AEPD - TD/00182/2019

From GDPRhub
AEPD - TD/00182/2019
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 15 GDPR
Type: Complaint
Outcome: Upheld
Decided: 4.11.2019
Published: n/a
Fine: None
National Case Number: TD/00182/2019
European Case Law Identifier n/a
Appeal: n/a
Original Language:


Original Source: AEPD (in ES)

The DPA ordered a bank (KUTXABANK S.A.) to respond to a subject access request.

English Summary[edit | edit source]

Facts[edit | edit source]

A bank's client complained that they could not exercise their right to access after the bank has blocked his account due to debts. The bank refused to fulfill the request, claiming that it does not process personal data anymore since the account was blocked.

Dispute[edit | edit source]

Could the controller refuse to answer to a request for access because the requested data is part of a "blocked" account?

Holding[edit | edit source]

The AEPD found that as there is an ongoing relationship, the bank still holds personal data. The DPA ordered the bank to fulfill the data subject’s request within the ten working days following the decision. It further ordered the company to inform the AEPD during the same time period on its compliance with the decision. Lastly, it decided that the fact that the controller blocked the account cannot is irrelevant and the controller must comply with the request of access, as required by Article 15 GDPR.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the original. Please refer to the Spanish original for more details.

File No.: TD/00182/2019

RESOLUTION Nº: R/00514/2019

Having regard to the appeal for reversal issued by the Director of the Spanish Data Protection Agency challenging the decision of this Agency with reference number E/03769/2019 dated 5 April 2019, which rejected the complaint submitted by Mr. A.A.A., representing Ms. B.B.B. against KUTXABANK, S.A., for failure to comply with the exercise of access

Having carried out the procedural actions provided for in Title VIII of Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights (hereinafter LOPDGDD), the following have been established


FIRST: Mr. A.A.A., on behalf of Ms. B.B.B. (hereinafter, the claimant) exercised his right of access against KUTXABANK, S.A. with NIF A95653077 (hereinafter, the claimed entity), without his request having received the legally established response.

The claimant provides various documents relating to the complaint lodged with this Agency and on the exercise of the right exercised and points out that, as the access is motivated by the blocking of the accounts due to an alleged debt, the claimed entity confirmed to it that the data of the affected party were not included in credit information systems.

SECOND: In accordance with the functions provided for in Regulation (EU) 2016/679, of 27 April 2016, General Data Protection Regulation (RGPD), particularly those that respond to the principles of transparency and proactive responsibility on the part of the data controller, you have been required to inform this Agency of the actions that have been taken to deal with the complaint raised. In summary, the following allegations were made:

✓ In the allegations made during the processing of the present procedure, the entity complained of states that, to the right exercised by the complaining party on 23/07/2018, a reply was given on 10/08/2019 informing that the account was not blocked and detailing the origin of the debt incurred from a personal loan in 1991.

On 5/1/2018 a new claim was received requesting information related to the debt, its treatment, as well as the rectification and suppression of all the information derived from the same one and it is answered that, the data are not included in the files of patrimonial solvency and credit by the breach of monetary obligations, therefore, a data treatment in relation to these files does not take place.
After the requirement of this Agency, an additional written answer is sent and the right of access is resolved, with emphasis on the previous writings and complementing the information in accordance with the provisions of the right of access.

The complainant points out that it is not true that the existence of a debt for an alleged financing was reported. However, the entity did not provide nor did it provide the documentation where said operation is recorded, especially as it is an alleged operation from 1991, which, even if it existed pending, would have been time-barred.

That it does not comply with the data protection regulations, at the time it did not comply with the law and it does so when this Agency requires it, but it is not complete, it still does not provide the documentation on which the alleged debt is based, it does not clarify whether it has proceeded to cancel the product or the data relating to the alleged debt.

Therefore, the financial entity is required to expand the information.


FIRST: The Director of the Spanish Data Protection Agency is competent to decide on this matter, in accordance with the provisions of Article 56(2) in relation to Article 57(1)(f), both of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the RGPD); and in Article 47 of Organic Law 3/2018 of December 5, 2008, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD).

