A.A.A – Violation Found (Spain, 2022)

Resolution No. R/00665/2022 is highlighted by a case concerning a claimant (namely A.A.A) and a respondent party (namely Securitas Direct España, S.A). The claimant filed against the respondent party for not having been duly attended to his right of access and deletion enshrined in Articles 15 to 22 of the RGPD, Articles 13 to 18 LOPDGDD and Article 17 GDPR respectively. The conflict of law arose in this case when a sufficiently legally established response was not generated by the respondent to the claimants request. Furthermore, the claim was transferred to the respondent so that the entity could proceed with its analysis and provide a response to the claimant within a period of one month. The Director of the Spanish Data Protection Agency agreed to admit the claim for processing and the parties concerned were informed of the maximum term for resolution, that being six months. The competence of the Spanish Data Protection Agency is refined by Article 55 GDPR in the promotion of an obligation between controllers and processors to deal with complaints issued by data subjects. The result of the said transfer did not allow the claimants issues to be understood as satisfied. Consequently, due to the lack of attention delegated to the claimants rights further set forth in Articles 15 to 22 of EU Regulation 2016/679, an agreement to admit for processing was initiated. The Director of the Spanish Data Protection Agency went on to note that considering the purpose of the outlined procedure was to ensure that the rights of affected parties were fully restored, the complaint that gave rise to this procedure should be upheld on formal grounds due to the fact that the right of access had been complied with and the right of erasure had been duly denied (on the applicable grounds of Article 17 GDPR).