Resolutions, opinions and reports search tool

The complainant complains that the medical center has issued two reports, which state a pathological history that is not based on any medical evidence. The entity has acknowledged the facts and corrected the reports. A final resolution is being prepared for violation of the principle of accuracy.

The medical history of the reported foundation is configured in such a way that, by design and by default, the foundation's own and external doctors can access it, through the foundation's information systems. This fact caused an external doctor who treated the reporting person within the framework of private healthcare to access his medical history, without his explicit consent or any other legal basis that legitimized this treatment. In this case, the violation of the duty of data protection by design and by default is not imputed, since there is an ideal competition of infringements and only the most serious infringement is imputed; that is, the violation of the principle of legality (qualified as very serious). Nor is the violation of the principle of purpose limitation imputed, because it is subsumed in the infringement relating to the principle of legality.

Taking into account the applicable regulations, it can be considered that there is a sufficient legal basis for the publication and dissemination of the academic qualifications of the group of university students (eg art. 6.1, sections e) and f) RGPD), without prejudice to the necessary compliance with the rest of the principles and guarantees of the data protection regulations. Given the principle of minimization, only the data necessary to comply with the intended purpose should be disseminated, taking into account the parameters and guidelines derived from the seventh additional provision of the LOPDGDD.

The City Council should be reprimanded for 1) capturing images of public roads through the video surveillance camera system located on container islands that were not closed or delimited; and 2) process the images captured by this video surveillance system located on public roads, to exercise the sanctioning power against residents of the municipality. There is a medial concurrence between both infractions, but only the main infraction should be sanctioned, which is the violation of the principle of legality regarding the installation of a video surveillance system on public roads.

A City Council is reprimanded as being responsible for an infraction due to violation of the principle of legality, for having sent to an inspector of the Generalitat-Mossos d'Esquadra police force two instances with personal data without legal basis, specifically, before the opening of confidential information against the reporting agent, and without there being a real danger to public safety or the investigation and prosecution of a crime.

The City Council of Sant Boi de Llobregat is admonished as responsible for an infringement provided for in Article 83.5.a in relation to Article 5.1.f, both of the GDPR, for sending an email to numerous people without using the hidden copy tool.

Resolution with ammunation in the sanctioning procedure against the Garraf Health Consortium, Hospital Residencia Sant Camil, due to violation of the principle of accuracy. For having used a mobile phone that had in its database since 2011, instead of using the telephone provided with the derivation of the Sitges EAP, 2022.

The Department of Social Rights (DDS) consulted the tax data of the complainant who was in the possession of the AEAT. This action is considered legitimate, taking into account that in accordance with Law 12/2007 and Law 2/2014 enables the DDS to consult ex officio, and without prior consent of the interested persons, the data of the beneficiaries of aid and those of their "economic unit of coexistence". The DDS has also accredited that in the forms to request aid for the dependency, an information clause is included on the possibility of consulting the data.

One person reported that he had received a call from a call centre for the purposes of COVID-19 vaccination, in which he was asked why he did not want to be vaccinated, and was informed that the call would be recorded. The Authority processed a sanctioning procedure against the Department of Health, who was warned for not having fulfilled the duty of information provided for in art. 13 RGPD. At the same time, he filed the rest of the reported facts, since, on the one hand, it was found that the call had been made by SEMSA, on behalf of the CatSalut, to whom the Department had commissioned to make those calls; and on the other hand, it was found that the collection of the reason for not wanting to be vaccinated (by free will) was protected by the applicable health regulations.

The filing of the complaint is necessary for the following reasons: 1) It is accredited that no improper access has been made to the clinical history of the complainant. 2) In this case, it is considered that giving an extemporaneous response and requesting to fill in a specific form are management irregularities that do not have enough entity to start a sanctioning procedure.