AEPD (Spain) - EXP202203606

From GDPRhub
Revision as of 10:20, 7 November 2022 by L.fielden (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=R/006...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
AEPD - R/00665/2022
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 17(1)(a) GDPR
Article 17(2) GDPR
Article 55(1) GDPR
Article 15 Regulation 2016/679
Article 16 Regulation 2016/679
Article 17 Regulation 2016/679
Article 18 Regulation 2016/679
Article 19 Regulation 2016/679
Article 20 Regulation 2016/679
Article 21 Regulation 2016/679
Article 22 Regulation 2016/679
Articles 13-18 LOPDGDD
Type: Other
Outcome: n/a
Started: 21.02.2022
Decided: 22.04.2022
Published: 13.07.2022
Fine: n/a
Parties: A.A.A
Securitas Direct España, S.A
National Case Number/Name: R/00665/2022
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Leah Fielden

The claimant exercised his rights of access and deletion. The right of access was granted. However, the right for deletion could not be granted in accordance with Article 17 GDPR.

English Summary

Facts

Resolution No. R/00665/2022 is highlighted by a case concerning a claimant (namely A.A.A) and a respondent party (namely Securitas Direct España, S.A).

The claimant filed against the respondent party for not having been duly attended to his right of access and deletion enshrined in Articles 15 to 22 of the RGPD, Articles 13 to 18 LOPDGDD and Article 17 GDPR respectively. The conflict of law arose in this case when a sufficiently legally established response was not generated by the respondent to the claimants request.

Furthermore, the claim was transferred to the respondent so that the entity could proceed with its analysis and provide a response to the claimant within a period of one month. The Director of the Spanish Data Protection Agency agreed to admit the claim for processing and the parties concerned were informed of the maximum term for resolution, that being six months. The competence of the Spanish Data Protection Agency is refined by Article 55 GDPR in the promotion of an obligation between controllers and processors to deal with complaints issued by data subjects.

The result of the said transfer did not allow the claimants issues to be understood as satisfied. Consequently, due to the lack of attention delegated to the claimants rights further set forth in Articles 15 to 22 of EU Regulation 2016/679, an agreement to admit for processing was initiated.

Holding

The Director of the Spanish Data Protection Agency went on to note that considering the purpose of the outlined procedure was to ensure that the rights of affected parties were fully restored, the complaint that gave rise to this procedure should be upheld on formal grounds due to the fact that the right of access had been complied with and the right of erasure had been duly denied (on the applicable grounds of Article 17 GDPR).

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/6








     File No.: EXP202203606



                           RESOLUTION No.: R/00665/2022

Considering the claim made on February 21, 2022 before this Agency by A.A.A.,
(hereinafter the claimant party), against SECURITAS DIRECT ESPAÑA, S.A., (to
from now on the claimed party), for not having been duly attended to
right of access and deletion.


Carrying out the procedural actions provided for in Title VIII of the Law
Organic 3/2018, of December 5, on the Protection of Personal Data and guarantee of
digital rights (hereinafter LOPDGDD), the following have been verified



                                       FACTS

FIRST: The complaining party exercised the rights of access and deletion against the
claimed with NIF A26106013, without your request having received the answer
legally established. Provide various documentation related to the claim

raised before this Agency and on the exercise of the exercised right.


SECOND: In accordance with article 65.4 of the LOPDGDD, which has provided for a
mechanism prior to the admission to processing of the claims that are formulated before

the AEPD, consisting of transferring them to the Data Protection Delegates
designated by those responsible or in charge of the treatment, for the purposes foreseen
in article 37 of the aforementioned rule, or to these when they have not been designated,
transferred the claim to the claimed entity so that it could proceed with its
analysis and respond to the complaining party and this Agency within a

month.

The representative/Delegate of Data Protection of the claimed person responds to this
Agency dated April 22, 2022, explains the contractual relationship maintained
between the parties and regarding the rights requested, it only refers to the lack of
copy/photocopy of the DNI to identify the claimant in her application.

