ANRO Privacy Logo

AEPD Resolution: EXP202516711

Resolution Signed: 12/01/2026

AEPD Reference Number: EXP202516711

Sanction Procedure Number: PD-00354-2025 

Fine Amount: €0

Full Description

The Right of Access Request: On 26 August 2025, A.A.A. filed a complaint with the AEPD claiming that RODRÍGUEZ ORTEGA CASA 10 AGENCIA INMOBILIARIA, S.L. (a real estate agency, NIF B50914555) had failed to respond to his exercise of the Right of Access under Article 15 RGPD. The claimant provided documentation showing he had exercised his data access rights but received no legally required response.

The AEPD's Initial Process: Following Article 65.4 LOPDGDD, the AEPD first transferred the claim to the real estate agency, giving them one month to analyze the request and provide evidence they had properly responded to the data subject. The agency's initial response did not satisfy the claimant's demands, so on 26 November 2025, the AEPD formally admitted the claim for processing.

The Procedural Framework: This case fell under Article 64.1 LOPDGDD, which governs procedures exclusively concerning failure to attend to rights requests under Articles 15-22 RGPD. The procedure has a six-month resolution deadline from the date of admission notification. If the AEPD doesn't resolve within this timeframe, the claimant can consider their claim granted.

The Late Response Problem: During the AEPD's investigation, the real estate agency finally provided documentation proving they had sent a communication to the data subject addressing his access request. However, this response came well after the legally established deadline—it was sent only after the AEPD had initiated formal proceedings against them.

The Legal Requirements: Under Articles 12 RGPD and 12 LOPDGDD, data controllers must:

  • Provide free mechanisms for data subjects to exercise their rights
  • Respond to requests within one month maximum
  • Respond even if no data exists or the request lacks proper requirements (in which case they must request clarification or provide reasoned denial)
  • Use any means that proves receipt of the response
  • Communicate in concise, transparent, intelligible, and accessible language

The Burden of Proof: The resolution emphasizes that the burden of proving compliance with the duty to respond falls entirely on the data controller. A data subject's request cannot simply be ignored; silence is never an acceptable response.

The AEPD's Ruling: The AEPD ruled to UPHOLD the claim on formal procedural grounds (estimar por motivos formales). The real estate agency violated the data subject's rights by failing to respond within the legal timeframe. However, since the company had eventually provided a response during the investigation—albeit late—the AEPD determined that no additional action was required. The agency did not need to issue a new certification since they had already (belatedly) addressed the access request.

The Key Distinction: This is a "formal estimation" rather than a substantive finding. The AEPD acknowledged the procedural violation (late response) but recognized that the substantive right had ultimately been satisfied. This nuanced approach balances enforcement with practical resolution—punishing the delay while avoiding duplicative compliance burdens.

Articles Infringed

Article 12.3 RGPD (Response Timeframes): The data controller failed to respond to the data subject's access request within one month of receipt, as required by this provision.

Article 15 RGPD & Article 13 LOPDGDD (Right of Access): The data controller's failure to timely respond constituted a violation of the data subject's fundamental right to access their personal data.

Actionable Steps

Based on Resolution EXP202516711, here is the protocol for handling Right of Access requests:

1. The One-Month Deadline is Absolute

  • Action: Respond to ALL data access requests within 30 calendar days of receipt, even if the response is a denial or request for clarification
  • Legal Basis: Article 12.3 RGPD
  • Warning: Responding after AEPD intervention, even if substantively correct, still constitutes a procedural violation

2. Silence is Never an Option

  • Action: ALWAYS send a formal response to every data rights request, regardless of circumstances
  • Required Responses Include:
    • Providing the requested data (if it exists)
    • Explaining that no data exists (if applicable)
    • Requesting clarification if the request is ambiguous
    • Providing reasoned denial if legal exemptions apply
  • Critical Rule: You cannot ignore a request as if it was never made

