The information on which the search is based has been translated by a computer system without human intervention. It may contain errors in vocabulary, syntax or grammar. The translation may also produce mistakes in the searches performed.
Manipulation of medical information.
IP 522/2024
The complainant alleged that his medical history had been manipulated. Specifically, he stated that the diagnosis of the injuries he suffered in an accident was incorrect and that the images contained therein were blurred and cropped. During the processing of the claim, the hospital proved that the information in the complainant's medical history was correct, that there had been no modification after the date of the accident and that the images were not blurred or cropped. The procedure is closed, since no punishable act from the point of view of data protection can be attributed to the hospital, nor can it be held responsible for the reported acts, which were not proven.
13/12/2024
Violation of the principle of confidentiality due to 9 improper accesses to the medical record.
PS 67/2024
The complainant complained about 9 improper accesses to her medical record that were not related to any healthcare or diagnostic action, since she had never been treated at the center or by the doctor who had made the disputed accesses. The complainant also complained that, within the framework of a meeting of a neighborhood association, the doctor had disseminated some of the complainant's health data. This alleged disclosure of data was filed in the initiation agreement, since the facts were not proven. With regard to the 9 proven improper accesses, the entity is sanctioned for the breach of the principle of confidentiality with a fine of €30,000, as responsible for an infringement provided for in article 83.5.a in relation to article 5.1.f, both of the GDPR. The entity has paid the penalty in advance (€24,000).
13/12/2024
Improper access to the medical record (HC) without explicit consent.
PS 49/2024
The complainant complains that his ex-partner has improperly accessed his medical record (HC) without his permission. The CSI, for its part, states that the professional accessed it during the period in which the complainant and the professional were a couple, but does not produce the patient's explicit consent. It is resolved that the principle of confidentiality has been violated.
02/12/2024
Rectification of two medical reports.
PS 92/2024
The complainant complains that the medical center has issued two reports, which state a pathological history that is not based on any medical evidence. The entity has acknowledged the facts and corrected the reports. A final resolution is being prepared for violation of the principle of accuracy.
26/11/2024
Use of data by a data processor.
IP 74/2023
The complainant complains that the hospital where he is receiving medical treatment has provided his personal data to an external company without his consent. It is established that the company that has processed the data is a data processor that uses his data to fulfill one of the purposes of the data controller, CatSalut; specifically, for a medical treatment subscribed to by the complainant. For this reason, an archiving resolution is issued.
04/09/2024
Lack of technical and organizational measures appropriate to the risk and lack of a risk analysis, in relation to the personal data that was stored in the cyber-attacked HCB information systems.
PS 1/2024
It is resolved to declare that, prior to 05/03/2023, the HCB had not implemented the appropriate technical and organizational security measures to guarantee a level of security appropriate to the risk of the personal data processing it carried out. Nor had it carried out a risk analysis to define the required security measures, as required by sections 1 and 2 of article 32 GDPR. The computer platform that was the subject of the cyberattack stored information from the HCB and also from other related entities (Barnaclínic SA, CAPSBE and FRCB-IDIBAPS); therefore, the volume and sensitivity of the information required special diligence in its custody and security.
16/07/2024
Violation of the principle of legality derived from the failure to adopt appropriate measures.
PS 14/2024
The medical history of the reported foundation is configured in such a way that, by design and by default, the foundation's own and external doctors can access it, through the foundation's information systems. This fact caused an external doctor who treated the reporting person within the framework of private healthcare to access his medical history, without his explicit consent or any other legal basis that legitimized this treatment. In this case, the violation of the duty of data protection by design and by default is not imputed, since there is an ideal competition of infringements and only the most serious infringement is imputed; that is, the violation of the principle of legality (qualified as very serious). Nor is the violation of the principle of purpose limitation imputed, because it is subsumed in the infringement relating to the principle of legality.
05/07/2024
Legal basis for the publication of the academic qualifications of the group of university students
CNS 23/2023
Taking into account the applicable regulations, it can be considered that there is a sufficient legal basis for the publication and dissemination of the academic qualifications of the group of university students (e.g. art. 6.1, sections e) and f) GDPR), without prejudice to the necessary compliance with the rest of the principles and guarantees of the data protection regulations. Given the principle of minimization, only the data necessary to comply with the intended purpose should be disseminated, taking into account the parameters and guidelines derived from the seventh additional provision of the LOPDGDD.
22/09/2023
Access to the record of access to the clinical history
IAI 37/2023
The data protection regulations do not prevent the information he requests from being communicated to the complainant, regarding accesses to his clinical history, including the identity, rank and professional category of the professionals who have accessed it.
28/07/2023
Using biometric data for controlling presence in the workplace
CNS 19/2023
Consent may be a legal basis for the processing of biometric data for the purpose of time control, provided that it constitutes a manifestation of free, specific, informed and unambiguous will on the part of the data subject to accept the processing, in the terms stated. In any case, before processing such as that provided for in the consultation, an impact assessment on data protection must be carried out in view of the specific circumstances in which the processing is carried out where, among other things, the application of the processing is analysed.
28/07/2023