AEPD - TD/00318/2019

From GDPRhub
AEPD - TD/00318/2019
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 12 GDPR
Article 15 GDPR
[ LOPDGDD Article 13]
[ LOPDGDD Article 64(1)]
Type: Complaint
Outcome: Upheld
Decided: n/a
Published: 7. 2. 2020
Fine: n/a
Parties: Anonymous Vs. Directorate General of the Police
National Case Number/Name: TD/00318/2019
European Case Law Identifier: n/a
Appeal: {{{Appeal_To_Status}}}
[[:Category:{{{Appeal_To_Body}}}|{{{Appeal_To_Body}}}]]
[[{{{Appeal_To_Link}}}|{{{Appeal_To_Case_Number_Name}}}]]
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: {{{Initial_Contributor}}}

The AEPD found that the Directorate General of the Police failed to comply with their duties under GDPR by requiring a legitimate interest for granting an access request, and by not responding to an access request, thus denying the data subject its rights. The AEPD did not comment on the merit of the request itself.

English Summary[edit | edit source]

Facts[edit | edit source]

The data subject requested access to photographs and fingerprints. A total of seven request were sent, none of them including the information requested, thus being incomplete. The last request was not answered. The Directorate General of the Police did not reply when the AEPD sent the claim to them. As such, the complaint was decided on the basis of the claim and documentation provided by the complainant.

Holding[edit | edit source]

The AEPD instructed the Directorate General of the Police to respond to the access request within ten days following the notification of the decision. The AEPD noted that a failure to comply within ten days would be considered a violation pursuant to Article 72(1)(m) of the LOPDGDD, which would be sanctioned according to Article 58(2) GDPR.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the **Spanish** original. Please refer to the **Spanish** original for more details.

• File Nº: TD / 00318/2019 
1037-100919 
RESOLUTION Nº: R / 00062/2020 
Having regard to the claim made on June 9, 2019 before this Agency by D. 
AAA , against DIRECTORATE GENERAL OF THE POLICE, for not having been 
duly attended to your right of access. 
Performed the procedural actions provided for in Title VIII of the Law 
Organic 3/2018, of December 5, Protection of Personal Data and guarantee of 
digital rights (hereinafter LOPDGDD), the following have been found 
ACTS 
FIRST: D. AAA (hereinafter, the complaining party) exercised the right of access 
in front of the POLICE GENERAL DIRECTORATE with NIF S2816015H (hereinafter, 
the claimed one), without your request having received the answer legally 
established. 
The complaining party provides various documentation related to the claim 
raised before this Agency and on the exercise of the right exercised and notes that, the 
The subject of the complaint is due to incomplete responses to repeated requests 
of access to personal data addressed to the claimed: 
 The complaining party requests access to photographs and fingerprints of their 
person stored, as directed by the Local Police Brigade 
Scientist at the *** LOCALITY Police Station.1 , in the file 
PERPOL / PEOPLE, and referred to a police action. 
In each of the seven access requests submitted it has gone 
offering more information, but none of them has been granted 
access to these photographs and fingerprints. 
The last of the seven requests has not been answered, and the previous one was 
denied, in the absence of crediting a legitimate interest for that purpose, for having exercised 
the right in the previous twelve months. 
The complaining party emphasizes photographs and fingerprints or reviews. 
other type, without obtaining the mentioned information in any of the answers. 
SECOND : In accordance with the functions provided for in Regulation (EU) 
2016/679, of April 27, 2016, General of Data Protection (GDPR), 
particularly those that respond to the principles of transparency and accountability 
proactive by the person responsible for the treatment, you have been required to inform 
2/7 
this Agency of the actions that have been carried out to address the claim 
raised. Without receiving an answer: 
 On July 24, 2019, this Agency through the Service Support 
of Electronic Notifications and Enabled Address (Notified @ platform), 
made available to the complainant the claim presented by the party 
claimant, so that they proceed to their analysis and respond to the claiming party 
This Agency is already available within one month, as well as the relevant documentation 
vacancy related to the procedures carried out to facilitate the right exercised 
or motivated denial. 
And on August 4, 2019 the Notify @ system proceeds to rejection 
Automatic notification for ten calendar days after 
the provision of the notification without accessing its content. 
Since the aforementioned notification was not accessed, exceptionally, 
It was sent by mail, which was received on 09/10/2019, without 
have received written in this Agency allegations. 
THIRD: On October 16, 2019, in accordance with article 65.4 of 
Organic Law 3/2018, of December 5, on the Protection of Personal Data and 
guarantee of digital rights and for the purposes set forth in article 64.2, the 
Director of the Spanish Agency for Data Protection agreed to admit the 
claim submitted by the complaining party against the claimed and agreed to give 
transfer of the claim, so that within fifteen business days submit the 
allegations it deems appropriate and the parties are informed that the maximum for 
Solve the procedure will be six months, without receiving an answer: 
 On November 12, 2019, this Agency through the Support of the 
Electronic Notification Service and Enabled Address (platform 
Notified), proceeded to transfer the facts object of the claim, so that 
Within fifteen business days, submit the allegations you consider 
convenient. 
And on November 23, 2019 the Notify @ system proceeds to rejection 
Automatic notification for ten calendar days after 
the provision of the notification without accessing its content. 
Since the aforementioned notification was not accessed, it was sent by 
postal mail, which was received on December 4, 2019, without having received in 
This Agency written allegations. 
RIGHTS OF LAW 
FIRST: It is competent to resolve the Director of the Spanish Agency of 
Data Protection, in accordance with the provisions of section 2 of article 56 in 
in relation to Article 57 (1) f), both of Regulation (EU) 2016/679 of the 

