AEPD - R/00189/2021

From GDPRhub
AEPD - R/00189/2021
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 15 GDPR
Article 32 LOPD
Type: Complaint
Outcome: Partly Upheld
Decided:
Published: 09.04.2021
Fine: None
Parties: AMAZON SPAIN FULFILLMENT, S.L.U.
National Case Number/Name: R/00189/2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD decision (in ES)
Initial Contributor: n/a

The Spanish DPA stated that it would consider opening an investigation into Amazon Spain for deleting personal data from one of its workers, meaning that it was later not able to provide such data following an access request.

English Summary[edit | edit source]

Facts[edit | edit source]

A complainant, a previous worker of Amazon Spain, made an access request to Amazon in order to obtain different pieces of information that Amazon owned in relation to the period in which they were working for the company. The worker needed this data to use it in a court proceeding regarding social security and disability issues.

Amazon answered to their access request extemporaneously, during the course of this procedure, alleging that they were not in possession of some of the data anymore. The respondent was able to provide some data relating to the claimant's production, but not the instructions and personal communications with Amazon's digital assistant.

The deleted information corresponds to operational instructions that are automatically generated by internal systems, relating to specific day-to-day tasks, which are displayed on the devices that employees use to work in the respondent's logistics centres. However, operational data and merely functional instructions are deleted after 7 days, for operational purposes and according to their retention policy.

Dispute[edit | edit source]

Was Amazon allowed to delete such data or should them had kept it?

Holding[edit | edit source]

The AEPD concluded that, even if the access request had been complied with in the end, they would investigate whether Amazon should had blocked and retained the data according to Article 32 of the Spanish Data Protection Act (LOPD). This Article obliges controllers to block and retain personal data when suppressing or rectifying it, when it may be necessary to comply with obligations or responsibilities regarding the processing coming from data protection authorities, judges, courts, and other public bodies.

They AEPD indicated that, regarding the requested data, they are only competent of the ones that are personal data. Therefore, on the one hand, functional or operative information, automatized instructions for day-to-day tasks, and work organization systems are excluded from the AEPD competence. On the other hand, personal communications and instructions from Amazon's digital assistant are included.

They AEPD decided to uphold the complaint for formal reasons, as the access request was answered extemporaneously, but did not impose any fine or warning on the respondent, as the rights of the complainant were not diminished, given that they had indeed answered.

They also remarked that sanction procedures shall have an exceptional character, and that shall be avoided unless there is no other solution or mechanism. For example, they may not necessary when the rights of the claimant have been fully restored.

Finally, the AEPD noted that, even if it is not their function to assess anything related to other kind of procedures, such as social security procedures, the data protection right may indeed have an instrumental character with regard to the exercise of other rights.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                               1/7










     File No.: TD / 00254/2020



                              RESOLUTION NO: R / 00189/2021

Considering the appeal for reconsideration issued by the Director of the Agency
Spanish of Data Protection by which the Resolution of this is contested

Agency with reference number E / 10207/2019 dated November 26, 2020
that the claim presented by D.A.A.A., in front of AMAZON SPAIN is filed
FULFILLMENT, S.L.U., because your request for
exercise of rights established in the Regulation.

The procedural actions provided for in Title VIII of the Law have been carried out.

Organic 3/2018, of December 5, Protection of Personal Data and guarantee of
digital rights (hereinafter LOPDGDD), the following have been verified



                                      FACTS

FIRST: On September 25, 2019, D. A.A.A. (hereinafter, the part
claimant) exercised the right of access against AMAZON SPAIN FULFILLMENT,
S.L.U. with NIF B82170135 (hereinafter, the claimed one), without your request having

received the legally established reply.

The complaining party provides various documentation related to the claim made
before this Agency and on the exercise of the right exercised.

SECOND: On January 28, 2020, the complaining party files an appeal

optional of reinstatement, against the resolution relapsed in the file E / 10207/2019,
in which it shows its disagreement with the contested resolution, arguing that
the resolution has not resolved all the issues raised. Although the claimed yes
has provided data related to its production, in relation to the instructions and
personal communications to your digital assistant report that they have been deleted, such as

it follows from the answering brief provided by the respondent.
Argues the obligation of conservation of personal data by the person in charge of the

treatment when there is a legal provision that requires its conservation, as in
this case, a means of proof before the social jurisdiction.
THIRD: All the facts are fully known by the parties,

allegations and other documentation provided by the interested parties for their defense, at the
have been transferred to each of the interested parties in this procedure and
all of which is recorded in the file at this Agency.

