Resolutions, opinions and reports search tool

The complainant alleged that his medical history had been manipulated. Specifically, he stated that the diagnosis of the injuries he suffered in an accident was incorrect and that the images contained therein were blurred and cropped. During the processing of the claim, the hospital proved that the information in the complainant's medical history was correct, that there had been no modification after the date of the accident and that the images were not blurred or cropped. The procedure is closed, since no punishable act from the point of view of data protection can be attributed to the hospital, nor can any responsibility be attributed to the reported and unaccredited acts.

Title: Breach of the principle of confidentiality due to 9 improper accesses to the medical record.
Summary: The complainant complained about 9 improper accesses to her medical record that were not related to any healthcare or diagnostic action, since she had never been treated at the center or by the doctor who had made the disputed accesses. The complainant also complained that, within the framework of a meeting of a neighborhood association, the doctor had disseminated some of the complainant's health data. This alleged disclosure of data was filed in the initiation agreement, since the facts were not proven. With regard to the 9 improper accesses proven, the entity is sanctioned for the breach of the principle of confidentiality with a fine of €30,000, as responsible for an infringement provided for in article 83.5.a in relation to article 5.1.f, both of the GDPR. The entity has paid the penalty in advance (€24,000).

The medical history of the reported foundation is configured in such a way that, by design and by default, the foundation's own and external doctors can access it, through the foundation's information systems. This fact caused an external doctor who treated the reporting person within the framework of private healthcare to access his medical history, without his explicit consent or any other legal basis that legitimized this treatment. In this case, the violation of the duty of data protection by design and by default is not imputed, since there is an ideal competition of infringements and only the most serious infringement is imputed; that is, the violation of the principle of legality (qualified as very serious). Nor is the violation of the principle of purpose limitation imputed, because it is subsumed in the infringement relating to the principle of legality.

Taking into account the applicable regulations, it can be considered that there is a sufficient legal basis for the publication and dissemination of the academic qualifications of the group of university students (eg art. 6.1, sections e) and f) RGPD), without prejudice to the necessary compliance with the rest of the principles and guarantees of the data protection regulations. Given the principle of minimization, only the data necessary to comply with the intended purpose should be disseminated, taking into account the parameters and guidelines derived from the seventh additional provision of the LOPDGDD.

It is appropriate to warn the City Council, since it did not duly inform about the treatment of images captured by video surveillance cameras installed in the control points of access to restricted traffic areas, since, apart from the information contained in the information posters, in the complementary information that was available on the website of the consistory, the City Council did not inform about the right to file a claim provided to this Authority, and all extremes

The City Council should be reprimanded for 1) capturing images of public roads through the video surveillance camera system located on container islands that were not closed or delimited; and 2) process the images captured by this video surveillance system located on public roads, to exercise the sanctioning power against residents of the municipality. There is a medial concurrence between both infractions, but only the main infraction should be sanctioned, which is the violation of the principle of legality regarding the installation of a video surveillance system on public roads.

A City Council is reprimanded as being responsible for an infraction due to violation of the principle of legality, for having sent to an inspector of the Generalitat-Mossos d'Esquadra police force two instances with personal data without legal basis, specifically, before the opening of confidential information against the reporting agent, and without there being a real danger to public safety or the investigation and prosecution of a crime.

The claiming entity has not accredited that it has responded to the request for rectification exercised by the claimant.

It is appropriate to estimate the claim, since the ICS did not respond in time to the request of the claimant. Regarding the fund, it is not appropriate to make any pronouncement or require any action, since the ICS has accredited that it has delivered the documentation to the claimant in the requested terms, that is, it has made effective the right exercised by the claimant, although extemporaneously.

The claim for disregard of the right to delete data contained in shared folders in the workplace, to which the claimant now has no access, and which include personal emails, is estimated.