
AEPD Resolution: EXP202314369

Resolution Signed: 20/01/2026

AEPD Reference Number: EXP202314369

Sanction Procedure Number: PA-00028-2025 

Fine Amount: €0




AEPD Resolution: Travel Company's 13-Month Delay in Right of Access Response

Official Resolution Date: 20/01/2026
AEPD Reference Number: EXP202314369
IMI Reference: A56ID 565682
Sanction Procedure Number: PA-00028-2025

Fine Amount: €0 (Warning issued instead of financial penalty)


Full Description

The Incident: On 3rd September 2023, a German consumer (A.A.A.) received an unsolicited marketing email from Logitravel (TRAVELCONCEPT, S.L.U.), a Spanish travel company, advertising AIDA cruise packages. The email was sent in German to his email address, despite the consumer claiming he had never registered with the company or subscribed to their newsletter.

On the same day (3rd September 2023), the consumer exercised two separate rights under GDPR:

  1. He clicked the "unsubscribe" button to opt out of marketing communications
  2. He sent a formal email requesting access to his personal data under Article 15 GDPR, specifically asking for:
    • A copy of his personal data
    • Information about the origin/source of his data
    • The legal basis for processing his data, including email tracking

The Company's Initial Response: Eight days later (11th September 2023), Logitravel sent a brief response confirming only the unsubscription: "We hereby confirm your unsubscription as a customer and from our commercial mailing lists. Your personal data will be deleted in accordance with applicable legal provisions."

Critically, this response completely ignored the Article 15 access request. The company provided no information about the data they held, where it came from, or the legal basis for processing it.

The 13-Month Silence: From September 2023 through October 2024, Logitravel failed to provide any response to the access request. The consumer, frustrated by this non-compliance, filed a complaint with the German data protection authority (Lower Saxony) on 12th September 2023. Under the IMI system (Internal Market Information System) for cross-border GDPR enforcement, the complaint was transferred to the Spanish AEPD on 16th October 2023, as Logitravel's main establishment is in Spain.

What the Investigation Revealed: When the AEPD investigated, they discovered Logitravel had been holding the consumer's data since 5th October 2011 (nearly 12 years). The company's records showed:

  • Name and surname (A.A.A.)
  • Email address
  • Language preference (German)
  • The consumer had been receiving 1-2 marketing emails per week since at least August 2022

The investigation revealed the company had no record of how consent was originally obtained in 2011 because the "subscription log" was not retained. They could only provide a template from that era showing what the privacy notice might have looked like—referencing outdated Spanish legislation (LOPD 15/1999) that pre-dated GDPR.

The Company's Explanation: Logitravel finally responded to the access request on 28th October 2024—over 13 months late—and only after receiving a formal information request from the AEPD on 7th October 2024. In their response to both the consumer and the AEPD, they admitted:

"The lack of response was the result of a specific incident in the application of the internal procedure for processing requests to exercise data subject rights, as well as compliance with data protection guidelines that Logitravel employees must follow. Since the unsubscription from commercial newsletters resulted in the deletion of your personal data, in the absence of other active data processing operations, the staff who processed your request completed it without further detailing your exercised right of access."

In simpler terms: Their staff mistakenly believed that because the consumer had unsubscribed (triggering data deletion), there was no point responding to the access request. This revealed a fundamental misunderstanding of GDPR rights—the right of access exists regardless of whether data is subsequently deleted.

The Core Ruling: The AEPD determined that Logitravel violated Article 15 GDPR by failing to respond to a legitimate access request within the required timeframe. Under Article 12.3 GDPR, controllers must provide information "without undue delay and in any event within one month of receipt of the request." That deadline could be extended by two additional months for complex requests, but only if the data subject is informed of the extension within the first month.

In this case:

  • Request received: 3rd September 2023
  • Required deadline (maximum with extension): 3rd December 2023
  • Actual response: 28th October 2024
  • Delay: 10 months beyond the absolute legal deadline

Mitigating Circumstances: The AEPD acknowledged several factors that influenced their decision to issue a warning rather than a fine:

  1. Remedial Action: Once the issue was identified, Logitravel eventually provided comprehensive information to the data subject
  2. Procedural Improvements: The company implemented significant corrective measures:
    • Updated their internal procedure for handling rights requests
    • Issued circulars to all staff reminding them of proper protocols
    • Designated specific departments responsible for rights management
    • Implemented training for department heads on complaint resolution
    • Updated onboarding training for all new employees
    • Established verification controls (staff interviews) to ensure understanding
  3. No Deliberate Intent: The AEPD accepted that the failure resulted from staff misunderstanding rather than deliberate obstruction
  4. Company Cooperation: Logitravel admitted the facts, accepted responsibility, and cooperated fully with the investigation

Cross-Border Element: This case demonstrates the IMI cooperation mechanism in action. A German resident complained to a German authority about a Spanish company. The German authority (Lower Saxony) transferred the case to Spain under Article 56 GDPR. The AEPD shared its draft decision with the German authority, which had four weeks to raise objections. No objections were raised, so the AEPD proceeded with its warning decision.


