AEPD - R/00137/2020

From GDPRhub
AEPD - R/00137/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 12 GDPR
Article 15 GDPR
64(1) Spanish Law on Personal Data Protection (LOPDGDD)
13 Spanish Law on Personal Data Protection (LOPDGDD)
Type: Complaint
Outcome: Other Outcome
Decided: n/a
Published: 04.06.2020 [[Category:]]
Fine: None
Parties: Sage Spain, S.L.
National Case Number/Name: R/00137/2020
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Spanish
Original Source: AEPD resolution (in ES)
Initial Contributor: Miguel Garrido de Vega

4 June 2020 – Due to formal reasons, the Spanish Data Protection Agency (AEPD) decided to admit a claim against Sage Spain, S.L. (the defendant) for the non-compliance of the right of access [Article 5(1)(c) GDPR] of a Spanish citizen, but it decided not to impose any economic fine nor warning, because, during the AEPD's investigation process, such right of access was finally fulfilled by the defendant.

English Summary[edit | edit source]

Facts[edit | edit source]

The decision is the consequence of a complaint submitted by a Spanish citizen stating that the defendant had not complied with her right of access; such complaint included diverse documentation in order to prove it (i.e. she stopped receiving propaganda, but she did not receive an answer to her right of access).

Dispute[edit | edit source]

The defendant answered to the AEPD investigation request, stating that, before receiving the request for the right of access by the claimant, her email address had already been included in a Robinson list, but, due to a mistake, they had sent her an email without marketing content. It also stated that, since then, (i) it had reinforced the training of its staff in order to avoid new mistakes like that one, and that (ii) it had created a single email address only for data protection issues. Afterwards, the defendant finally answered the right of access, but the AEPD considered it not enough, so the defendant sent a second email to the claimant including (i) the origins of the email address, (ii) a declaration that the defendant did not process any other personal data of the claimant, and (iii) the defendant had not sent such personal data to third parties.

Holding[edit | edit source]

Thus, the AEPD understood that the right of access has been duly fulfilled, and so it decided not to impose any fine nor warning to the defendant.

Comment[edit | edit source]

