AEPD (Spain) - TD/00325/2019

From GDPRhub
AEPD - TD/00325/2019
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 12 GDPR

Article 15 GDPR

Article 56(2) GDPR

Article 57(1)(f) GDPR

Type: Complaint
Outcome: Upheld
Decided: n/a
Published: 3.02.2020
Fine: None
Parties: Health Department of Madrid Vs. Anonymous
National Case Number: TD/00325/2019
European Case Law Identifier n/a
Appeal: n/a
Original Language:

Spanish

Original Source: AEPD (in ES)

The DPA ordered a bank (KUTXABANK S.A.) to respond to a subject access request.

English Summary

Facts

A bank's client complained that they could not exercise their right to access after the bank has blocked his account due to debts. The bank refused to fulfill the request, claiming that it does not process personal data anymore since the account was blocked.

Dispute

Could the controller refuse to answer to a request for access because the requested data is part of a "blocked" account?

Holding

The AEPD found that as there is an ongoing relationship, the bank still holds personal data. The DPA ordered the bank to fulfill the data subject’s request within the ten working days following the decision. It further ordered the company to inform the AEPD during the same time period on its compliance with the decision. Lastly, it decided that the fact that the controller blocked the account cannot is irrelevant and the controller must comply with the request of access, as required by Article 15 GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the original. Please refer to the Spanish original for more details.

1/6 File No.: TD/00325/20191037-100919RESOLUTION No.: R/00657/2019Having regard to the complaint filed on 9 May 2019 with this Agency by D.A.A.A., (hereinafter the complaining party), against CONSEJERÍA DE SANIDAD DELA COMUNIDAD DE MADRID - SERVICIO MADRILEÑO DE SALUD, (hereinafter the complaining party), for failure to comply with its right of access.

Once the procedural actions provided for in Title VIII of the Organic Law 3/2018 of 5 December on the Protection of Personal Data and the guarantee of digital rights (hereinafter LOPDGDD) have been carried out, the following have been established

FACTS 

FIRST: On April 15, 2019, the claimant exercised his right of access to the claimant with NIF S7800001E, without having received the legally established reply.  The claimant provides various documentation relating to the claim made before this Agency and on the exercise of the right exercised.           

Specifically, he requests access to his medical records by e-mail at the PUERTA DE HIERRO MAJADAHONDA UNIVERSITY HOSPITAL. On May 8, 2019, the respondent replies: "...It is impossible for us to send this documentation by mail.  We could deliver the documentation to some person authorized by you and it would have a period of one month from this date. After this time, if it has not been collected, it will be destroyed...".

SECOND: In accordance with the functions provided for in Regulation (EU)2016/679, of 27 April 2016, General Data Protection Regulation (RGPD), particularly those that respond to the principles of transparency and proactive responsibility on the part of the person responsible for the processing, you have been required to inform this Agency of the actions that have been carried out to deal with the complaint raised. In summary, the following allegations were made:
-The representative/Delegate of Data Protection of the claimant states in the allegations made during the processing of the present procedure: That they cannot send the documentation to Honduras, (place that the claimant had requested because he was residing there).       
That they need to prove the identity of the applicant and, they doubt such identification with the electronic systems used.
 They ask the claimant the possibility that someone, previously authorized, collect the documentation on their behalf and that they have never denied the request for access