Holidays Edreams – Complaint Upheld (Spain, 2023)

A data subject made a purchase from Edream (the controller). Slight after, he contacted the controller via phone. On January 5, 2021, the data subject requested access to the call recording but, after one month, he did not receive any response. He therefore filed a complaint with the French DPA. The case was then sent to the Spanish authority, under Articles 56 and 60 GDPR. During the investigation, the controller explained that the data subject contacted the customer service department and not the privacy department and that the internal process for responding to the request was not followed due to a human error. He also stated that as soon as the relevant department was informed, i.e. in response to the proceeding, the controller responded to the access request and sent the records by email. Finally, he explained that he had put measures in place to prevent this from happening again. In accordance with Article 60 GDPR, the Spanish DPA allowed the other supervisory authorities concerned to give their opinions, none of which reacted. The DPA considered that human error on the part of an employee does not exonerate the controller from its responsibility for the protection of personal data. It acknowledged that measures had been taken to ensure that access requests would be properly managed in the future. These measures however did not allow the data subject to exercise his rights before the proceedings were initiated. The DPA therefore concluded that the controller had violated Article 15 GDPR and, considering that the infringement was minor, issued a warning.