Resolutions, opinions and reports search tool

The complainant alleged that his medical history had been manipulated. Specifically, he stated that the diagnosis of the injuries he suffered in an accident was incorrect and that the images contained therein were blurred and cropped. During the processing of the claim, the hospital proved that the information in the complainant's medical history was correct, that there had been no modification after the date of the accident and that the images were not blurred or cropped. The procedure is closed, since no punishable act from the point of view of data protection can be attributed to the hospital, nor can any responsibility be attributed to the reported and unaccredited acts.

The complainant complains that his ex-partner has improperly accessed his HC, without his permission. On the other hand, the CSI states that the professional accessed it during the period of time in which the complainant and the professional were a couple, but does not provide the patient's explicit consent. It is resolved that the principle of confidentiality has been violated.

The complainant complains that the medical center has issued two reports, which state a pathological history that is not based on any medical evidence. The entity has acknowledged the facts and corrected the reports. A final resolution is being prepared for violation of the principle of accuracy.

It is resolved to declare that, prior to 05/03/2023, the HCB had not implemented the appropriate security measures -technical and organizational- to guarantee a level of security appropriate to the risk of the personal data processing it carried out. Nor had it carried out a risk analysis to define the required security measures, as required by sections 1 and 2 of article 32 RGPD. The computer platform that was the subject of the cyberattack stored information from the HCB and also from other related entities (Barnaclínic SA, CAPSBE and FRCB-IDIBAPS); therefore, the volume and sensitivity of the information required special diligence in its custody and security.

The medical history of the reported foundation is configured in such a way that, by design and by default, the foundation's own and external doctors can access it, through the foundation's information systems. This fact caused an external doctor who treated the reporting person within the framework of private healthcare to access his medical history, without his explicit consent or any other legal basis that legitimized this treatment. In this case, the violation of the duty of data protection by design and by default is not imputed, since there is an ideal competition of infringements and only the most serious infringement is imputed; that is, the violation of the principle of legality (qualified as very serious). Nor is the violation of the principle of purpose limitation imputed, because it is subsumed in the infringement relating to the principle of legality.

The person making the complaint showed that her HC3 was accessed from CABO Centelles on four occasions, during the months of May 2022, despite not having been visited at that health center. In response, the DPD of the reported entity has confirmed that it is the material author of the accesses and has justified them by arguing that they were necessary to be able to respond to a request for information that this Authority notified to the aforementioned entity, within the framework of another complaint. filed by the same person complaining. In relation to this, during the prior information phase it was found that the accesses carried out by the personal data protection delegate to the complainant's HC3 were justified, given that they were carried out in the exercise of his duties. , and to respond to a request from this Authority. For all this, the filing of these proceedings is appropriate.

The City Council of Sant Boi de Llobregat is admonished as responsible for an infringement provided for in Article 83.5.a in relation to Article 5.1.f, both of the GDPR, for sending an email to numerous people without using the hidden copy tool.

It is resolved to declare that the Department of Health has committed the infringement provided for in Article 83.5a), in relation to Article 5 RGPD, which contemplates the principle of accuracy of personal data, since the platform "My Health" of the complainant contains inaccurate information about health professionals who would have attended it in different medical consultations. The discord is also manifested between the information contained on the one hand in the HC of the health center and the HC3; and on the other hand, in the information that appears in the LMS viewer.

Un club deportivo de fútbol de nueva creación contactó con la Federación Catalana de Fútbol dado que cuando intentaba vincular dieciséis jugadores a su club, la Intranet federativa le mostraba un mensaje mediante el cual se lo informaba que los mencionados jugadores estaban vinculados a otro club deportivo. Al respeto, la persona denunciando se quejaba por el hecho que, desde la FCF se había enviado al mencionado club de nueva creación unas impresiones de pantalla que contenían los datos personales de los 16 jugadores que, en aquel momento, estaban vinculados a otro club. Pues bien, por su parte, la entidad denunciada ha reconocido haber enviado las impresiones de pantalla - con información personal de los jugadores (nombre, apellidos y DNI) - al club de nueva creación, a los efectos de mostrarle los pasos que tenía que seguir para poder inscribir a los jugadores, y ha argumentado que este hecho no constituye una comunicación ilícita de datos personales dado que el receptor de la información, ya era conocedor de estas información. Al respeto, añadía que, la Intranet muestra el mencionado mensaje después de que el club haya introducido los datos personales de los jugadores. En estos términos, procede el archivo de los hechos denunciados dado que, cuando la FCF envió los datos personales de los jugadores al Club que los intentaba inscribir, este ya disponía de la información.

In relation to the data published by the representative of a political party in a plenary session of the city council, it is archived because it has not been proven that the published data was provided by the City Council. Furthermore, the data published is incorrect, which is indicative of the fact that the person who provided it was not linked to the City Council. In relation to the leak of personal data through a WhatsApp group, this fact is also archived since the fact that the photographs of the squares (with shifts and schedules) have been exchanged in a WhatsApp group is not an indication sufficient to allow a violation of the principle of confidentiality to be attributed because it is not proven that the people in the group are members of the local police of the City Council.