Decision on how the European Commission dealt with two infringement complaints that Spain had breached EU data protection rules - CHAP(2021)317 and CHAP(2021)1713 (case 1429/2021/OAM)
Affaire 1429/2021/OAM - Ouvert le Lundi | 06 septembre 2021 - Décision le Lundi | 06 septembre 2021 - Institution concernée Commission européenne (Pas d’acte de mauvaise administration constaté )
Dear Mr X,
In August 2021, you complained to the European Ombudsman about how the European Commission dealt with your infringement complaints against Spain (CHAP(2021)317 and CHAP(2021)1713).
In your complaints to the Commission, you argued that Spanish authorities are not taking any measures against alleged breaches of your right to the protection of your personal data. You are of view that Spain is infringing the EU data protection rules.
In your complaint to the Ombudsman, you argue that the Commission was wrong not to take any action in relation to your complaints.
On the basis of a careful examination of your complaint, we find no maladministration by the Commission for the following reasons.
The Commission enjoys wide discretion in deciding whether and when to commence an infringement procedure. Its policy on infringements of EU law is set out in its Communication “EU law: Better results through better application”.
When it comes to infringement complaints, the Ombudsman may examine whether the Commission has clearly explained its position and whether it has given the complainant the opportunity to provide comments before it closes the case. Regarding the substance of a case, the Ombudsman may only intervene (by asking the Commission to look at an issue again) if the Commission was manifestly wrong in its presentation of the facts or of law.
In this case, the Commission has given you the opportunity to comment on its position before it closed the case. The Commission also provided you with clear information as regards why it closed the infringement complaint. We find no manifest error by the Commission in this case.
The Commission correctly explained that it is not its role to intervene in individual cases linked to potential data protection violations. Such cases should be treated at national level by the national data protection authorities or judicial authorities. The Commission further noted that the EU data protection regulation to which you referred - Regulation 2016/679 - did not apply at the time of the alleged breaches of your data protection rights. It is also correct that the Commission is not competent to deal with complaints against the European Court of Human Rights, which is not a body of the EU but an independent body linked to the Council of Europe.
On the basis of the above, the case is closed.
I hope you will find the above explanations helpful.
Head of the Case-handling Unit
 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, in force as of 25 May 2018, available at: https://eur-lex.europa.eu/eli/reg/2016/679/oj