Complaint forms and the Law of Data Protection in E-Commerce in Spain
Spanish trade is based on Royal Decree 1/2007 of 16 November 2007, which laid the groundwork for the revised text of the General Law of Consumer and User Protection and other complementary acts. Nevertheless, given that many responsibilities have been transferred to the Autonomous Communities, which will not be discussed further here, this article focuses on the legislation of Madrid.
First, we must emphasize the compulsory nature of complaint forms. In physical trade, it is assumed that the merchant is obligated to make complaint forms available to customers. However, is this obligation also transferable to electronic commerce? The answer is a resounding ‘yes’. Article 29.4 of Decree 1/2010, of 14 January 2010, of the Governing Council, which enacts statute 11/1998 of 9 July 1998 on Customer Protection within the Community of Madrid, explicitly states that E-Commerce and all other businesses that do not have public establishments are obligated to inform consumers about the existence of complaint forms and how they can be accessed.
With regard to this obligation, the following question comes to mind: Where do I place the complaint forms if I do not have physical or local business premises? The solution is to provide complaint forms at the registered business address within the Community of Madrid, and to inform customers of their existence at the locations and on the media channels through which the offer is made.
Simply put, E-Commerce, like any other business, is legally obligated to supply complaint forms, to inform customers about their existence, and to enable customers who request them to obtain the forms at the headquarters or tax domicile of the E-Commerce business within the Community of Madrid.
Let us now examine the impact those complaint forms might have on the protection of data privacy, especially since the official model forms consist of three individual copies containing private data, and one of these copies remains at the place of business. Could the business be considered responsible for the data and be required to fulfil the duties of information and consent?
One could suppose that it is excessive to require a business to assume responsibility for the data (and therefore to meet all associated obligations) where the business is only acting in order to fulfil a legal responsibility, the data is not used, and the forms used to collect the data are imposed by the competent authority. Nevertheless, analysing various resolutions of the Spanish Agency of Data Protection (AEPD) concerning missing informative clauses, we recognize a common trait that seems to mark the perception of the AEPD. This trait consists of identifying the use or processing of the data obtained. The question is whether the data from the complaint forms is going to be further processed and used within the place of business in order to pursue its own objectives (e.g., to undertake a quality study or for internal auditing purposes), or whether this information is only going to be saved to fulfil the legal obligations of the business.
Therefore, the AEPD appears to focus its attention on determining whether the forms used are the official ones (which are required to bear a specific mark and the identification of the competent authority), or whether the forms are internal (showing a logotype or indication of the firm that identifies the form as specifically created by the business).
As proof of this distinction, we found the case of a shopping mall that used the official model of the form and declared that no additional use had been made of the data, where the AEPD applied the principle of confidence in the approval of those forms by the Community of Madrid. On the other hand, there are examples of sanctions imposed for the lack of informative clauses where the firm itself had created the forms, showing its logotype or indication.
In conclusion, to know whether we could be considered responsible for the data, we need to keep the AEPD’s criteria in mind. This means that as long as we adhere to the uses of complaint forms as required by the consumer legislation and use them for no other purposes, the responsible party for the data is the competent authority.
In the case of personalized complaint forms, which introduce the possibility of adding informative clauses and of using and processing the data within the firm, there is no doubt that the business is considered responsible for the data, with all the obligations and legal responsibilities this entails.