AEPD (Spain) - REPOSICION-TD-00293-2021
|AEPD - REPOSICION-TD-00293-2021|
|Relevant Law:||Article 4(1) GDPR|
Ley 16/2011, de 24 de junio, de contratos de crédito al consumo (law on consumer credit contracts)
|Parties:||4Finance Spain Financial Services, S.A.U.|
|National Case Number/Name:||REPOSICION-TD-00293-2021|
|European Case Law Identifier:||n/a|
|Original Source:||AEPD (in ES)|
The Spanish DPA ordered a bank to answer a customer's request to access personal financial documents, reversing its previous assessment that the GDPR's right of access did not apply to the data under the principle of lex specialis.
English Summary[edit | edit source]
Facts[edit | edit source]
The controller, a bank, sent an incomplete response to the data subject's access request, prompting the data subject to file a complaint with the Spanish DPA.
Initially, the DPA held that the controller was not obliged to fulfill the data subject's access request because the data were documents relating to a contractual relationship between the two parties. The DPA had agreed with the controller, who argued that, for the data requested, the right of access (Article 15 GDPR) was overridden by more specific provisions in the Spanish law 16/2011, of June 24, on consumer credit contracts (LCCC).
However, the DPA issued a final decision in response to a "recurso de reposición" (an appeal to an administrative authority to reconsider its own decision) lodged by the data subject.
On appeal, the data subject argued that the LCCC did not control because the data at issue related to a contract that had already been concluded, not an ongoing contractual relationship. In support of their claim, the data subject pointed out that, while the LCCC has provisions specifically governing access to contractual documents prior to and during their validity, it does not mention documents relating to a concluded contract.
Holding[edit | edit source]
The DPA reversed its previous decision, upholding the data subject's appeal for reconsideration and requiring the controller to answer the data subject's access request within 10 business days.
The DPA noted that bank transactions are personal data under Article 4(1) GDPR and are as such subject to the right of access guaranteed by Article 15 GDPR. The DPA did not, however, explicitly decide on the parties' arguments regarding the LCCC.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/4 Procedure no.: TD/00293/2021 SUBJECT: Appeal for Replenishment No.: EXP202101467 Examined the appeal for reconsideration filed by A.A.A. against the decision issued by the Director of the Spanish Agency for Data Protection in the file TD/00293/2021, and based on the following FACTS FIRST: On January 26, 2022, a resolution was issued by the Director of the Spanish Data Protection Agency in file TD/00293/2021, in which it was agreed to dismiss the claim for Protection of Rights made by D. A.A.A. against 4FINANCE SPAIN FINANCIAL SERVICES, S.A.U. SECOND: The resolution now appealed was reliably notified to D.A.A.A. on January 31, 2022, as stated in the proof of notification. THIRD: The appellant has filed an appeal for reconsideration on February 28 2022, with entry into this Agency on February 28, 2022, in which it indicates, in synthesis, that "(...) our interested party has the right to be provided with all the information regarding the processing of your data, being obliged to comply with the responsible for the treatment, that is, the aforementioned financial entity. Our represented, current interested party and owner of the data, also has the right to receive the information by the requested means. In the event that the application is submitted by digital means, you should obtain it by the same means, unless expressly requested in contrary. The rights granted by access to information are not limited to mere consultation. In addition, the interested party must receive a copy of their personal information, which may be save privately. And in the event that access to personal data involves certain complexity, the data controller may request that the interested party specify the files you want to query. In that case, you will need to provide a list with all the files so that the individual can identify them. (...) is not a reason to deny access to the aforementioned contracts on the basis that They were paid for and closed. (...) Although it is true that the Spanish Data Protection Regulation provides that when the laws applicable to certain treatments establish a regime that affects the exercise of rights, the provisions of those will be followed; in the present cannot be a reason for denial of the claim presented by us, since the specific regulations referenced by the claimed entity, Law 16/2011, of June 24, of credit contracts to the consumption, at no time expressly mentions the non-compulsory nature of submit consumer credit contracts, once they have been finalized, paid and closed. If this is the case, please provide us with information on the specific articles that make such a reference. The specific regulations do C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 2/4 reference to the obligation to deliver the referenced documents before starting the contractual relationship and during the term of this relationship, a fact that We acknowledge that it has been fulfilled by the aforementioned financial entity claimed; however, there is no mention at any time of the non-compulsory nature of delivery of the documents once the contractual relations have been finalized.” FOURTH: Transferred to the claimed party the appeal for reconsideration filed by the claimant party to express what it deems appropriate, it is ratified in what already exposed during the processing of the procedure. “(…) the right of access does not