AEPD - TD/00054/2020
|AEPD - TD/00054/2020|
|Relevant Law:||Article 12 GDPR|
Article 15 GDPR
|National Case Number/Name:||TD/00054/2020|
|European Case Law Identifier:||n/a|
|Original Source:||AEPD (in ES)|
The Spanish DPA (AEPD) ordered a bank to finalise incomplete access requests under Articles 12 and 15 GDPR.
English Summary[edit | edit source]
Facts[edit | edit source]
The complainant sough to access information on themselves from CaixaBank. After receiving the information, she complained that the information was "insufficient, unrealistic, and that data are concealed". CaixaBank argued that they had already complied with the right of access.
Dispute[edit | edit source]
Has the complainant's right to access under Article 15 GDPR been violated?
Holding[edit | edit source]
The AEPD upheld the complaint on the basis that the reply from CaixaBank was incomplete, and that the "purpose of these proceedings is to ensure that the guarantees and rights of the persons concerned are duly restored". The AEPD gave CaixaBank ten working days to either comply with the request or refuse to comply and give reasons why it would be inappropriate to do so.
Comment[edit | edit source]
Scope of the AEPD's competences: The AEPD also noted that it is not competent to settle matters such as a dispute with the data controller on matters arising from a contractual relationship, such as the accuracy of the amount of debt owed or the determination of the conditions of a contractual or commercial provision.
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No: TD/00054/2020 1037-100919 RESOLUTION Nº: R/00319/2020 Having regard to the complaint made to this Agency by Ms. A.A.A., (from now the complainant), against CAIXABANK, S.A. (now the claimed), because their right of access has not been duly attended to. The procedural actions provided for in Title VIII of the Law have been carried out Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of digital rights (hereinafter referred to as LOPDGDD), the following have been found FACTS FIRST: The complainant exercised her right of access against the respondent with a tax identification number (NIF) A08663619, without having received the legally established response to your request. The claimant provides various documentation relating to the claim raised before this Agency and on the exercise of the right exercised. On 3 April 2018, in view of the claim for the right of access, this Agency resolved: "In relation to your claim for protection of rights submitted to this Agency referring to CAIXABANK, S.A., from the analysis of the documentation provided It follows that it does not concern the exercise of the right recognised in Article 15.1 of Organic Law 15/1999, of 13 December, on the Protection of Personal Data Personal Data Protection Act (LOPD), and developed in the Regulations implementing the LOPD, approved by Royal Decree 1720/2007 of 21 December. The right of access, as specified in Article 27.1 of the Regulation, is the right of the person concerned to obtain information on whether his personal data are being processed, the purpose of which is to treatment being carried out, as well as the information available on the origin of such data and the communications made or planned by the themselves. Paragraph 3 of that Article specifies that this right is independent which grant those concerned special laws and, in particular, laws which regulate the administrative procedure. Furthermore, Article 29(3) makes it clear that the information must be provided by the data controller shall comprise all the basic data of the those resulting from any computer processing, as well as the information available on the origin of the data, the assignees of the data and the specification of the specific uses and purposes for which the data is stored. Thus, access to copies of certain documents or other information associated with a business, employment or administrative relationship is not part of the content of the access right regulated in the data protection regulations, This question is therefore outside the competence of this Agency. This is notwithstanding the fact that other legislation covers the obtaining of such documentation, and the person concerned must apply to the competent authorities, particularly the organs of consumption. Consequently, in accordance with Articles 18 and 37(1)(d) of the LOPD, it is agreed to INADMIT your claim. SECOND: As a consequence of the Inadmission, you claim before the Audiencia Nacional that fails: "...That by dismissing the cause of inadmissibility raised by the party co-defendant, the action in the main proceedings brought by the Procurator of the Courts doña (...) in the name and on behalf of DOÑA A.A.A., against the resolution of 7 May 2018 of the Director of the Agency Spanish Data Protection Authority, by which the claim of the claimant is rejected against CaixaBank, S.A., which was involved in the procedure for the protection of rights TD/01002/2018, and declare the above-mentioned resolution null and void on the grounds that it does not conform to right, agreeing instead that by the Spanish Data Protection Agency and in respect of the appellant, initiate proceedings for the protection of rights against CaixaBank S.A. with express imposition of the