AEPD (Spain) - TD/00263/2020: Difference between revisions

From GDPRhub
m (AN - updated overview to include more information)
Line 50: Line 50:
}}
}}


The Spanish DPA decided that, in light of an access request, even if the controller does not have any data, they have the obligation to inform if and to whom it has been transferred.
The Spanish DPA decided where a data subject makes an access request and the controller does not hold any of the subject’s personal data, the controller is still required to give the data subject information the controller has about the subject’s personal data, such as whether the data has been transferred to other parties and the identity of those parties.  


== English Summary ==
== English Summary ==
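Review bot: the replacement overview sentence is missing "that" after "decided" ("The Spanish DPA decided where a data subject makes an access request ..."), and the line ends in trailing spaces. It also says the controller "does not hold any of the subject's personal data" and then requires it to give "information the controller has about the subject's personal data", which reads as a contradiction. The removed line's "if and to whom it has been transferred" stated the obligation more directly. Suggest: "The Spanish DPA decided that, where a data subject makes an access request and the controller holds none of the subject's personal data, the controller must still tell the data subject whether the data has been transferred to other parties and who those parties are."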

Revision as of 17:08, 4 May 2021

AEPD - R/00214/2021
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 13 GDPR
Article 15 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 28.05.2021
Fine: None
Parties: n/a
National Case Number/Name: R/00214/2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD decision (in ES)
Initial Contributor: n/a

The Spanish DPA decided that, where a data subject makes an access request and the controller does not hold any of the subject’s personal data, the controller is still required to give the data subject the information it has about that data, such as whether the data has been transferred to other parties and the identity of those parties.

English Summary

Facts

A data subject made an access request to a job portal, seeking the assessment that the hiring company had carried out on her job application. The job offer was a blind offer, so the claimant did not know which company was behind it.

The job portal alleged that they did not store any of the data from the candidates or the companies, and that the companies were not allowed to store or process any data outside the portal. Therefore, they could not give the data subject any data, given that they did not have any.

They said, however, that they could help the data subject contact the company that made the offer.

Holding

The AEPD concluded that, even if the portal did not have any data per se, the right of access covers the communications of such data and the recipients to whom it is disclosed. Therefore, the controller should at least provide this information.

In its holding, the AEPD ordered the controller to comply with the right of access in this sense.


English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.









     File No.: TD / 00263/2020


                           RESOLUTION NO: R / 00214/2021


Considering the claim made on August 18, 2020 before this Agency by Mr.
A.A.A., against ADEVINTA SPAIN, S.L., for failure to duly attend to his
right of access.

The procedural actions provided for in Title VIII of Organic Law 3/2018,
of December 5, on the Protection of Personal Data and guarantee of
digital rights (hereinafter LOPDGDD), having been carried out, the following
have been verified



                                       FACTS

FIRST: On June 27, 2020, D. A.A.A. (hereinafter, the complaining party)
exercised the right of access against ADEVINTA SPAIN, S.L. with NIF
B83411652 (hereinafter, the claimed party), without his request having
received the legally established reply.

The complaining party provides various documentation related to the claim made
before this Agency and to the exercise of the right, and states that he
participated in a personnel selection procedure on InfoJobs and requested from
them access to the assessment made of his CV by the company that had offered
the job, since he did not know the entity that convened the position. He also
points out that, given the anonymous nature of the bidding company, he cannot
exercise his right of access before the company that processed his data,
because the complainant does not provide them.


SECOND: In accordance with article 65.4 of the LOPDGDD, which has provided for a
mechanism prior to the admission for processing of claims made before
the AEPD, consisting of transferring them to the Data Protection Delegates
designated by those responsible or in charge of the treatment, for the purposes
provided for in article 37 of the aforementioned norm, or to the latter when
no delegates have been designated, the claim was transferred to the claimed
entity so that it could proceed with its analysis and respond to the complaining
party and to this Agency within a period of one month.

In summary, the defendant made the following allegations: that it does not
participate in the selection process or in the evaluation of candidatures, and
that it does not request that information in any case.

That, for offers published with a "blind profile" of the company, the data
protection policy explicitly informs the user about this point.

That the company in question cannot incorporate the CV into its database or
extract it from the system itself, so there was no data communication, and there
is no possibility to request any right of access to third parties.

That it is Infojobs that is responsible for the information and its custody, and that facilitates

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/7








its users the exercise of their rights, and does not make any communication without their
explicit consent (when the job offers so require). Within
this framework of action, client companies that use Infojobs to recruit only
have temporary access to candidate data, but do not have any right
to extract that information or process it in other systems, nor of course can they
use the information for purposes other than those related to the
selection process. The personal data of the affected party related to said
candidacy are solely and exclusively the responsibility of Infojobs, so there is no
possibility of requesting the exercise of rights from any other entity, as the
candidate requested.

That it does not store any information related to the subjective assessment of the
candidate and his selection process by client companies as
the affected party claims.


THIRD: The result of said transfer did not allow the claims of the complaining
party to be considered satisfied. Consequently, for the purposes provided in
Article 64.2 of the LOPDGDD, the Director of the Spanish Agency for the Protection of
Data agreed to admit the submitted claim for processing, and the claimed entity
was granted a hearing so that, within fifteen business days, it could
submit the allegations it deems appropriate.

In summary, the defendant made the following allegations: that the offer was
processed directly by the claimed party and not in the client company's
database; that it is necessary to differentiate the two types of registration
for job offers that exist. In the one that affects the complaining party, the
whole selection process is managed within the Infojobs environment. In the other
case, which is the one mentioned by the claimant but not applicable to his case,
the selection process is managed outside the Infojobs environment, allowing the
client to store the data of the candidate.


That both types of inscriptions have different characteristics.

That use of the service establishes in these cases the obligation of the client to
use the data of the candidates who apply for its offers only to
manage that specific selection process and always within the environment of the
claimed party, and once the selection process is closed, the client is not
authorized to use said data for other selection processes or to keep any type of
data from said candidacies. Therefore, and since client companies can only
temporarily view the candidate data, but cannot extract it or
process it in other systems, there should be no candidate data on that
selection process on any other platform or system.

That the claimed party is solely responsible for the data and these should not be
found in systems other than the Infojobs platform. Therefore, any right of
access to his personal data related to this selection process must
be attended exclusively by the claimed party.

That the complaining party was informed that the company's assessment of his
candidacy does not exist, nor is it data that the platform processes or stores.


That Infojobs client companies can view the candidate's data, and
they can advance it in the selection process or discard it, but not enter data
relating to the evaluation of the candidacy. Therefore, it is not possible to satisfy the

User request or provide data that has not been received or stored.

That, from the user's privacy area, an automated process is implemented to
extract the user's personal data available on the portal and data from
third parties that may intervene as data controllers, and it
incorporates all the information in a single file.

That recruiters' ratings do not exist on the platform and should not
exist in any other because the client, taking into account the conditions of use,
should not store candidate data outside of the environment.

However, information regarding the identity of the company can be extracted if
the claimant has signed up for a “blind profile” offer and, if it is of interest
to the claimant, he can be assisted so that he can go directly to the company
to request confirmation regarding the treatment or not of his personal data.
However, it is important to note that said company should not keep
any specific data of the candidates, nor store evaluations.


FOURTH: After the allegations presented by the respondent were examined, they
were transferred to the complaining party so that, within fifteen business days,
he could formulate the allegations he deems appropriate.

On 01/11/2021, this Agency, through the Electronic Notifications Service and
Enabled Electronic Address Support (Notific@ platform), made said allegations
available to the complaining party, and on 01/22/2021 the system proceeded to
automatic rejection of the notification because ten calendar days had elapsed
since it was made available without its content being accessed.



                            FOUNDATIONS OF LAW

FIRST: The Director of the Spanish Agency for
Data Protection, in accordance with the provisions of section 2 of article 56 in
relation to paragraph 1 f) of article 57, both of Regulation (EU) 2016/679 of the
European Parliament and of the Council of April 27, 2016 on the protection of
natural persons with regard to the processing of personal data and the free
circulation of these data (hereinafter, GDPR); and in article 47 of Organic
Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of
digital rights (hereinafter LOPDGDD).

SECOND: In accordance with the provisions of article 55 of the RGPD, the Spanish
Data Protection Agency is competent to perform the functions that
are assigned to it in its article 57, among them, that of enforcing the Regulation and
promoting the awareness of those responsible and those in charge of the treatment
about their obligations, as well as dealing with claims
submitted by an interested party and investigating the reason for them.



Correlatively, article 31 of the RGPD establishes the obligation of those responsible
and those in charge of the treatment to cooperate with the control authority that requests it in
the performance of their duties. In the event that they have designated a

data protection officer, article 39 of the RGPD attributes to him the function of
cooperate with said authority.

Similarly, the domestic legal system, in article 65.4 of the LOPDGDD, has
provided a mechanism prior to the admission for processing of the claims that are
made before the Spanish Agency for Data Protection, which consists of
transferring them to the data protection delegates designated by those
responsible or in charge of the treatment, for the purposes provided in article 37 of
the aforementioned norm, or to the latter when no delegates have been designated,
to proceed to the analysis of said claims and to respond to them within a month.


In accordance with these regulations, prior to the admission for processing of the
claim that gives rise to the present procedure, it was transferred to the
responsible entity to proceed with its analysis, provide a response to this Agency
within a month and certify having provided the claimant with the proper response,
in the event of exercise of the rights regulated in articles 15 to 22 of the
GDPR.


The result of said transfer did not allow for the satisfaction of the claims of the
complaining party. Consequently, on December 3, 2020, for the purposes
provided for in article 64.2 of the LOPDGDD, the Director of the Spanish Agency for
Data Protection agreed to admit the submitted claim for processing. Said
agreement of admission for processing determines the opening of the present
procedure for lack of attention to a request to exercise the rights established
in Articles 15 to 22 of the RGPD, regulated in article 64.1 of the LOPDGDD,
according to which:

"1. When the procedure refers exclusively to the lack of attention to a
request to exercise the rights established in articles 15 to 22 of
Regulation (EU) 2016/679, it will start by agreement of admission for processing,
which will be adopted in accordance with the provisions of the following article.
In this case, the deadline to resolve the procedure will be six months from the
date on which the claimant was notified of the agreement of admission for
processing. After this period, the interested party may consider their claim
upheld".

The purging of administrative responsibilities in the framework
of a sanctioning procedure, whose exceptional nature implies that,
whenever possible, preference be given to alternative mechanisms that have
protection in the current regulations.

It is the exclusive competence of this Agency to assess whether there are responsibilities
administrative procedures that must be purged in a sanctioning procedure and, in
Consequently, the decision on its opening, there being no obligation to initiate a

procedure before any request made by a third party. Such a decision must
be based on the existence of elements that justify said start of the activity
sanctioning, circumstances that do not concur in the present case, considering that


With this procedure, the guarantees and
Claimant's rights.


THIRD: The rights of persons in terms of personal data protection
are regulated in articles 15 to 22 of the RGPD and 13 to 18 of the
LOPDGDD. The rights of access, rectification, deletion,
opposition, right to limitation of treatment and right to portability.

The formal aspects relating to the exercise of these rights are established in
Articles 12 of the RGPD and 12 of the LOPDGDD.

It also takes into account what is expressed in Recitals 59 and following of the
GDPR.

In accordance with the provisions of these rules, the person responsible for the treatment
should arbitrate formulas and mechanisms to facilitate the interested party's exercise of their
rights, which will be free (without prejudice to the provisions of articles 12.5 and 15.3
of the RGPD), and is obliged to respond to requests made no later than a
month, unless it can show that it is unable to identify the
interested party, and to state its reasons should it not attend to said
request. The person responsible bears the proof of compliance with the duty to
respond to the request for the exercise of rights made by the affected party.

The communication addressed to the interested party on the occasion of their request must
be expressed in a concise, transparent, intelligible and easily accessible way, with
clear and simple language.

FOURTH: Article 15 of the RGPD provides that:

"1. The interested party will have the right to obtain from the person responsible for the treatment
confirmation of whether or not personal data concerning him are being processed and, in such
case, the right of access to the personal data and the following information:
a) the purposes of the treatment;
b) the categories of personal data in question;
c) the recipients or categories of recipients to whom the personal data were or will be
communicated, in particular recipients in third parties or
international organizations;
d) if possible, the expected period of conservation of personal data or, if not
possible, the criteria used to determine this period;
e) the existence of the right to request from the person responsible the rectification or deletion of
personal data or the limitation of the processing of personal data relating to the
interested party, or to oppose said treatment;
f) the right to file a claim with a supervisory authority;
g) when the personal data have not been obtained from the interested party, any
information available on its origin;
h) the existence of automated decisions, including profiling,
referred to in article 22, paragraphs 1 and 4, and, at least in such cases, meaningful
information on the logic applied, as well as the importance and the consequences
provided for said treatment for the interested party.



2. When personal data is transferred to a third country or to an organization
international, the interested party will have the right to be informed of the guarantees
appropriate under Article 46 relating to the transfer.

3. The person responsible for the treatment will provide a copy of the personal data object of
treatment. The person responsible may charge, for any other copy requested by the
interested party, a reasonable fee based on administrative costs. When the
interested party submits the request by electronic means, and unless he requests
otherwise, the information will be provided in an electronic format in
common use.


4. The right to obtain a copy mentioned in section 3 shall not negatively affect
to the rights and freedoms of others. "

FIFTH: Once the documentation in the procedure has been examined, it is
verified that the response to the access request is incomplete. The complaining
party is not informed to whom his personal data were communicated.

Before going into the merits of the issues raised here, it should be noted that
art. 4.2 of the RGPD defines treatment as “any operation or set of
operations carried out on personal data or personal data sets,
whether by automated procedures or not, such as collection, registration, organization,
structuring, conservation, adaptation or modification, extraction, consultation,
use, communication by transmission, broadcast or any other form of
authorization of access, collation or interconnection, limitation, deletion or destruction. "

Article 12.5 of the RGPD provides that, “The information provided by virtue of articles 13
and 14 as well as all communication and any action carried out by virtue of
Articles 15 to 22 and 34 will be free of charge. […] "

The exercise of the right of access, like the rest of the rights, is a very
personal right. It consists of the right of the citizen to obtain information
about the treatment that is being made of his data, the possibility of obtaining a
copy of the personal data that concern him and that are being subject to
treatment, as well as information, in particular, about the purposes of the treatment, the
categories of data, recipients, possible communications, the expected period of
conservation, the possibility of exercising other rights, the information available
on the origin of the data (if these have not been obtained directly from the owner) or the
existence of automated decisions, including profiling, without
affecting third-party data.

That said, data communication is understood as any mechanism that
provides access to the data of a file to an interested third party; therefore, the
person responsible is obliged to inform the interested party about the treatment and about
to whom his personal data have been communicated, as well as information related
thereto.

Given that, access to the personal data of the complaining party is incomplete,
the claim that originated the present procedure should be upheld and the

requested access.



The rest of the questions raised by the parties do not fall within the competence of
this Agency, and must be settled and resolved by the corresponding instances.


Considering the cited precepts and others of general application,
the Director of the Spanish Data Protection Agency RESOLVES:


FIRST: UPHOLD the claim made by D. A.A.A. and urge ADEVINTA
SPAIN, S.L., with NIF B83411652, to send the complaining party, within ten
business days following notification of this resolution,
certification stating that it has complied with the right of access exercised,
in accordance with the provisions of the body of this resolution. The
actions carried out as a result of this Resolution must be
communicated to this Agency within the same period. Failure to comply with this resolution
could lead to the commission of the offense considered in article 72.1.m) of the
LOPDGDD, which will be sanctioned in accordance with art. 58.2 of the GDPR.

SECOND: NOTIFY this resolution to D. A.A.A. and ADEVINTA SPAIN,
S.L.

In accordance with the provisions of article 50 of the LOPDGDD, this

Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
interested parties may optionally file an appeal for reconsideration before the
Director of the Spanish Agency for Data Protection within one month
counting from the day after the notification of this resolution, or directly a
contentious-administrative appeal before the Contentious-Administrative Chamber of the
National High Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative jurisdiction, within two months from the
day following notification of this act, as provided in article 46.1 of the
referred Law.


                                                                                  1034-080719

Mar España Martí
Director of the Spanish Agency for Data Protection