cover, in general, “obtaining a copy of certain documents or other information associated with a business relationship, labor, contractual or administrative”. The affected person must go to the authorities competent since, as the Agency indicates, "the requested documents do not are part of the access regulated in the data protection regulations as they are documents linked to the contractual relationship between the parties.” FOUNDATIONS OF LAW Yo The Director of the Spanish Agency is competent to resolve this appeal. Data Protection, in accordance with the provisions of article 123 of the Law 39/2015, of October 1, of the Common Administrative Procedure of the Public Administrations (hereinafter LPACAP). II Due to operational reasons of the administrative body, therefore, no attributable to the appellant party, to date the mandatory statement of this Agency regarding the claim of the appellant. In accordance with the provisions of article 24 of the LPACAP, the meaning of silence in the proceedings to challenge acts and provisions is dismissive. However, and despite the time that has elapsed, the Administration is obliged to issue an express resolution and to notify it in all procedures whatever its form of initiation, as provided in article 21.1 of the aforementioned Law. Therefore, it is appropriate to issue the resolution that ends the appeal procedure replacement filed. III Based on these rules and in consideration of the facts considered proven, determined that: “In the present case, from the examination of the documentation in the file, it was notes that the right of access was met. The documents requested by the claimant are not part of that regulated access in the data protection regulations, as they are documents linked to the relationship C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 3/4 agreement between the parties, and the claimant must go to the authorities corresponding to your request. Therefore, taking into account the provisions of the preceding paragraphs, that access to said contractual data is independent of the right of access regulated in the data protection regulations, and that the respondent has provided access to their data, it is appropriate to dismiss the claim of rights.” IV The purpose of this resolution is the reversal appeal filed on the date February 28, 2022 against the resolution dated January 26, 2022, issued by the Director of the Spanish Data Protection Agency, agreeing to the dismissal of the claim initially filed. In the arguments presented by the defendant, in relation to the appeal for replacement presented by the appellant, ratifies what was already stated during the processing of the procedure. “(…) the right of access does not cover, in general, “obtaining a copy of certain documents or other information associated with a business relationship, labor, contractual or administrative”. The affected person must go to the authorities competent since, as the Agency indicates, "the requested documents do not are part of the access regulated in the data protection regulations as they are documents linked to the contractual relationship between the parties.” IV Article 4, Definitions, of the GDPR, provides that: “For the purposes of this Regulation, the following shall be understood as: 1) "personal data": any information about an identified natural person or identifiable ("the interested party"); An identifiable natural person shall be deemed to be any person whose identity can be determined, directly or indirectly, in particular by an identifier, such as a name, an identification number, location, an online identifier or one or more elements of the identity physical, physiological, genetic, psychic, economic, cultural or social of said person; (…)” After reviewing the documentation in the file again, it is verified that, taking into account that bank movements are data of a personal and that must be supplied by the data controller, and given that the information was partially provided, it is appropriate to uphold the present appeal of replacement so that the claimed entity provides the claimant with the information requested. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 4/4 Considering the aforementioned precepts and others of general application, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: ESTIMATE the motion for reversal filed by D. A.A.A. against Resolution of this Spanish Agency for Data Protection issued on the 26th of January 2022, in file TD/00293/2021, which rejects the claim of protection of rights formulated by the same against 4FINANCE SPAIN FINANCIAL SERVICES, S.A.U. so that, within ten business days following the notification of this resolution, send the claimant the right to requested access, in accordance with the provisions of the body of this resolution. The actions carried out as a result of this Resolution must be communicated to this Agency within the same period. The breach of this resolution could lead to the commission of the offense considered in article 72.1.m) of the LOPDGDD, which will be sanctioned, in accordance with article 58.2 of the GDPR. SECOND: NOTIFY this resolution to D. A.A.A. and 4FINANCE SPAIN FINANCIAL SERVICES, S.A.U. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure, it may be filed in the period of two months from the day following the notification of this act according to the provisions of article 46.1 of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, contentious-administrative appeal before the Contentious-administrative Chamber of the National High Court, in accordance with the provided for in article 25 and in section 5 of the fourth additional provision of the aforementioned legal text. 185-170919 Sea Spain Marti Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es