The defendant manifests in the allegations made during the processing of the

present procedure that, was duly complied with the obligation to attend the
right of access by providing the information requested by the complaining party, and
indicating why certain information could not be provided since it had been
erased in accordance with their retention policies.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/7









That this Agency confirmed that the respondent had correctly addressed the right
of access in its decision of January 27, 2020.

In particular, the Deleted Information corresponds to operational instructions that
are automatically generated by internal systems, related to specific tasks
day-to-day, displayed on the devices employees use to

work in the logistics centers of the claimed.
Issues of functional work operations are argued in the center and on

automated instructions in daily work and organization systems of the
job.
As they are merely functional instructions, the content of the

these instructions, being automatically deleted seven days after
have been sent, which is why the Information could not be provided as already
reported in the previous allegations.

That the interest of the complaining party is to process a disability application
with the Social Security authorities, a purpose completely unrelated to
the relationship with the claimed.

FOURTH: On January 11, 2021, this Agency through the Support of the
Electronic Notifications Service and Enabled Address (Notific @ platform),
made available to the complaining party the allegations presented by the
claimed and with the same date the complaining party accedes to the Notification

Electronic, so that within a period of fifteen days the
allegations that they consider appropriate, without receiving a response.

                           FOUNDATIONS OF LAW


FIRST: The Director of the Spanish Agency for
Data Protection, in accordance with the provisions of section 2 of article 56 in
in relation to paragraph 1 f) of article 57, both of Regulation (EU) 2016/679 of the
European Parliament and of the Council of April 27, 2016 on the protection of
natural persons with regard to the processing of personal data and the free

circulation of these data (hereinafter, GDPR); and in article 47 of the Law
Organic 3/2018, of December 5, Protection of Personal Data and guarantee of
digital rights (hereinafter LOPDGDD).

SECOND: Article 64.1 of the LOPDGDD, provides the following:


"1. When the procedure refers exclusively to the lack of attention of a
request to exercise the rights established in articles 15 to 22 of the
Regulation (EU) 2016/679, will start by agreement of admission for processing, which will be
adopt in accordance with the provisions of the following article.


In this case, the term to resolve the procedure will be six months from
from the date the claimant was notified of the admission agreement to
Procedure. After this period, the interested party may consider their
claim."


The purging of administrative responsibilities in the framework of the
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/7








of a sanctioning procedure, whose exceptional nature implies that it is chosen,
whenever possible, due to the prevalence of alternative mechanisms that have
I amparo in the current regulations.


It is the exclusive competence of this Agency to assess whether there are responsibilities
administrative procedures that must be purged in a sanctioning procedure and, in
Consequently, the decision on its opening, there being no obligation to initiate a
procedure before any request made by a third party. Such a decision must
be based on the existence of elements that justify said start of the activity

sanctioning, circumstances that do not concur in the present case, considering that
With this procedure, the guarantees and
Claimant's rights.

THIRD: Article 12 of Regulation (EU) 2016/679, of April 27, 2016,

General Data Protection (RGPD), provides that:

"1. The person responsible for the treatment will take the appropriate measures to facilitate the
interested party all information indicated in articles 13 and 14, as well as any
communication in accordance with articles 15 to 22 and 34 regarding the treatment, in the form
concise, transparent, intelligible and easily accessible, with a clear and simple language, in

particular any information directed specifically to a child. Information
will be provided in writing or by other means, including, if applicable, by means
electronic When requested by the interested party, the information may be provided
verbally provided that the identity of the interested party is proven by other means.


2. The person responsible for the treatment will facilitate the exercise of their rights to the interested party.
by virtue of articles 15 to 22. In the cases referred to in article 11, paragraph
2, the person in charge will not refuse to act at the request of the interested party in order to exercise
your rights under Articles 15 to 22, unless you can show that you are not
is in a position to identify the interested party.


3. The person responsible for the treatment will provide the interested party with information regarding their
proceedings on the basis of a request pursuant to Articles 15 to 22, and, in
In any case, within one month of receipt of the request. Saying
The term may be extended for another two months if necessary, taking into account the
complexity and number of requests. The person in charge will inform the interested party of

any of said extensions within a period of one month from the receipt of the
request, stating the reasons for the delay. When the interested party presents the
request by electronic means, the information will be provided by electronic means
when possible, unless the interested party requests that it be provided otherwise.