procedural costs to the defendants..." This ruling opens a procedure for the processing of this claim and gives transfer to the respondent to attend the right. THIRD: In accordance with the tasks laid down in Regulation (EU) 2016/679, of 27 April 2016, General Data Protection (RGPD), proactive by the data controller, you are required to inform the Agency of the actions that have been taken to address the complaint raised. In summary, the following allegations were made: - The representative/Data Protection Officer of the respondent in the allegations made during the processing of the These proceedings, which have already dealt with the right of access requested both now and earlier in 2017. They provide two letters sent to the complainant for this purpose, i.e. to comply with the right to access, one on 5 December 2017 and the current one on 7 April 2020. - The complainant, who is aware of the allegations of the transfer made by this Agency and, after having received the right In summary, the information received is insufficient, unrealistic and that data are hidden. "...That I do NOT agree with the information provided by CaixaBank in exercise my right to access personal data contained in your files. It provides data on a sheet of paper that does not match reality, so, they make it up, and the data, with the documents that support that alleged express authorisation, and that commercial contracting, which has been repeatedly requested, they hide it. I imagine they do because they don't have. They do not have any documents to prove the false claims which reflect in the sheet I received (...) that to date they have not fulfilled its obligation to provide me with my right of access. It does not provide the documents that were required, and the scarce data without documents to confirm their reality that they contribute to a non correspond to reality (...) CaixaBank SA invented the dates of products are invented, the numbering of those products is invented fictitious products, and do not provide any documents proving that the contracted such products with them and do not provide the authorisations and consents to be able to dispose of and give away my data which you must have of each of these alleged products that are said to have hired..." - From this Agency, the complainant's allegations were sent to claimed without, at the date of resolution of this claim, having Nothing has been said about this. LEGAL FOUNDATIONS FIRST: The Director of the Spanish Agency of Data Protection, as laid down in Article 56(2) in in relation to Article 57(1)(f), both of Regulation (EU) 2016/679 of European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data natural persons with regard to the processing of personal data and the free circulation of these data (hereinafter referred to as RGPD); and in article 47 of the Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of digital rights (hereinafter LOPDGDD). SECOND: Article 64.1 of the LOPDGDD, provides the following: "1. Where the procedure relates solely to the failure of an application to exercise the rights laid down in Articles 15 to 22 of the Regulation (EU) 2016/679, will be initiated by a formal admission agreement, which will shall be adopted in accordance with the following Article. In this case the period for deciding on the procedure shall be six months, counting from the date on which the claimant was notified of the agreement to admission to procedure. After this period, the interested party may consider estimated your claim." THIRD: Article 12 of Regulation (EU) 2016/679 of 27 April 2016 General of Data Protection (RGPD), provides that: "1. The data controller shall take the appropriate measures to facilitate the person concerned any information referred to in Articles 13 and 14, as well as any communication pursuant to Articles 15 to 22 and 34 concerning processing, in the form concise, transparent, intelligible and easily accessible, with clear and simple language, in In particular, any information directed specifically at a child. The information shall be provided in writing or by other means, including, where appropriate, by electronic. At the request of the interested party, the information may be provided verbally, provided that the identity of the person concerned is proven by other means. 2. The data controller shall facilitate the exercise of his rights under Articles 15 to 22. In the cases referred to in Article 11 paragraph 2, the controller shall not refuse to act at the request of the data subject for the purpose to exercise his rights under Articles 15 to 22, unless he can prove who is not in a position to identify the person concerned. 3. The data controller shall provide the data subject with information concerning his proceedings on the basis of an application under Articles 15 to 22, and, in in any case, within one month from the receipt of the application. Said This deadline may be extended by a further two months if necessary, taking into account the complexity and the number of applications. The person in charge shall inform the applicant of any such extension within one month of receipt of the request, indicating the reasons for the delay. When the interested party submits the request by electronic means, the information shall be provided by electronic means where possible, unless the person concerned requests otherwise. 