AEPD (Spain) - TD/00013/2021: Difference between revisions

From GDPRhub
No edit summary
No edit summary
Line 25: Line 25:
|GDPR_Article_1=Article 12(6) GDPR
|GDPR_Article_1=Article 12(6) GDPR
|GDPR_Article_Link_1=Article 12 GDPR#6
|GDPR_Article_Link_1=Article 12 GDPR#6
|GDPR_Article_2=Article 17 GDPR
|GDPR_Article_2=Article 15 GDPR
|GDPR_Article_Link_2=Article 17 GDPR
|GDPR_Article_Link_2=Article 15 GDPR
 
|GDPR_Article_3=Article 17 GDPR
|GDPR_Article_Link_3=Article 17 GDPR





Revision as of 14:55, 10 August 2021

AEPD - R/00232/2021
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 12(6) GDPR
Article 15 GDPR
Article 17 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 13.04.2021
Fine: None
Parties: GOKOAN EDUCATION, S. L.
National Case Number/Name: R/00232/2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD decision (in ES)
Initial Contributor: n/a

The Spanish DPA decided that a controller could not require a data subject to identify themselves with their national ID, when this document had not been asked for in the first place. In this instance, the controller had no reason to doubt the identity of the data subject.

English Summary

Facts

A complainant asked a controller to erase all the personal data related to them. This included study and educational data and the subscription to a newsletter.

The controller accepted to erase the data related to the newsletter, therefore stopping such processing, but refused to delete the study and educational data without proof of the data subject identity, asking for their national ID card in order to verify it, with grounds in Article 12(6) GDPR.

Holding

The AEPD held that, given that the controller had not asked for their national ID card when obtaining the complainant's data, it was not necessary to ask for it for the exercise of their rights. The authority argued that there were no doubts regarding the identity of the data subject, as they had signed up for the services of the controller, and therefore provided their data, using the same email account used to lodge the erasure request.

Hence, the AEPD ordered the controller to comply with the erasure request without further requirements to the data subject.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                                1/6










     File No.: TD / 00013/2021



                           RESOLUTION NO: R / 00232/2021

Considering the claim made on September 16, 2020 before this Agency by

A.A.A. (hereinafter, the complaining party), against GOKOAN EDUCATION, S. L. (in
hereinafter, the claimed party), for not having been duly attended to their right to
suppression.

The procedural actions provided for in Title VIII of the Law have been carried out.
Organic 3/2018, of December 5, Protection of Personal Data and guarantee of

digital rights (hereinafter LOPDGDD), the following have been verified


                                      FACTS


FIRST: The complaining party exercised the right of deletion against the complained party,
without your request having received the legally established reply. Contributes
various documentation related to the claim made before this Agency and about
the exercise of the right exercised.


SECOND: In accordance with article 65.4 of the LOPDGDD, which has provided for a
mechanism prior to the admission for processing of claims made before
the AEPD, consisting of transferring them to the Data Protection Delegates
designated by those responsible or in charge of the treatment, for the intended purposes
in article 37 of the aforementioned norm, or to these when they have not been designated,
transferred the claim to the claimed entity to proceed with its

analysis and respond to the complaining party and to this Agency within a period of
month.


THIRD: The result of the transfer procedure indicated in the previous fact does not

allowed to understand satisfied the claims of the complaining party. On
Consequently, dated January 22, 2021, for the purposes provided in its article
64.2 of the LOPDGDD, the Director of the Spanish Agency for Data Protection
agreed to admit the submitted claim for processing and the parties were informed that the
maximum period to resolve this procedure, which is understood to have started

by means of said agreement of admission to processing, it will be of six months.

The aforementioned agreement granted the claimed entity a hearing procedure, to
that within a period of fifteen business days it present the allegations it deems
convenient. Said entity made, in summary, the following allegations:


The representative / Delegate of Data Protection of the claimed party states in
synthesis, have no problem in deleting the claimant's data provided that
Identify previously by providing a photocopy of the DNI.


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/6













FOURTH: After examining the allegations presented by the defendant, they are the subject of
transfer to the complaining party, so that, within fifteen business days, it can formulate
allegations it deems appropriate.
The claimant insists arguing that, if the photocopy of the DNI was not requested to
to register, they do not have to ask you to unsubscribe.



                           FOUNDATIONS OF LAW

FIRST: The Director of the Spanish Agency for

Data Protection, in accordance with the provisions of section 2 of article 56 in
in relation to paragraph 1 f) of article 57, both of Regulation (EU) 2016/679 of the
European Parliament and of the Council of April 27, 2016 on the protection of
natural persons with regard to the processing of personal data and the free
circulation of these data (hereinafter, GDPR); and in article 47 of the LOPDGDD.