4. If the person responsible for the treatment does not comply with the request of the interested party,
inform without delay, and no later than one month after receipt of the
request, the reasons for not acting and the possibility of submitting a
claim before a control authority and to exercise legal actions.


5. The information provided by virtue of articles 13 and 14 as well as all
communication and any action carried out pursuant to articles 15 to 22 and 34
they will be free of charge. When the requests are manifestly unfounded or


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/7








excessive, especially due to its repetitive nature, the person responsible for the
treatment may:


a) Charge a reasonable fee based on the administrative costs incurred for
facilitate information or communication or perform the requested action, or
b) refuse to act on the request.

The data controller will bear the burden of proving the character
manifestly unfounded or excessive of the request.


6. Without prejudice to the provisions of article 11, when the person responsible for the treatment
have reasonable doubts in relation to the identity of the natural person taking the
application referred to in articles 15 to 21, you may request that the
additional information necessary to confirm the identity of the interested party.


7. The information that must be provided to the interested parties by virtue of articles 13
and 14 may be transmitted in combination with standard icons that allow
provide in an easily visible, intelligible and clearly legible way a suitable
overview of the planned treatment. Icons presented in the format
electronic will be machine readable.


8. The Commission is empowered to adopt delegated acts in accordance with the
Article 92 in order to specify the information to be submitted through
icons and procedures for providing standard icons. "


FOURTH: Article 15 of the RGPD provides that:

"1. The interested party will have the right to obtain from the person responsible for the treatment
confirmation of whether or not personal data concerning you is being processed and, as such
case, right of access to personal data and the following information:


a) the purposes of the treatment;
b) the categories of personal data in question;
c) the recipients or categories of recipients to whom they were communicated or will be
communicated personal data, in particular recipients in third parties or
international organizations;

d) if possible, the expected period of conservation of personal data or, if not
if possible, the criteria used to determine this period;
e) the existence of the right to request from the person responsible the rectification or deletion of
personal data or the limitation of the processing of personal data relating to the
interested party, or to oppose said treatment;

f) the right to file a claim with a supervisory authority;
g) when the personal data have not been obtained from the interested party, any
information available on its origin;
h) the existence of automated decisions, including profiling, to which
referred to in article 22, paragraphs 1 and 4, and, at least in such cases, information

significant on the applied logic, as well as the importance and consequences
provided for said treatment for the interested party.



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/7








2. When personal data is transferred to a third country or to an organization
international, the interested party will have the right to be informed of the guarantees
appropriate under Article 46 relating to the transfer.


3. The person responsible for the treatment will provide a copy of the personal data object of
treatment. The person in charge may receive for any other copy requested by the
interested a reasonable fee based on administrative costs. When the
interested party submit the request by electronic means, and unless he requests
otherwise provided, the information will be provided in an electronic format of

Common use.

4. The right to obtain a copy mentioned in section 3 shall not negatively affect
to the rights and freedoms of others. "


FIFTH: Article 13 of the LOPDGDD determines the following:

"1. The right of access of the affected party will be exercised in accordance with the provisions of the
Article 15 of Regulation (EU) 2016/679.

When the person in charge treats a large amount of data related to the affected person and this

exercise your right of access without specifying whether it refers to all or part of the
data, the person in charge may request, before providing the information, that the affected
specify the data or processing activities to which the request refers.

2. The right of access will be understood to be granted if the person responsible for the treatment

provide the affected party with a system of remote, direct and secure access to data
that guarantees, permanently, access to its entirety. Such
effects, the communication by the person in charge to the affected party of the way in which he / she may
Accessing said system will be enough to consider the request to exercise the
right.


However, the interested party may request from the person in charge the information referred to the
extremes provided for in article 15.1 of Regulation (EU) 2016/679 that are not
be included in the remote access system.

3. For the purposes established in article 12.5 of Regulation (EU) 2016/679,

may consider the exercise of the right of access repetitive on more than one occasion
during the period of six months, unless there is legitimate cause for it.