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

 File No.: TD / 00317/20191037-100919RESOLUTION Nº: R / 00137/2020Considering the claim made on August 16, 2019 before this Agency byD. AAA , against SAGE SPAIN, SL, for not having duly attended to theirRight of access.Performed the procedural actions provided for in Title VIII of the LawOrganic 3/2018, of December 5, Protection of Personal Data and guarantee ofdigital rights (hereinafter LOPDGDD), the following have been foundACTSFIRST: On March 27 and May 6, 2019 D. AAA (hereinafter, thecomplaining party) exercised the right of access against SAGE SPAIN, SL with NIFB58836321 (hereinafter, the claimed), without your request having received thelegally established answer.The complaining party provides various documentation related to the claimraised before this Agency and on the exercise of the right exercised and manifeststhat he received no further publicity, but that his request has not been answered.SECOND : In accordance with the functions provided for in Regulation (EU)2016/679, of April 27, 2016, General Data Protection (RGPD),particularly those that respond to the principles of transparency and responsibilityproactive on the part of the controller, you have been required to informThis Agency of the actions that have been carried out to address the claimraised. In summary, the following allegations were made: The defendant manifests in the allegations made after the requestof information made by this Agency, that the electronic address of theclaimant was already on an internal list of persons who were notthey send communications, but due to an error they sent you a communication thatit had no commercial content.The training of its personnel has been reinforced so that they do not happen againsimilar incidents and a single email account has been created tocentralize emails related to data protection.An email is provided to the explanatory claimant, but without givingthe access.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 2
2/6THIRD: On October 30, 2019, in accordance with article 65.4 ofOrganic Law 3/2018, of December 5, on the Protection of Personal Data andguarantee of digital rights and for the purposes provided in article 64.2, theDirector of the Spanish Agency for Data Protection agreed to admit theclaim filed by the complaining party against the claimed and it is agreed to givetransfer of the claim, so that within fifteen business days it presents theallegations it deems appropriate and the parties are informed that the maximum forsolving the procedure will take six months, so, in summary, thefollowing allegations: The claimed manifests in the allegations made during the processingof the present procedure that, by email dated10/11/2019 it has been tried to attend the right of access indicating the partcomplainant that the email account is not available in the database.Given that this Agency has considered that theAnswer, on 11/15/2019 a new email has been sent again, expanding theinformation: origin of the email, which are not available to othersdata and that have not been provided to third parties.FOURTH: On November 22, 2019, this Agency through the Support of theElectronic Notifications Service and Enabled Address (Notific @ platform),made available to the complaining party the allegations presented by theresponsible and on November 30, 2019 the system rejectsautomatic notification for ten calendar days frommaking the notification available without accessing its content.Since the aforementioned notification was not accessed, it was forwarded forpostal mail, which was received on 12/19/2019, without having received this Agencybrief of allegations.FUNDAMENTALS OF LAWFIRST: The Director of the Spanish Agency ofData Protection, in accordance with the provisions of section 2 of article 56 inrelationship with paragraph 1 f) of article 57, both of Regulation (EU) 2016/679 ofEuropean Parliament and of the Council of April 27, 2016 on the protection ofnatural persons with regard to the processing of personal and free datacirculation of these data (hereinafter, RGPD); and in article 47 of the LawOrganic 3/2018, of December 5, Protection of Personal Data and guarantee ofdigital rights (hereinafter LOPDGDD).SECOND: Article 64.1 of the LOPDGDD , provides the following:"one. When the procedure refers exclusively to the lack of attention ofa request to exercise the rights established in articles 15 to 22 of theRegulation (EU) 2016/679, will be initiated by an admission to process agreement, which willshall adopt in accordance with the provisions of the following article.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 3
3/6In this case, the term to resolve the procedure will be six months fromfrom the date on which the claimant had been notified of theadmission to process. After this period, the interested party may considerestimated your claim. "THIRD: Article 12 of Regulation (EU) 2016/679, of April 27, 2016,General Data Protection (RGPD), provides that:"one. The controller will take appropriate measures to facilitateto the interested party all information indicated in articles 13 and 14, as well as anycommunication pursuant to articles 15 to 22 and 34 regarding treatment, in the formconcise, transparent, intelligible and easily accessible, with clear and simple language, inparticularly any information specifically directed at a child. InformationIt will be provided in writing or by other means, including, if appropriate, by meanselectronic. When requested by the interested party, the information may be providedverbally whenever the identity of the interested party is demonstrated by other means.2. The person responsible for the treatment will facilitate the data subject's exerciserights under articles 15 to 22. In the cases referred to in article 11,section 2, the person in charge will not refuse to act at the request of the interested party in orderto exercise your rights under articles 15 to 22, unless you can demonstratethat it is not in a position to identify the interested party.3. The controller shall provide the data subject with information regarding theiractions on the basis of a request pursuant to articles 15 to 22, and, inin any case, within a month of receiving the request. SayingThis period may be extended for another two months if necessary, taking into account thecomplexity and the number of requests. The person responsible will inform the interested party ofany of said extensions within one month of receiving therequest, stating the reasons for the delay. When the interested party presents therequest by electronic means, the information will be provided by electronic meanswhen possible, unless the interested party requests that it be provided otherwise.4. If the controller does not process the interested party's request,inform without delay, and no later than one month after receipt of therequest, the reasons for not acting and the possibility of filing aclaim before a control authority and to exercise legal actions.5. The information provided under articles 13 and 14 as well as allcommunication and any action taken pursuant to articles 15 to 22 and 34They will be free of charge. When the requests are manifestly unfounded orexcessive, especially due to its repetitive nature, the person responsible forTreatment may:a) charge a reasonable fee based on the administrative costs incurredto facilitate the information or communication or perform the requested action, orb) refuse to act on the request.The controller will bear the burden of demonstrating charactermanifestly unfounded or excessive of the request.6. Without prejudice to the provisions of article 11, when the person responsible fortreatment has reasonable doubts regarding the identity of the natural personthat the application referred to in articles 15 to 21 refers to, may request thatProvide the additional information necessary to confirm the identity of the interested party.7. The information that must be provided to the interested parties under the articles13 and 14 may be transmitted in combination with standard icons allowingC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 4