SECOND: In accordance with the provisions of article 55 of the RGPD, the Agency
Spanish Data Protection is competent to perform the functions that
are assigned to it in its article 57, among them, that of enforcing the Regulation and
promote the awareness of those responsible and those in charge of the treatment
about their obligations, as well as dealing with claims

submitted by an interested party and investigate the reason for them.

Correlatively, article 31 of the RGPD establishes the obligation of those responsible
and those in charge of the treatment to cooperate with the control authority that requests it in
the performance of their duties. In the event that they have designated a

data protection officer, article 39 of the RGPD attributes to him the function of
cooperate with said authority.

Similarly, the domestic legal system, in article 65.4 of the LOPDGDD, has
Provided a mechanism prior to the admission for processing of the claims that are
made before the Spanish Agency for Data Protection, which consists of giving

transfer of the same to the data protection delegates designated by the
responsible or in charge of the treatment, for the purposes provided in article 37 of
the aforementioned norm, or to them when they have not designated them, to proceed to the
analysis of said claims and to respond to them within a month.


In accordance with these regulations, prior to the admission for processing of the
claim that gives rise to the present procedure, it was transferred to the
responsible entity to proceed with its analysis, provide a response to this Agency
within a month and certify having provided the claimant with the proper response,
in the event of exercise of the rights regulated in articles 15 to 22 of the

GDPR.

The result of said transfer did not allow for the satisfaction of the claims of the
complaining party. Consequently, on January 22, 2021, for the purposes

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/6








provided for in article 64.2 of the LOPDGDD, the Director of the Spanish Agency for
Data Protection agreed to admit the submitted claim for processing. Saying
The agreement of admission for processing determines the opening of the present procedure of

lack of attention to a request to exercise the rights established in the
Articles 15 to 22 of the RGPD, regulated in article 64.1 of the LOPDGDD, according to the
which:

"1. When the procedure refers exclusively to the lack of attention of a
request to exercise the rights established in articles 15 to 22 of the

Regulation (EU) 2016/679, will start by agreement of admission for processing, which will be
adopt in accordance with the provisions of the following article.
In this case, the term to resolve the procedure will be six months from
from the date the claimant was notified of the admission agreement to
Procedure. After this period, the interested party may consider their

claim".

The purging of administrative responsibilities in the framework of the
of a sanctioning procedure, whose exceptional nature implies that it is chosen,
whenever possible, due to the prevalence of alternative mechanisms that have
I amparo in the current regulations.


It is the exclusive competence of this Agency to assess whether there are responsibilities
administrative procedures that must be purged in a sanctioning procedure and, in
Consequently, the decision on its opening, there being no obligation to initiate a
procedure before any request made by a third party. Such a decision must

be based on the existence of elements that justify said start of the activity
sanctioning, circumstances that do not concur in the present case, considering that
With this procedure, the guarantees and
Claimant's rights.


THIRD: The rights of people in terms of data protection
Personal data are regulated in articles 15 to 22 of the RGPD and 13 to 18 of the
LOPDGDD. The rights of access, rectification, deletion,
opposition, right to limitation of treatment and right to portability.

The formal aspects relating to the exercise of these rights are established in the

Articles 12 of the RGPD and 12 of the LOPDGDD.

It also takes into account what is expressed in Considering paragraphs 59 and following of the
GDPR.


In accordance with the provisions of these rules, the person responsible for the treatment
should arbitrate formulas and mechanisms to facilitate the interested party the exercise of their
rights, which will be free (without prejudice to the provisions of articles 12.5 and 15.3
of the RGPD), and is obliged to respond to requests made no later than a
month, unless you can show that you are unable to identify the

interested party, and to express their reasons in case they were not to attend said
request. The person responsible is responsible for proof of compliance with the duty of
Respond to the request for the exercise of their rights made by the affected party.


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/6








The communication addressed to the interested party on the occasion of their request must
express themselves in a concise, transparent, intelligible and easily accessible way, with a
clear and simple language.


In the case of the right of access to personal data, in accordance with the
established in article 13 of the LOPDGDD, when the exercise of the right is
refers to a large amount of data, the person in charge may request the affected party to
specify the “data or processing activities to which the request refers”. The
Right will be understood to be granted if the person in charge facilitates remote access to the data,

the request being considered accepted (although the interested party may request the information
referring to the extremes provided for in article 15 of the RGPD).

The exercise of this right may be considered repetitive on more than one occasion.
during the period of six months, unless there is legitimate cause for it.


On the other hand, the request will be considered excessive when the affected party chooses a medium
other than the one offered that involves a disproportionate cost, which must be
assumed by the affected party.

