AEPD - TD/00085/2020 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 12 GDPR, Article 13 GDPR, Article 15 GDPR, 64 (1) LOPDGDD |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 16.09.2020 |
Published: | 16.09.2020 |
Fine: | None |
Parties: | Baby Palace S.L. |
National Case Number/Name: | TD/00085/2020 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Francesc Julve Falcó |
The Spanish DPA (AEPD) held that companies must respect the right of access and provide information when a citizen requests it under Article 15 GDPR.
English Summary
Facts
The complainant exercised, against a company, his/her right under Article 15 GDPR to obtain from the controller confirmation as to whether or not personal data concerning him or her were being processed, and to access those data.
The request did not receive the legally required response.
The claimant provided various documents relating to the complaint submitted to the Spanish DPA. The DPA asked the company in question to inform the Agency of the actions taken to deal with the complaint. There was no response to this request either.
Dispute
Can companies be sanctioned for not attending to a customer's claim to exercise his or her right of access to data?
Holding
The Spanish DPA admitted the claim and urged the controller to send the claimant a certificate stating either that his/her request to exercise the right of access has been satisfied or that it is refused, indicating the reasons why the request should not be satisfied.
If the company complained of fails to comply with this resolution, this could amount to a very serious infringement, which will be sanctioned in accordance with Article 58(2) GDPR.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No: TD/00085/2020 1037-100919
RESOLUTION Nº: R/00417/2020
Having regard to the complaint lodged on 7 January 2020 with this Agency by Mr A.A.A., (hereinafter the complainant), against BABY PALACE, S.L., (hereinafter now the party complained of), because of its right to access. The procedural actions provided for in Title VIII of the Law have been carried out Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of digital rights (hereinafter referred to as LOPDGDD), the following have been found
FACTS
FIRST: The claimant exercised his right of access against the respondent without his request has received the legally established reply. The claimant provides various documentation relating to the claim raised before this Agency and on the exercise of the right exercised.
SECOND: In accordance with the tasks provided for in Regulation (EU) 2016/679, of 27 April 2016, Data Protection General (RGPD), particularly those that meet the principles of transparency and accountability proactive on the part of the controller, you are required to inform this Agency of the actions that have been taken to address the complaint raised. As of the date of the resolution of this complaint, no allegations.
LEGAL GROUNDS
FIRST: The Director of the Spanish Agency of Data Protection, as laid down in Article 56(2) in relation to Article 57(1)(f), both of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data natural persons with regard to the processing of personal data and the free circulation of these data (hereinafter referred to as RGPD); and in article 47 of the Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of digital rights (hereinafter LOPDGDD).
SECOND: Article 64.1 of the LOPDGDD, provides the following:
"1. When the procedure concerns exclusively the lack of attention of an application to exercise the rights laid down in Articles 15 to 22 of the Regulation (EU) 2016/679, will be initiated by a formal admission agreement, which will be adopted in accordance with the following Article. In this case, the period for deciding on the procedure shall be six months, counting from the date on which the claimant was notified of the agreement to admission to the procedure. After this period, the interested party may consider estimated his claim."
THIRD: Article 12 of Regulation (EU) 2016/679 of 27 April 2016 General of Data Protection (RGPD), provides that:
"1. The data controller shall take the appropriate measures to facilitate the person concerned any information referred to in Articles 13 and 14, as well as any communication pursuant to Articles 15 to 22 and 34 concerning processing, in the form concise, transparent, intelligible and easily accessible, with clear and simple language, in particular, any information directed specifically at a child. The information shall be provided in writing or by other means, including, where appropriate, by electronic. At the request of the interested party, the information may be provided verbally, provided that the identity of the person concerned is proven by other means.
2. The data controller shall facilitate the exercise of his rights under Articles 15 to 22. In the cases referred to in Article 11 paragraph 2, the controller shall not refuse to act at the request of the data subject for the purpose to exercise his rights under Articles 15 to 22, unless he can prove who is not in a position to identify the person concerned.