Namely:
“…it was not until June 18, 2021 that Securitas Direct received the first written
of exercise of the right of cancellation (no access) of personal data by
Mrs. Sánchez, which was answered on June 21, 2021 by email and
where he was asked to attach a copy of the DNI to be able to execute it.

Subsequently, the same request was received again, this time by mail on 23
August 2021 which was answered again on August 24, 2021 in terms
similar, that is, requesting a copy of your DNI again since it was not attached…”

The respondent also provides an email with the same date, April 22,

2022, where it sends to the complaining party its data referring to the right of access and,
justifies that it does not attend to the right of suppression due to the controversy between the
parties awaiting resolution.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/6








THIRD: The result of the transfer process indicated in the previous Fact does not
allowed to understand satisfied the claims of the claimant. In
Consequently, on May 21, 2022, for the purposes provided in its article

64.2 of the LOPDGDD, the Director of the Spanish Agency for Data Protection
agreed to admit the submitted claim for processing and informed the parties that the
maximum term to resolve this procedure, which is understood to have started
through said admission agreement, it will be six months.

The aforementioned agreement granted the respondent entity a hearing procedure, to

that within a period of fifteen business days present the allegations that it deems
convenient. As of the resolution date of this claim, there have been
allegations where they confirm everything stated above and state that they do not
understand why the claim was admitted for processing in view of the above.



                           FOUNDATIONS OF LAW

FIRST: The Director of the Spanish Agency for
Data Protection, in accordance with the provisions of section 2 of article 56 in
in relation to section 1 f) of article 57, both of Regulation (EU) 2016/679 of the

European Parliament and of the Council of April 27, 2016 on the protection of
individuals with regard to the processing of personal data and the free
circulation of these data (hereinafter GDPR); and in article 47 of the Law
Organic 3/2018, of December 5, on the Protection of Personal Data and guarantee of
digital rights (hereinafter LOPDGDD).


SECOND: In accordance with the provisions of article 55 of the RGPD, the Agency
Spanish Data Protection is competent to perform the functions that
are assigned to it in its article 57, among them, that of enforcing the Regulation and
promote awareness of controllers and processors

about the obligations incumbent on them, as well as dealing with claims
presented by an interested party and investigate the reason for them.

Correlatively, article 31 of the RGPD establishes the obligation of those responsible
and those in charge of the treatment to cooperate with the control authority that requests it in
the performance of their duties. In the event that they have appointed a

data protection delegate, article 39 of the RGPD attributes to it the function of
cooperate with that authority.

Similarly, the domestic legal system, in article 65.4 of the LOPDGDD, has
foreseen a mechanism prior to the admission to processing of the claims that are

formulated before the Spanish Agency for Data Protection, which consists of giving
transfer of the same to the data protection delegates designated by the
responsible or in charge of the treatment, for the purposes provided in article 37 of
the aforementioned norm, or to these when they have not been designated, so that they proceed to the
analysis of said claims and to respond to them within a month.


In accordance with this regulation, prior to the admission for processing of the
claim that gives rise to this procedure, it was transferred to the
responsible entity to proceed with its analysis, respond to this Agency

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/6








within a month and prove that they have provided the claimant with the due response,
in the event of exercising the rights regulated in articles 15 to 22 of the
GDPR.


The result of said transfer did not allow to understand satisfied the claims of the
claiming party. Consequently, on May 21, 2022, for the purposes
provided for in article 64.2 of the LOPDGDD, the Director of the Spanish Agency for
Data Protection agreed to admit the submitted claim for processing. Saying
agreement of admission to procedure determines the opening of the present procedure of

lack of attention to a request to exercise the rights established in the
articles 15 to 22 of the RGPD, regulated in article 64.1 of the LOPDGDD, according to the
which:

"1. When the procedure refers exclusively to the lack of attention of a

request to exercise the rights established in articles 15 to 22 of the
Regulation (EU) 2016/679, will start by agreement of admission to process, which will be
shall adopt in accordance with the provisions of the following article.
In this case, the term to resolve the procedure will be six months from
from the date on which the claimant was notified of the admission agreement to
Procedure. Once this period has elapsed, the interested party may consider their

claim".

