AEPD Resolution: EXP202517310

Resolution Signed: 02/02/2026

AEPD Reference Number: EXP202517310

Sanction Procedure Number: PD-00355-2025 

Fine Amount: €0

Full Description

The Incident (The Silent Treatment): An individual (A.A.A.) exercised their Right of Access under Article 15 GDPR against a Homeowners' Association (Comunidad de Propietarios R.R.R.). The data subject submitted their request on 10 September 2025, seeking access to their personal data held by the association. According to the claimant, the homeowners' association failed to provide the legally mandated response within the required timeframe.

The claimant provided various documentation to the AEPD relating to their complaint and the exercise of their access rights, demonstrating they had properly initiated the request but received no timely acknowledgement or substantive response.

The Administrative Process: Following the procedure established under Article 65.4 LOPDGDD, the AEPD admitted the claim and granted the homeowners' association a hearing period of ten working days to present arguments and evidence.

Crucially, it was only during this AEPD investigation process—after the complaint had been formally lodged with the data protection authority—that the homeowners' association finally responded to the original access request and provided the required information to the data subject.

The Core Ruling: The AEPD ruled in favour of the claimant on formal grounds (motivos formales). The resolution establishes that whilst the homeowners' association eventually provided the requested information, this response came after the legally prescribed deadline had expired. The response was deemed "extemporánea" (untimely/out of time).

The AEPD emphasised several critical principles:

  1. No Request Can Be Ignored: Controllers cannot simply ignore access requests as if they were never made. Even when no personal data exists, or when requests are deficient, the controller must respond—either requesting clarification of deficiencies or providing a reasoned refusal.
  2. Express Response Mandatory: Every data subject request obliges the controller to provide an express response using any means that proves the data subject received the answer.
  3. Mere Administrative Acknowledgement Insufficient: The response cannot consist of a simple administrative acknowledgement during procedural formalities. It must be a substantive reply addressing the request itself.

The Outcome: The AEPD formally ESTIMATED (upheld) the claim based on the procedural violation—the homeowners' association's failure to respond within the statutory deadline. However, recognising that the association had belatedly provided the information during the investigation, the AEPD determined that no further action was required. The association was not ordered to issue a new response, as the data subject had ultimately received the information requested.

Importantly, no fine was imposed. This resolution focuses purely on vindicating the data subject's rights and establishing that the procedural timeline was violated, without imposing financial penalties.

Articles Infringed

Article 12.3 GDPR (Information and Communication): The homeowners' association failed to provide information on action taken on the data subject's request "without undue delay and in any event within one month of receipt of the request." This constitutes the formal violation that led to the claim being upheld.

Article 15 GDPR & Article 13 LOPDGDD (Right of Access): Whilst technically infringed due to the delayed response, the AEPD recognised that the substantive right was eventually satisfied when the association provided the requested information during the investigation.

Actionable Steps

Based on Resolution EXP202517310, organisations, particularly smaller entities like homeowners' associations, community groups, and SMEs, must implement rigorous response protocols:

1. The "30-Day Clock" Is Absolute

Action: Implement a tracking system (even a simple spreadsheet) that logs every data subject request with:

  • Date received
  • 30-day deadline date
  • Person responsible for responding
  • Status updates

Legal Requirement: Article 12.3 GDPR requires response "without undue delay and in any event within one month." This is not flexible guidance—it's a hard deadline.

2. Never Ignore a Request

Even if you believe the request is invalid, poorly worded, or you hold no data about the individual:

Protocol:

  • Acknowledge receipt within 48-72 hours
  • If unclear, request clarification within the first week
  • If you hold no data, state this explicitly in writing within the 30 days
  • If you're refusing the request, provide detailed reasoning citing specific GDPR provisions

Legal Shield: The AEPD emphasised that silence is never an option. A reasoned refusal is legally compliant; no response is not.

3. Administrative Acknowledgement ≠ Legal Response

Critical Distinction: Simply saying "We've received your request and are looking into it" does not satisfy Article 12.3 GDPR.

