AEPD - TD/00109/2020
|Relevant Law:||Article 15 GDPR, Article 17 GDPR|
|Parties:||EVO BANCO, S.A.U|
|National Case Number/Name:||TD/00109/2020|
|European Case Law Identifier:||n/a|
|Original Source:||AEPD (in ES)|
The Spanish DPA (AEPD) upheld a complaint from a data subject whose rights of access (Article 15) and erasure (Article 17) had still not been upheld despite several appeals and decisions.
English Summary
Facts
The complainant exercised their rights of access and erasure against a bank. When the bank failed to comply, the complainant filed a complaint with the AEPD, which rejected it. The rejection was then appealed to the Audiencia Nacional, which held that the AEPD had to deal with the rejected complaint.
Holding
The AEPD upheld the complaint.
The AEPD gave the controller ten days either to certify to the complainant that it had complied with the complainant's rights of access and erasure, or to refuse to do so, provided it gave reasons why complying with the request would be inappropriate.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: TD/00109/2020 1037-100919 RESOLUTION Nº: R/00290/2020 Having regard to the complaint made to this Agency by Ms. A.A.A., (from now the plaintiff), against EVO BANCO, S.A.U. (now the claimed), because their right to access and abolition. The procedural actions provided for in Title VIII of the Law have been carried out Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of digital rights (hereinafter referred to as LOPDGDD), the following have been found FACTS FIRST: The complainant exercised the rights of access and deletion against the claimed with NIF A70386024, without having received a reply legally established. The claimant provides various documentation relating to the claim raised before this Agency and on the exercise of the right exercised. SECOND: In accordance with the tasks provided for in Regulation (EU) 2016/679, of 27 April 2016, Data Protection General (RGPD), particularly those that meet the principles of transparency and accountability proactive on the part of the controller, you are required to inform this Agency of the actions that have been taken to address the complaint raised. As of the date of resolution of this complaint, no allegations. LEGAL GROUNDS FIRST: The Director of the Spanish Agency of Data Protection, as laid down in Article 56(2) in in relation to Article 57(1)(f), both of Regulation (EU) 2016/679 of European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data natural persons with regard to the processing of personal data and the free circulation of these data (hereinafter referred to as RGPD); and in article 47 of the Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of digital rights (hereinafter LOPDGDD). SECOND: Article 64.1 of the LOPDGDD, provides that "1. 
Where the procedure relates solely to the failure of an application to exercise the rights laid down in Articles 15 to 22 of the Regulation (EU) 2016/679, will be initiated by a formal admission agreement, which will shall be adopted in accordance with the following Article. In this case the period for deciding on the procedure shall be six months, counting from the date on which the claimant was notified of the agreement to admission to procedure. After this period, the interested party may consider estimated your claim." THIRD: Article 12 of Regulation (EU) 2016/679 of 27 April 2016 General Data Protection (RGPD), provides the following: "1. The data controller shall take the appropriate measures to provide the any information referred to in Articles 13 and 14, as well as any communication pursuant to Articles 15 to 22 and 34 concerning processing, in concise, transparent, intelligible and easily accessible form, with clear language and simple, in particular any information directed specifically at a child. The information shall be provided in writing or by other means, including, where appropriate by electronic means. When requested by the interested party, the information may be provided orally provided that the identity of the person concerned is proven by other means. 2. The data controller shall facilitate the exercise of his rights under Articles 15 to 22. In the cases referred to in Article 11(2), the person responsible shall not refuse to act at the request of The person concerned in order to exercise his or her rights under Articles 15 to 22, unless you can prove that you are unable to identify the interested. 3. The data controller shall provide the data subject with information concerning his proceedings on the basis of an application under Articles 15 to 22, and in any case, within one month from the receipt of the application. 
This period may be extended by a further two months if necessary, taking into account The complexity and number of applications is taken into account. The person in charge will inform the of any such extension within one month of the date of the decision. receipt of the application, indicating the reasons for the delay. When the If the interested party submits the application by electronic means, the information shall provide by electronic means where possible, unless the person concerned request that it be provided otherwise. 4. If the data controller does not act on the request of the data subject, he shall inform without delay, and at the latest after one month, of the receipt of the application, the reasons for their failure to act and the possibility of submitting a claim to a supervisory authority and to take legal action. 5. The information provided under Articles 13 and 14 and any communication and action taken under Articles 15 to 22 and 34 shall be free of charge. Where requests are manifestly unfounded or excessive, in particular on account of their repetitive nature, the person responsible for treatment may: (a) charge a reasonable fee commensurate with the administrative costs incurred to provide the information or communication or to perform the requested action, or (b) refuse to act on the request. The controller shall bear the burden of proving the manifestly unfounded or excessive. 6. Without prejudice to Article 11, where the person responsible for the treatment has reasonable doubts as to the identity of the person The physical person making the request referred to in Articles 15 to 21 may request that the additional information necessary to confirm the identity of the interested. 7. The information to be provided to interested parties under Articles 13 and 14 may be transmitted in combination with standardised icons allowing provide an easily visible, intelligible and clearly readable adequate overview of the planned treatment. 