European Parliament and of the Council of April 27, 2016 on the protection of 
natural persons with regard to the processing of personal data and free 
circulation of this data (hereinafter GDPR); and in article 47 of the Law 
Organic 3/2018, of December 5, Protection of Personal Data and guarantee of 
digital rights (hereinafter LOPDGDD). 
SECOND: Article 64.1 of the LOPDGDD provides the following: 
"one. When the procedure refers exclusively to the lack of attention of 
a request to exercise the rights established in articles 15 to 22 of the 
Regulation (EU) 2016/679, will be initiated by an admission agreement for processing, which will be 
shall adopt in accordance with the provisions of the following article. 
In this case, the period to resolve the procedure will be six months to count. 
from the date the claimant agreement had been notified 
admission to process. After this period, the interested party may consider 
Dear your claim. ” 
THIRD: Article 12 of Regulation (EU) 2016/679 of April 27, 2016, 
General Data Protection (GDPR), provides that: 
"one. The person responsible for the treatment will take appropriate measures to facilitate 
to the interested party all information indicated in articles 13 and 14, as well as any 
communication under articles 15 to 22 and 34 regarding treatment, in the form 
concise, transparent, intelligible and easily accessible, with clear and simple language, in 
particular any information specifically directed to a child. Information 
will be provided in writing or by other means, including, if appropriate, by means 
electronic When requested by the interested party, the information may be provided 
verbally whenever the identity of the interested party is demonstrated by other means. 
2. The person responsible for the processing will facilitate the interested party the exercise of their 
rights under articles 15 to 22. In the cases referred to in article 11, 
section 2, the person in charge will not refuse to act at the request of the interested party for the purpose 
to exercise your rights under articles 15 to 22, unless you can prove 
that is not in a position to identify the interested party. 
3. The data controller will provide the interested party with information regarding their 
actions based on an application under articles 15 to 22, and, in 
In any case, within one month of receiving the request. Saying 
term may be extended another two months if necessary, taking into account the 
complexity and the number of requests. The person responsible will inform the interested party of 
any of said extensions within one month of receipt of the 
request, indicating the reasons for the delay. When the interested party presents the 
request by electronic means, the information will be provided electronically 
when possible, unless the interested party requests that it be provided otherwise. 
4. If the person responsible for the treatment does not process the request of the interested party, 
will inform without delay, and at the latest one month after receiving the 
request, the reasons for its non-performance and the possibility of presenting a 
claim before a supervisory authority and to bring legal actions. 