4/6provide easily visible, intelligible and clearly legible suitableoverview of the planned treatment. Icons presented in formatelectronic will be mechanically readable.8. The Commission shall be empowered to adopt delegated acts in accordance withArticle 92 in order to specify the information to be submitted throughicons and the procedures for providing standardized icons. ”FOURTH: Article 15 of the RGPD provides that:"one. The interested party will have the right to obtain from the controllerconfirmation of whether or not personal data concerning you is being processed and, in suchcase, right of access to personal data and the following information:a) the purposes of the processing;b) the categories of personal data in question;c) the recipients or categories of recipients to whom they were communicated orpersonal data, in particular recipients in third parties orinternational organizations;d) if possible, the anticipated period of conservation of personal data or, ofnot being possible, the criteria used to determine this term;e) the existence of the right to request rectification or deletion from the person responsibleof personal data or the limitation of the processing of personal data relating tointerested, or to oppose said treatment;f) the right to file a claim with a supervisory authority;g) when the personal data has not been obtained from the interested party, anyinformation available on its origin;h) the existence of automated decisions, including profiling, toreferred to in Article 22, paragraphs 1 and 4, and, at least in such cases, informationsignificant about applied logic as well as importance and consequencesplanned of said treatment for the interested party.2. When personal data is transferred to a third country or to an organizationinternational, the interested party will have the right to be informed of the guaranteesappropriate under article 46 relating to transfer.3. The controller will provide a copy of the personal dataobject of treatment. The person in charge may receive for any other copy requestedfor the interested party a reasonable fee based on administrative costs. When theinterested party submit the application electronically, and unless the applicant requestsotherwise provided, the information will be provided in an electronic formatCommon use.4. The right to obtain a copy mentioned in section 3 will not affectnegatively to the rights and freedoms of others. ”FIFTH: Article 13 of the LOPDGDD determines the following:"one. The affected person's right of access will be exercised in accordance with the provisionsin article 15 of Regulation (EU) 2016/679.When the person responsible processes a large amount of data related to the affected party andit exercises its right of access without specifying whether it refers to all or part of itof the data, the person in charge may request, before providing the information, that theaffected specify the data or treatment activities to which therequest.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 5
5/62. The right of access will be understood as granted if the controllerprovide the affected with a remote, direct and secure access to data systempersonal that guarantees, permanently, access to its entirety. To sucheffects, the communication by the person in charge to the affected person in the way in which the latter mayaccessing said system will suffice to consider the request to exercise thestraight.However, the interested party may request from the person in charge the information referred tothe points provided for in Article 15.1 of Regulation (EU) 2016/679 that are notincluded in the remote access system.3. For the purposes established in article 12.5 of Regulation (EU) 2016/679,may consider repetitive the exercise of the right of access on more than one occasionduring the period of six months, unless there is legitimate cause for it.4. When the affected person chooses a different medium than the one offered, which impliesdisproportionate cost, the request will be considered excessive, so saidaffected will assume the excess costs that their choice entails. In this case, justthe data controller shall be required to satisfy the right of access withoutundue delay. ”SIXTH: In the case analyzed here, the complaining party exercised its right toaccess, and that, after the period established in accordance with the rules beforeindicated, his request did not obtain the legally required response, since it was notprovided the required access.On the other hand, during the processing of this procedure, the entity hasanswered the right of access requested, said allegation being the object of transferto the claimant by means of an exit letter dated December 3, 2019, withouthas presented any claim against it, therefore, with the measuresadopted by the responsible, the rights of the affected are dulyrestored.Therefore, this claim must be considered for formal reasons.tion since the response was issued extemporaneously without requiring thezation of additional actions by the person responsible for the file.Having regard to the aforementioned precepts and others of general application,the Director of the Spanish Agency for Data Protection RESOLVES:FIRST: ESTIMATE for formal reasons, the claim made by D. AAA ,against the entity SAGE SPAIN, SL. However, the issuance of newcertification by said entity, as the response has been issuedextemporaneously, without requiring additional actions byresponsible party.SECOND: NOTIFY this resolution to D. AAA and SAGE SPAIN, SL.In accordance with the provisions of article 50 of the LOPDGDD, theThis Resolution will be made public once the interested parties have been notified.Against this resolution, which ends the administrative procedure pursuant to art.48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of theC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 6
6/6LPACAP, interested parties may file, optionally, appeal for reversalbefore the Director of the Spanish Agency for Data Protection within onemonth from the day after notification of this resolution or directlyadministrative contentious appeal before the Contentious-administrative Chamber of theNational Court, in accordance with the provisions of article 25 and section 5 ofthe fourth additional provision of Law 29/1998, of July 13, regulating theContentious-administrative jurisdiction, within two months fromday after notification of this act, as provided in article 46.1 of thereferred Law.

Mar España Martí
Director of the Spanish Agency for Data Protection