AEPD (Spain) - TD/00262/2019

From GDPRhub
(Redirected from AEPD - TD/00262/2019)
AEPD (Spain) - TD/00262/2019
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 17 GDPR
Type: Complaint
Outcome: No Violation Found
Started:
Decided:
Published: 07.01.2020
Fine: None
Parties: CGT Sector Federal de Telemarketing A.A.A.
National Case Number/Name: TD/00262/2019
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The AEPD dismissed the complaint regarding the right "to be forgotten" exercised by a complainant pursuant to Article 17 GDPR and analysed the exercise of the rights under Articles 15-22 GDPR.

English Summary

Facts

On 15 February 2019, Mrs A.A.A.  (hereinafter, the complainant) exercised her right to erasure against CGT Sector Federal de Telemarketing (hereinafter, the respondent), but had not received a response to her request. In particular, the request included that complainant's personal data (such as name, surname and telephone number) should not appear in a bulletin posted on the CGT Telemarketing website when a search is made. The complainant provided a list of the URLs concerned.

In response to the request "to be forgotten", the respondent instructed the complainant to address Google in order to remove the links or the text.

Dispute

The respondent stated that the complainant had voluntarily joined the CGT as a member of the Works Council. The complainant's data appeared on the Council's website because she belonged to the Council and to the Workers' Committees and because of her participation in the bulletins and along with thousands of workers, which means that the contact details are published in case any worker needs help or to locate their representatives.

The respondent claimed that the telemarketing sector is not done by the CGT's itself, but by an entity that is part of it and the has control only over the web and content of www.cgt-telemarketing. CGT is an Association of Trade Unions and sectors, each of which has its own legal personality and therefore its own C.I.F. and has not maintained any relationship with the claimant.

Holding

Results of the investigations conducted by the AEPD revealed that when a search is made by the name of the complainant the result is "No results found" for each of the urls in question.

The AEPD decided to dismiss the complaint, regardless of the fact that the search engine refused to cancel the URLs, but given that the claimant's name is not linked to the search results in the URLs claimed and that the controller stated that the complainant's data has been deleted, the claims of the complainant have been satisfied, therefore the claim is dismissed as non-existing.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the original. Please refer to the Spanish original for more details.

File No.: TD/00262/2019
1034-080719

RESOLUTION Nº: R/00651/2019

Having regard to the complaint made on 8 April 2019 to this Agency by Ms. A.A.A., against the CGT SECTOR FEDERAL DE TELEMARKETING, for not having duly attended to its right of deletion, the following procedural actions have been carried out as provided for in Title VIII of the Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD)

FACTS 

FIRST: On February 15, 2019, Mrs. A.A.A.  (hereinafter, the complainant) exercised her right of withdrawal against CGT SECTOR FEDERAL DETELEMARKETINGcon (hereinafter, the respondent), without receiving the legally established response to her request. In particular, he requests that his personal data not be published in the URLs when a search is made with his name, the name, surname and telephone number appear in a bulletin posted on the cgt telemarketing website:

1.***URL.12.***URL.23.***URL.34.***URL.45.***URL.56.***URL.67.***URL.78.***URL.89.***URL.910.***URL.1011.***URL.1112.***URL.1213.***URL.1314.***URL.14

The complainant provides documentation where the respondent informs him that he must go to the branch union and that he must go to Google in order to remove the links or text of the branch union.4 of the Organic Law 3/2018, of December 5, on the Protection of Personal Data and the guarantee of digital rights, and the Director of the Spanish Data Protection Agency agreed to admit the claim presented by the claimant against the defendant and agreed to postpone the claim, so that within fifteen working days he can present the allegations he considers appropriate and the parties are informed that the maximum period for resolving the procedure will be six months. In summary, the following delegations were made: The representative of the respondent states in the allegations made during the processing of this procedure that the complainant has voluntarily joined the CGT as a member of the Works Council. That a response was given to the complaint raised, that the data appeared on the union website because she belonged to the union and to the Workers' Committees and because of her participation in the bulletins and in a company with thousands of workers, which means that the contact details are published in case any worker needs help or to locate their representatives.That the bulletins are uploaded on the Internet by the union sections in a self-managed manner, with the complainant herself participating in the distribution of union information bulletins. However, in response to her complaint, she has censored her name and telephone number in the PDF documents. It was reported that in reference to external pages such as social networks or search engines must be time to stop indexing that content or request the cancellation oborrados to the website that stores such information outside the CGT. That the telemarketing sector is not itself the CGT but an entity that is part of it and therefore only has control over the web and content of "www.cgt-telemarketing.That CGT is an Association of Trade Unions and sectors, each of which has its own legal personality and therefore its own C.I.F. and has not maintained any relationship with the claimant. That it is not recorded, furthermore, that it has exercised the right before this headquarters, and that, the data of this one do not appear in the files of this headquarters.