3. The data controller shall provide the data subject with information concerning his proceedings on the basis of an application under Articles 15 to 22, and, in any case, within one month from the receipt of the application. Said this, the deadline may be extended by a further two months if necessary, taking into account the complexity and the number of applications. The person in charge shall inform the applicant of any such extension within one month of receipt of the request, indicating the reasons for the delay. When the interested party submits the request by electronic means, the information shall be provided by electronic means where possible, unless the person concerned requests otherwise.
4. If the data controller does not comply with the request of the data subject, he shall inform without delay, and at the latest after one month, of the receipt of the application, the reasons for their failure to act and the possibility of submitting a claim to a supervisory authority and to take legal action.
5. The information provided pursuant to Articles 13 and 14 and any communication and any action taken pursuant to Articles 15 to 22 and 34 will be free of charge. Where requests are manifestly unfounded or excessive, especially due to their repetitive nature, the person responsible for treatment may:
(a) charge a reasonable fee commensurate with the administrative costs incurred to provide the information or communication or to perform the requested action, or
(b) refuse to act on the request.
The burden of proof of the character of the processing shall be on the controller manifestly unfounded or excessive.
6. Without prejudice to Article 11, where the person responsible for the treatment has reasonable doubts as to the identity of the natural person the application referred to in Articles 15 to 21, may request that the provide the additional information necessary to confirm the identity of the person concerned.
7. The information to be provided to the persons concerned under Articles 13 and 14 may be transmitted in combination with standardized icons allowing provide in an easily visible, intelligible, and clearly legible manner an adequate overview of the planned treatment. The icons presented in the format electronic will be mechanically readable.
8. The Commission is empowered to adopt delegated acts in accordance with Article 92 to specify the information to be submitted through icons and the procedures for providing standardized icons".
FOURTH: Article 15 of the RGPD provides that:
"1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning you are being processed and, if so case, right of access to personal data and to the following information:
a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipient to whom the data have been disclosed; or personal data will be communicated, in particular to third parties or international organizations;
(d) if possible, the intended period of retention of the personal data or, of not be possible, the criteria used to determine this deadline;
(e) the existence of the right to request the person responsible to correct or delete of personal data or the limitation of the processing of personal data relating to or to oppose such processing;
(f) the right to lodge a complaint with a supervisory authority;
(g) where the personal data have not been obtained from the data subject, any information available on their origin;
(h) the existence of automated decisions, including profiling, to referred to in Article 22(1) and (4) and, at least in such cases, information about the importance and consequences of the new system for the development of the provided for such processing for the data subject.
2. Where personal data are transferred to a third country or to an organization international, the person concerned shall have the right to be informed of the guarantees appropriate under Article 46 concerning the transfer.
3. The controller shall provide a copy of the personal data object of treatment. The data controller may receive for any other copy requested a reasonable fee based on administrative costs. When the application must be submitted electronically by the applicant, and unless the applicant requests otherwise provided, the information shall be provided in an electronic format of common use.
4. The right to obtain a copy referred to in paragraph 3 shall not affect negatively to the rights and freedoms of others."
FIFTH: Article 13 of the LOPDGDD determines the following:
"1. The right of access of the affected party shall be exercised in accordance with the provisions in Article 15 of Regulation (EU) 2016/679. Where the controller processes a large amount of data relating to the data subject and he exercises his right of access without specifying whether it concerns all or part of the data controller may request, before providing the information, that the concerned specifies the data or processing activities to which the application.
2. The right of access shall be deemed granted if the data controller provide the affected person with a system of remote, direct and secure access to the data personal to guarantee, in a permanent way, access to its totality. To such the communication by the person in charge to the person concerned of the way in which he may access to this system will be sufficient to satisfy the request to exercise the right. However, the person concerned may request from the person responsible information concerning the points set out in Article 15(1) of Regulation (EU) 2016/679 which are not be included in the remote access system.