The icons that are presented in electronic format will be machine-readable. 8. The Commission is empowered to adopt delegated acts in accordance with with Article 92 in order to specify the information to be submitted to through icons and the procedures for providing standardised icons". FOURTH: Article 12 of the LOPDGDD determines the following: 1. The rights recognised in Articles 15 to 22 of the Regulation (EU) 2016/679, may be exercised directly or through a legal representative or voluntary. 2. The data controller shall be obliged to inform the data subject of the means at its disposal to exercise its rights. The means must be easily accessible to the person concerned. The exercise of The right may not be denied on the sole ground that the person concerned chooses another medium. 3. The person in charge may process, on behalf of the person in charge, requests for exercise by the persons concerned of their rights if so provided for in the contract or legal act that binds them. 4. Proof of compliance with the duty to respond to the request to exercise their rights formulated by the person concerned shall be vested in the person responsible. 5. When the laws applicable to certain processing operations establish a special arrangements affecting the exercise of the rights provided for in the Chapter III of Regulation (EU) 2016/679, the provisions of the latter will be applied. 6. In any case, the holders of parental authority may exercise on behalf and representation of children under fourteen years of age the rights of access, rectification, cancellation, opposition or any other that could correspond to them in the context of the present organic law. 7. The actions carried out by the person responsible for the processing to meet requests to exercise these rights, without without prejudice to Articles 12(5) and 15(3) of the EU Regulation 2016/679 and in Article 13(3) and (4) of this Organic Law". FIFTH: Article 15 of the RGPD provides that "1. 
The data subject shall have the right to obtain from the data controller confirmation as to whether or not personal data concerning you are being processed and, if so case, right of access to personal data and to the following information: a) the purposes of the processing; (b) the categories of personal data concerned; (c) the recipients or categories of recipient to whom the data have been disclosed; or personal data will be communicated, in particular to third parties or international organisations; (d) if possible, the intended period of retention of the personal data or, of not be possible, the criteria used to determine this deadline; (e) the existence of the right to request the person responsible to correct or delete of personal data or the limitation of the processing of personal data relating to or to oppose such processing; (f) the right to lodge a complaint with a supervisory authority; (g) where the personal data have not been obtained from the data subject, any information available on their origin; (h) the existence of automated decisions, including profiling, to referred to in Article 22(1) and (4) and, at least in such cases, information The importance and consequences of the new system for the development of the provided for such processing for the data subject. 2. When personal data are transferred to a third country or to an organisation international, the person concerned shall have the right to be informed of the guarantees appropriate under Article 46 concerning transfer. 3. The controller shall provide a copy of the personal data object of treatment. The data controller may receive for any other copy requested a reasonable fee based on administrative costs. When the The application must be submitted electronically by the applicant, and unless the applicant requests otherwise provided, the information shall be provided in an electronic format of common use. 4. 
The right to obtain a copy referred to in paragraph 3 shall not affect negatively to the rights and freedoms of others." SIXTH: Article 13 of the LOPDGDD determines the following: "The right of access of the person concerned shall be exercised in accordance with the provisions in Article 15 of Regulation (EU) 2016/679. Where the controller processes a large amount of data relating to the data subject and he exercises his right of access without specifying whether it concerns all or part of the data controller may request, before providing the information, that the concerned specifies the data or processing activities to which the application. 2. The right of access shall be deemed to be granted if the data controller provide the affected person with a system of remote, direct and secure access to the data personal to guarantee, in a permanent way, access to its totality. To such the communication by the person in charge to the person concerned of the way in which he may access to this system will be sufficient to satisfy the request to exercise the right. However, the person concerned may request from the person responsible information concerning the points set out in Article 15(1) of Regulation (EU) 2016/679 which are not be included in the remote access system. 3. For the purposes of Article 12(5) of Regulation (EU) 2016/679, the following shall apply may consider the exercise of the right of access on more than one occasion to be repetitive during the six-month period, unless there is legitimate cause to do so. 4. Where the person concerned chooses a means other than the one offered to him which entails disproportionate cost, the application will be considered excessive, and therefore affected will assume the excess costs that its choice entails. In this case, only the controller shall be required to satisfy the right of access without undue delay." 