Articles Infringed

Article 15 GDPR (Right of Access): Logitravel failed to provide the data subject with access to his personal data and related information within the timeframes established by Article 12.3 GDPR. The 13-month delay (10 months beyond the absolute maximum deadline) constituted a clear violation of the data subject's fundamental right to access his information.

Classification: Very serious infringement under Article 83.5(b) GDPR and Article 72.1(k) LOPDGDD (repeated failure to comply with data subject rights requests), with a three-year prescription period.


Actionable Steps

Based on Resolution EXP202314369, businesses must implement the following protocol for handling data subject access requests:

1. Separate Request Types—Never Conflate Different Rights

The critical error in this case was treating an unsubscribe request and an access request as a single action.

Action:

  • Train staff to recognise that Article 15 (access), Article 17 (erasure), Article 18 (restriction), Article 20 (portability), and Article 21 (objection) are distinct legal rights with different obligations
  • If a data subject submits multiple requests simultaneously (e.g., "unsubscribe me AND tell me what data you hold"), create separate internal tickets/workflows for each request
  • Completing one action (like unsubscribing someone) does NOT satisfy other pending requests

Legal Principle: Each GDPR right operates independently. Processing one request does not discharge your obligation to process others.

2. The One-Month Deadline is Non-Negotiable

Article 12.3 GDPR establishes strict timing requirements that apply to ALL controller responses.

Protocol:

  • Day 1: Acknowledge receipt of the request (not legally required but best practice)
  • Within 30 days: Provide the requested information OR notify the data subject of a two-month extension with reasons
  • Maximum deadline (with extension): 90 days from receipt

Critical Rule: You cannot extend beyond one month without first notifying the data subject within that first month. In this case, 13 months is indefensible.

Set up automated calendar reminders:

  • Day 7: Initial assessment completed
  • Day 14: Data collection in progress
  • Day 21: Prepare response or extension notice
  • Day 28: Final review before deadline

3. "Data Will Be Deleted" is Not a Response to Access Requests

The company's 11th September email was legally worthless as an Article 15 response.

What Article 15 Requires: Even if you're deleting someone's data, before deletion you must still provide:

  • Confirmation of what data you hold/held
  • The purposes of processing
  • Categories of data
  • Recipients or categories of recipients
  • Retention periods or criteria
  • Rights (rectification, erasure, restriction, objection, complaint)
  • Source of the data (especially if not obtained directly from the data subject)
  • Information about automated decision-making or profiling

Correct Response Template: "We confirm your unsubscription from marketing. Regarding your access request under Article 15 GDPR: We held the following data: [list]. This data was collected on [date] from [source]. Processing was based on [legal basis]. This data has now been deleted following your unsubscription. If you require any further information, please contact [DPO details]."

4. Document Retention for Consent/Legal Basis

Logitravel's inability to prove how they obtained consent in 2011 significantly weakened their position.

Requirement: Under Article 7.1 GDPR, if you rely on consent, "the controller shall be able to demonstrate that the data subject has consented to processing of their personal data."

Action:

  • Maintain subscription logs showing when, where, and how consent was obtained
  • Keep copies of the exact privacy notices/terms shown to users at registration
  • Timestamp all consent records
  • Minimum retention: Keep consent records for as long as you process the data PLUS the applicable prescription period (in Spain, 3 years for very serious infringements)

If you cannot prove lawful basis: You should not be processing the data. Period.

5. Establish Clear Escalation Procedures

The company admitted their front-line staff "did not correctly apply the procedure."

Required Infrastructure:

  • Front-line Training: All customer service staff must be able to recognise a GDPR rights request (even if phrased informally like "what data do you have on me?")
  • Immediate Escalation: Front-line staff should forward ALL rights requests to a designated DPO or privacy team within 24 hours—they should NOT attempt to handle these themselves
  • Dedicated Email: Maintain a dedicated email address for privacy requests (e.g., privacy@company.com or dpo@company.com)
  • Tracking System: Use a ticketing system that prevents rights requests from being closed until all components are addressed

6. Cross-Border Data Processing Requires Extra Diligence

This German-language marketing to a German resident triggered cross-border enforcement.

