
AEPD Resolution: EXP202511622

Resolution Signed: 24/01/2026

AEPD Reference Number: EXP202511622

Sanction Procedure Number: PD-00315-2025 

Fine Amount: €0

Full Description

On 17th June 2025, a tourist (A.A.A.) filed a complaint with the Spanish Data Protection Agency against Soluciones Espuña, S.L., a company operating holiday rental apartments. The complainant alleged that the company had completely ignored his requests to exercise his GDPR rights of access and erasure (deletion) of his personal data.

The Booking and Initial Contact: The complainant had booked an apartment through a third-party booking platform (identified in the documentation as ***EMPRESA.1, likely a platform like Booking.com or Airbnb). Throughout the booking process, he was never informed about:

  • The identity of the data controller responsible for processing his personal data
  • How his booking-related data would be processed
  • His rights under GDPR
  • How to contact the company's data protection officer or representative

Only after his stay, when he received the invoice for the accommodation, did the complainant discover Soluciones Espuña, S.L.'s identity as the responsible party. The invoice included a contact email address.

The Ignored Requests—A Timeline of Silence:

12th January 2025: The complainant sent an initial email asking for confirmation of the data controller's identity and contact details. No response received.

8th March 2025: The complainant sent a second email requesting the contact details for the company's data protection representative. No response received.

18th March 2025: Frustrated by the ongoing silence, the complainant formally exercised his GDPR rights, sending an email to the same address requesting:

  1. Access to all personal data the company held about him (Article 15 RGPD)
  2. Erasure (deletion) of his personal data (Article 17 RGPD)

No response received before the complaint was filed on 17th June 2025—three months after the rights request.

The Evidence: The complainant provided comprehensive documentation:

  • Copy of the invoice identifying Soluciones Espuña, S.L.
  • Copies of all emails sent to the company
  • Evidence of the formal rights exercise request dated 18th March 2025

The AEPD's Investigation: Following standard procedure, on 29th July 2025, the AEPD transferred the complaint to Soluciones Espuña, S.L., requesting an explanation. The company finally responded on 11th September 2025—over five months after the original rights request.

The Company's Bizarre Defence: Soluciones Espuña, S.L. offered an extraordinary explanation for their months-long silence. They claimed they couldn't identify the complainant because:

1. Suspicious Email Address

The complainant had sent emails from an account with the sender name "B.B.B." using the email address ***EMAIL.2. The company argued:

  • The sender name "B.B.B." appeared to be a pseudonym
  • The email address didn't correspond to the complainant's "real name" (A.A.A.)
  • The email was received in a busy inbox that receives many communications
  • The complainant didn't explicitly state his name in the email body
  • Therefore, staff considered the emails "suspicious spam or unwanted mail"
  • Consequently, staff "could not correctly identify that the interested party had exercised their right of access and deletion"

The AEPD's Implicit Rejection: Whilst the AEPD's resolution doesn't explicitly ridicule this defence, the fact that they upheld the complaint and ordered compliance speaks volumes. The company's argument essentially claimed they couldn't connect:

  • An email about a booking
  • Received at their customer service address
  • Containing specific details about a stay
  • With an actual customer in their database

This suggests either catastrophic incompetence or deliberate obstruction.

2. The Partial Response

On 11th September 2025 (the same day they responded to the AEPD's information request), the company finally sent the complainant a response addressing his access request. They provided information about what data they held, including:

Data Categories Held:

  • Personal identification data collected during booking
  • Copy of the complainant's national identity document (DNI)
  • Data communicated to the National Police (Ministry of Interior) as required by Spanish hospitality law
  • Booking details and stay information

Processing Details:

  • The complainant had booked through a third-party platform, so Soluciones Espuña, S.L. never processed his banking data
  • They used a third-party online check-in platform to collect guest information
  • The DNI copy was requested through an online check-in system (voluntary—guests could alternatively do in-person check-in showing the document without submitting a copy)
  • All data processing occurred on EU-based servers
  • Security measures included encryption, secure connections, daily backups, and user profiles
  • No optical character recognition (OCR) or similar technology was used on documents
  • The company had stopped requesting DNI copies from 13th January 2025 (after becoming aware of complaints about this practice at various hospitality businesses)

3. Critical Omission—The Erasure Request

Despite the complainant having clearly requested both access AND erasure, the company's 11th September response completely ignored the deletion request. The response addressed only the access right, providing information about data held, but said nothing about whether that data would be deleted as requested.

The AEPD's Hearing Procedure: On 21st October 2025, the AEPD granted Soluciones Espuña, S.L. a formal hearing, giving them 10 working days to submit allegations. The company reiterated their previous explanations and added:

Current Status Claims:

  • DNI copies of all clients (not just the complainant) had been securely deleted from their systems and their third-party provider's systems
  • All other customer data was "blocked" for legal compliance purposes
  • The complainant's data had never been affected by any security breaches
  • Appropriate security measures based on risk analysis were implemented

The Legal Analysis:

Articles 12, 15, and 17 RGPD Requirements:

Under GDPR, data controllers must:

  1. Respond within one month (Article 12.3)—extendable by two additional months for complex requests, but only if the data subject is notified of the extension within the first month
  2. Provide access when requested (Article 15)—confirming whether data is processed and providing a copy plus specified information
  3. Delete data when requested (Article 17)—if one of the specified conditions applies

The One-Month Deadline:

  • Rights request: 18th March 2025
  • Legal deadline: 18th April 2025 (or 18th June 2025 if extension properly notified)
  • Actual access response: 11th September 2025 (nearly 6 months late)
  • Erasure response: Never provided

The Identification Excuse:

The company's claim that they couldn't identify the complainant contradicts basic operational competence:

  • The complainant referenced a specific booking
  • He received an invoice from the company (proving they could identify him for billing)
  • His emails contained details that would match their reservation database
  • Even if sender name and email address were unusual, the content of the messages clearly related to a real customer

GDPR explicitly contemplates identification issues: Article 12.6 states "Without prejudice to Article 11, where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject."

Proper Response: If genuinely uncertain about identity, the company should have responded: "We received your request but need to verify your identity. Please provide [specific information: booking reference, date of stay, payment confirmation, etc.] to proceed."

Instead, they simply ignored the emails for months—which is not a permissible response under GDPR.

The Erasure Obligation:

Article 17 RGPD establishes specific conditions under which data must be deleted:

  • Data no longer necessary for original purposes (Article 17.1.a)
  • Consent withdrawn and no other legal basis exists (Article 17.1.b)
  • Data subject objects and no overriding legitimate grounds exist (Article 17.1.c)
  • Data processed unlawfully (Article 17.1.d)
  • Legal obligation requires deletion (Article 17.1.e)
  • Data collected for information society services offered to children (Article 17.1.f)

Exemptions (Article 17.3) include:

  • Legal compliance obligations
  • Public interest tasks
  • Legal claims establishment, exercise, or defence

In This Case: The company claimed they'd "blocked" the data for legal compliance. But they never communicated this to the complainant. Article 17 requires the controller to either:

  • Delete the data if conditions apply, OR
  • Explain why deletion is refused with specific legal justification

Silence is not an option.

The AEPD's Ruling:

On the Access Right: The AEPD ruled that the company had violated Article 15 RGPD by failing to respond within the legal timeframe. However, because the company eventually provided the access information (albeit months late), the AEPD determined that no new certification was required—the belated response satisfied the access request substantively, even though the timing violation was confirmed.

Result: Formal upholding of complaint on procedural grounds, but no further action required since substantive response was eventually provided.

On the Erasure Right: The AEPD ruled that the company had violated Article 17 RGPD by completely failing to address the deletion request. The company never explained whether they would delete the data or why they were refusing to do so.

Result: Company ordered to provide a proper response within 10 working days of notification, either:

  • Confirming data deletion, OR
  • Explaining with motivated legal reasons why the request is refused

The Enforcement Mechanism:

The AEPD warned that failure to comply with this resolution could constitute a further infringement under Article 83.6 RGPD (failure to comply with supervisory authority orders), classified as very serious under Article 72.1(m) LOPDGDD, punishable under Article 58.2 RGPD with potential fines up to €20 million or 4% of global annual turnover.

This warning transforms the resolution from a mere finding of violation into an enforceable order with significant financial consequences for continued non-compliance.

Articles Infringed

Article 15 RGPD (Right of Access): Soluciones Espuña, S.L. violated the data subject's right of access by failing to respond to his request within the one-month period established by Article 12.3 RGPD. The company eventually provided access information on 11th September 2025, approximately six months after the 18th March 2025 request, far exceeding the maximum permissible delay even with a properly notified extension.

Result: Formal upholding of the claim on procedural grounds, though no further action was required since a substantive response was eventually provided (albeit improperly delayed).

Article 17 RGPD (Right to Erasure): Soluciones Espuña, S.L. violated the data subject's right to erasure by completely failing to respond to his deletion request. Despite the complainant clearly requesting both access AND erasure in his 18th March 2025 email, the company's belated September response addressed only the access component and gave no explanation regarding deletion: it neither confirmed that deletion would occur nor provided legal justification for refusal.

Result: Company ordered to provide a proper response within 10 working days, either confirming deletion or providing motivated legal reasons for refusal. Failure to comply may result in Article 83.6 RGPD violations (non-compliance with supervisory authority orders) carrying potential fines up to €20 million or 4% of global turnover.

Classification: Both constitute very serious infringements under Articles 83.5(b) and 72.1(k) LOPDGDD, with three-year prescription periods.

Actionable Steps

Based on Resolution EXP202511622, businesses (particularly those in hospitality and e-commerce sectors) must implement the following protocol:

1. Never Ignore Emails Based on Sender Name Assumptions

The company's defence that "B.B.B." seemed like a pseudonym so they ignored the emails is professionally and legally indefensible.

Action:

  • Train customer service staff to read email content, not just sender names
  • Implement systems that flag keywords like "GDPR," "data protection," "access request," "delete my data," "erasure," "privacy" regardless of sender identity
  • Create dedicated email addresses for rights requests (e.g., privacy@company.com, dpo@company.com, datarights@company.com)
  • Route all potential rights requests to a specialist team, not general customer service

Critical Rule: If an email references a booking, stay, purchase, or service you provided, you must respond—regardless of whether the sender name matches your database exactly.

2. Establish Identity Verification Procedures (Don't Just Ignore Uncertain Requests)

Article 12.6 RGPD explicitly addresses identity verification concerns.

Proper Protocol When Identity is Uncertain:

  1. Acknowledge receipt immediately: "We received your request dated [date]"
  2. Request specific verification: "To process your request, please provide: [booking reference, stay dates, payment method last 4 digits, etc.]"
  3. Set reasonable deadline: "Please provide this information within 7 days"
  4. Explain why verification is needed: "This ensures we access the correct customer record and protect all customers' privacy"

What NOT to Do (as in this case):

  • Ignore the request entirely
  • Assume it's spam without investigation
  • Wait months before responding
  • Claim inability to identify the person without having asked for clarification

Best Practice: Implement a ticketing system that assigns unique reference numbers to all rights requests, confirming receipt and providing tracking.

3. Address EVERY Right Requested, Not Just the Easy Ones

The company responded to the access request but completely ignored the erasure request.

Why This Happens:

  • Access requests are straightforward (export data, send to requestor)
  • Erasure requests require legal analysis (do we have grounds to refuse?)
  • Companies avoid difficult decisions by pretending they didn't see them

Mandatory Approach:

  • Create checklist of all rights mentioned in each request
  • Assign separate tracking for each right within a multi-right request
  • Ensure final response explicitly addresses every right requested
  • If refusing a right, provide detailed legal justification

Template Response Structure: "Dear [Name],

Regarding your request dated [date]:

Access Request: [Provide data copy and Article 15 information]

Erasure Request: [Either confirm deletion with timeline, OR explain legal basis for retention citing specific Article 17.3 exemption]

If you have questions about any aspect of this response, please contact [details]."

4. Understand the One-Month Deadline is Strict

Article 12.3 RGPD allows one month from receipt, extendable by two additional months only if:

  1. The request is complex or numerous requests are pending, AND
  2. The data subject is informed of the extension within the first month, AND
  3. The reasons for the delay are explained

In This Case:

  • Request: 18th March 2025
  • No extension notification sent
  • Response: 11th September 2025 (nearly 6 months late)
  • This is indefensible

Implementation:

  • Set automated calendar reminders: Day 7 (initial assessment), Day 14 (data gathering), Day 21 (draft response), Day 25 (final review and send)
  • If unable to respond within one month, send extension notice by Day 28 explaining specific reasons
  • Track all requests in a rights management system with automated deadline monitoring
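As an added illustration (not code from the resolution, the company or this site), the following Python tracker ties together steps 1, 3 and 4 above: it routes on message content rather than sender name, records every right invoked, computes the Article 12.3 deadline with the extension rule, and produces the reminder schedule. The email text and all function and class names are constructed for the example; the dates are the case's own.

```python
from __future__ import annotations
import calendar
from dataclasses import dataclass, field
from datetime import date, timedelta

# Routing is driven by message content only; the sender name is never consulted.
RIGHT_KEYWORDS = {
    "access": ("access", "copy of my data", "article 15"),
    "erasure": ("erasure", "delete", "deletion", "article 17"),
}
REMINDER_DAYS = (7, 14, 21, 25)  # the reminder schedule suggested above
EXTENSION_NOTICE_DAY = 28        # last day to send an Article 12.3 extension notice


def add_months(d: date, months: int) -> date:
    """Calendar-month addition, clamped to the last day of the target month."""
    month_index = d.month - 1 + months
    year, month = d.year + month_index // 12, month_index % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def detect_rights(body: str) -> set[str]:
    text = body.lower()
    return {r for r, words in RIGHT_KEYWORDS.items() if any(w in text for w in words)}


@dataclass
class RightsRequest:
    received: date
    rights: set[str]
    extension_notified: date | None = None
    responses: dict[str, date] = field(default_factory=dict)

    def deadline(self) -> date:
        base = add_months(self.received, 1)        # Article 12.3: one month
        if self.extension_notified and self.extension_notified <= base:
            return add_months(self.received, 3)    # +2 months, notice sent in time
        return base                                 # no (or late) notice: no extension

    def schedule(self) -> list[str]:
        days = REMINDER_DAYS + (EXTENSION_NOTICE_DAY,)
        return [(self.received + timedelta(days=n)).isoformat() for n in days]

    def report(self, today_iso: str) -> dict[str, str]:
        """One status per right invoked, so no right can be silently dropped."""
        today, due = date.fromisoformat(today_iso), self.deadline()
        out = {}
        for right in sorted(self.rights):
            answered = self.responses.get(right)
            if answered is None:
                out[right] = "overdue" if today > due else "pending"
            else:
                out[right] = "on time" if answered <= due else "late"
        return out


def build_request(received_iso: str, body: str, extension_iso: str | None = None) -> RightsRequest:
    ext = date.fromisoformat(extension_iso) if extension_iso else None
    return RightsRequest(date.fromisoformat(received_iso), detect_rights(body), ext)


# Constructed email modelled on the case: unfamiliar sender ("B.B.B."), specific content.
BODY = ("Regarding my stay booked through the platform: please grant me access to all "
        "personal data you hold about me (Article 15) and proceed to the erasure of my "
        "personal data (Article 17).")


def case_timeline() -> RightsRequest:
    # The resolution's dates: request 18 March 2025, no extension notice,
    # access answered 11 September 2025, erasure never answered.
    req = build_request("2025-03-18", BODY)
    req.responses["access"] = date(2025, 9, 11)
    return req


if __name__ == "__main__":
    req = case_timeline()
    print(req.deadline(), req.schedule(), req.report("2026-01-24"))
```

Run against the case's own dates, the report marks the access right "late" and the erasure right "overdue", which is exactly the finding the AEPD reached.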

5. Legal Compliance Obligations Don't Eliminate Response Duties

The company claimed data was "blocked for legal compliance" but never told the complainant this.

Article 17.3(b) Exemption: Erasure doesn't apply "for compliance with a legal obligation which requires processing by Union or Member State law [...] or for the performance of a task carried out in the public interest"

Spanish Hospitality Context:

  • Law requires accommodation providers to collect and report guest data to police
  • Retention periods are legally mandated
  • BUT: This doesn't eliminate the duty to explain the refusal to the data subject

Proper Erasure Response When Legal Retention Applies: "Dear [Name],

Regarding your erasure request:

Spanish hospitality law (Orden INT/1922/2003) requires accommodation providers to retain guest identity data for [X period] and communicate it to law enforcement authorities. This constitutes a legal obligation under Article 17.3(b) RGPD that prevents immediate deletion.

Your data will be retained in blocked status (accessible only for legal compliance purposes) until [specific date], after which it will be securely deleted unless other legal retention obligations apply.

If you believe this retention is inappropriate, you have the right to lodge a complaint with the AEPD."

This response:

  • Acknowledges the request
  • Explains the specific legal basis for refusal
  • Cites applicable law
  • Provides timeline
  • Informs of complaint rights
  • Demonstrates GDPR compliance

6. Third-Party Booking Platforms Don't Eliminate Your Obligations

The company noted the booking came through a third-party platform, implying this somehow reduced their responsibilities.

Critical Principle: When you provide services booked through intermediaries (Booking.com, Airbnb, Expedia, etc.), you are still the data controller for processing related to service delivery.

Joint Controller Arrangements:

  • The booking platform controls booking/payment data
  • You control service delivery data (check-in information, stay details, guest communications)
  • Both have GDPR obligations to the data subject
  • Both must respond to rights requests for their respective processing

Your Obligations Don't Diminish:

  • Inform guests of your identity as controller (Article 13/14 RGPD)
  • Provide privacy notice covering your processing
  • Respond to rights requests regarding your processing
  • Implement appropriate security measures

Best Practice:

  • Include clear privacy notice during check-in process (not just rely on platform's notice)
  • Provide contact details for your DPO or privacy representative
  • Explain what data you collect beyond what the platform collects
  • Make rights exercise easy with dedicated contact channels

7. The DNI Copy Collection Issue

The company's explanation about collecting DNI (national identity document) copies reveals important compliance considerations.

What They Did:

  • Requested DNI photo copies through online check-in
  • Claimed it was "voluntary" (guests could do in-person check-in instead)
  • Justified it for identity verification and police cooperation
  • Stored copies with third-party processor
  • Stopped the practice in January 2025 after becoming aware of complaints

Legal Analysis:

  • Spanish law requires accommodation providers to collect guest identity data
  • BUT: The law requires collection of identity information, not necessarily storage of complete document copies
  • Collecting full DNI scans creates heightened data protection risks
  • Better approaches: Sight and record relevant information without retaining full document image

AEPD Guidance:

  • Minimise data collection (Article 5.1.c)
  • Collect only what's legally required
  • If collecting sensitive documents, ensure robust security and short retention
  • Consider alternatives (visual inspection without copying, partial information recording)

The company's decision to stop collecting DNI copies suggests they recognized compliance concerns.

8. "Blocking" Data Requires Proper Implementation

The company claimed data was "blocked" for legal compliance.

What "Blocking" Means Under GDPR: Article 18 RGPD establishes "restriction of processing" (often called "blocking"):

  • Data remains stored
  • Can only be processed for specific limited purposes (legal compliance, legal claims, protecting other persons' rights, public interest)
  • Cannot be used for original purposes
  • Data subject must be informed before restriction is lifted

Proper Blocking Implementation:

  • Mark records clearly as "restricted/blocked"
  • Implement access controls preventing normal use
  • Maintain audit logs of any access
  • Set review dates for when blocking can be lifted
  • Document legal basis for continued storage
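An added example (not from the resolution or the company's systems) of the blocking checklist above in Python: each record carries a restricted flag, a documented legal basis and a review date; every read must state a purpose and only the Article 18 purposes pass on a blocked record; every attempt, allowed or denied, lands in an audit log; and the notice owed to the data subject is generated from the same fields. The guest data, retention basis and review date are constructed placeholders.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

# Article 18.2 purposes for which a restricted record may still be processed.
ALLOWED_WHEN_RESTRICTED = frozenset({
    "legal_compliance", "legal_claims", "protect_third_party_rights", "public_interest",
})


class RestrictedAccess(Exception):
    """Raised when a blocked record is requested for a purpose outside Article 18.2."""


@dataclass
class GuestRecord:
    guest_id: str
    data: dict[str, str]
    restricted: bool = False         # the "restricted/blocked" marker
    legal_basis: str | None = None   # documented reason for continued storage
    review_date: date | None = None  # when the restriction is re-examined


@dataclass
class GuestStore:
    records: dict[str, GuestRecord] = field(default_factory=dict)
    audit_log: list[tuple[str, str, str, str]] = field(default_factory=list)

    def restrict(self, guest_id: str, legal_basis: str, review_iso: str, actor: str) -> None:
        rec = self.records[guest_id]
        rec.restricted, rec.legal_basis = True, legal_basis
        rec.review_date = date.fromisoformat(review_iso)
        self.audit_log.append((actor, guest_id, "restrict", legal_basis))

    def read(self, guest_id: str, purpose: str, actor: str) -> dict[str, str]:
        """Every attempt is logged; a blocked record only serves Article 18.2 purposes."""
        rec = self.records[guest_id]
        allowed = (not rec.restricted) or purpose in ALLOWED_WHEN_RESTRICTED
        self.audit_log.append((actor, guest_id, purpose, "allowed" if allowed else "denied"))
        if not allowed:
            raise RestrictedAccess(f"{guest_id} is blocked; purpose '{purpose}' not permitted")
        return rec.data

    def due_for_review(self, today_iso: str) -> list[str]:
        today = date.fromisoformat(today_iso)
        return [g for g, r in self.records.items()
                if r.restricted and r.review_date is not None and r.review_date <= today]

    def notice_for_subject(self, guest_id: str) -> str:
        """The explanation owed to the data subject, which was never sent in this case."""
        rec = self.records[guest_id]
        return (f"Your data is retained in blocked status under {rec.legal_basis} "
                f"(Article 17.3(b) RGPD) until {rec.review_date.isoformat()}, after which "
                "it will be securely deleted unless another legal retention obligation applies.")


def try_read(store: GuestStore, guest_id: str, purpose: str, actor: str) -> str:
    try:
        store.read(guest_id, purpose, actor)
        return "allowed"
    except RestrictedAccess:
        return "denied"


def demo_store() -> GuestStore:
    # Constructed sample: one guest whose stay has ended; basis and review date are placeholders.
    store = GuestStore()
    store.records["guest-001"] = GuestRecord("guest-001", {"name": "Sample Guest", "stay": "2024-12"})
    store.restrict("guest-001", "guest-register retention obligation", "2028-12-31", "dpo")
    return store


if __name__ == "__main__":
    s = demo_store()
    print(try_read(s, "guest-001", "marketing", "sales"), try_read(s, "guest-001", "legal_compliance", "compliance"))
    print(s.audit_log, s.notice_for_subject("guest-001"), sep="\n")
```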

In This Case: The company claimed blocking but never informed the data subject, which violates the transparency obligation inherent in Article 18.

9. Document Retention After Stay Completion

Hospitality businesses face complex retention obligations.

Legitimate Retention Grounds:

  • Legal obligation: Spanish law requires retention of guest registration data
  • Legal claims: Damage deposits, dispute resolution (6-month to 5-year periods depending on claim type)
  • Accounting/tax: Invoice records (typically 4-6 years under tax law)

Data Minimisation Approach:

  • Retention schedule: Different data types, different periods
    • Police-required data: Legal minimum period only
    • Financial records: Tax law requirements
    • Marketing data: Only with consent, delete upon withdrawal
    • Operational data: Delete when no longer needed
  • Automatic deletion: Implement systems that auto-delete after retention periods expire
  • Regular audits: Quarterly review of old customer data

10. The Consequences of Ignoring Rights Requests

This resolution demonstrates escalating consequences:

Stage 1: Initial Violation

  • Company ignores rights requests (March-June 2025)
  • Complainant files with AEPD (17th June 2025)

Stage 2: AEPD Investigation

  • AEPD transfers complaint (29th July 2025)
  • Company finally responds (11th September 2025)—but still incompletely

Stage 3: Formal Resolution

  • AEPD upholds complaint (24th January 2026)
  • Company ordered to comply within 10 days
  • Warning of Article 83.6 RGPD violations for non-compliance

Stage 4: Potential Future Enforcement

  • If company fails to comply with resolution:
    • Separate infringement proceedings under Article 83.6
    • Very serious violation under Article 72.1(m) LOPDGDD
    • Potential fines up to €20 million or 4% global turnover
    • Possible additional supervisory measures

Prevention Strategy:

  • Treat every rights request as urgent
  • Respond within legal timeframes
  • Address all rights requested
  • Document everything
  • Seek legal advice when uncertain about response
  • Never ignore requests hoping they'll go away

Summary of Business Risk

This resolution confirms that ignoring GDPR rights requests—particularly using spurious excuses about sender identity—constitutes serious violations that trigger formal AEPD enforcement procedures. Whilst Soluciones Espuña, S.L. avoided immediate fines, they now face mandatory compliance orders with potential future penalties for non-compliance.

Actual Consequences in This Case:

  • Formal AEPD resolution finding Article 15 and 17 violations (public record)
  • Mandatory compliance order (provide erasure response within 10 days)
  • Warning of potential Article 83.6 violations for non-compliance
  • Reputational damage (public resolution identifying the company)
  • Administrative burden of responding to AEPD investigation

Future Risk if Non-Compliant:

  • Separate Article 83.6 proceedings for failing to comply with supervisory authority orders
  • Fines up to €20 million or 4% of global annual turnover
  • Enhanced supervisory monitoring
  • Potential business restrictions or processing prohibitions

Broader Business Risks:

  • Customer trust erosion (particularly in hospitality sector where reviews matter)
  • Competitive disadvantage (privacy-conscious customers choose compliant competitors)
  • Employment implications (staff training deficiencies exposed)
  • Third-party relationship issues (booking platforms may require GDPR compliance)

Critical Takeaway: The excuse that an email sender name didn't match database records is legally worthless. If someone contacts you about data you processed in relation to services you provided, you must engage with the request—either by providing the information sought, requesting identity verification through proper channels, or explaining with legal justification why you're refusing. Six months of silence followed by incomplete responses violates fundamental GDPR obligations. The hospitality sector's reliance on third-party booking platforms doesn't diminish direct data protection responsibilities to guests. Every rights request requires timely, complete, and substantive response addressing every right mentioned—not selective responses to convenient requests whilst ignoring difficult ones.

Link to Official AEPD PDF

Legal Disclaimer

Informational Purposes Only: The content provided by ANRO DIGITAL SOLUTIONS S.L.U. (including resolution summaries, infographics, and case analyses) is for educational and informational purposes only.

No Legal Advice: This information does not constitute legal advice, a formal legal opinion, or a substitute for professional legal counsel. The interpretation of data protection laws (including the GDPR, LOPDGDD, and AEPD resolutions) is subject to change and can vary based on specific facts and circumstances.

No Liability: ANRO DIGITAL SOLUTIONS S.L.U. assumes no responsibility or liability for any actions taken, or not taken, based on the information provided on this website. While we strive for accuracy, we make no guarantees regarding the completeness or timeliness of the information.

Consult a Professional: Data protection compliance is a complex legal requirement. You should not act upon this information without seeking advice from a qualified Data Protection Officer (DPO) or a specialist data protection lawyer licensed to practice in your jurisdiction.

Third-Party Links: Links to official AEPD documents are provided for convenience. We are not responsible for the content or availability of these external government portals.

This summary is for information purposes only. For more information, consult our Aviso Legal (legal notice).