Required Response Must Include:

  • Confirmation of what data you hold (or don't hold)
  • If providing data: the actual information in an accessible format
  • If refusing: specific legal grounds under Article 15.3 GDPR
  • Information about appeal rights

4. Small Organisations Are Not Exempt

This case involved a homeowners' association—a community organisation likely without dedicated legal or data protection resources.

Reality Check: The GDPR does not provide exemptions for:

  • Small organisations
  • Volunteer-run entities
  • Community associations
  • Organisations with limited resources

Risk Mitigation:

  • Designate one person responsible for GDPR requests
  • Create simple template responses for common scenarios
  • Consider using secure email or registered post to prove delivery
  • Keep records of all correspondence

5. Late Response = Formal Violation

Business Consequence: Whilst this homeowners' association avoided a fine, the formal estimation (upholding of the claim) creates:

  • An official record of non-compliance
  • Potential reputational damage
  • Increased scrutiny for future incidents
  • A precedent that could influence fine calculations if violations recur

Prevention Protocol:

  • Set internal deadlines at Day 25 (not Day 30) to allow buffer time
  • If you need the 2-month extension (Article 12.3 GDPR), notify the data subject by Day 25 explaining why the case is complex
  • Never assume the AEPD investigation timeline gives you extra time—it doesn't reset the clock

6. During AEPD Investigation ≠ "On Time"

Critical Learning: Responding during the AEPD's Article 65.4 procedure does not cure the original violation.

Timeline Reality:

  • Day 1: Data subject submits access request
  • Day 30: Legal deadline passes—violation occurs
  • Day 60+: Data subject complains to AEPD
  • Day 90+: Organisation finally responds during AEPD investigation

The response at Day 90+ satisfies the substantive right but does not eliminate the procedural breach at Day 30.

7. Documentation Is Your Defence

Evidence Requirements:

  • Proof of when you received the request
  • Proof of when and how you responded
  • Content of your response
  • Any technical issues that caused delays (though these rarely excuse late response)

Best Practice: Use delivery confirmation (email read receipts, registered post, secure online portals with activity logs) for all data subject correspondence.

Summary of Business Risk

This resolution demonstrates that even organisations without malicious intent face formal findings of non-compliance for procedural failures. The homeowners' association eventually provided the information—they weren't hiding data or acting in bad faith—but the timing failure alone warranted formal estimation of the claim.

Key Risk Factors:

For Small Organisations: Community associations, clubs, and small businesses often lack dedicated compliance personnel. However, the GDPR's one-month deadline applies equally to a two-person business as to a multinational corporation.

No Fine ≠ No Consequence: Whilst no financial penalty was imposed, the formal ruling creates:

  • Public record of non-compliance
  • Basis for enhanced penalties if future violations occur
  • Potential civil liability if the delay caused damage
  • Reputational harm

The "Good Faith" Myth: Many organisations assume good faith compliance efforts will be recognised. This case proves timing compliance is objective—intentions don't extend deadlines.

Cascading Effect: Organisations handling multiple data subject requests simultaneously must track each independently. One missed deadline doesn't excuse others.

Link to Official AEPD PDF

Legal Disclaimer

Informational Purposes Only: The content provided by ANRO DIGITAL SOLUTIONS S.L.U. (including resolution summaries, infographics, and case analyses) is for educational and informational purposes only.

No Legal Advice: This information does not constitute legal advice, a formal legal opinion, or a substitute for professional legal counsel. The interpretation of data protection laws (including the GDPR, LOPDGDD, and AEPD resolutions) is subject to change and can vary based on specific facts and circumstances.

No Liability: ANRO DIGITAL SOLUTIONS S.L.U. assumes no responsibility or liability for any actions taken, or not taken, based on the information provided on this website. While we strive for accuracy, we make no guarantees regarding the completeness or timeliness of the information.

Consult a Professional: Data protection compliance is a complex legal requirement. You should not act upon this information without seeking advice from a qualified Data Protection Officer (DPO) or a specialist data protection lawyer licensed to practice in your jurisdiction.

Third-Party Links: Links to official AEPD documents are provided for convenience. We are not responsible for the content or availability of these external government portals.

This summary is for informational purposes only. For more information, see our Legal Notice.