The purging of administrative responsibilities in the framework of the
of a sanctioning procedure, whose exceptional nature implies that it is chosen,
whenever possible, due to the prevalence of alternative mechanisms that have

protection in current regulations.

It is the exclusive competence of this Agency to assess whether there are responsibilities
administrative that must be purged in a sanctioning procedure and, in
consequently, the decision on its opening, not existing obligation to initiate a

procedure before any request made by a third party. Such a decision must
be based on the existence of elements that justify said start of the activity
sanctioning, circumstances that do not concur in the present case, considering that
With this procedure, the guarantees and guarantees are duly restored.
claimant's rights.


THIRD: The rights of individuals in terms of data protection
personal data are regulated in articles 15 to 22 of the RGPD and 13 to 18 of the
LOPDGDD. The rights of access, rectification, deletion,
opposition, right to limitation of treatment and right to portability.


The formal aspects related to the exercise of these rights are established in the
articles 12 of the RGPD and 12 of the LOPDGDD.

It also takes into account what is expressed in Considerations 59 and following of the
GDPR.


In accordance with the provisions of these rules, the data controller
must arbitrate formulas and mechanisms to facilitate the interested party in the exercise of their
rights, which will be free (without prejudice to the provisions of articles 12.5 and 15.3

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/6








of the RGPD), and is obliged to respond to the requests made no later than one
month, unless you can show that you are unable to identify the
interested party, and to express his reasons in case he was not going to attend said

request. The proof of compliance with the duty of
respond to the request to exercise their rights made by the affected party.

The communication addressed to the interested party on the occasion of their request must
be expressed in a concise, transparent, intelligible and easily accessible manner, with a
clear and simple language.


Regarding the right of access to personal data, in accordance with the
established in article 13 of the LOPDGDD, when the exercise of the right is
refers to a large amount of data, the person in charge may request the affected party to
specify the “data or treatment activities to which the request refers”. The

right will be understood granted if the person in charge provides remote access to the data,
taking the request as granted (although the interested party may request the information
referring to the ends provided for in article 15 of the RGPD).

The exercise of this right may be considered repetitive on more than one occasion.
for a period of six months, unless there is legitimate cause for it.


On the other hand, the request will be considered excessive when the affected party chooses a means
other than the one offered that involves a disproportionate cost, which must be
assumed by the affected party.


FOURTH: Article 17 of the RGPD, which regulates the right to delete data
personal, establishes the following:

"1. The interested party shall have the right to obtain, without undue delay, from the person responsible for the
treatment the deletion of personal data that concerns you, which will be

obliged to delete personal data without undue delay when any
of the following circumstances:
a) the personal data is no longer necessary in relation to the purposes for which
were collected or otherwise treated;
b) the interested party withdraws the consent on which the treatment is based in accordance
with article 6, paragraph 1, letter a), or article 9, paragraph 2, letter a), and this is not

based on another legal basis;
c) the interested party opposes the treatment in accordance with article 21, paragraph 1, and does not
other legitimate reasons for the treatment prevail, or the interested party opposes the
treatment according to article 21, paragraph 2;
d) the personal data has been illicitly processed;

e) the personal data must be deleted for the fulfillment of a legal obligation
established in the Law of the Union or of the Member States that applies to the
data controller;
f) the personal data has been obtained in relation to the offer of services of the
information society referred to in article 8, paragraph 1.


