The Incident (The "Format War"): A civil servant (A.A.A.) launched a massive campaign of 44 requests against the Spanish Tax Agency (AEAT). He demanded 25 years' worth of data regarding his official vehicle usage, remote connection logs, holiday records, and overtime pay. Crucially, he demanded the data be delivered in physical paper, signed PDFs with CSV (Secure Verification Codes), and Excel files with SHA-1 Hash digital fingerprints to ensure "probatory value."
The Institutional Response: The AEAT responded via two channels:
Transparency Law: They denied several requests, stating they were personal in nature and not "public information."
GDPR Right of Access: They "estimated" (that is, upheld) the request but didn't send the files in the specific formats requested. Instead, they told the employee: "You can see all this data yourself by logging into the employee intranet (MIRAte and GEMMA systems)."
The Conflict: The claimant argued that providing a "path" to an intranet isn't a valid response and that the lack of signed, hashed files was an "administrative trick" to deny him legal evidence. He also challenged a time extension (prórroga) the AEAT filed, claiming it was issued late and by an unauthorised official.
The Core Ruling: The AEPD ruled on two major fronts:
The Substantive Right: The Agency sided with the AEAT. Under Article 13.2 LOPDGDD, the Right of Access is considered satisfied if the company provides a remote, direct, and secure system (like a portal or intranet) where the user can view their data. The law does not give the user the right to demand specific file formats (Hash, CSV, Paper) as long as the access is effective.
The Procedural Error: The AEPD ruled against the AEAT regarding the extension. The AEAT notified the one-month extension nearly two and a half months after the request. This is a formal violation of Article 12.3 GDPR.
Based on Resolution EXP202509766, here is the protocol for handling high-volume or "picky" data requests:
You do not have to manually export files if you already have a secure user area.
Action: If a user requests their data, your official response can simply be: "Your data is available for download at [URL] within your secure profile."
Legal Shield: Cite Article 13.2 LOPDGDD. This satisfies the law and saves your HR/IT departments hundreds of hours.
Users cannot force you to act as their personal data analyst or forensic expert.
Action: If a user demands specific digital signatures (Hash), CSVs, or physical mail, you are legally entitled to refuse as long as the data itself is accessible. You provide the information, not "legal evidence" tailored to their liking.
The AEAT lost on a technicality because they were slow.
Protocol: If a request is complex (e.g., 25 years of data), you must notify the user of a 2-month extension within the first 30 days. If you notify them on day 31, the extension is legally void.
The AEPD noted the claimant’s 44 requests.
Action: If a user asks for the same data they requested 3 months ago, you can charge a "reasonable fee" based on administrative costs or refuse to act. Article 12.5 GDPR protects you from "manifestly unfounded or excessive" requests.
For businesses with employees in Spain:
Verification: Ensure your employee portal (Intranet) is functional. If an employee sues for "Right of Access," your best defense is proving they had a login to a portal where that data (pay slips, hours, etc.) was always available.
Summary of Business Risk: While the AEAT escaped a fine because it is a public body, a private company could be fined for the procedural delay (Article 12.3). However, this ruling is a massive win for businesses, confirming that users cannot dictate the technical format of data delivery.
Informational Purposes Only: The content provided by ANRO DIGITAL SOLUTIONS S.L.U. (including resolution summaries, infographics, and case analyses) is for educational and informational purposes only.