AEPD (Spain) - R/00423/2021
|Relevant Law:||Article 17 GDPR, Article 28(3) GDPR, Article 28(3)(e) GDPR|
|Parties:||AMAZON WEB SERVICES EMEA SARL SUCURSAL EN ESPAÑA|
|National Case Number/Name:||R/00423/2021|
|European Case Law Identifier:||n/a|
|Original Source:||AEPD (in ES)|
The Spanish DPA ordered a processor (Amazon Web Services) to answer an erasure request from a data subject that had not been completed by the controller (a news website).
English Summary
Facts
A data subject filed a complaint against a controller with the Spanish DPA (AEPD) for not answering their erasure request. The data subject had tried to exercise their right to erasure against a news website that had allegedly published false facts about them. After receiving no answer, the data subject exercised their right against Amazon Web Services, whose services were being used by the controller.
AWS rejected the claim, alleging that they were not a controller but a processor, and that they were only following the instructions of the actual controller and could not unilaterally erase any data. The AEPD received the complaint and first sent it to the controller for them to provide an answer. Not having received a satisfactory answer, the DPA launched a proceeding.
Holding
The AEPD determined that, according to Article 28(3)(e), the processor has the obligation to assist the controller in the fulfilment of the controller's obligation to respond to rights requests, when possible. Therefore, Amazon Web Services should have answered the request of the data subject.
The DPA found that the processor had either not answered the request appropriately or had not responded to the erasure request at all, since it had no document proving that it had done so. The DPA ordered the processor to give an adequate answer to the data subject's request, either upholding the request or rejecting it in a reasoned way.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: TD/00044/2021
RESOLUTION NO: R/00423/2021
Considering the claim made before this Agency by A.A.A. (hereinafter, the claimant) against AMAZON WEB SERVICES EMEA SARL SUCURSAL EN ESPAÑA (hereinafter, the claimed party), for not having had their right of deletion duly attended to, and the procedural actions provided for in Title VIII of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), having been carried out, the following have been verified:
FACTS
FIRST: The complaining party exercised the right of deletion against the complained party and, faced with an unsatisfactory response, filed a claim with this Agency. Said claim was declared inadmissible:
“… In the present case, after the analysis carried out on the documents provided and the concurrent circumstances, there are no rational indications of the existence of an infringement within the competence of the Spanish Agency for Data Protection. Therefore, in accordance with the provisions of article 65.2 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights, IT IS AGREED to reject the claim ...”
Later, the claimant files an appeal for reconsideration, which is upheld and gives rise to the current claim.
The claimant provides various documentation related to the claim made before this Agency and to the exercise of the right. The claimant requests the deletion and states that:
“… In *** URL.1 the membership of a criminal group or organization of our client, Mr. A.A.A., is wrongly reported. This is completely false; this publication is based on the fact that Mr. A.A.A. owned an office in the building where this judicial operation, neither more nor less ...”
SECOND: In accordance with article 65.4 of the LOPDGDD, which provides for a mechanism prior to the admission for processing of claims made before the AEPD, consisting of transferring them to the Data Protection Delegates designated by those responsible or in charge of the treatment, for the purposes provided in article 37 of the aforementioned norm, or to the latter when no delegates have been designated, the claim was transferred to the claimed entity so that it could proceed with its analysis and respond to the complaining party and to this Agency within a period of one month.
Since the response provided to this Agency by the data controller was not accompanied by the necessary communication that must be addressed to the complaining party, informing of the decision adopted on the occasion of the claim, said request was reiterated so that the affected party could respond to the claim formulated and a copy of said response be sent to this Agency.
According to the defendant, it is not responsible for the treatment since:
“… When AWS customers use AWS services to process personal data, (…) acts as the person in charge of the treatment in relation to said personal data, since it does not determine the purposes or the means of treatment ...”
That AWS, as data controller, cannot process requests to exercise rights.
“… As AWS is not responsible for the treatment and does not have any relationship with the Claimant, and being legally linked to the Customer as the one in charge of the treatment for the Customer, and obliged to follow the Customer's instructions, AWS cannot unilaterally delete personal data of interested third parties based on claims of third parties such as the present one raised by the Claimant ...”
Finally, according to the respondent:
“… AWS collaborated with the Claimant and proceeded to notify the communication received to its client, stating that it had received a request for the deletion of personal data by the Claimant ...”
THIRD: After the allegations presented by the respondent were examined, they were transferred to the complaining party so that, within fifteen business days, it could formulate the allegations it deemed appropriate. The claimant states that, after not receiving a response from the administrator of extraconfidencial.com, he was forced to request the deletion from the complained party (AWS), whom he considers to be the necessary cooperator.
FOUNDATIONS OF LAW
FIRST: The Director of the Spanish Agency for Data Protection, in accordance with the provisions of section 2 of article 56 in relation to paragraph 1 f) of article 57, both of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and the free circulation of these data (hereinafter, GDPR); and in article 47 of the LOPDGDD.