3. Establish Proof of Response

  • Action: Use communication methods that provide proof of receipt:
    • Registered mail with return receipt
    • Certified email delivery services
    • Hand delivery with signed acknowledgment
    • Electronic notifications with read confirmation
  • Why: The burden of proof falls entirely on the controller to demonstrate compliance

4. Create an Access Request Response Protocol

  • Day 1-3: Log the request, assign responsibility, acknowledge receipt to the data subject
  • Day 3-20: Gather the relevant personal data, verify accuracy, prepare response
  • Day 20-25: Review response for completeness and clarity, obtain management approval
  • Day 25-28: Send formal response with proof of delivery
  • Day 28-30: Buffer zone for any delivery issues

5. Content Requirements for Responses

Your response must be:

  • Concise: No unnecessary verbiage
  • Transparent: Clear about what you're providing or why you're not
  • Intelligible: Understandable to an average person
  • Easy to access: In a commonly usable format
  • Clear and simple language: No excessive legal jargon

6. What to Do If You Have No Data

  • DO: Send a formal response stating "We have searched our systems and have no personal data concerning you"
  • DON'T: Simply ignore the request thinking "we have nothing to provide"
  • Why: Even a negative response is legally required

7. When Requests Are Deficient

If a request lacks necessary information for identification:

  • Action: Within 5-7 days, send a written request for clarification
  • Specify: Exactly what additional information you need
  • Timeframe: The one-month deadline still applies from the original request date, not from when you receive clarification

8. The "AEPD Investigation Defense" Doesn't Work

  • Mistake: Thinking that responding during AEPD investigation cures the original violation
  • Reality: Late response = procedural violation, even if substantively correct
  • Result: Formal finding against you, potential sanctions, reputational damage

9. Train Your Staff on Recognition

Access Request Triggers Include:

  • "I want to see what data you have about me"
  • "Send me my personal information"
  • "What do you know about me?"
  • "Give me copies of my data"
  • Formal letters citing Article 15 RGPD

10. Small Business Reality Check

This case involved a small real estate agency—not a tech giant. The GDPR's access rights obligations apply equally to:

  • One-person businesses
  • Small family companies
  • Large corporations

Summary of Business Risk

While this case resulted in no fine, it represents significant business risk for small and medium enterprises. The real estate agency incurred:

  1. Reputational damage from public AEPD resolution finding against them
  2. Legal costs of responding to AEPD investigation
  3. Administrative burden of formal proceedings
  4. Management time diverted to compliance issues
  5. Future vulnerability to escalated sanctions if patterns continue

More importantly, this resolution establishes that the AEPD will formally rule against entities that respond late—even if they eventually provide substantively correct responses. The message is clear: timely compliance matters as much as substantive compliance.

For small businesses, the lesson is stark: invest in simple response protocols NOW rather than pay the price of AEPD intervention later. A basic ticketing system, calendar reminder, and standard response templates can prevent these costly procedural violations.

Link to Official AEPD PDF

Legal Disclaimer

Informational Purposes Only: The content provided by ANRO DIGITAL SOLUTIONS S.L.U. (including resolution summaries, infographics, and case analyses) is for educational and informational purposes only.

No Legal Advice: This information does not constitute legal advice, a formal legal opinion, or a substitute for professional legal counsel. The interpretation of data protection laws (including the GDPR, LOPDGDD, and AEPD resolutions) is subject to change and can vary based on specific facts and circumstances.

No Liability: ANRO DIGITAL SOLUTIONS S.L.U. assumes no responsibility or liability for any actions taken, or not taken, based on the information provided on this website. While we strive for accuracy, we make no guarantees regarding the completeness or timeliness of the information.

Consult a Professional: Data protection compliance is a complex legal requirement. You should not act upon this information without seeking advice from a qualified Data Protection Officer (DPO) or a specialist data protection lawyer licensed to practice in your jurisdiction.

Third-Party Links: Links to official AEPD documents are provided for convenience. We are not responsible for the content or availability of these external government portals.

This summary is for informational purposes only. For more information, see our Legal Notice.