3. For the purposes of Article 12(5) of Regulation (EU) 2016/679, the following shall apply may consider the exercise of the right of access on more than one occasion to be repetitive during the six-month period, unless there is legitimate cause to do so.
4. Where the person concerned chooses a means other than the one offered to him which entails disproportionate cost, the application will be considered excessive, and therefore affected will assume the excess costs that its choice entails. In this case, only the controller shall be required to satisfy the right of access without undue delay."
SIXTH: The complainant requested the right of access to his personal data and the regulatory period has elapsed in accordance with the above-mentioned standards, the request did not receive the legally required response.
The exercise of the right of access, like all other rights, is a very personal right consists of the citizen's right to obtain information on the processing of your data, the possibility of obtaining a copy of the personal data concerning you that is being the object of processing, as well as information, in particular, on the purposes of the processing, the categories of data, the recipients, any transfers, the time the possibility of exercising other rights, the information available on the origin of the data (if not obtained directly from the holder) or the existence of automated decisions, including profiling, without affecting the data of third parties.
In the case analyzed here, the complainant has exercised its right to access and the response received was an acknowledgement of receipt. From this Agency made on The complaint is transferred without a response, and is admitted for processing so that the claimant is entitled to attend to the right. As of the date of the resolution of this claim, no obtained a response.
On the basis of the foregoing, considering that the present proceedings have to ensure that the guarantees and rights of those concerned are duly restored, combining the information on file with the regulations referred to in the preceding paragraphs, this complaint must be upheld, since it does not a response has been issued.
Finally, if there is a dispute with the data controller on matters arising from the contractual relationship, they should be aware that the Agencia Española de Protección de Datos is not competent to settle civil matters, such as those relating to the civil or commercial validity of the contract, the accuracy of the amount of the debt, the proper provision of the services contracted or the interpretation of contractual clauses. The determination of the conditions of the contractual or commercial service, based on an interpretation of the contract signed between the parties and their correct application, should be brought before the administrative or judicial authorities, as it exceeds the scope of the Agency. The bodies that issue binding decisions to this effect include Consumer Arbitration Boards (provided that the creditor voluntarily submits them), the Telecommunications User Support Office (www.usuariosteleco.gob.es) or the judicial bodies. They are not binding, between others, the decisions of consumer organisations and offices municipal consumer goods.
It is, therefore, appropriate to uphold the claim which gave rise to this procedure.
Having regard to the above-mentioned and other generally applicable provisions, the Director of the Spanish Data Protection Agency RESOLVES:
FIRST: TO ESTIMATE the claim made by Mr A.A.A. and to urge BABY PALACE, S.L. with NIF B62686290, so that within ten working days following the notification of this decision, refer the complainant certification stating that you have complied with the right of access exercised by or is refused, with reasons, indicating the reasons why it is not appropriate to attend to your request. The actions carried out as a result of this resolution must be communicated to this Agency within the same time limit. The failure to comply with this resolution could lead to the commission of the infringement considered in article 72.1.m) of the LOPDGDD, which will be sanctioned, according to art. 58.2 of the RGPD.
SECOND: NOTICE this resolution to A.A.A. and BABY PALACE, S.L. in accordance with the provisions of article 50 of the LOPDGDD, the Resolution will be made public after it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure according to art. 48.6 of the LOPDGDD, and in accordance with the provisions of Article 123 of the LPACAP, the interested parties may lodge, on an optional basis, an appeal for a reversal to the Director of the Spanish Data Protection Agency within a period of a month from the day following notification of this resolution or directly contentious-administrative appeal to the Administrative Chamber of the Audiencia Nacional, in accordance with Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998 of 13 July 1998, regulating Contentious-Administrative Jurisdiction, within two months from the day following notification of this act, as provided for in Article 46(1) of the referred to Law.
Mar España Martí
Director of the Spanish Data Protection Agency