The Incident: Following a notification of a security breach at a third-party provider on 3 March 2025, a customer exercised their Right of Access to verify the integrity of their data. El Corte Inglés failed to respond within the statutory one-month period.
The Conflict: The entity gave notice of a two-month extension on 18 July (well past the deadline) and finally responded on 8 August. Their primary argument was that the customer had requested the deletion of their data six months prior, so they purportedly "had no data to show" other than the name and email used for the request.
The AEPD Ruling: The Agency dismantled the entity's defence based on two key pieces of evidence:
"Zombie" Data: The claimant proved they received marketing emails on a secondary account on 5 July, demonstrating that the deletion was neither effective nor complete.
Confusion between Erasure and Blocking: The AEPD reiterated that Article 32 of the LOPDGDD mandates data blocking, not immediate physical deletion. Blocked data must be available to authorities, but also to satisfy access rights if the user needs to verify what historical information is held, particularly after a security incident.
To ensure your business avoids the errors made by this major corporation, implement these three protocols immediately:
The 30-Day Rule is Sacred: Never give notice of an extension on day 31. If you have not collated the information by day 25, automatically send the notification extending the deadline. Sending it late renders the extension legally void.
Understand "Blocking" vs "Erasure": If a user requests access to "deleted" data, do not reply "we have nothing". The correct response is: "Your data is legally blocked for liability purposes. We retain [List of Data] under reinforced security measures with no active processing."
Marketing Audit: If Legal marks a contact as "Deleted/Blocked", ensure your Marketing CRM actually excludes them. A single promotional email sent in error (as occurred in this case) serves as irrefutable proof to the AEPD that active data processing is continuing.
Informational Purposes Only: The content provided by ANRO DIGITAL SOLUTIONS S.L.U. (including resolution summaries, infographics, and case analyses) is for educational and informational purposes only.
No Legal Advice: This information does not constitute legal advice, a formal legal opinion, or a substitute for professional legal counsel. The interpretation of data protection laws (including the GDPR, LOPDGDD, and AEPD resolutions) is subject to change and can vary based on specific facts and circumstances.
No Liability: ANRO DIGITAL SOLUTIONS S.L.U. assumes no responsibility or liability for any actions taken, or not taken, based on the information provided on this website. While we strive for accuracy, we make no guarantees regarding the completeness or timeliness of the information.
Consult a Professional: Data protection compliance is a complex legal requirement. You should not act upon this information without seeking advice from a qualified Data Protection Officer (DPO) or a specialist data protection lawyer licensed to practice in your jurisdiction.
Third-Party Links: Links to official AEPD documents are provided for convenience. We are not responsible for the content or availability of these external government portals.
This summary is for informational purposes only. For more information, see our Legal Notice.