4. If the data controller does not comply with the request of the data subject, he shall inform without delay, and at the latest after one month, of the receipt of the application, the reasons for their failure to act and the possibility of submitting a claim to a supervisory authority and to take legal action. 5. The information provided pursuant to Articles 13 and 14 and any communication and any action taken pursuant to Articles 15 to 22 and 34 will be free of charge. Where requests are manifestly unfounded or excessive, especially due to their repetitive nature, the person responsible for treatment may: (a) charge a reasonable fee commensurate with the administrative costs incurred to provide the information or communication or to perform the requested action, or (b) refuse to act on the request. The controller shall bear the burden of proving the manifestly unfounded or excessive. 6. Without prejudice to Article 11, where the person responsible for the treatment has reasonable doubts as to the identity of the natural person the application referred to in Articles 15 to 21, may request that the provide the additional information necessary to confirm the identity of the person concerned. 7. The information to be provided to the persons concerned under Articles 13 and 14 may be transmitted in combination with standardised icons allowing provide in an easily visible, intelligible and clearly legible manner an adequate overview of the planned treatment. The icons presented in the format electronic will be mechanically readable. 8. The Commission shall be empowered to adopt delegated acts in accordance with Article 92 to specify the information to be submitted through icons and the procedures for providing standardised icons". FOURTH: Article 15 of the RGPD provides that: "1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning you are being processed and, if so case, right of access to personal data and to the following information: a) the purposes of the processing; (b) the categories of personal data concerned; (c) the recipients or categories of recipient to whom the data have been disclosed; or personal data will be communicated, in particular to third parties or international organisations; (d) if possible, the intended period of retention of the personal data or, of not be possible, the criteria used to determine this deadline; (e) the existence of the right to request the person responsible to correct or delete of personal data or the limitation of the processing of personal data relating to or to oppose such processing; (f) the right to lodge a complaint with a supervisory authority; (g) where the personal data have not been obtained from the data subject, any information available on their origin; (h) the existence of automated decisions, including profiling, to referred to in Article 22(1) and (4) and, at least in such cases, information The importance and consequences of the new system for the development of the provided for such processing for the data subject. 2. Where personal data are transferred to a third country or to an organisation international, the person concerned shall have the right to be informed of the guarantees appropriate under Article 46 concerning transfer. 3. The controller shall provide a copy of the personal data object of treatment. The data controller may receive for any other copy requested a reasonable fee based on administrative costs. When the The application must be submitted electronically by the applicant, and unless the applicant requests otherwise provided, the information shall be provided in an electronic format of common use. 4. The right to obtain a copy referred to in paragraph 3 shall not affect negatively to the rights and freedoms of others." FIFTH: Article 13 of the LOPDGDD determines the following: "1. The right of access of the affected party shall be exercised in accordance with the provisions in Article 15 of Regulation (EU) 2016/679. Where the controller processes a large amount of data relating to the data subject and he exercises his right of access without specifying whether it concerns all or part of the data controller may request, before providing the information, that the concerned specifies the data or processing activities to which the application. 2. The right of access shall be deemed granted if the data controller provide the affected person with a system of remote, direct and secure access to the data personal to guarantee, in a permanent way, access to its totality. To such the communication by the person in charge to the person concerned of the way in which he may access to this system will be sufficient to satisfy the request to exercise the right. However, the person concerned may request from the person responsible information concerning the points set out in Article 15(1) of Regulation (EU) 2016/679 which are not be included in the remote access system. 