AEPD - TD/00109/2020

From GDPRhub
AEPD - TD/00109/2020
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 15 GDPR
Article 17 GDPR
Type: Complaint
Outcome: Upheld
Decided: n/a
Fine: None
Parties: EVO BANCO, S.A.U
National Case Number/Name: TD/00109/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish DPA (AEPD) upheld a complaint where despite several appeals and decisions, their rights of access (Article 15) and erasure (Article 17) had still not been upheld.

English Summary[edit | edit source]

Facts[edit | edit source]

The complainant exercised their rights of access and erasure against a bank. When the bank failed to do this, the complainant filed a complaint with the AEPD, who rejected it. The complaint was then appealed at the Audiencia Nacional, who held that the APED had to deal with the rejected complaint.

Holding[edit | edit source]

The AEPD upheld the complaint.

The AEPD gave the controller ten days to either certify to the complainant that it had a complied with the complainant's rights of access and erasure, or it could refuse to do so provided they gave reasons why complying with the request would be inappropriate.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

File No.: TD/00109/2020
RESOLUTION Nº: R/00290/2020
Having regard to the complaint made to this Agency by Ms. A.A.A., (from
now the plaintiff), against EVO BANCO, S.A.U. (now the
claimed), because their right to access and
The procedural actions provided for in Title VIII of the Law have been carried out
Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of
digital rights (hereinafter referred to as LOPDGDD), the following have been found
FIRST: The complainant exercised the rights of access and deletion against the
claimed with NIF A70386024, without having received a reply
legally established.
The claimant provides various documentation relating to the claim
raised before this Agency and on the exercise of the right exercised.

SECOND: In accordance with the tasks provided for in Regulation (EU)
2016/679, of 27 April 2016, Data Protection General (RGPD),
particularly those that meet the principles of transparency and accountability
proactive on the part of the controller, you are required to inform
this Agency of the actions that have been taken to address the complaint
raised. As of the date of resolution of this complaint, no
FIRST: The Director of the Spanish Agency of
Data Protection, as laid down in Article 56(2) in
in relation to Article 57(1)(f), both of Regulation (EU) 2016/679 of
European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
natural persons with regard to the processing of personal data and the free
circulation of these data (hereinafter referred to as RGPD); and in article 47 of the
Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of
digital rights (hereinafter LOPDGDD).
SECOND: Article 64.1 of the LOPDGDD, provides that
"1. Where the procedure relates solely to the failure of
an application to exercise the rights laid down in Articles 15 to 22 of the
Regulation (EU) 2016/679, will be initiated by a formal admission agreement, which will
shall be adopted in accordance with the following Article.
In this case the period for deciding on the procedure shall be six months, counting
from the date on which the claimant was notified of the agreement to
admission to procedure. After this period, the interested party may consider
estimated your claim."
THIRD: Article 12 of Regulation (EU) 2016/679 of 27 April 2016
General Data Protection (RGPD), provides the following:
"1. The data controller shall take the appropriate measures to provide the
any information referred to in Articles 13 and 14, as well as any
communication pursuant to Articles 15 to 22 and 34 concerning processing, in
concise, transparent, intelligible and easily accessible form, with clear language and
simple, in particular any information directed specifically at a child. The
information shall be provided in writing or by other means, including, where appropriate
by electronic means. When requested by the interested party, the information may
be provided orally provided that the identity of the person concerned is proven by
other means.
2. The data controller shall facilitate the exercise of his
rights under Articles 15 to 22. In the cases referred to in
Article 11(2), the person responsible shall not refuse to act at the request of
The person concerned in order to exercise his or her rights under Articles 15 to 22,
unless you can prove that you are unable to identify the
3. The data controller shall provide the data subject with information concerning his
proceedings on the basis of an application under Articles 15 to 22, and
in any case, within one month from the receipt of the application.
This period may be extended by a further two months if necessary, taking into account
The complexity and number of applications is taken into account. The person in charge will inform the
of any such extension within one month of the date of the decision.
receipt of the application, indicating the reasons for the delay. When the
If the interested party submits the application by electronic means, the information
shall provide by electronic means where possible, unless the person concerned
request that it be provided otherwise.
4. If the data controller does not act on the request of the data subject, he
shall inform without delay, and at the latest after one month, of the receipt of the
application, the reasons for their failure to act and the possibility of submitting a
claim to a supervisory authority and to take legal action.
5. The information provided under Articles 13 and 14 and any communication and action taken under Articles 15 to 22 and 34 shall be free of charge. Where requests are manifestly unfounded or excessive, in particular on account of their repetitive nature, the person responsible for
treatment may:
(a) charge a reasonable fee commensurate with the administrative costs incurred
to provide the information or communication or to perform the requested action, or
(b) refuse to act on the request.
The controller shall bear the burden of proving the
manifestly unfounded or excessive.
6. Without prejudice to Article 11, where the person responsible for the
treatment has reasonable doubts as to the identity of the person
The physical person making the request referred to in Articles 15 to 21 may request
that the additional information necessary to confirm the identity of the
7. The information to be provided to interested parties under Articles
13 and 14 may be transmitted in combination with standardised icons allowing
provide an easily visible, intelligible and clearly readable
adequate overview of the planned treatment. The icons that are
presented in electronic format will be machine-readable.
8. The Commission is empowered to adopt delegated acts in accordance with
with Article 92 in order to specify the information to be submitted to
through icons and the procedures for providing standardised icons".

