AMAZON WEB SERVICES EMEA SARL SUCURSAL EN ESPAÑA – Complaint Upheld (Spain, 2021)

A data subject filed a complaint against a controller with the Spanish DPA (AEPD) for not answering their erasure request. The data subject had tried to exercise their right to erasure against a news website that had allegedly published false facts about them. After receiving no answer, the data subject exercised their right against Amazon Web Services, whose services were being used by the controller. AWS rejected the claim, alleging that they were not a controller but a processor, and that they were only following the instructions of the actual controller and could not unilaterally erase any data. The AEPD received the complaint and first sent it to the controller for them to provide an answer. Not having received a satisfactory answer, the DPA launched a proceeding. The AEPD determined that, according to Article 28(3)(e), the processor has the obligation to assist the controller in the fulfilment of the controller's obligation to respond to rights requests, when possible. Therefore, Amazon Web Services should have answered the request of the data subject. The DPA found that the processor had either not answered appropriately to the request, or had not responded to the erasure request, since they did not have any document proving that they did so. The DPA ordered the processor to give an adequate answer to the data subject's request, either upholding the request, or rejecting it in a reasoned way.