Result of the resolution: Economic sanction
On the one hand, by means of the digital certificate linked to a worker in the entity - which allowed him to access the HC3 file of the Department of Health - an unidentified person or persons who had access to the HC3 of the complainants, all of them workers in the entity; which is considered constitutive of a violation of the principle of application linked to the improper treatment of special categories of data. On the other hand, the digital certificate linked to one of the working people of the FSFA, which as mentioned allowed access to the HC3 file, was installed on several computers to which different people also workers in the entity had access. Thus, to the extent that all these people could use the same certificate to access the HC3 database, the identification of the person who actually accessed it could not be guaranteed unequivocally and customarily, nor, consequently, the justification of these accesses could be analysed. This is considered to be a breach of security measures.