FOURTH: Article 12 of the LOPDGDD determines the following:
1. The rights recognised in Articles 15 to 22 of the Regulation (EU)
2016/679, may be exercised directly or through a legal representative or
2. The data controller shall be obliged to inform the data subject of the
means at its disposal to exercise its rights. The
means must be easily accessible to the person concerned. The exercise of
The right may not be denied on the sole ground that the person concerned chooses another
3. The person in charge may process, on behalf of the person in charge, requests for
exercise by the persons concerned of their rights if so provided for in the
contract or legal act that binds them.
4. Proof of compliance with the duty to respond to the request to exercise
their rights formulated by the person concerned shall be vested in the person responsible.
5. When the laws applicable to certain processing operations establish a
special arrangements affecting the exercise of the rights provided for in the Chapter
III of Regulation (EU) 2016/679, the provisions of the latter will be applied.
6. In any case, the holders of parental authority may exercise on behalf
and representation of children under fourteen years of age the rights of access,
rectification, cancellation, opposition or any other that could
correspond to them in the context of the present organic law.
7. The actions carried out by the person responsible for the
processing to meet requests to exercise these rights, without
without prejudice to Articles 12(5) and 15(3) of the EU Regulation
2016/679 and in Article 13(3) and (4) of this Organic Law".
FIFTH: Article 15 of the RGPD provides that
"1. The data subject shall have the right to obtain from the data controller
confirmation as to whether or not personal data concerning you are being processed and, if so
case, right of access to personal data and to the following information:
a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipient to whom the data have been disclosed; or
personal data will be communicated, in particular to third parties or
international organisations;
(d) if possible, the intended period of retention of the personal data or, of
not be possible, the criteria used to determine this deadline;
(e) the existence of the right to request the person responsible to correct or delete
of personal data or the limitation of the processing of personal data relating to
or to oppose such processing;
(f) the right to lodge a complaint with a supervisory authority;
(g) where the personal data have not been obtained from the data subject, any
information available on their origin;
(h) the existence of automated decisions, including profiling, to
referred to in Article 22(1) and (4) and, at least in such cases, information
The importance and consequences of the new system for the development of the
provided for such processing for the data subject.
2. When personal data are transferred to a third country or to an organisation
international, the person concerned shall have the right to be informed of the guarantees
appropriate under Article 46 concerning transfer.
3. The controller shall provide a copy of the personal data
object of treatment. The data controller may receive for any other copy requested
a reasonable fee based on administrative costs. When the
The application must be submitted electronically by the applicant, and unless the applicant requests
otherwise provided, the information shall be provided in an electronic format of
common use.
4. The right to obtain a copy referred to in paragraph 3 shall not affect
negatively to the rights and freedoms of others."
SIXTH: Article 13 of the LOPDGDD determines the following:
"The right of access of the person concerned shall be exercised in accordance with the provisions
in Article 15 of Regulation (EU) 2016/679.
Where the controller processes a large amount of data relating to the data subject and
he exercises his right of access without specifying whether it concerns all or part of
the data controller may request, before providing the information, that the
concerned specifies the data or processing activities to which the
2. The right of access shall be deemed to be granted if the data controller
provide the affected person with a system of remote, direct and secure access to the data
personal to guarantee, in a permanent way, access to its totality. To such
the communication by the person in charge to the person concerned of the way in which he may
access to this system will be sufficient to satisfy the request to exercise the
However, the person concerned may request from the person responsible information concerning
the points set out in Article 15(1) of Regulation (EU) 2016/679 which are not
be included in the remote access system.
3. For the purposes of Article 12(5) of Regulation (EU) 2016/679, the following shall apply
may consider the exercise of the right of access on more than one occasion to be repetitive
during the six-month period, unless there is legitimate cause to do so.
4. Where the person concerned chooses a means other than the one offered to him which entails
disproportionate cost, the application will be considered excessive, and therefore
affected will assume the excess costs that its choice entails. In this case, only
the controller shall be required to satisfy the right of access without
undue delay."
SEVENTH: Article 17 of the RGPD provides that:
"The data subject shall have the right to obtain without undue delay from the controller
of the processing the deletion of personal data concerning him, which
shall be obliged to delete personal data without undue delay when
any of the following circumstances apply:
(a) the personal data are no longer necessary in relation to the purposes for which they were
that were collected or otherwise treated;
(b) the data subject withdraws the consent on the basis of which the processing of
in accordance with Article 6(1)(a) or Article 9(2)(a)
a), and this is not based on any other legal basis;
(c) the data subject opposes the processing pursuant to Article 21(1); and
no other legitimate grounds for processing prevail, or the data subject
to oppose processing under Article 21(2);
(d) the personal data have been processed unlawfully;
(e) the personal data must be deleted in order to comply with an obligation
established in Union law or in the law of the Member States to be ratified
apply to the data controller;
(f) the personal data have been obtained in connection with the provision of
the information society referred to in Article 8(1).
2. Where he has made personal data public and is required under
the provisions of paragraph 1, to delete such data, the person responsible for
treatment, taking into account the available technology and the cost of its
implementation, take reasonable measures, including technical measures, with a view to
inform the persons responsible for processing the personal data of the
request from the person concerned to delete any link to these personal data,
or any copies or replicas thereof. 3. Paragraphs 1 and 2 shall not apply where processing is necessary:
(a) in order to exercise the right to freedom of expression and information;
(b) for the fulfilment of a legal obligation requiring the processing of
data imposed by Union law or by the Member States which are
apply to the controller, or for the performance of a task
carried out in the public interest or in the exercise of public authority conferred on the
(c) for reasons of public interest in the field of public health in accordance with
with Articles 9(2)(h) and (i) and 9(3)
(d) for archiving purposes in the public interest, for scientific research purposes or
historical or statistical purposes, in accordance with Article 89(1) in the
to the extent that the right referred to in paragraph 1 would make it impossible or
seriously undermine the achievement of the objectives of such treatment, or
(e) for the formulation, exercise or defence of claims.
EIGHTH: Before going into the substance of the issues raised, it should be noted that
that these proceedings are being conducted following the refusal to
any of the rights regulated by data protection regulations (access,
correction, deletion, limitation, portability and opposition) and aims to
take appropriate measures to ensure that the guarantees and rights of the person concerned
are properly restored. Therefore, in the present case, only
and assessed those issues raised by the complainant that remain
included in the subject matter of the above-mentioned complaints procedure in respect of
data protection.
 In the case analysed here, the complainant has exercised its right to
access and deletion and, after the deadline set in accordance with the rules above
The Commission has not received the legally required response to its request.
It should be noted that the complaint was in principle rejected by the
Agency and, subsequently, the decision of the Audiencia Nacional is upheld
submitted in this respect by the complainant. The judgment states that this Agency must
to deal with the complaint which it rejected.
On the basis of the foregoing, considering that the present proceedings have
to ensure that the guarantees and rights of those concerned are duly
restored, combining the information on file with the regulations
referred to in the preceding paragraphs, it is appropriate to uphold the claim that originated the
present procedure as the rights have not been met.
Having regard to the above-mentioned and other generally applicable provisions,
the Director of the Spanish Data Protection Agency RESOLVES:
FIRST: TO ESTIMATE the claim made by Ms. A.A.A. and to urge EVO BANCO,
S.A.U. with NIF A70386024, so that within ten working days following
the notification of the present resolution, send to the complaining party certification in the
to record that it has complied with the rights of access and deletion exercised by
or is refused, with reasons, indicating the reasons why it is not appropriate
to attend to your request. The actions carried out as a consequence of this Resolution must be communicated to this Agency within the same period of time. The
failure to comply with this resolution could lead to the commission of the infringement
considered in article 72.1.m) of the LOPDGDD, which will be sanctioned, according to
with art. 58.2 of the RGPD.
SECOND: NOTICE this resolution to Ms. A.A.A. and EVO BANCO, S.A.U.
In accordance with the provisions of article 50 of the LOPDGDD, the
This Resolution will be made public after it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure according to art.
48.6 of the LOPDGDD, and in accordance with the provisions of Article 123 of the
LPACAP, the interested parties may lodge, on an optional basis, an appeal for reversal
to the Director of the Spanish Data Protection Agency within a period of
month from the day following notification of this resolution or directly
contentious-administrative appeal to the Administrative Chamber of the
Audiencia Nacional, in accordance with Article 25 and paragraph 5 of
the fourth additional provision of Law 29/1998 of 13 July 1998, regulating
Contentious-Administrative Jurisdiction, within two months from
day following notification of this act, as provided for in Article 46(1) of the
referred to Law.

Mar España Martí
Director of the Spanish Data Protection Agency