5. The information provided under articles 13 and 14 as well as all 
communication and any action carried out under articles 15 to 22 and 34 
They will be free of charge. When the requests are manifestly unfounded or 
excessive, especially due to its repetitive nature, the person in charge of 
Treatment may: 
a) charge a reasonable fee based on the administrative costs incurred 
to facilitate the information or communication or perform the requested action, or 
b) refuse to act on the request. 
The person responsible for the treatment will bear the burden of demonstrating the character 
manifestly unfounded or excessive request. 
6. Without prejudice to the provisions of article 11, when the person responsible for 
treatment have reasonable doubts regarding the identity of the natural person 
When the application referred to in articles 15 to 21 is submitted, you may request that 
provide the additional information necessary to confirm the identity of the interested party. 
7. Information to be provided to interested parties under the articles 
13 and 14 may be transmitted in combination with standardized icons that allow 
provide an easily visible, intelligible and clearly readable form an adequate 
overview of the planned treatment. The icons presented in format 
electronic will be readable mechanically. 
8. The Commission shall be empowered to adopt delegated acts in accordance with 
Article 92 in order to specify the information to be submitted through 
icons and procedures to provide standardized icons. ” 
FOURTH: Article 15 of the GDPR provides that: 
"one. The interested party will have the right to obtain from the controller 
confirmation of whether or not personal data concerning you is being processed and, in such 
case, right of access to personal data and the following information: 
a) the purposes of the treatment; 
b) the categories of personal data in question; 
c) recipients or categories of recipients to whom they communicated or 
personal data will be communicated, in particular recipients in third parties or 
international organizations; 
d) if possible, the expected term of conservation of personal data or, of 
if not possible, the criteria used to determine this term; 
e) the existence of the right to request rectification or deletion from the responsible party 
of personal data or the limitation of the processing of personal data related to 
interested, or oppose such treatment; 
f) the right to file a claim with a supervisory authority; 
g) when personal data has not been obtained from the interested party, any 
information available on its origin; 
h) the existence of automated decisions, including profiling, to 
referred to in article 22, paragraphs 1 and 4, and, at least in such cases, information 
significant on the logic applied, as well as the importance and consequences 
provided for said treatment for the interested party. 
2. When personal data is transferred to a third country or to an organization 
international, the interested party will have the right to be informed of the guarantees 
appropriate under article 46 regarding the transfer. 
3. The controller will provide a copy of the personal data 
object of treatment The person in charge may receive for any other requested copy 
for the interested party a reasonable fee based on administrative costs. When he 
interested submit the application electronically, and unless it requests 
otherwise provided, the information will be provided in an electronic format of 
Common use. 
4. The right to obtain a copy mentioned in section 3 shall not affect 
negatively to the rights and freedoms of others. ” 
FIFTH: Article 13 of the LOPDGDD determines the following: 
"one. The access right of the affected party will be exercised in accordance with the provisions 
in Article 15 of Regulation (EU) 2016/679. 
When the person responsible processes a large amount of data related to the affected party and 
this exercises your right of access without specifying whether it refers to all or a party 
of the data, the person in charge may request, before providing the information, that the 
affected specify the data or treatment activities to which the 
request. 
2. The right of access shall be deemed granted if the person responsible for the treatment 
provide the affected with a remote, direct and secure data access system 
personnel that permanently guarantee access to its entirety. To such 
effects, the communication by the person responsible to the affected one of the way in which this may 
access to this system will be enough to consider the request to exercise the 
right. 
However, the interested party may request information from the person responsible for 
the extremes provided for in Article 15.1 of Regulation (EU) 2016/679 that are not 
included in the remote access system. 
3. For the purposes set out in Article 12.5 of Regulation (EU) 2016/679, 
may consider the exercise of the right of access repetitive on more than one occasion 
for a period of six months, unless there is legitimate cause for it. 
4. When the affected person chooses a different means than the one offered to him that supposes a 
disproportionate cost, the request will be considered excessive, so that 
Affected will assume the excess costs that your choice involves. In this case, just 
the satisfaction of the right of access without the 
undue delay. ” 
SIXTH: Before entering the merits of the issues raised, it should be noted 
that the present procedure is instructed as a result of the denial of 
any of the rights regulated by the data protection regulations (access, 
rectification, deletion, limitation, portability and opposition) and is intended to be 
adopt the corresponding measures so that the guarantees and rights of the affected party 
are properly restored. Therefore, in the present case, they will only be analyzed 
and assessed those issues raised by the complaining party that remain 
included within the object of the aforementioned claims procedure regarding 
Data Protection. 
In addition, the right of access, in particular, offers the possibility of obtaining 
a copy of the personal data that concerns you and that are being subject to 
treatment, as well as information, in particular, about the purposes of the treatment, 
data categories, recipients, the expected period of conservation, the possibility 
to exercise other rights, the information available on the origin of the data (if 
these have not been obtained directly from the complaining party) or the existence of 
automated decisions, including profiling. 

