Legal development

Breach by Telefónica by providing incomplete information to a request

By Cristina Grande

12 December 2024

Share Share
spiral background
Share

    In December 2023, a complaint was filed by D. A.A.A. against TELEFÓNICA DE ESPAÑA, S.A.U (Telefónica) to the Spanish Data Protection Agency (AEPD). The interested party requested access to all her personal data on October 2, 2023, including processing, reports, and call logs. After several information exchanges (including errors in the data processing request) and the extending the response deadline multiple times, on December 21, 2023, Telefónica only provided part of the requested information (name, surname, ID number, and address), without offering the rest of the data or an explanation for such incomplete information.

    The AEPD initiated an investigation, and found that Telefónica's response to the access request had violated Article 15 of the GDPR, which contains all three aspects that constitute the right of access to personal datal: (i) confirmation of the processing of the applicant's personal data; (ii) access to those data; and (iii) information about the processing.

    On March 22, 2024, the AEPD decided to uphold the claim and determined that Telefónica had violated article 15 of the GDPR because it had addresses incompletely the right of access that had requested the interested party. Telefónica did not provide all the requested information nor explained the reasons for its omission, thus failing to fulfil its obligation to respond completely and transparently. Additionally, the AEPD notes that the deletion of personal data must be carried out by blocking the data (pursuant to Article 32 of the LOPDGDD), which allows access to this data in case of liabilities arising from the processing. And under no circumstances must this deletion leave the exercised right of access unanswered.

    As a consequence, the AEPD ordered Telefónica to provide the interested party with a certification fully addressing her right of access within ten business days warning that failure to comply with this order could constitute a very serious infringement under Article 83.6 of the GDPR and Article 72.1.m) of Spanish Organic Law 3/2018 on Data Protection and Guarantee of Digital Rights (LOPDGDD), which could eventually lead to additional sanctions.

    Authors: Cristina Grande (Counsel)

    The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
    Readers should take legal advice before applying it to specific issues or transactions.

    Key Contacts