SECOND: In accordance with the provisions of article 55 of the GDPR, the Spanish Data Protection Agency is competent to perform the functions that are assigned to it in article 57, among them, that of enforcing the Regulation and promoting the awareness of those responsible and those in charge of the treatment about their obligations, as well as dealing with claims submitted by an interested party and investigating the reason for them.
Correlatively, article 31 of the GDPR establishes the obligation of those responsible and those in charge of the treatment to cooperate with the control authority that requests it in the performance of their duties.
In the event that they have designated a data protection officer, article 39 of the GDPR attributes to him the function of cooperating with said authority.
Similarly, the domestic legal system, in article 65.4 of the LOPDGDD, has provided a mechanism prior to the admission for processing of the claims that are made before the Spanish Agency for Data Protection, which consists of transferring them to the data protection delegates designated by those responsible or in charge of the treatment, for the purposes provided in article 37 of the aforementioned rule, or to the latter when they have not designated them, so that they proceed to the analysis of said claims and respond to them within a month.
In accordance with these regulations, prior to the admission for processing of the claim that gives rise to the present procedure, it was transferred to the responsible entity so that it could proceed with its analysis, provide a response to this Agency within a month and certify having provided the claimant with the proper response, in the event of exercise of the rights regulated in articles 15 to 22 of the GDPR.
The result of said transfer did not allow for the satisfaction of the claims of the complaining party. Consequently, for the purposes provided for in article 64.2 of the LOPDGDD, the Director of the Spanish Data Protection Agency agreed to admit the submitted claim for processing. Said agreement to admit for processing determines the opening of the present procedure for failure to attend to a request to exercise the rights established in articles 15 to 22 of the GDPR, regulated in Article 64.1 of the LOPDGDD, according to which:
"1. When the procedure refers exclusively to the lack of attention to a request to exercise the rights established in articles 15 to 22 of Regulation (EU) 2016/679, it will start by agreement of admission for processing, which will be adopted in accordance with the provisions of the following article.
In this case, the term to resolve the procedure will be six months from the date the claimant was notified of the agreement to admit for processing. After this period, the interested party may consider their claim".
The purging of administrative responsibilities in the framework of a sanctioning procedure, whose exceptional nature implies that it is chosen, whenever possible, due to the prevalence of alternative mechanisms that have protection in current regulations.
It is the exclusive competence of this Agency to assess whether there are administrative responsibilities that must be purged in a sanctioning procedure and, consequently, the decision on its opening, there being no obligation to initiate a procedure in response to any request made by a third party. Such a decision must be based on the existence of elements that justify said start of the sanctioning activity, circumstances that do not concur in the present case, considering that with this procedure, the guarantees and Claimant's rights.
THIRD: The rights of persons regarding the protection of personal data are regulated in articles 15 to 22 of the GDPR and 13 to 18 of the LOPDGDD. The rights of access, rectification, deletion, opposition, right to limitation of treatment and right to portability.
The formal aspects related to the exercise of these rights are established in Articles 12 of the GDPR and 12 of the LOPDGDD.
It also takes into account what is expressed in Recitals 59 and following of the GDPR.
In accordance with the provisions of these rules, the person responsible for the treatment should arbitrate formulas and mechanisms to facilitate the interested party's exercise of their rights, which will be free (without prejudice to the provisions of articles 12.5 and 15.3 of the GDPR), and is obliged to respond to requests made no later than a month, unless it can show that it is unable to identify the interested party, and to express its reasons in case it does not attend to said request.
The person responsible bears the burden of proving compliance with the duty to respond to the request for the exercise of rights made by the affected party.
The communication addressed to the interested party on the occasion of their request must be expressed in a concise, transparent, intelligible and easily accessible way, with clear and simple language.
In the case of the right of access to personal data, in accordance with the provisions of article 13 of the LOPDGDD, when the exercise of the right refers to a large amount of data, the person in charge may request the affected party to specify the “data or processing activities to which the request refers”. The right will be understood to be granted if the person in charge facilitates remote access to the data, the request being considered accepted (although the interested party may request the information referring to the extremes provided for in article 15 of the GDPR).
The exercise of this right may be considered repetitive on more than one occasion during the period of six months, unless there is legitimate cause for it.
On the other hand, the request will be considered excessive when the affected party chooses a medium other than the one offered that involves a disproportionate cost, which must be assumed by the affected party.
FOURTH: Article 17 of the GDPR, which regulates the right to delete personal data, establishes the following:
"1.
