The Incident: The case began when a citizen (A.A.A.) contacted YOU MOBILE TELECOM SPAIN, S.L. to exercise their Right of Access (Article 15 GDPR). The individual simply wanted to know what data the company held about them and to receive a copy of it.
The Administrative Silence: The company did not reply. They did not provide the data, nor did they inform the user that they had no data, nor did they ask for an extension. They simply ignored the request. The statutory deadline of one month passed without any communication.
The Escalation & Agency Intervention: On July 19, 2025, the claimant filed a complaint with the Spanish Data Protection Agency (AEPD). Before opening a formal investigation, the AEPD attempted to mediate. Under Article 65.4 of the LOPDGDD, the Agency sent the claim to YOU MOBILE TELECOM SPAIN, S.L., giving them a "second chance" to respond to the user and settle the matter amicably. The company ignored the AEPD as well.
The Procedural Failure: Due to this lack of cooperation, the AEPD formally admitted the claim on October 19, 2025. Even during the formal hearing window (where the company had 10 days to defend themselves), the company failed to provide any proof—such as a certified email, a log, or a letter—demonstrating that they had ever responded to A.A.A.
The Core Ruling: The AEPD ruled that the "silence" of a data controller is a direct violation of the law. The resolution clarifies that a company cannot simply "ghost" a user. Even if the request is repetitive,

Based on AEPD Resolution EXP202515295, here are the mandatory actionable steps for businesses in general. This case sets a crystal-clear precedent: administrative silence is not a valid option in the private sector when it comes to data rights.
The resolution makes it undeniable that you must always reply. Many businesses mistakenly believe that if they do not hold data on the user, or if the request seems absurd, they can simply ignore it.
Action: Implement a "Zero Pending Requests" policy. Even if the user is not a client or does not exist in your database, the company is legally obliged to reply informing them of this fact.
Protocol: Create standard templates for three scenarios:
Data Found: "Here is the copy of your data."
Data NOT Found: "We inform you that we do not process any data concerning you."
Refusal: "We cannot fulfill your request for reason X (legally motivated)."
The GDPR grants one month to respond. In this case, the company failed to meet the deadline and subsequently ignored the AEPD's procedural hearing.
Action: Configure automatic alerts in your management system (CRM or Helpdesk).
Day 1: Receipt and automatic acknowledgement.
Day 15: "Pending Resolution" alert sent to the DPO or legal manager.
Day 25: CRITICAL alert of imminent deadline expiration.
The AEPD sanctions or warns because the company "has not accredited" (proven) that it responded. Sending the email is not enough; you must be able to prove that it was sent and that the user received it or had access to it.
Action: Do not use personal email accounts (like a direct Gmail/Outlook) to answer GDPR rights requests.
Tool: Use ticketing systems or certified digital email services that generate an audit log (timestamp of sending, content, destination address, and delivery status). Keep these logs for a minimum of 3 years.
The ruling notes that the company did not reply to the AEPD's initial requirement before the disciplinary procedure was opened. Ignoring the AEPD turns a fixable administrative issue into a serious infringement.
Action: Establish a priority channel for official notifications (DEHú - Single Enabled Electronic Address).
Protocol: If a notification from the AEPD arrives, it must be treated as a Level 1 Emergency, responding within the deadline (usually 10 days or 1 month for allegations) to prevent a disciplinary file from being opened.
The ruling reiterates that the controller must "arbitrate formulas and mechanisms" to facilitate the exercise of rights.
Action: Review the Privacy Policy on the website.
Verification: Is the email address for exercising rights (privacy@company.com) visible and functional? Is there a specific form? Avoid unnecessary bureaucracy (e.g., asking for a notarized ID if it is not strictly necessary for identification).
Failure to comply with a resolution of this type (a direct order from the AEPD to attend to a right) is classified as a Very Serious Infringement (Art. 72.1.m LOPDGDD). This significantly increases the amount of any potential future fine, regardless of the company's size.
Informational Purposes Only: The content provided by ANRO DIGITAL SOLUTIONS S.L.U. (including resolution summaries, infographics, and case analyses) is for educational and informational purposes only.
No Legal Advice: This information does not constitute legal advice, a formal legal opinion, or a substitute for professional legal counsel. The interpretation of data protection laws (including the GDPR, LOPDGDD, and AEPD resolutions) is subject to change and can vary based on specific facts and circumstances.
No Liability: ANRO DIGITAL SOLUTIONS S.L.U. assumes no responsibility or liability for any actions taken, or not taken, based on the information provided on this website. While we strive for accuracy, we make no guarantees regarding the completeness or timeliness of the information.
Consult a Professional: Data protection compliance is a complex legal requirement. You should not act upon this information without seeking advice from a qualified Data Protection Officer (DPO) or a specialist data protection lawyer licensed to practice in your jurisdiction.
Third-Party Links: Links to official AEPD documents are provided for convenience. We are not responsible for the content or availability of these external government portals.
This summary is for informational purposes only. For more information, see our Legal Notice.