LEGAL GROUNDS FIRST:   The Director of the Spanish Data Protection Agency is competent to decide, in accordance with the provisions of Article 56(2) in relation to Article 57(1)(f), both of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter, RGPD);   anddArticle 47 of the Organic Law 3/2018 of December 5,,onnPersonal Data Protection anddGuarantee of Digital Rights (hereinafter referred too as LOPDGDD).SECOND: Article 64.1 of the LOPDGDD, provides that: "1. When the procedure refers exclusively to the failure to comply with a request to exercise the rights established in articles 15 to 22 of Regulation (EU) 2016/679, it will be initiated by an admission agreement, which will be adopted in accordance with the provisions of the following article.   Once this period has elapsed, the interested party may consider his or her claim to be accepted". Third: Article 12 of Regulation (EU) 2016/679, of 27 April 2016, General Data Protection Regulation (RGPD), provides the following: "1. The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication pursuant to Articles 15 to 22 and 34 relating to the processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and simple language, in particular any information addressed specifically to a child. The information shall be provided in writing or by other means, including, where appropriate, by electronic means.   At the request of the data subject, the information may be provided orally provided that the identity of the data subject is established by other means.2.   In the cases referred to in Article 11(2), the controller shall not refuse to act on request of the data subject for the purpose of exercising his rights under Articles 15 to 22, unless he can prove that he is not able to identify the data subject.3. The data controller shall provide the data subject with information concerning his or her actions on the basis of a request pursuant to Articles 15 to 22, and in any case within one month of receipt of the request. This period may be extended by another two months if necessary, taking into account the complexity and number of requests.   The official shall inform the applicant of any such extension within one month of receipt of the application, stating the reasons for the delay.   Where the interested party submits the request by electronic means, the information shall be made available by electronic means where possible, unless the interested party requests otherwise.4. If the data controller does not comply with the request of the data subject, he shall inform the data subject without delay, and at the latest one month after receipt of the request, of the reasons for his failure to act and of the possibility of lodging a complaint with a supervisory authority and of taking legal action.5.   The information provided under Articles 13 and 14 as well as any communication and any action taken under Articles 15 to 22 and 34 shall be free of charge. (a) charge a reasonable fee commensurate with the administrative costs incurred in providing the information or communication or in taking the action requested; or (b) refuse to act on the request.   Without prejudice to the provisions of Article 11, where the data controller has reasonable doubt as to the identity of the natural person making the request referred to in Articles 15 to 21, he may request that additional information necessary to confirm the identity of the data subject be provided.7. The information to be provided to the data subject under Articles 13 and 14 may be transmitted in combination with standardised icons which provide an easily visible, intelligible and clearly legible overview of the intended processing.   Icons presented in electronic form shall be mechanically legible.8. The Commission shall be empowered to adopt delegated acts in accordance with Article 92 to specify the information to be displayed by means of icons and the procedures for providing standardised icons.   The rights recognised in Articles 15 to 22 of Regulation (EU)2016/679, may be exercised directly or through a legal or voluntary representative.2 The data controller shall be obliged to inform the data subject of the means at his disposal to exercise the rights to which he is entitled.   The means must be easily accessible to the data subject.   The exercise of the right may not be denied on the sole ground that the data subject has opted for otromedio.3.   The person in charge may process, on behalf of the person responsible, the requests for the exercise of his rights made by the affected parties if this is established in the contract or legal act that binds them.4.   