SECOND: Article 64.1 of the LOPDGDD, provides as follows

"1. When the procedure refers exclusively to the failure to comply with an application to exercise the rights set out in Articles 15 to 22 of Regulation (EU) 2016/679, it shall be initiated by an admission agreement, which shall be adopted in accordance with the following article.

In this case, the deadline for resolving the procedure shall be six months from the date on which the claimant was notified of the agreement of admission to processing. Once this period has elapsed, the interested party may consider his claim to be accepted".
THIRD: Article 12 of Regulation (EU) 2016/679 of 27 April 2016, General Data Protection (GDPS), provides that

"The controller shall take appropriate measures to provide the data subject with any information referred to in Articles 13 and 14 and any communication pursuant to Articles 15 to 22 and 34 relating to the processing, in a concise, transparent, intelligible and easily accessible form, using clear and simple language, in particular any information addressed specifically to a child. The information shall be provided in writing or by other means, including, where appropriate, by electronic means. At the request of the data subject, the information may be provided orally provided that the identity of the data subject is established by other means.
2.	The controller shall facilitate the exercise by the data subject of his rights under Articles 15 to 22. In the cases referred to in Article 11(2), the controller shall not refuse to act on the request of the data subject for the purpose of exercising his or her rights pursuant to Articles 15 to 22, unless he or she can prove that he or she is unable to identify the data subject.
3.	The controller shall provide the data subject with information concerning his or her actions on the basis of a request pursuant to Articles 15 to 22, and in any event within one month of receipt of the request. That period may be extended by a further two months if necessary, taking into account the complexity and number of requests. The official shall inform the person concerned of any such extension within one month of receipt of the application, stating the reasons for the delay. Where the data subject submits the request by electronic means, the information shall be provided by electronic means where possible, unless the data subject requests otherwise.
4.	If the controller does not comply with the request of the data subject, it shall inform the data subject without delay, and at the latest one month after receipt of the request, of the reasons for the failure to act and of the possibility of lodging a complaint with a supervisory authority and of taking legal action.
5.	The information provided pursuant to Articles 13 and 14 and any communication and action taken pursuant to Articles 15 to 22 and 34 shall be free of charge. Where requests are manifestly unfounded or excessive, in particular because they are repetitive, the controller may
(a) charge a reasonable fee commensurate with the administrative costs incurred in providing the information or communication or in carrying out the requested action; or
(b) refuse to act on the application.
The controller shall bear the burden of proving that the request is manifestly unfounded or excessive.
6.	Without prejudice to Article 11, where the controller has reasonable doubts as to the identity of the natural person making the request referred to in Articles 15 to 21, he or she may request that additional information necessary to confirm the identity of the data subject be supplied.
7.	The information to be provided to the data subjects pursuant to Articles 13 and 14 may be transmitted in combination with standard icons providing in an easily visible, intelligible and clearly legible form an adequate overview of the intended processing. Icons presented in electronic form shall be mechanically legible.
8.	The Commission shall be empowered to adopt delegated acts in accordance with Article 92 to specify the information to be displayed by means of icons and the procedures for providing standardised icons.

FOURTH: Article 15 of the RGPD provides that:

"1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him are being processed and, if so, the right of access to the personal data and to the following information:
(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third parties or international organisations;
(d) if possible, the intended period of storage of the personal data or, if this is not possible, the criteria used to determine this period;
(e) the existence of the right to request from the controller the rectification or erasure of personal data or the limitation of the processing of personal data relating to the data subject or to object to such processing;
(f) the right to lodge a complaint with a supervisory authority;
(g) where the personal data have not been obtained from the data subject, any available information concerning their origin;
(h) the existence of automated decisions, including profiling, as referred to in Article 22(1) and (4) and, at least in such cases, significant information about the logic involved and the significance and the expected impact of the processing on the data subject.
2.	Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of appropriate safeguards pursuant to Article 46 concerning the transfer.
3.	The controller shall provide a copy of the personal data processed. The controller may charge a reasonable fee based on administrative costs for any other copies requested by the data subject. Where the request is made by the data subject by electronic means, and unless the data subject requests otherwise, the information shall be provided in a commonly used electronic format.
4.	The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.

