AEPD (Spain) - TD/00325/2019

From GDPRhub
Revision as of 09:27, 6 February 2020 by Juliette Leportois (talk | contribs)
AEPD - TD/00182/2019
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 15 GDPR
Type: Complaint
Outcome: Upheld
Decided: 4.11.2019
Published: n/a
Fine: None
Parties: KUTXABANK S.A.
National Case Number: TD/00182/2019
European Case Law Identifier n/a
Appeal: n/a
Original Language:

Spanish

Original Source: AEPD (in ES)

The DPA ordered a bank (KUTXABANK S.A.) to respond to a subject access request.

English Summary

Facts

A bank's client complained that they could not exercise their right to access after the bank has blocked his account due to debts. The bank refused to fulfill the request, claiming that it does not process personal data anymore since the account was blocked.

Dispute

Could the controller refuse to answer to a request for access because the requested data is part of a "blocked" account?

Holding

The AEPD found that as there is an ongoing relationship, the bank still holds personal data. The DPA ordered the bank to fulfill the data subject’s request within the ten working days following the decision. It further ordered the company to inform the AEPD during the same time period on its compliance with the decision. Lastly, it decided that the fact that the controller blocked the account cannot is irrelevant and the controller must comply with the request of access, as required by Article 15 GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the original. Please refer to the Spanish original for more details.

To be completed..