D.A.A.A. (Complainant) V. Cooltra Motosharing S.L.U.

The Spanish Data Protection Authority issued a reprimand to a controller for failing to fulfill a data subject's request for deletion. Despite six separate attempts by the data subject, the controller did not act promptly, and neither their website nor app allowed for easy account cancellation.

The motorcycle sharing company in question utilised a deceptive pattern known as the hard to cancel to make it difficult for users to cancel their accounts. This is evidenced by the fact that the company did not provide an option for users to cancel their accounts through their website or app, and instead required the data subject to email a generic mailbox which did not accept incoming mail. Furthermore, despite the data subject's repeated requests to delete their account and data, the company failed to do so in a timely manner, which violated Article 17 of the GDPR. Additionally, the company failed to notify the data subject once their account was deleted, as required by Article 12 of the GDPR. In this case, the motorcycle sharing company made it intentionally difficult for users to cancel their accounts and delete their data, which violates the principles of transparency and fairness that are fundamental to the GDPR. The company's failure to respond to the data subject's requests and continued sending of commercial messages after the data subject had requested deletion of their data also constitutes a violation of the GDPR, specifically Article 21 which grants individuals the right to object to the processing of their personal data for direct marketing purposes.