FIFTH: Article 13 of the LOPDGDD determines the following:

"1. The right of access of the person concerned shall be exercised in accordance with the provisions of Article 15 of Regulation (EU) 2016/679.
Where the controller processes a large amount of data relating to the data subject and the data subject exercises his right of access without specifying whether it relates to all or part of the data, the controller may, before providing the information, request the data subject to specify the data or processing activities to which the request relates.
2.	The right of access shall be deemed to be granted if the controller provides the data subject with a system of remote, direct and secure access to the personal data which guarantees, on a permanent basis, access to all the data. To such

For this purpose, the notification by the person responsible to the person concerned of the way in which he may have access to the system shall be sufficient to satisfy the request to exercise the right.
However, the interested party may request from the person responsible the information referred to in Article 15(1) of Regulation (EU) 2016/679 that is not included in the remote access system.
3.	For the purposes set out in Article 12(5) of Regulation (EU) 2016/679, the exercise of the right of access may be considered to be repetitive on more than one occasion during the six-month period, unless there are legitimate grounds for doing so.
4.	Where the data subject chooses a means other than that offered to him/her which entails disproportionate costs, the application shall be considered excessive and the data subject shall bear the additional costs involved. In this case, only the fulfilment of the right of access without undue delay shall be enforceable against the data controller.

SIXTH: Before going into the substance of the issues raised, it should be noted that the present procedure is being conducted as a result of the denial of some of the rights regulated by the data protection regulations (access, rectification, deletion, limitation, portability and opposition) and aims to ensure that the corresponding measures are adopted so that the guarantees and rights of the affected party are duly restored. Therefore, in the present case, only those issues raised by the claimant that are included within the object of the aforementioned data protection claims procedure will be analysed and assessed.
In addition, the right of access, in particular, offers the possibility of obtaining a copy of the personal data concerning him/her that are being processed, as well as information, in particular, on the purposes of the processing, the categories of data, the recipients, the intended period of storage, the possibility of exercising other rights, the information available on the origin of the data (if these have not been obtained directly from the complaining party) or the existence of automated decisions, including the creation of profiles.
Having said that, in the case analysed here, the claimant exercised his right of access in relation to an alleged debt that led to the blocking of an account, and that, after the time limit established in accordance with the above-mentioned rules, his request did not receive the legally required response, given that the access granted was incomplete.
From the documentation provided by the parties, it can be seen that the contractual relationship is still alive, and therefore, once the access granted by the requested entity has been examined, it can be seen that this access is incomplete, since the banking or financial products that the requesting party holds in assets are not provided, nor is it known whether or not the requesting party currently holds any debt.
Therefore, the claim that gave rise to this procedure should be upheld so that access is facilitated in accordance with the preceding paragraph.

The rest of the issues raised by the parties are not within the competence of this Agency and must be resolved by the corresponding bodies.
Having regard to the above-mentioned and other generally applicable provisions, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: TO ESTIMATE the claim made by Mr. A.A.A., on behalf of Ms. B.B.B. and to urge KUTXABANK, S.A. with NIF A95653077, so that, within ten working days following notification of this resolution, it sends the claimant a certificate stating that it has complied with the right of access in accordance with the provisions of the body of this resolution. The actions carried out as a result of this Resolution must be communicated to this Agency within the same period of time. Failure to comply with this resolution could lead to the commission of the infringement considered in article 72.1.m) of the LOPDGDD, which will be sanctioned, in accordance with article 58.2 of the RGPD.

SECOND: TO NOTIFY this resolution to Mr. A.A.A., on behalf of Ms. B.B.B. and to KUTXABANK, S.A..

In accordance with the provisions of Article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure in accordance with article
48.6 of the LOPDGDD, and in accordance with the provisions of Article 123 of the LPACAP, the interested parties may, optionally, lodge an appeal for reversal with the Director of the Spanish Data Protection Agency within a period of one month from the day following notification of this decision or directly lodge an administrative appeal with the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998 of 13 July 1998, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided for in Article 46.1 of the aforementioned Law.

Mar Spain Martí
Director of the Spanish Data Protection Agency