4. When the affected party chooses a means other than the one offered that entails a cost
disproportionate, the request will be considered excessive, so that said affected

You will assume the excess costs that your choice entails. In this case, it will only be
The satisfaction of the right of access is required from the person responsible for the treatment without
undue delay. "


SIXTH: Before going into the substance of the questions raised, it should be noted
that the present procedure is instructed as a consequence of the denial of
any of the rights regulated by data protection regulations (access,
rectification, deletion, limitation, portability and opposition) and is intended to be

adopt the corresponding measures so that the guarantees and rights of the affected
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/7








are properly restored. Therefore, in the present case, only
and assessed those issues raised by the complaining party that remain
included within the object of the aforementioned complaints procedure regarding

Data Protection.
Likewise, the right of access, in particular, offers the possibility of obtaining a
pia of the personal data that concerns you and that is being processed

to, as well as information, in particular, on the purposes of the treatment, the categories
of data, the recipients, the planned period of conservation, the possibility of exercising
other rights, the information available on the origin of the data (if these are not
have obtained directly from the complaining party) or the existence of self-determined decisions
nuanced, including profiling.

That said, in the case analyzed here, the complaining party exercised its
right of access, and that, after the period established in accordance with the regulations
aforementioned, your request did not obtain the legally required response.


However, during the processing of this procedure, the entity has
answered the right of access requested, said allegation being subject to transfer
to the complaining party through the Notification Support, without having submitted
any allegation against it.

Despite this, once the documentation in the procedure has been examined, the
complaining party, specifically requests that the operational instructions that

are automatically generated by internal systems, related to specific tasks,
displayed on devices that employees use for work, and that,
are necessary for a litigation in the social jurisdiction, and adds that the claimed has
the obligation to keep the data while legal responsibilities may arise
of the treatment, as in this case, a means of proof before a litigation in said

jurisdiction.
In relation to the instructions and personal communications of the digital assistant that
have been deleted, it should be noted that, for the purposes of the RGPD, "data

personal: any information about an identified or identifiable natural person ("the
interested"); an identifiable natural person shall be considered any person whose identity
can be determined, directly or indirectly, in particular by means of an identifier,
such as a name, an identification number, location data, a
online identifier or one or more elements of physical identity,
physiological, genetic, psychic, economic, cultural or social of said person; ”, therefore

Therefore, the instructions and communications through the digital assistant are messages
that have been sent to the perfectly identified complaining party, therefore,
information about you, information that should have been blocked
As established in the art. 32 of the LOPDGDD and not proceed to its deletion.

This Agency will assess whether there are administrative responsibilities that should be
purified in the relevant procedure and determine if the commission has occurred
or not of an infraction.

Furthermore, it should be noted that questions of a functional nature or of
operational work in the center and on automated instructions in the work
daily and work organization systems, does not fall within the scope of competence

of the Spanish Agency for Data Protection to settle the conflict that underlies between
the parties, or enter into assessments regarding the validity of the employment contract, which

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/7








must be filed before the labor or judicial authority, as it exceeds the scope of competence
of this Agency.


However, in relation to what was stated by the defendant that, it has nothing to do with
with the request to process a request for temporary disability before the authority
Social Security, it is not the responsibility of this Agency to assess said issue, but the
The right to data protection also has an instrumental character for the exercise
of other rights.

Consequently, the present claim must be upheld for formal reasons at
the response has been issued extemporaneously, where it is reported that no
has the data related to the instructions and personal communications of the

digital assistant, without requiring the performance of additional actions by
of the person responsible for the file.


Considering the cited precepts and others of general application,
the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: ESTIMATE for formal reasons, the claim made by D. A.A.A.,

against the entity AMAZON SPAIN FULFILLMENT, S.L.U. However, the
issuance of new certification by said entity, having issued the
extemporaneous response, without requiring the performance of actions
additional by the person in charge.


SECOND: NOTIFY this resolution to D.A.A.A. and AMAZON SPAIN
FULFILLMENT, S.L.U.

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.


Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may optionally file an appeal for reconsideration before the
Director of the Spanish Agency for Data Protection within a month to

counting from the day after the notification of this resolution or directly
contentious-administrative appeal before the Contentious-Administrative Chamber of the
National High Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative jurisdiction, within two months from the

day following notification of this act, as provided in article 46.1 of the
referred Law.


                                                                                 1037-100919
Mar Spain Martí

Director of the Spanish Agency for Data Protection






C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es