ABANCA CORPORACIÓN BANCARIA, S.A. – Complaint Upheld (Spain, 2022)

On February 8, 2022 the data subject complaint in AEPD against ABANCA CORPORACIÓN BANCARIA, S.A. due to not responding to an access request. The data subject also approached LEXER, the credit recovery company for ABANCA, requesting for an immediate cessation of telephone harassment, mail, letters to the data subject requesting money recovery. LEXER answered that regarding the debt with ABANCA, the communications were sent to the data subject since they provide a service of money recovery for ABANCA and they would immediately stop the processing. LEXER stated that the first complaint made by the data subject was not considered as an exercise right since the data subject did not specify any of the rights in data protection laws. ABANCA attributed the failure to immediately address the data subject's request to an internal error at LEXER, which did not communicate the request for data suppression to ABANCA in a timely manner. AEPD highlighted that the controller must reply to the exercise of rights by the data subject within 30 days, exempt in cases which it cannot identify the data subject and it shall justify the reasons, as per Article 12(3) GDPR. AEPD stated that, with the documentation provided, the data subject exercised the right of deletion of his data and that LEXER did not forward the request to the ABANCA. In additional, ABANCA, after being aware of the request via the procedure at hand, denied the request claiming existing contractual relations in force, which included debts, thus justifying their refusal to erase the complainant's data. AEPD decided to formally notify ABANCA for the exercise of right by the data subject, without any further proceedings, since ABANCA later replied to the data subject.