What can your company do if it receives a request for information from the AEPD?
Companies that process personal data, whether as Data Controller or as Data Processor, must be prepared and have the necessary means and tools to reply in due time and form to any requirement or request for information they may receive from the Spanish Data Protection Agency (AEPD).
The purpose of a requirement or request for information from the AEPD is none other than to gather enough information to verify whether there are sufficient indications to open a sanctioning procedure.
Why has your company received a request for information from the AEPD?
Requests for information or requirements from the AEPD are motivated by two fundamental reasons:
- That the AEPD has initiated an investigation ex officio because it understands that your company has failed to comply with any of the provisions of the regulations on privacy and data protection; or
- That the AEPD has received a complaint from a user in which he/she states that your company has acted contrary to the aforementioned regulations.
Once the company has received the request from the AEPD, what should it do?
In the written request, the AEPD sets out in detail the information or questions that the company must submit to it, for the purpose of identifying or delimiting the facts that motivated the request, identifying the persons who may be responsible and, in summary, verifying the circumstances of the specific case in order to decide whether or not to initiate a sanctioning proceeding.
Likewise, the AEPD will grant a specific term for the company to reply to the requirement, which must also be done in writing. As a general rule, this term is ten (10) working days.
In accordance with the above, the company must make the allegations it deems appropriate to demonstrate that it has acted in accordance with the applicable regulations, providing the necessary evidence (registration forms, clauses, privacy policies, etc.) to demonstrate that its actions have been adequate and that it complies with its data protection obligations.
What happens when the company replies to the requirement in a timely manner?
After submitting the response to the AEPD, two different scenarios may occur:
- The AEPD may archive the proceedings because it understands that the information provided is sufficient to justify that the company is not responsible for the facts on which the request is based; or
- The AEPD may proceed to open a sanctioning procedure in the event that it determines that the information provided by the company does not justify, in a reasonable manner, the absence of responsibility on its part.
In the event that a sanctioning proceeding goes ahead, the most common consequence for the company will be the payment of a financial fine.
Letslaw is an international law firm specialized in business law.