the claimant was notified of the admission agreement to
Procedure. After this period, the interested party may consider their

claim".

The purging of administrative responsibilities in the framework of the
of a sanctioning procedure, whose exceptional nature implies that it is chosen,
whenever possible, due to the prevalence of alternative mechanisms that have

protection in current regulations.

It is the exclusive competence of this Agency to assess whether there are responsibilities
administrative procedures that must be purged in a sanctioning procedure and, in
Consequently, the decision on its opening, there being no obligation to initiate a

procedure before any request made by a third party. Such a decision must
be based on the existence of elements that justify said start of the activity
sanctioning, circumstances that do not concur in the present case, considering that


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/7








with this procedure, the guarantees and
Claimant's rights.


THIRD: The rights of people in terms of data protection
Personal data are regulated in articles 15 to 22 of the RGPD and 13 to 18 of the
LOPDGDD. The rights of access, rectification, deletion,
opposition, right to limitation of treatment and right to portability.

The formal aspects related to the exercise of these rights are established in the

Articles 12 of the RGPD and 12 of the LOPDGDD.

It also takes into account what is expressed in Considering paragraphs 59 and following of the
GDPR.


In accordance with the provisions of these rules, the person responsible for the treatment
should arbitrate formulas and mechanisms to facilitate the interested party the exercise of their
rights, which will be free (without prejudice to the provisions of articles 12.5 and 15.3
of the RGPD), and is obliged to respond to requests made no later than a
month, unless you can show that you are unable to identify the
interested party, and to express their reasons in case they were not to attend said

request. The person responsible is responsible for the proof of compliance with the duty of
Respond to the request for the exercise of their rights made by the affected party.

The communication addressed to the interested party on the occasion of their request must
express themselves in a concise, transparent, intelligible and easily accessible way, with a

clear and simple language.

In the case of the right of access to personal data, in accordance with the
established in article 13 of the LOPDGDD, when the exercise of the right is
refers to a large amount of data, the person in charge may request the affected party to

specify the “data or processing activities to which the request refers”. The
Right will be understood to be granted if the person in charge facilitates remote access to the data,
the request being considered accepted (although the interested party may request the information
referring to the extremes provided for in article 15 of the RGPD).

The exercise of this right may be considered repetitive on more than one occasion.

during the period of six months, unless there is legitimate cause for it.

On the other hand, the request will be considered excessive when the affected party chooses a medium
other than the one offered that involves a disproportionate cost, which must be
assumed by the affected party.


FOURTH: Article 17 of the RGPD, which regulates the right to delete data
personal, establishes the following:

"1. The interested party shall have the right to obtain without undue delay from the person responsible for the

treatment the deletion of personal data that concerns you, which will be
obliged to delete without undue delay the personal data when there is any
of the following circumstances:


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/7








a) the personal data is no longer necessary in relation to the purposes for which
were collected or otherwise treated;
b) the interested party withdraws the consent on which the treatment in accordance is based

with Article 6, paragraph 1, letter a), or Article 9, paragraph 2, letter a), and this is not
based on another legal basis;
c) the interested party opposes the treatment in accordance with article 21, paragraph 1, and does not
other legitimate reasons for the treatment prevail, or the interested party opposes the
treatment in accordance with Article 21 (2);
d) the personal data has been unlawfully processed;

e) personal data must be deleted to comply with a legal obligation
established in the law of the Union or of the Member States that applies to the
responsible for the treatment;
f) the personal data have been obtained in relation to the offer of services of the
information society mentioned in article 8, paragraph 1.


2. When you have made the personal data public and are obliged, by virtue of the
provided in section 1, to delete said data, the data controller,
taking into account the available technology and the cost of its application, it will adopt
reasonable measures, including technical measures, with a view to informing
responsible who are treating the personal data of the request of the interested party

deletion of any link to such personal data, or any copy or replica of
the same.