That said, in the case analyzed here, the complaining party exercised in 
repeatedly his right of access, and that, after the deadline 
In accordance with the rules mentioned above, your request did not get the answer 
legally enforceable, given that of the documentation provided by the complaining party, 
it follows that, the access granted is incomplete, as the 
photographs and fingerprints or motivated denial. 
This circumstance has not been refuted by the claim and although this Agency 
transferred the claim filed in the manner provided for in paragraph 1 
of article 39 of the GDPR, by means of writings through the Service Support of 
Electronic Notifications and E-mail Address Enabled and by postal mail, 
exceeded, in excess of the period indicated without receiving an answer; therefore, it must be taken 
for not fulfilling the requirement, estimating, consequently that the claimed opts 
for not objecting to the claim of the complaining party, so that this 
Agency proceeds to issue an opinion on the basis of the claim and documentation 
Attached by the complaining party. 
As for the substance, the request for access to personal data that is 
formulate obliges the person responsible for the treatment in question to give an express response, in 
In any case, using any means attesting to the duty of response, 
even in those cases in which it did not meet the requirements, in whose 
In case the recipient of this is also obliged to require the correction of the 
deficiencies observed or otherwise, motivate the refusal to address it. 
On the other hand, this Agency, in accordance with the functions provided in the 
Regulation (EU) 2016/679, of April 27, 2016, General of Data Protection 
(GDPR), particularly those that respond to respect, by the person responsible for 
treatment, of the principles of transparency and proactive responsibility, has been 
required to this, report the actions that have been carried out to attend 
the claim raised by the complaining party, without receiving a response from 
that institution 
Therefore, combining the information in the file with the 
regulations referred to in the preceding sections, it is appropriate to estimate the claim, at 
not record that the right of access exercised or its 
motivated refusal 
Having regard to the aforementioned precepts and others of general application, 
the Director of the Spanish Agency for Data Protection RESOLVES: 
FIRST: ESTIMATE the claim made by D. AAA and urge DIRECTORATE 
GENERAL OF THE POLICE with NIF S2816015H, so that, within ten days 
following the notification of this resolution, refer to the party 
complainant certification stating that he has fully attended the 
right of access exercised by the latter or denied motivatedly indicating the 
causes for which it is not appropriate to attend your request. The actions performed as 
Consequence of this Resolution must be communicated to this Agency at 
identical term. Failure to comply with this resolution could entail the commission of the 
violation considered in article 72.1.m) of the LOPDGDD, which will be sanctioned, of 
according to art. 58.2 of the GDPR.