When the laws applicable to certain processing operations establish a special regime affecting the exercise of the rights provided for in Chapter III of Regulation (EU) 2016/679, the provisions of those laws shall apply.6. In any case, the holders of the parental authority may exercise the rights of access, rectification, cancellation, opposition or any other rights that may correspond to them in the context of this law in the name and on behalf of minors under fourteen years of age.7   The actions carried out by the person in charge of the treatment to attend the requests of exercise of these rights will be free of charge, without prejudice of the articles 12.5 and 15.3 of the Regulation (UE)2016/679 and in the paragraphs 3 and 4 of article 13 of this organic law "FIFTH: The article 17 of the RGPD establishes that: "1. The data subject shall have the right to obtain without undue delay from the data controller the deletion of personal data relating to him, who shall be obliged to delete the personal data without undue delay in any of the following circumstancesa) personal data are no longer necessary for the purposes for which they were collected or otherwise processed; b) the data subject withdraws the consent on the basis of which the processing was carried out in accordance with Article 6(1)(a) or Article 9(2)(a) and this is not based on any other legal basis; c) the data subject opposes the processing according to Article 21(1) and no other legitimate grounds prevail for the processing, or the data subject opposes the processing according to Article 21(2); (e) personal data must be deleted in order to comply with a legal obligation under Union law or the law of the Member States applicable to the controller 2. Where he has made personal data public and is required, pursuant to paragraph 1, to delete such data, the controller shall, taking into account the technology available and the cost of implementation, take reasonable steps, including technical measures, to inform the controllers who are processing the personal data of the request of the data subject to delete any link to such personal data or any copy or replica thereof. 3. Paragraphs 1 and 2 shall not apply where processing is necessary: (b) in order to comply with a legal obligation requiring the processing of data imposed by Union law or by law of the Member States on the controller or in order to carry out a task carried out in the public interest or in the exercise of public authority vested in the controller; (d) for archiving purposes in the public interest, for the purposes of scientific or historical research or for statistical purposes, in accordance with Article 89(1), insofar as the right referred to in paragraph 1 is likely to make impossible or seriously impede the achievement of the purposes of such processing; or"SIXTH: In the case analyzed here, the claimant exercised its right of deletion and in accordance with the rules indicated above, its request obtained the legally required response within the established period, the claimant indicates that they have proceeded to the deletion of their data. Furthermore, as regards the fact that their personal data are deleted when they are entered in the search engine and that they are not associated with the search results from their names in the already referenced URLs, during the processing of the present proceedings this Agency has verified that, when a search is made by the name of the party in the search engine, the result is "No results found" for each of the urls in question.The purpose of this procedure is to ensure that the guarantees and rights of those affected are duly restored, and therefore, in this case, regardless of whether the search engine refuses to cancel the URLs, there would be grounds for analysing the relevance or otherwise of what has been published, and given that your name is not linked to the search results in the URLs in question and that the person responsible for the file states that your data has been cancelled, the claims of the complainant have been satisfied, and therefore the complaint is rejected as not having any purpose. In view of the above-mentioned precepts and others of general application, the Director of the Spanish Data Protection Agency RESOLVES:FIRST: TO DISMISSUE the claim formulated by Ms. A.A.A. against CGTSECTOR FEDERAL DE TELEMARKETING.SECOND: TO NOTIFY this resolution to A.A.A.A. and CGT SECTOR FEDERAL DE TELEMARKETING In accordance with the provisions of Article 50 of the LOPDGDD, this resolution will be made public once it has been notified to the interested parties..6 of the LOPDGDD, and in accordance with the provisions of Article 123 of the LPACAP, the interested parties may, optionally, lodge an appeal for reversal with the Director of the Spanish Data Protection Agency within a period of one month starting from the day following notification of this resolution or the address of the contentious-administrative proceedings before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998 of 13 July, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the date on which it was issued.are manifestly unfounded foreseen on the day following the notification of this act, in accordance with the provisions of article 46.1 of the aforementioned Act.

Mar Spain Martí
Director of the Spanish Data Protection Agency