Euskaltel – Complaint Upheld (Spain, 2024)

See also: AEPD (Spain) - EXP202201673 A data subject requested access and the restriction of the processing specifically of his geolocation data regarding his telephone number with Euskaltel (“controller”). The controller refused to comply with the access request arguing that Law 25/2007, of October 18, 2007, on the Conservation of Data related to electronic communications and public communications networks (Ley 25/2007, de 18 de octubre, de Conservación de Datos relativos a las comunicaciones electrónicas) did not allow him to do so. The data subject then filed a complaint with the Spanish DPA (“AEPD”). The AEPD archived the proceedings. Following that the data subject appealed this decision with the Audencia Nacional (“AN”) who annulled the AEPD decision. On 5 January 2024, the AEPD issued a new decision in the proceedings, stating that the controller was in violation of Articles 15 and 18 GDPR. On 25 January 2024, the controller filed an internal appeal for reconsideration against this decision with the AEPD (recurso de reposición). claiming that (i) the initial decision required the controller to infringe the law, (ii) the controller does not process geolocation data. On 23 February 2024, the AEPD issued a decision on this matter. Firstly, the AEPD stated that the GDPR and Law 25/2007 are not contradictory rules, but complementary by their purpose or the balance sought between public safety and respect for individual rights. However, the AEPD also pointed out that Law 25/2007 establishes special rules in relation to the rights conferred by the GDPR, and is for these purposes a lex specialis. The AEPD maintained the same reasoning as in the appealed decision, by stating that Law 25/2007 does not establish that the right to access cannot be exercised. Furthermore, the AEPD added that this position does not depart from the AEPD’s precedents. Secondly, regarding the argument that the controller does not process geolocation data, the AEPD noted that on the one han