2. When you have made the personal data public and are obliged, by virtue of the
provided in section 1, to delete said data, the data controller,
taking into account the available technology and the cost of its application, it will adopt

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/6








reasonable measures, including technical measures, with a view to informing users
Responsible for processing the personal data of the interested party's request for
deletion of any link to such personal data, or any copy or replica of

the same.

3. Sections 1 and 2 will not apply when the treatment is necessary:
a) to exercise the right to freedom of expression and information;
b) for the fulfillment of a legal obligation that requires the processing of data
imposed by the law of the Union or of the Member States that applies to the

responsible for the treatment, or for the fulfillment of a mission carried out in the interest
public or in the exercise of public powers vested in the controller;
c) for reasons of public interest in the field of public health in accordance with
article 9, section 2, letters h) and i), and section 3;
d) for archival purposes in the public interest, scientific or historical research purposes or

statistical purposes, in accordance with Article 89(1), insofar as
the right indicated in section 1 could make it impossible or hinder
seriously the achievement of the objectives of said treatment, or
e) for the formulation, exercise or defense of claims”.

FIFTH: In accordance with the provisions of article 15 of the RGPD and article 13 of the

LOPDGDD, "the interested party has the right to obtain from the data controller
confirmation of whether or not personal data concerning you is being processed and, in such
case, right of access to personal data”.

Like the rest of the rights of the interested party, the right of access is a

personal right. Allows the citizen to obtain information about the treatment
what is being done with your data, the possibility of obtaining a copy of the data
that concern you and that are being processed, as well as
information, in particular, on the purposes of the treatment, the categories of data
individuals in question, the recipients or categories of recipients to whom

communicated or will be communicated the personal data, the foreseen term or criteria
of conservation, the possibility of exercising other rights, the right to present a
claim before the control authority, the information available on the origin of
the data (if these have not been obtained directly from the owner), the existence of
automated decisions, including profiling, and information about
transfers of personal data to a third country or to an international organization.

The possibility of obtaining a copy of the personal data subject to treatment does not
will adversely affect the rights and freedoms of others, that is, the right to
Access will be granted in such a way that it does not affect the data of third parties.

In the case analyzed here, the complaining party exercised its rights of access and

suppression. In accordance with the documentation provided by the claimed party
during the processing of the procedure, the right of access was met on the date
April 22, 2022,
Regarding the right of suppression, on the same date, the complaining party was informed
that the request could not be met until the issues related to

contractual disputes arising and payment of the amount due. Of
in accordance with the provisions of article 17 of the RGPD, paragraph 3:



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/6








“Sections 1 and 2 will not apply when the treatment is necessary:
e) for the formulation, exercise or defense of claims

Therefore, the right of suppression is also considered answered.

Based on the foregoing, considering that this procedure has as
object that the guarantees and rights of those affected are duly
restored, it is appropriate to estimate for formal reasons the claim that originated the
this procedure considering that the right of access has been met and the

of suppression denied reasoned.

In view of the aforementioned precepts and others of general application, the Director of the Agency
Spanish Data Protection RESOLVES:


FIRST: ESTIMATE for formal reasons, the claim made by A.A.A. a
against the entity SECURITAS DIRECT ESPAÑA, S.A.
However, the issuance of a new certification by said entity is not appropriate,
as the response was issued extemporaneously, without the completion of
of additional actions by the controller.


SECOND: NOTIFY this resolution to A.A.A. and SECURITAS DIRECT
SPAIN, S.A.

In accordance with the provisions of article 50 of the LOPDGDD, this

Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may optionally file an appeal for reconsideration before the

Director of the Spanish Agency for Data Protection within a month from
counting from the day following the notification of this resolution or directly
contentious-administrative appeal before the Contentious-Administrative Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the

Contentious-administrative jurisdiction, within a period of two months from the
day following the notification of this act, as provided in article 46.1 of the
aforementioned Law.


                                                                               1037-020622
Sea Spain Marti

Director of the Spanish Data Protection Agency












C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es