Ridiculous decision from Spanish AEPD

Just came across this: AEPD (Spain) - R/00423/2021 - GDPRhub

It’s absolutely ridiculous! See for yourself. :rofl:


There are legitimate concerns underlying this order: A data controller shouldn’t be able to make requests go away by ignoring them. And if a data processor wants to benefit from their privileged status, they must demonstrably* defer to their controller. AWS did mess up by failing to provide documentation that they forwarded the request to the controller.

But the conclusion that a processor should decide a data subject request is utterly insane and really dangerous, especially when journalistic freedom is involved. I hope AWS does us a favour and gets to produce some good case law from this. The only thing the supervisory authority should have asked AWS for is the contact details of the controller, because the controller’s website (extraconfidencial . com) doesn’t even include a privacy notice. They’re the ones who have to be threatened with a fine here.

* actually not sure about this, because the Art 5(2) accountability principle expressly only applies to controllers.


No obligation is imposed by the GDPR for processors to be required to forward data subject requests to the controller. Sure, GDPR imposes an obligation to help the controller, by appropriate technical and organisational measures, but this is merely for supporting the controller in responding, such as by helping collect data for a DSAR. There is in no way an obligation for a processor to do anything with a DSAR.

It is best practice to also agree in the processing agreement what the processor should do in case they receive a data subject request.

Really hope AWS appeals the case too!

Thanks for sharing this. It’s an interesting one, and I agree that it’s ridiculous. I was intrigued however as to how they possibly reached this decision, as it seems absurd on its face.

I think it probably comes down to their interpretation of article 28(3)(e) and the requirement to assist with handling rights requests “insofar as this is possible”. I always interpreted those words as a limiting factor on what is required, but I think maybe the AEPD is in fact using them to interpret AWS’ obligation as broadly as possible. I.e., rather than meaning “assist the controller to respond only to the extent possible”, they are interpreting it to mean “do everything that is technically possible to assist the controller to respond”, and in their view this means everything up to handling the request themselves without recourse to the controller. If that is what the AEPD is doing, then I don’t agree with it, but I don’t think it’s entirely without merit.

Of course, all of this rests on the assumption that the AEPD has the power to force a company to comply with its contractual obligations entered into as required by Article 28(3), or that article 28(3) creates freestanding obligations on processors that the SA is able to enforce, which is an entirely separate issue and one I’m also sceptical of.


Thanks for sharing your thoughts. What you say is probably their interpretation, I guess.

Essentially if a processor receives a DSAR and does anything with it that is not on the instruction of the controller (e.g. predefined agreement with the controller to simply forward all DSARs), the processor then becomes a controller in respect of that DSAR, which is not a position you would want to be in. It’s a tricky situation.

Another interesting aspect is that it is up to the controller to decide how to handle requests for data subject rights, for example in certain situations certain rights may even not apply at all to that data subject, yet the processor is expected to act on them? It just makes zero sense to me, in every aspect.

Yep, I’m fully agreed with you on all of those points. I’m just sort of baffled, so trying to come up with some explanation.