3. For the purposes of Article 12(5) of Regulation (EU) 2016/679, the following shall apply may consider the exercise of the right of access on more than one occasion to be repetitive during the six-month period, unless there is legitimate cause to do so. 4. Where the person concerned chooses a means other than the one offered to him which entails disproportionate cost, the application will be considered excessive, and therefore affected will assume the excess costs that its choice entails. In this case, only the controller shall be required to satisfy the right of access without undue delay." SEVENTH: Before going into the substance of the issues raised, it should be noted that these proceedings are being conducted following the refusal to any of the rights regulated by data protection regulations (access, correction, deletion, limitation, portability and opposition) and aims to take appropriate measures to ensure that the guarantees and rights of the person concerned are properly restored. Therefore, in the present case, only and assessed those issues raised by the complainant that remain included in the subject matter of the above-mentioned complaints procedure in respect of data protection. The exercise of the right of access, like all other rights, is a The very personal right consists of the citizen's right to obtain information on the processing of your data, the possibility of obtain a copy of the personal data concerning you that is being object of processing, as well as information, in particular, on the purposes of the processing, the categories of data, the recipients, any transfers, the time the possibility of exercising other rights, the information available on the origin of the data (if not obtained directly from holder) or the existence of automated decisions, including profiling, without affecting the data of third parties. In the case analysed here, the complainant has exercised its right to access and the response received is considered to be incomplete and lacking in reality. This Agency informs the complainant of this fact so that he can complete your reply or clarify the points raised by the complainant. On the date of the resolution of this no contribution has been made by the party complained of to the effect that the right of access requested has been fully met. On the basis of the foregoing, considering that the present proceedings have to ensure that the guarantees and rights of those concerned are duly restored, combining the information in the file with the regulations referred to in the preceding paragraphs, this complaint must be upheld, as an incomplete response has been issued. Finally, if there is a dispute with the controller on matters arising from the contractual relationship, they should be aware that the Spanish Data Protection Agency is not competent to resolve civil matters, such as those relating to the civil or commercial validity of the contract, the accuracy of the amount of the debt, the proper provision of the services contracted or the interpretation of contractual clauses. The determination of the conditions of the contractual or commercial service, based on an interpretation of the contract signed between the parties and their correct application, should be brought before the administrative or judicial authorities, as it exceeds the scope of the Agency. The bodies that issue binding decisions to this effect include Consumer Arbitration Boards (provided that the creditor voluntarily submits them), the Telecommunications User Assistance Office (www.usuariosteleco.gob.es) or the judicial bodies. They are not binding, between other, the decisions of consumer organisations and offices municipal consumer goods. It is therefore appropriate to uphold the claim which gave rise to this procedure. Having regard to the above-mentioned and other generally applicable provisions, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: ESTIMATE the claim made by Ms. A.A.A. and urge CAIXABANK, S.A. with NIF A08663619, so that, within ten working days of notification of the present resolution, send to the complaining party certification in the to record that he has complied with the right of access exercised by him or refuse, with reasons, to comply with your request, indicating why your request should not be dealt with request. The actions taken as a result of this Resolution must be communicated to this Agency within the same time limit. Failure to comply with this resolution could lead to the commission of the offence referred to in Article 72.1.m) of the LOPDGDD, which will be sanctioned in accordance with Article 58.2 of the RGPD. SECOND: TO NOTIFY this resolution to Ms. A.A.A. and CAIXABANK, S.A. In accordance with the provisions of article 50 of the LOPDGDD, the This Resolution will be made public after it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of Article 123 of the LPACAP, the interested parties may lodge, on an optional basis, an appeal for reversal to the Director of the Spanish Data Protection Agency within a period of month from the day following notification of this resolution or directly contentious-administrative appeal to the Administrative Chamber of the Audiencia Nacional, in accordance with Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998 of 13 July 1998, regulating Contentious-Administrative Jurisdiction, within two months from day following notification of this act, as provided for in Article 46(1) of the referred to Law. Mar España Martí Directora de la Agencia Española de Protección de Datos Translated with www.DeepL.com/Translator (free version)