3. Sections 1 and 2 will not apply when the treatment is necessary:
a) to exercise the right to freedom of expression and information;

b) to comply with a legal obligation that requires data processing
imposed by the law of the Union or of the Member States that applies to the
responsible for the treatment, or for the fulfillment of a mission carried out in the interest
public or in the exercise of public powers conferred on the person in charge;
c) for reasons of public interest in the field of public health in accordance with

Article 9, paragraph 2, letters h) and i), and paragraph 3;
d) for archival purposes in the public interest, scientific or historical research purposes or
statistical purposes, in accordance with Article 89 (1), insofar as
the right indicated in section 1 could make it impossible or hinder
seriously achieving the goals of such treatment, or
e) for the formulation, exercise or defense of claims ”.


FIFTH: In the case analyzed here, it is necessary to assess whether the response of the respondent
is sufficient based on your responsibility in handling the data and the
information that is published regarding the claimant.


On the one hand, the respondent points out that they act as the person in charge of the treatment and the
responsible is the administrator and journalist of the site https://extraconfidencial.com/ that
published your personal data and to whom you should contact to exercise your rights.


In accordance with the definition in charge of the treatment contained in article 4.8 of the
RGPD, provides: “in charge of the treatment or in charge: the natural or legal person,
public authority, service or other body that processes personal data on behalf of the

responsible for the treatment. " and in article 28.3 e) it provides: “will assist the person in charge,
taking into account the nature of the treatment, through technical measures and
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/7








appropriate organizational arrangements, whenever possible so that it can comply with
their obligation to respond to requests that have as their object the exercise of the

rights of the interested parties established in chapter III; "

Therefore, in accordance with the regulations set forth, in the case under examination, it has
it has been established that the complaining party requested the deletion of the information
contained in the url, and that, after the period established in accordance with the regulations

above, your request got a response.
The complained party claims to have met the required right by communicating to the client the
right requested, but does not prove it documentary.
However, from this Agency we consider that in the absence of response from the
entity that produced the news object of the claim, “… The claimant states that
after receiving no response from the administrator of extraconfidencial.com, he was forced to

request the deletion of the complained (AWS)… ”, it is not possible that the complained now (AWS),
consider that you have met the criteria established in the transcribed precepts,
either for not giving an answer or for not having transferred the request to the person in charge
of the treatment, affirmation that they make but do not accredit.


The aforementioned rules do not allow the request to be ignored as if it were not
would have raised, leaving it without the answer that must be issued by the
responsible, even in those cases in which it does not meet the requirements
provided, in which case the recipient of this is also obliged to request the
correction of the deficiencies observed.


Therefore, the request that is formulated obliges the person responsible in question to give
express response, in any case, using any means that justifies
receipt of the reply.

Based on the foregoing, considering that the present procedure is intended to

object that the guarantees and rights of those affected are duly
restored, and since the claimed does not provide a response from his client
(responsible for the information), as you are informed of the request of the
claimant, nor has he documented documentary evidence of having done it, it is appropriate to estimate
this claim.


Considering the cited precepts and others of general application,
the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: ESTIMATE the claim made by A.A.A. and urge AMAZON WEB

SERVICES EMEA SARL BRANCH IN SPAIN with CIF W0185696B, so that, in
within the ten business days following notification of this resolution,
Send to the complaining party a certification stating that you have attended the
right of deletion requested or justified denial indicating the causes
for which it is not appropriate to attend the request, in accordance with the provisions of the
body of this resolution. The actions carried out as a consequence of

This Resolution must be communicated to this Agency within the same period. The
Failure to comply with this resolution could lead to the commission of the offense
considered in article 72.1.m) of the LOPDGDD, which will be sanctioned, in accordance
with art. 58.2 of the GDPR.


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/7









SECOND: NOTIFY this resolution to A.A.A. and AMAZON WEB
SERVICES EMEA SARL BRANCH IN SPAIN.

In accordance with the provisions of article 50 of the LOPDGDD, this

Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the

Interested parties may optionally file an appeal for reconsideration before the
Director of the Spanish Agency for Data Protection within a month to
counting from the day after the notification of this resolution or directly
contentious-administrative appeal before the Contentious-Administrative Chamber of the

National High Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative jurisdiction, within two months from the
day following notification of this act, as provided in article 46.1 of the

referred Law.


                                                                                   1195-180321
Mar Spain Martí
Director of the Spanish Agency for Data Protection





































C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es