The interested party shall have the right to obtain without undue delay from the person responsible for the treatment the deletion of personal data that concerns them, and the person responsible will be obliged to delete the personal data without undue delay when any of the following circumstances exists:
a) the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise treated;
b) the interested party withdraws the consent on which the treatment is based in accordance with Article 6, paragraph 1, letter a), or Article 9, paragraph 2, letter a), and this is not based on another legal basis;
c) the interested party opposes the treatment in accordance with article 21, paragraph 1, and no other legitimate reasons for the treatment prevail, or the interested party opposes the treatment in accordance with Article 21 (2);
d) the personal data has been unlawfully processed;
e) personal data must be deleted to comply with a legal obligation established in the law of the Union or of the Member States that applies to the person responsible for the treatment;
f) the personal data has been obtained in relation to the offer of services of the information society mentioned in article 8, paragraph 1.
2. When it has made the personal data public and is obliged, by virtue of the provisions of section 1, to delete said data, the data controller, taking into account the available technology and the cost of its application, will adopt reasonable measures, including technical measures, with a view to informing those responsible who are treating the personal data of the request of the interested party for the deletion of any link to such personal data, or any copy or replica of the same.
3.
Sections 1 and 2 will not apply when the treatment is necessary:
a) to exercise the right to freedom of expression and information;
b) to comply with a legal obligation that requires data processing imposed by the law of the Union or of the Member States that applies to the person responsible for the treatment, or for the fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred on the person in charge;
c) for reasons of public interest in the field of public health in accordance with Article 9, paragraph 2, letters h) and i), and paragraph 3;
d) for archival purposes in the public interest, scientific or historical research purposes or statistical purposes, in accordance with Article 89 (1), insofar as the right indicated in section 1 could make it impossible or seriously hinder achieving the goals of such treatment, or
e) for the formulation, exercise or defense of claims”.
FIFTH: In the case analyzed here, it is necessary to assess whether the response of the respondent is sufficient based on its responsibility in handling the data and the information that is published regarding the claimant.
On the one hand, the respondent points out that it acts as the person in charge of the treatment and that the responsible party is the administrator and journalist of the site https://extraconfidencial.com/ that published his personal data and whom he should contact to exercise his rights.
The definition of the person in charge of the treatment contained in article 4.8 of the GDPR provides:
“in charge of the treatment or in charge: the natural or legal person, public authority, service or other body that processes personal data on behalf of the responsible for the treatment.”
and in article 28.3 e) it provides:
“will assist the person in charge, taking into account the nature of the treatment, through technical measures and appropriate organizational arrangements, whenever possible, so that it can comply with its obligation to respond to requests that have as their object the exercise of the rights of the interested parties established in chapter III;”
Therefore, in accordance with the regulations set forth, in the case under examination, it has been established that the complaining party requested the deletion of the information contained in the URL, and that, after the period established in accordance with the regulations above, the request got a response.
The complained party claims to have met the required right by communicating to the client the right requested, but does not prove it with documents.
However, this Agency considers that, in the absence of a response from the entity that produced the news object of the claim, “… The claimant states that after receiving no response from the administrator of extraconfidencial.com, he was forced to request the deletion of the complained (AWS)…”, it is not possible for the complained party (AWS) now to consider that it has met the criteria established in the transcribed precepts, either for not giving an answer or for not having transferred the request to the person in charge of the treatment, an affirmation that it makes but does not substantiate.
The aforementioned rules do not allow the request to be ignored as if it had not been raised, leaving it without the answer that must be issued by the responsible party, even in those cases in which it does not meet the requirements provided, in which case the recipient is also obliged to request the correction of the deficiencies observed.
Therefore, the request that is formulated obliges the person responsible in question to give an express response, in any case, using any means that proves receipt of the reply.
Based on the foregoing, considering that the present procedure is intended to ensure that the guarantees and rights of those affected are duly restored, and since the claimed party does not provide a response from its client (responsible for the information) upon being informed of the request of the claimant, nor has it provided documentary evidence of having done so, it is appropriate to uphold this claim.
Considering the cited precepts and others of general application, the Director of the Spanish Data Protection Agency RESOLVES:
FIRST: UPHOLD the claim made by A.A.A. and urge AMAZON WEB SERVICES EMEA SARL BRANCH IN SPAIN, with CIF W0185696B, so that, within the ten business days following notification of this resolution, it sends to the complaining party a certification stating that it has attended to the right of deletion requested, or a justified denial indicating the causes for which it is not appropriate to attend to the request, in accordance with the provisions of the body of this resolution. The actions carried out as a consequence of this Resolution must be communicated to this Agency within the same period. Failure to comply with this resolution could lead to the commission of the offense considered in article 72.1.m) of the LOPDGDD, which will be sanctioned in accordance with art. 58.2 of the GDPR.
SECOND: NOTIFY this resolution to A.A.A. and AMAZON WEB SERVICES EMEA SARL BRANCH IN SPAIN.
In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which ends the administrative procedure in accordance with art.
48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within one month counting from the day after the notification of this resolution, or directly file a contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within two months from the day following notification of this act, as provided in article 46.1 of the referred Law.
1195-180321
Mar España Martí
Director of the Spanish Agency for Data Protection
C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es