The Incident (The Loan History Denial): A consumer who had taken out multiple microloans from Soluciones Digitales CRX S.L. (operating under the brand "Dispon") contacted the lender on 20 May 2025 requesting access to their complete loan history, including all contracts, amounts borrowed, payments made, and details of any extensions or rollovers. This is a common request from borrowers who want to verify their outstanding debt, check for errors, or prepare for debt settlement negotiations.
The Company's Response (The "Check Your Email" Brush-Off): Instead of providing the requested loan history, the company sent two dismissive responses. The first email (21 May 2025) simply stated the current outstanding debt amount and provided bank account details for payment, completely ignoring the data access request. When the customer reiterated their request for historical loan data, the company replied: "All the information is in your email. We are waiting to receive your next payment this week as you agreed." The company refused to provide any itemised history of loans, payments, or contract details.
The Company's Legal Defence (The "Not Personal Data" Argument): When the AEPD requested an explanation, Soluciones Digitales CRX argued that the customer's request for "a history of loans" was a request for "commercial records," not "personal data," and therefore did not fall under GDPR's right of access. They claimed the customer was asking for mercantile information rather than exercising a data protection right, and insisted that because the customer had access to their email account (where past communications had been sent), they had already received all necessary information.
The Core Ruling (Full Enforcement): The AEPD categorically rejected the company's arguments and ruled that loan histories, payment records, and contract details are unequivocally personal data under Article 4(1) GDPR because they directly concern the customer's economic and financial identity. The AEPD cited European Court of Justice precedent (STJUE Rijkeboer) and the European Data Protection Board's Guidelines 1/2022, emphasising that citizens do not need to use technical legal language or cite specific GDPR articles when exercising their rights—it is sufficient to ask for "information that concerns them." The AEPD ordered the company to provide the complete loan history within 10 business days or face very serious sanctions under Article 72.1(m) LOPDGDD for non-compliance with a regulatory order.
Based on Resolution EXP202511016, here is the compliance protocol for financial services, lenders, and any business holding customer transaction histories:
Soluciones Digitales CRX's fundamental error was claiming loan histories are "commercial records" rather than personal data.
Legal Reality: Under Article 4(1) GDPR, personal data includes "any information relating to an identified or identifiable natural person," explicitly including data concerning a person's "economic" identity. Loan amounts, payment dates, interest charges, and contract terms are all personal data because they directly identify the customer's financial relationship with your company.
Action: Train staff to recognise that any information in a customer file—contracts, invoices, payment histories, account statements, transaction logs, debt balances—is personal data subject to GDPR access rights.
The AEPD emphasised that data subjects do not need to cite "Article 15 GDPR" or use technical terminology.
Protocol: Treat the following phrases as valid access requests:
Action: Create a customer service training module explaining that any request for "information about me" triggers GDPR access obligations, regardless of wording.
The company's claim that "all the information is in your email" does not satisfy GDPR access requirements.
Legal Standard: Article 15 GDPR requires data controllers to provide a structured, organised, and intelligible copy of personal data. Simply telling someone to search through years of past emails does not meet this standard.
Action: When a customer requests access to their data, compile it into a single document (PDF, Excel spreadsheet, or secure portal download) with clear headings and chronological organisation. For financial services, this should include:
The company failed to respond substantively within the one-month period required by Article 12.3 GDPR.
Protocol: Implement a ticketing system for data subject rights requests with automatic escalation alerts at:
Action: Even if you need additional time (permitted if the request is complex), you must notify the customer within 30 days that you are extending the deadline by up to two additional months, explaining why the extension is necessary.
The company's responses focused exclusively on payment demands ("We are waiting to receive your next payment") whilst ignoring the access request.
Critical Rule: Debt collection activities and GDPR compliance are separate legal obligations. You cannot condition access to personal data on payment of outstanding debts, nor can you use data access requests as an opportunity to pressure customers into paying.
Action: Separate your debt recovery and data protection functions. When a customer in arrears submits a GDPR request, the data protection team handles the request independently of the collections department's activities.
Some companies provide self-service portals where customers can download their data. This can satisfy Article 15, but only if the portal is comprehensive and user-friendly.
Requirements: Under Article 13.2 LOPDGDD, remote access systems satisfy the right of access only if:
Action: If you offer a customer portal, respond to access requests by directing customers to the portal and providing login instructions, a step-by-step guide, and customer support contact details. If the portal does not contain the specific data requested, you must supplement it with additional documentation.
For lenders, banks, credit providers, and financial services companies, common access requests include:
Must Provide:
Action: Create a standardised "Financial Data Access Report" template that compiles all this information automatically from your loan management system.
Unlike archive resolutions, this is an enforcement order requiring compliance within 10 business days. The AEPD explicitly warned that non-compliance could result in sanctions under Article 72.1(m) LOPDGDD for "very serious infractions."
Risk: Ignoring an AEPD enforcement order can result in fines up to €20 million or 4% of global annual turnover (Article 83.5 GDPR), with aggravating factors for deliberate non-compliance.
Action: If you receive an AEPD enforcement order, treat it as a legal emergency. Assign immediate priority to compliance and notify the AEPD of completion within the specified timeframe.
The AEPD cited the EDPB's Guidelines 1/2022 extensively, particularly the principle that data controllers must not interpret access requests "too restrictively."
Best Practice: Download and review the EDPB Guidelines 1/2022 on the Right of Access. These guidelines represent the authoritative interpretation of Article 15 across all EU member states and provide detailed examples of valid and invalid responses to access requests.
Every financial services company should have a documented procedure for handling data access requests.
Template Protocol:
This enforcement order establishes that loan histories, payment records, and financial contract details are unequivocally personal data subject to GDPR access rights. Financial services companies cannot dismiss access requests as "commercial inquiries" or claim that scattered email communications satisfy Article 15 requirements. The AEPD's 10-day compliance deadline and explicit warning of "very serious sanctions" for non-compliance signal zero tolerance for lenders who obstruct customer data rights, particularly in debt collection contexts where power imbalances are acute.
Informational Purposes Only: The content provided by ANRO DIGITAL SOLUTIONS S.L.U. (including resolution summaries, infographics, and case analyses) is for educational and informational purposes only.
No Legal Advice: This information does not constitute legal advice, a formal legal opinion, or a substitute for professional legal counsel. The interpretation of data protection laws (including the GDPR, LOPDGDD, and AEPD resolutions) is subject to change and can vary based on specific facts and circumstances.
No Liability: ANRO DIGITAL SOLUTIONS S.L.U. assumes no responsibility or liability for any actions taken, or not taken, based on the information provided on this website. While we strive for accuracy, we make no guarantees regarding the completeness or timeliness of the information.
Consult a Professional: Data protection compliance is a complex legal requirement. You should not act upon this information without seeking advice from a qualified Data Protection Officer (DPO) or a specialist data protection lawyer licensed to practice in your jurisdiction.
Third-Party Links: Links to official AEPD documents are provided for convenience. We are not responsible for the content or availability of these external government portals.
This summary is for informational purposes only. For more information, please consult our Aviso Legal.