
AEPD Resolution: EXP202515296

Resolution Signed: 03/02/2026

AEPD Reference Number: EXP202515296

Sanction Procedure Number: PD-00336-2025 

Fine Amount: €0

Full Description

The Incident (The Identity Theft Verification Quest): A Spanish citizen discovered they had been the victim of identity theft when fraudsters used their personal data and a photograph of their national identity card (DNI) to fraudulently contract telecommunications services. After filing a police report (atestado nº ***REFERENCIA.1), the victim embarked on a systematic campaign to contact every telecommunications operator in Spain to verify whether their personal data had been used to fraudulently open accounts. On 25 October 2024, they sent an email to Telfy Telecom S.L., a Spanish telecommunications provider, asking a simple but critical question: "Do you have, or have you ever had, my personal data registered as a customer in your systems?"

The Company's Silence (The "Spam Filter" Defence): Telfy Telecom never responded to the victim's email. For nearly 11 months, the identity theft victim received no acknowledgment, no confirmation, and no information from the company—despite the fact that this information was essential to understanding the full scope of the fraud committed against them. The victim had no way of knowing whether Telfy's systems had been compromised by the fraudsters or whether the company held records that could help identify the criminals.

The Complaint and Investigation: Frustrated by the complete absence of response, the victim filed a formal GDPR complaint with the AEPD on 19 July 2025. The AEPD transferred the complaint to Telfy on 24 September 2025 under Article 65.4 LOPDGDD, giving the company an opportunity to explain their failure to respond. Telfy ignored this initial AEPD communication as well. On 19 October 2025, the AEPD formally admitted the case for full investigation. Finally, on 28 November 2025, the AEPD granted Telfy a formal hearing period, requiring them to submit written defences within 15 business days.

The Belated Response and Excuses: Only after receiving the formal hearing notice did Telfy finally respond—on 22 December 2025, more than 14 months after the original access request. The company offered a series of justifications:

  1. The "Lost Email" Claim: Telfy claimed they never received the victim's original email from October 2024, suggesting it may have been automatically filtered as spam and deleted without human review.
  2. The "No Malice" Defence: The company insisted there was no intention to violate GDPR deadlines and that once they became aware of the request through the AEPD, they responded within two days (26 September 2025), confirming the victim's data had never been in their systems.
  3. The "We're Compliant" Argument: Telfy emphasised their commitment to GDPR compliance, providing internal data protection manuals, describing their email channels for rights requests, and noting they use the "VigilaMisDatos" certified system and undergo periodic audits.
  4. The "Technical Fix" Promise: The company claimed that as a result of this complaint, they had reconfigured their email systems to whitelist all sender addresses and prevent similar spam-filtering incidents in the future.

The Core Ruling (Complaint Upheld Despite Excuses): The AEPD categorically rejected Telfy's defences and ruled in favour of the complainant. The regulator found that, regardless of technical spam filtering issues, Telfy violated Article 15 GDPR and Article 12.3 GDPR by failing to respond to a legitimate access request within 30 days. The AEPD emphasised that the burden of proof lies with data controllers to demonstrate they have proper systems in place to receive and process rights requests; companies cannot use technical failures as excuses for GDPR violations. However, because Telfy had eventually confirmed (albeit 14 months late) that they held no data about the victim, the AEPD determined no additional remedial action was required beyond the formal ruling against the company.

Articles Infringed

Article 15 GDPR (Right of Access): Telfy failed to respond to a legitimate access request from an identity theft victim seeking to verify whether their personal data had been fraudulently used to open accounts.

Article 12.3 GDPR (Response Timeframe): Data controllers must respond to rights requests "without undue delay and in any event within one month of receipt." Telfy's 14-month silence (and response only after AEPD intervention) constitutes a severe violation of this mandatory deadline.

Actionable Steps

Based on Resolution EXP202515296, here is the compliance protocol for telecommunications companies, online service providers, and any business receiving rights requests via email:

1. "The Email Was Filtered as Spam" Is Not a Valid Legal Defence

Telfy's primary defence—that the access request was automatically filtered and deleted—was rejected by the AEPD.

Legal Principle: Article 12.1 GDPR requires data controllers to "take appropriate measures to facilitate the exercise of data subject rights." If your spam filters are blocking legitimate rights requests, your systems are not GDPR-compliant.

Action: Implement a dedicated, clearly publicised email address for GDPR rights requests (e.g., dataprotection@company.com or privacy@company.com) and configure email security systems to:

  • Whitelist this address so no messages are ever filtered as spam (exempt it from spam scoring, but keep malware and attachment scanning active, since this inbox will receive mail from unknown senders)
  • Set up automatic forwarding to at least two responsible staff members
  • Create automatic acknowledgment responses: "Your request has been received and will be responded to within 30 days"
  • Log all incoming messages for audit purposes

2. Multiple Communication Channels Are Essential

Telfy claimed to offer various channels for rights requests, but the victim's email was lost in one channel with no backup verification system.

Best Practice: Provide at least three methods for exercising data rights:

  1. Dedicated email address (exempt from spam filtering)
  2. Web form on your privacy policy page (automatically generates ticket numbers)
  3. Postal address published in your privacy policy

Action: On your privacy policy page, include a prominent section titled "How to Exercise Your Data Rights" with clear instructions for each contact method. Test all channels quarterly to ensure they function properly.

3. Identity Theft Victims' Requests Require Special Urgency

This case involved identity fraud, making the access request particularly time-sensitive.

Protocol for Fraud-Related Access Requests: When someone contacts you claiming to be a victim of identity theft or account fraud:

  • Priority Response: Escalate to a senior data protection officer immediately
  • 24-Hour Acknowledgment: Send an interim response within one business day confirming receipt
  • 7-Day Investigation: Conduct a full audit of your systems to verify whether the person's data appears in customer databases
  • Detailed Response: Provide comprehensive information including:
    • Whether any accounts exist under the person's name
    • Creation dates and IP addresses for any suspicious accounts
    • Whether fraudulent charges or services were activated
    • Immediate account suspension if fraud is confirmed
    • Coordination with law enforcement if requested

Rationale: Identity theft victims need urgent confirmation to assess the scope of fraud and prevent ongoing harm. A 14-month delay (as occurred here) is unconscionable in fraud contexts.

4. The "We Responded Once We Knew" Excuse Doesn't Work

Telfy argued they responded quickly (two days) after the AEPD informed them of the request. The AEPD ruled this was irrelevant.

Legal Reality: The 30-day deadline begins when the data subject sends the request, not when the data controller becomes "aware" of it through regulatory intervention. If your systems failed to receive or route the request properly, that is your responsibility, not the data subject's problem.

Action: Implement a request tracking system that logs:

  • Date received
  • Assigned staff member
  • Deadline date (30 days from receipt)
  • Status (acknowledged, in progress, completed, delayed)
  • Proof of delivery to data subject

5. Spam Filters Must Not Block Rights Requests

Many companies use aggressive email security systems (greylisting, spam scoring, sender reputation filtering) that can inadvertently block legitimate communications.

Technical Solution:

  • Configure email security so that messages containing keywords like the following are never silently discarded (route them to a human-reviewed inbox rather than bypassing scanning entirely):
    • "GDPR request"
    • "Data access request"
    • "Right to erasure"
    • "Data protection rights"
    • "Derecho de acceso" (Spanish)
    • "Solicitud RGPD" (Spanish)
  • Create automatic routing rules to forward such messages to your data protection team
  • Whitelist common personal email providers (Gmail, Outlook, Yahoo, iCloud) for data protection inbox addresses

Test Regularly: Once per quarter, send a test access request from an external personal email address to verify it reaches the correct internal team.

6. The Burden of Proof Is on the Data Controller

Telfy claimed the email was never received, but the AEPD placed responsibility on the company to prove they have adequate systems in place.

Evidence You Must Maintain:

  • Email server logs showing all messages received at your GDPR contact addresses (retain for at least 3 years)
  • Spam filter reports showing what was blocked and why
  • Staff training records proving employees understand how to process rights requests
  • System audit logs documenting that your email infrastructure is functioning properly

Action: If you receive an AEPD complaint alleging non-response to an access request, immediately pull server logs for the relevant time period. If you cannot prove the email never arrived, the AEPD will assume you received it and ignored it.

7. Acknowledging Receipt Prevents Complaints

If Telfy had sent an automatic acknowledgment ("We received your request and will respond by [date]"), the victim would have known their email was received.

Implement Automatic Acknowledgments:

  • Set up email auto-responders on all data protection contact addresses
  • Template: "Thank you for your data rights request received on [date]. We will provide a full response by [date 30 days later]. Your reference number is [unique ID]. If you do not receive a response by this date, please contact [escalation email/phone]."
  • This simple measure prevents 90% of "ignored request" complaints
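As an added example (not code from the resolution, Telfy, or ANRO), the following script ties together the routing keywords from step 5, the tracking fields from step 4, and the acknowledgment template from step 7: it classifies constructed sample messages, opens a tracked request with a 30-day deadline and a reference number, escalates fraud-related requests, and lists overdue requests. The fraud keywords, the sample inbox, the `DSR-` reference format, and the `dpo@example.com` escalation address are assumptions; matched mail is routed for human review rather than exempted from malware scanning.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Routing keywords listed on the page (English and Spanish), matched case-insensitively.
RIGHTS_KEYWORDS = ("gdpr request", "data access request", "right to erasure",
                   "data protection rights", "derecho de acceso", "solicitud rgpd")
# Constructed terms (an assumption, not from the resolution) marking fraud-related requests.
FRAUD_KEYWORDS = ("identity theft", "suplantaci", "atestado", "police report", "fraud")
RESPONSE_DAYS = 30  # the deadline the page states: 30 days from receipt

# Constructed sample inbox; the first message mirrors the victim's question in this case.
SAMPLE_INBOX = [
    (date(2024, 10, 25), "victim@example.net", "Derecho de acceso",
     "Victima de suplantacion de identidad (atestado ***). Tienen mis datos como cliente?"),
    (date(2024, 10, 25), "promo@example.org", "Autumn deals", "Upgrade your fibre plan today!"),
    (date(2024, 11, 2), "user@example.com", "Right to erasure", "Please delete my account data."),
]

@dataclass
class RightsRequest:
    ref: str
    received: date
    sender: str
    deadline: date
    priority: bool  # True: escalate to the DPO and acknowledge within one business day
    status: str = "acknowledged"

def classify(subject, body):
    """Return (is_rights_request, is_fraud_related) for one message."""
    text = f"{subject} {body}".lower()
    return any(k in text for k in RIGHTS_KEYWORDS), any(k in text for k in FRAUD_KEYWORDS)

def intake(received, sender, subject, body, seq):
    """Open a tracked request, or return None for mail that is not a rights request
    (it keeps normal spam/malware filtering); matched mail is routed, never silently discarded."""
    is_request, is_fraud = classify(subject, body)
    if not is_request:
        return None
    ref = f"DSR-{received:%Y%m%d}-{seq:04d}"  # unique ID quoted back in the acknowledgment
    return RightsRequest(ref, received, sender, received + timedelta(days=RESPONSE_DAYS), is_fraud)

def acknowledgment(req):
    """Auto-reply built from the step 7 template; the escalation address is a placeholder."""
    return (f"Thank you for your data rights request received on {req.received:%d/%m/%Y}. "
            f"We will provide a full response by {req.deadline:%d/%m/%Y}. Your reference number "
            f"is {req.ref}. If you do not receive a response by this date, contact dpo@example.com.")

def overdue(requests, today):
    """Open requests past their deadline: the check a step 4 tracking system must run daily."""
    return [r for r in requests if r.status != "completed" and today > r.deadline]
```

In production the same classification would run as a mail-flow rule that forwards matches to the data protection team and records the intake, which is the server-side evidence step 6 says you must be able to produce.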

8. Post-Incident Technical Fixes Don't Erase Liability

Telfy promised to reconfigure their email systems after this incident. The AEPD acknowledged this but still ruled against the company.

Key Principle: Implementing better systems after a violation does not excuse the original non-compliance. However, demonstrating corrective action can:

  • Reduce the severity of sanctions in enforcement proceedings
  • Show good faith to regulators
  • Prevent repeat violations that would trigger compounded penalties

Action: If you discover your systems failed to process a rights request, immediately:

  1. Fix the technical problem
  2. Document what went wrong and how you fixed it
  3. Audit all other recent requests to ensure none were similarly missed
  4. Report your corrective actions to the AEPD if an investigation is underway

9. Identity Theft Verification Requests Are Increasingly Common

As fraud rises, more victims will contact companies asking: "Has someone used my identity to open an account with you?"

Standardised Response Protocol:

  1. Search All Systems: Check current customers, closed accounts, and failed verification attempts
  2. Provide Clear Answer: "We have no records of your data" or "We found an account created on [date] from IP address [X]"
  3. Offer Proactive Protection: "We've placed a fraud alert on your details to prevent future unauthorized account creation"
  4. Suggest Next Steps: "If you believe fraud occurred, please provide your police report number and we will cooperate with authorities"

Action: Create a template response letter for identity theft verification requests to ensure consistency and completeness.

10. The "VigilaMisDatos" Seal Is Not a Substitute for Actual Compliance

Telfy emphasised that they use the VigilaMisDatos certification system and undergo periodic audits. The AEPD was unimpressed.

Reality Check: Third-party compliance certifications, privacy seals, and audit reports are useful tools, but they do not exempt you from GDPR obligations. If your systems fail to process a rights request—regardless of your certifications—you are still liable.

Action: Use certifications and audits as process improvement tools, not as shields against accountability. If your auditor doesn't test whether your email systems actually deliver rights requests to the correct staff, your audit is incomplete.

Summary of Business Risk

This case establishes that technical email filtering failures are not valid defences for ignoring GDPR access requests, particularly from identity theft victims who need urgent verification of whether their data has been compromised. Telecommunications companies and online service providers must implement robust, spam-filter-proof systems for receiving and processing rights requests, with automatic acknowledgments, dedicated contact channels, and priority escalation for fraud-related inquiries. The AEPD's formal ruling against Telfy Telecom—despite the company's eventual compliance and technical remediation—creates a permanent regulatory record that could influence future sanctions for repeat violations or similar failures across the telecommunications sector.

Link to Official AEPD PDF

Legal Disclaimer

Informational Purposes Only: The content provided by ANRO DIGITAL SOLUTIONS S.L.U. (including resolution summaries, infographics, and case analyses) is for educational and informational purposes only.

No Legal Advice: This information does not constitute legal advice, a formal legal opinion, or a substitute for professional legal counsel. The interpretation of data protection laws (including the GDPR, LOPDGDD, and AEPD resolutions) is subject to change and can vary based on specific facts and circumstances.

No Liability: ANRO DIGITAL SOLUTIONS S.L.U. assumes no responsibility or liability for any actions taken, or not taken, based on the information provided on this website. While we strive for accuracy, we make no guarantees regarding the completeness or timeliness of the information.

Consult a Professional: Data protection compliance is a complex legal requirement. You should not act upon this information without seeking advice from a qualified Data Protection Officer (DPO) or a specialist data protection lawyer licensed to practice in your jurisdiction.

Third-Party Links: Links to official AEPD documents are provided for convenience. We are not responsible for the content or availability of these external government portals.

This summary is for informational purposes only. For more information, consult our Aviso Legal.