FOURTH: Article 17 of the RGPD, which regulates the right to delete data

personal, establishes the following:

"1. The interested party shall have the right to obtain without undue delay from the person responsible for the
treatment the deletion of personal data that concerns you, which will be
obliged to delete without undue delay the personal data when there is any

of the following circumstances:
a) the personal data is no longer necessary in relation to the purposes for which
were collected or otherwise treated;
b) the interested party withdraws the consent on which the treatment in accordance is based
with Article 6, paragraph 1, letter a), or Article 9, paragraph 2, letter a), and this is not

based on another legal basis;
c) the interested party opposes the treatment in accordance with article 21, paragraph 1, and does not
other legitimate reasons for the treatment prevail, or the interested party opposes the
treatment in accordance with Article 21 (2);
d) the personal data has been unlawfully processed;
e) personal data must be deleted to comply with a legal obligation

established in the law of the Union or of the Member States that applies to the
responsible for the treatment;
f) the personal data have been obtained in relation to the offer of services of the
information society mentioned in article 8, paragraph 1.


2. When you have made the personal data public and are obliged, by virtue of the
provided in section 1, to delete said data, the data controller,
taking into account the available technology and the cost of its application, it will adopt
reasonable measures, including technical measures, with a view to informing
responsible who are processing the personal data of the request of the interested party

deletion of any link to such personal data, or any copy or replica of
the same.

3. Sections 1 and 2 will not apply when the treatment is necessary:

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/6








a) to exercise the right to freedom of expression and information;
b) to comply with a legal obligation that requires data processing
imposed by the law of the Union or of the Member States that applies to the

responsible for the treatment, or for the fulfillment of a mission carried out in the interest
public or in the exercise of public powers conferred on the person in charge;
c) for reasons of public interest in the field of public health in accordance with
Article 9, paragraph 2, letters h) and i), and paragraph 3;
d) for archival purposes in the public interest, scientific or historical research purposes or
statistical purposes, in accordance with Article 89 (1), insofar as

the right indicated in section 1 could make it impossible or hinder
seriously achieving the goals of such treatment, or
e) for the formulation, exercise or defense of claims ”.

FIFTH: In the case analyzed here, the complaining party exercised its right to

deletion and your request was not fully honored. The defendant told him that, without
Provide a photocopy of the DNI, you could only delete your data so as not to receive advertising
but not for the rest of the activities that they had maintained.
Namely:
“… Regarding the conditions for the definitive elimination of data (including
all your activity log regarding your study, progress in the syllabus, etc.) the

conditions are those established by the legal department of Gokoan which is
knowledgeable and fully competent in terms of regulations. So it is
It is absolutely essential that the request be accompanied by your document of
identity. In case you only request that the deletion be referred to
marketing campaigns, newsletter and commercial actions it is not necessary to

identification document…"

The claimant had requested to be registered in the free trial version placed at his
provision on the platform, therefore, when registering with acceptance of the
privacy policy and conditions of use, you only provided your email

according to the defined procedure.

However, as established in article 12.6 of the RGPD, “without prejudice to the
provided in article 11, when the data controller has doubts
reasonable in relation to the identity of the natural person making the request to
referred to in articles 15 to 21, you may request that the information be provided

additional necessary to confirm the identity of the interested party ”.

Although this article could justify the petitioner's request to request a photocopy of the
DNI to the claimant, it does not do so if we take into account the phrase in the included "... doubts
reasonable in relation to the identity of the natural person… ”, And, does not show the

claimed no doubt regarding the deletion of the claimant's data so as not to send
publicity, did not show any doubts when the claimant registered. Therefore,
From this Agency, this doubt regarding the identity of the
claimant to unsubscribe and have their data deleted.
Therefore, based on the foregoing, considering that the present proceeding

Its purpose is that the guarantees and rights of those affected remain
duly restored, and given that the right requested in its
The entire claim is estimated.


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/6








Considering the cited precepts and others of general application,
the Director of the Spanish Data Protection Agency RESOLVES:


FIRST: ESTIMATE the claim made by A.A.A. and urge GOKOAN
EDUCATION, S. L. with CIF B40557506, so that, within ten business days
following notification of this resolution, send the complaining party

certification stating that you have complied with the requested right of deletion
or is motivatedly denied indicating the reasons why it is not appropriate to address the
petition, in accordance with the provisions of the body of this resolution. The
Actions carried out as a result of this Resolution must be
communicated to this Agency within the same period. Failure to comply with this resolution

could lead to the commission of the offense considered in article 72.1.m) of the
LOPDGDD, which will be sanctioned, in accordance with art. 58.2 of the GDPR.

SECOND: NOTIFY this resolution to A.A.A. and GOKOAN EDUCATION,

S. L.

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.


Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may optionally file an appeal for reconsideration before the
Director of the Spanish Agency for Data Protection within a month to
counting from the day after the notification of this resolution or directly

contentious-administrative appeal before the Contentious-Administrative Chamber of the
National High Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative jurisdiction, within two months from the

day following notification of this act, as provided in article 46.1 of the
referred Law.


                                                                                  1195-180321
Mar Spain Martí
Director of the Spanish Agency for Data Protection



















C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es