AYUNTAMIENTO DE GIJÓN – Complaint Upheld (Spain, 2021)

This decision is a consequence of a complaint submitted by a citizen stating that they requested via email the defendant’s Data Protection Officer access to the record of processing activities, but the controller never replied to the request. Four months after the request the claimant brought the dispute to the Spanish Data Protection Authority (AEPD). The AEPD found that the Council did not have a record of processing activities, what was confirmed by the controller. The controller answered to the AEPD's investigation requests confirming that it had not implemented a record of processing activities, due to political issues and the pandemic situation. With regards to the lack of answer to the data subject, the controller stated that the request was not addressed by the means required by the Spanish Administrative Law. The AEPD launched a sanctioning procedure, remaking that the GDPR entered into force in 2016 and is fully applicable since 2018, so the controller had had enough time to adapt to it. In the allegations process, the controller argued that it had started implementing the record of processing activities during the duration of this procedure and was compliant with Article 30 GDPR and Article 31 of the [https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673 Spanish Data Protection Act]. The DPA concluded that there had been no record of processing activities, and that consequently the controller had infringed Article 30 GDPR and Article 31 of the [https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673 Spanish Data Protection Act]. Since the City Council is a public body, the AEPD imposed a warning on the controller, and compelled it to comply with the GDPR.