Resolutions, opinions and reports search tool

The Public Health Agency of Catalonia communicated to the Labour Risk Prevention Services of the Catalan company in which it provides services denouncing the list of staff who did not have the complete pattern of vaccination against COVID-19. This communication was carried out within the framework of a vaccination campaign by the Health Department. In this respect, the communication in question does not contravene data protection regulations, insofar as both occupational risk prevention regulations and public health regulations empower health authorities to establish mechanisms for collaboration with the occupational risk prevention services of private companies.

It resolves to dismiss the request of the holder because restricting access to the health data of the holder, to all administrative, IT and citizen management staff of the Health Department, who may need access to it in the performance of their duties, would seriously distort the functioning and organisation of the health system. Furthermore, to the extent that the claimant also intended that the Ministry should enforce its right of opposition "in a global way and not individually", in relation to data relating to his or her health, which is treated at all Hospitals of Catalonia and Primary Care Centers, it is decided to also dismiss this claim, insofar as the Ministry of Health is not responsible for all the treatments pointed out by the claimant.

It is decided to sanction Badalona Health Services for the infringement of the principle of confidentiality, since the complained entity has confirmed that a worker from Badalona Municipal Hospital, managed by Badalona Health Services S.A, would have unduly accessed a third person's clinical history. The proposed sanction is EUR 2 000.

It is decided to file the present complaint, given that the accused City Council and, in particular, the Chief Inspector of the Local Police, included references to the data on the person's health reporting - who holds the status of local agent - since these were necessary to resolve the desirability of initiating a disciplinary file against him, for alleged withdrawal from service on health grounds. Thus, this Authority concludes that the processing of controversial personal data was covered by Article 6.1e) - processing carried out in the exercise of public powers - and that the circumstances provided for in Article 9.2 (f) and g) GDPR, which lift the prohibition on processing health data in Article 9.1 (GDPR).

The complainant complains that they made him send medical documentation by email and that this would facilitate access to medical data by non-health administrative staff. RA is issued since this was an exceptional shipment since the patient requested urgent assistance by phone for the prescription of pain medication and since the last medical report was not yet included in the HC3, since the same one had been issued day at another medical center, he was asked to send it by e-mail in order to carry out the medical prescription. These emails are managed by the administrative staff entrusted with these functions and, moreover, management does not involve access to medical documentation; only if it becomes essential for the performance of its functions. Art. 16 Law 41/2022.

RA is being prepared because the complainant was the one who in a workplace revealed his or her COVID (and his/her) results to other partners. He did so for organisational purposes. At the same time, his boss communicated the results (and those of his wife) to a colleague in charge of carrying out organizational functions. Although it was not necessary to disclose data on his wife's results, it would be disproportionate to hold the complainant responsible for this fact, when it was the complainant himself who revealed the information in a voluntary, trusted environment amongst colleagues. It should also be noted that the complainant confirmed that he had carried out an access audit and confirmed that there had been no access to the complainant's data.

The hospital could communicate pseudonymized data relating to the health of patients treated with medicines for compassionate use in the pharmaceutical laboratory that facilitates the drug for clinical research purposes (Article 9.2.j) GDPR and paragraph 2.d) of DA 17a LOPDGDD) on the basis of the legitimate interest pursued by the laboratory.

The complainant complains that someone in Chief Manso would have disclosed his data (who is his family doctor to his ex-wife). RA is dictated as the ICS does not provide the complainant's data but merely informs the child's mother in common the reason why the child is not assigned the same doctor as her. The reason is that the child is a beneficiary of the parent's social security number and, by default, is assigned the same doctor/ssa as the cardholder. Therefore, with this information, you can guess who the complainant's doctor is. This fact does not constitute an infringement in respect of Article 6.1.h) in relation to Law 8/2007 regulating the functions of the ICS.In addition, information on the allocation of health professionals to beneficiaries is information easily accessible to any interested person.

The City Council could create a register of the residents of the municipality who, given the concurrence of certain circumstances, would require a quick action by the civil protection forces in emergency situations. The use of data from the Register for this purpose would be compatible, but the incorporation of information relating to people's health would require their explicit consent.

The treatment of driving staff's health data or functions related to the traffic safety of rail transport services to detect, by the company, alcohol or drug consumption, at the start or during working time, is enabled in Articles 6.1.c) and 9.2.h of the GPD in relation to rail legislation. In the case of personnel who carry out these duties in the transport services of the bus or cable network, the data protection regulations do not prevent regular controls on the consumption of the aforementioned substances, when it is established, justifiably, by the occupational risk prevention service, insofar as it may constitute a risk for third parties.