SEVENTH: Article 17 of the RGPD provides that: "The data subject shall have the right to obtain without undue delay from the controller of the processing the deletion of personal data concerning him, which shall be obliged to delete personal data without undue delay when any of the following circumstances apply: (a) the personal data are no longer necessary in relation to the purposes for which they were that were collected or otherwise treated; (b) the data subject withdraws the consent on the basis of which the processing of in accordance with Article 6(1)(a) or Article 9(2)(a) a), and this is not based on any other legal basis; (c) the data subject opposes the processing pursuant to Article 21(1); and no other legitimate grounds for processing prevail, or the data subject to oppose processing under Article 21(2); (d) the personal data have been processed unlawfully; (e) the personal data must be deleted in order to comply with an obligation established in Union law or in the law of the Member States to be ratified apply to the data controller; (f) the personal data have been obtained in connection with the provision of the information society referred to in Article 8(1). 2. Where he has made personal data public and is required under the provisions of paragraph 1, to delete such data, the person responsible for treatment, taking into account the available technology and the cost of its implementation, take reasonable measures, including technical measures, with a view to inform the persons responsible for processing the personal data of the request from the person concerned to delete any link to these personal data, or any copies or replicas thereof. 3. 
Paragraphs 1 and 2 shall not apply where processing is necessary: (a) in order to exercise the right to freedom of expression and information; (b) for the fulfilment of a legal obligation requiring the processing of data imposed by Union law or by the Member States which are apply to the controller, or for the performance of a task carried out in the public interest or in the exercise of public authority conferred on the responsible; (c) for reasons of public interest in the field of public health in accordance with with Articles 9(2)(h) and (i) and 9(3) (d) for archiving purposes in the public interest, for scientific research purposes or historical or statistical purposes, in accordance with Article 89(1) in the to the extent that the right referred to in paragraph 1 would make it impossible or seriously undermine the achievement of the objectives of such treatment, or (e) for the formulation, exercise or defence of claims. EIGHTH: Before going into the substance of the issues raised, it should be noted that that these proceedings are being conducted following the refusal to any of the rights regulated by data protection regulations (access, correction, deletion, limitation, portability and opposition) and aims to take appropriate measures to ensure that the guarantees and rights of the person concerned are properly restored. Therefore, in the present case, only and assessed those issues raised by the complainant that remain included in the subject matter of the above-mentioned complaints procedure in respect of data protection. In the case analysed here, the complainant has exercised its right to access and deletion and, after the deadline set in accordance with the rules above The Commission has not received the legally required response to its request. It should be noted that the complaint was in principle rejected by the Agency and, subsequently, the decision of the Audiencia Nacional is upheld submitted in this respect by the complainant. 
The judgment states that this Agency must to deal with the complaint which it rejected. On the basis of the foregoing, considering that the present proceedings have to ensure that the guarantees and rights of those concerned are duly restored, combining the information on file with the regulations referred to in the preceding paragraphs, it is appropriate to uphold the claim that originated the present procedure as the rights have not been met. Having regard to the above-mentioned and other generally applicable provisions, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: TO ESTIMATE the claim made by Ms. A.A.A. and to urge EVO BANCO, S.A.U. with NIF A70386024, so that within ten working days following the notification of the present resolution, send to the complaining party certification in the to record that it has complied with the rights of access and deletion exercised by or is refused, with reasons, indicating the reasons why it is not appropriate to attend to your request. The actions carried out as a consequence of this Resolution must be communicated to this Agency within the same period of time. The failure to comply with this resolution could lead to the commission of the infringement considered in article 72.1.m) of the LOPDGDD, which will be sanctioned, according to with art. 58.2 of the RGPD. SECOND: NOTICE this resolution to Ms. A.A.A. and EVO BANCO, S.A.U. In accordance with the provisions of article 50 of the LOPDGDD, the This Resolution will be made public after it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure according to art. 
48.6 of the LOPDGDD, and in accordance with the provisions of Article 123 of the LPACAP, the interested parties may lodge, on an optional basis, an appeal for reversal to the Director of the Spanish Data Protection Agency within a period of month from the day following notification of this resolution or directly contentious-administrative appeal to the Administrative Chamber of the Audiencia Nacional, in accordance with Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998 of 13 July 1998, regulating Contentious-Administrative Jurisdiction, within two months from day following notification of this act, as provided for in Article 46(1) of the referred to Law. Mar España Martí Director of the Spanish Data Protection Agency