AEPD (Spain) - TD/00325/2019: Difference between revisions

From GDPRhub
No edit summary
No edit summary
Line 13: Line 13:
[[Category:Article 12 GDPR]]
[[Category:Article 12 GDPR]]


[[Article 15 GDPR]][[Category:Article 15 GDPR]]
[[Article 15 GDPR]]
[[Category:Article 15 GDPR]]


[[Article 56 GDPR#2|Article 56(2) GDPR]] [[Category:Article 56(2) GDPR]]
[[Article 56 GDPR#2|Article 56(2) GDPR]]  
[[Category:Article 56(2) GDPR]]


[[Article 57 GDPR#1f|Article 57(1)(f) GDPR]]
[[Article 57 GDPR#1f|Article 57(1)(f) GDPR]]
Line 26: Line 28:
|Decided:||n/a
|Decided:||n/a
|-
|-
|Published:|| 3.02.2020
|Published:||3.02.2020
[[Category:2020]]
[[Category:2020]]
|-
|-
|Fine:||None
|Fine:||None
|-
|-
|Parties:||%Helath department of Madrid Vs. Anonymous
|Parties:||Health Department of Madrid Vs. Anonymous
|-
|-
|National Case Number:||TD/00325/2019
|National Case Number:||TD/00325/2019

Revision as of 09:38, 6 February 2020

AEPD - TD/00325/2019
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 12 GDPR

Article 15 GDPR

Article 56(2) GDPR

Article 57(1)(f) GDPR

Type: Complaint
Outcome: Upheld
Decided: n/a
Published: 3.02.2020
Fine: None
Parties: Health Department of Madrid Vs. Anonymous
National Case Number: TD/00325/2019
European Case Law Identifier n/a
Appeal: n/a
Original Language:

Spanish

Original Source: AEPD (in ES)

The DPA ordered a bank (KUTXABANK S.A.) to respond to a subject access request.

English Summary

Facts

A bank's client complained that they could not exercise their right to access after the bank has blocked his account due to debts. The bank refused to fulfill the request, claiming that it does not process personal data anymore since the account was blocked.

Dispute

Could the controller refuse to answer to a request for access because the requested data is part of a "blocked" account?

Holding

The AEPD found that as there is an ongoing relationship, the bank still holds personal data. The DPA ordered the bank to fulfill the data subject’s request within the ten working days following the decision. It further ordered the company to inform the AEPD during the same time period on its compliance with the decision. Lastly, it decided that the fact that the controller blocked the account cannot is irrelevant and the controller must comply with the request of access, as required by Article 15 GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the original. Please refer to the Spanish original for more details.

To be completed..