Key Insight: If you market to consumers across the EU:

  • You're subject to the "one-stop-shop" mechanism (Articles 56-60 GDPR)
  • Your lead supervisory authority (where your main establishment is) coordinates with authorities where consumers reside
  • Complaints can originate anywhere in the EU but will be transferred to your lead authority
  • All responses must be in the data subject's language if you marketed to them in that language

7. Implement the "Three Lines of Defence" Model

First Line: Front-line staff who can identify rights requests
Second Line: Privacy/DPO team who process requests
Third Line: Internal audit/compliance who verify the process works

Verification Controls (as Logitravel now does):

  • Quarterly sampling of closed rights request tickets
  • Staff interviews to test understanding
  • Mystery shopper exercises (internal staff submit test requests)
  • Annual review of request handling times

8. The "Deletion" Exception Doesn't Apply Here

Some controllers mistakenly believe: "If we've deleted the data, we don't need to respond."

This is wrong. Even if data is deleted:

  • You must still confirm what was held before deletion
  • You must still explain the source, purposes, and legal basis
  • You must still respond within the deadline

Only Exception: If you genuinely hold no data and never have held data about that individual, you can provide a "nil response" confirming this fact.

9. Corrective Measures Must Be Verified

The AEPD looked favourably on Logitravel's remedial actions because they were comprehensive and verifiable.

If You Receive a Complaint:

  • Don't just apologise—implement systemic fixes
  • Document all changes (updated procedures, training records, staff confirmations)
  • Set measurable objectives (e.g., "100% of rights requests will receive initial response within 7 days")
  • Conduct follow-up verification (e.g., staff testing, process audits)

Evidence That Helps:

  • Dated procedure updates
  • Training attendance records
  • Follow-up quiz results showing staff understanding
  • Tracking data showing improved response times

10. Warning vs. Fine—Understanding the AEPD's Decision

Despite the serious violation (10+ month delay), the AEPD issued only a warning. They considered:

  • Lack of deliberate intent
  • Eventual full compliance
  • Comprehensive corrective measures
  • No pattern of repeated violations
  • Full cooperation with investigation

Lesson: Early cooperation, genuine remediation, and transparency can significantly reduce penalties. However, this is not guaranteed—the AEPD could have imposed a fine up to €20 million or 4% of global turnover.

Summary of Business Risk

This resolution demonstrates that data subject access requests require the same urgency as customer complaints or legal notices. The 13-month delay, whilst ultimately resolved with only a warning, exposed Logitravel to:

Actual Consequences:

  • Formal AEPD investigation
  • Administrative burden of detailed responses
  • Cross-border enforcement scrutiny
  • Public resolution (reputational damage)
  • Requirement to implement costly systemic improvements

Potential Consequences (Avoided):

  • Financial penalty up to €20 million or 4% of global annual turnover
  • Potential class actions from other affected individuals
  • Mandatory data processing audits
  • Ongoing AEPD monitoring

Key Risks for All Businesses:

  • Front-line staff cannot distinguish between different GDPR rights
  • Automated unsubscribe processes may mask access requests
  • "Data deleted" is not a substitute for proper access response
  • Cross-border marketing triggers multi-jurisdictional enforcement
  • Inability to prove a lawful basis for processing (especially for old data)

Critical Takeaway: Implement a dedicated, well-trained privacy team with clear escalation procedures. Never allow customer service staff to close data subject rights requests without specialist review. The one-month deadline is absolute—missing it by over a year, even accidentally, can trigger regulatory action.

 

Link to Official AEPD PDF

Legal Disclaimer

Informational Purposes Only: The content provided by ANRO DIGITAL SOLUTIONS S.L.U. (including resolution summaries, infographics, and case analyses) is for educational and informational purposes only.

No Legal Advice: This information does not constitute legal advice, a formal legal opinion, or a substitute for professional legal counsel. The interpretation of data protection laws (including the GDPR, LOPDGDD, and AEPD resolutions) is subject to change and can vary based on specific facts and circumstances.

No Liability: ANRO DIGITAL SOLUTIONS S.L.U. assumes no responsibility or liability for any actions taken, or not taken, based on the information provided on this website. While we strive for accuracy, we make no guarantees regarding the completeness or timeliness of the information.

Consult a Professional: Data protection compliance is a complex legal requirement. You should not act upon this information without seeking advice from a qualified Data Protection Officer (DPO) or a specialist data protection lawyer licensed to practice in your jurisdiction.

Third-Party Links: Links to official AEPD documents are provided for convenience. We are not responsible for the content or availability of these external government portals.

This summary is for informational purposes only. For more information, see our Legal Notice.
