Resolutions, opinions and reports search tool

Undue access to the HC3 of the complainant is not credited. The filing of the complaint is resolved because the complainant has accredited that the data referring to the complainant's HC3 was extracted from an opinion submitted to them by the INS.

There are four unjustifiable accesses to the HC3 of the person denouncing by staff of the Sanitary Corporation Parc Taulí de Sabadell. It resolves to admonish the Corporation as the person responsible for an infringement provided for in Article 83.5.a) in relation to Article 5.1.a), both of which are in the GDPR, for 2 undue access to the HC3 which have not been prescribed, for the violation of the basic principles for processing, specifically the principle of application.

The complaint is filed about how a Hospital carried out the transfer of documentation from a trade union section to another room inside the hospital, since that transfer was carried out without jeopardising the protection of the personal data contained there, and the security measures taken to do so were appropriate to guarantee its safety and confidentiality.

The claimant asked the ICS for access to their clinical history and traceability. The ICS responded once the one-month period foreseen for art had elapsed. The Authority's resolution states that the ICS responded extemporarily to the request for access, and regarding the information not delivered concerning traceability, the claim is partially estimated, regarding only information concerning data communications from clinical history (including any data communications to the clinical history shared in Catalonia), since the ICS' response was not clear enough to understand that he had been informed about this end. And the claim is dismissed as regards the other information included in the concept of 'traceability', as it is information that exceeds the material aspect of the right of access to data protection.

The claimant requested access to information about access to his or her clinical history (HC), and the claimed entity responded, lately, that they did not record undue access to his HC. The Authority estimates the claim of guardianship of the right of access, since the claimed entity did not provide an answer within the time frame set for the applicable law, nor did it inform him of whether data communications existed in the shared clinical history of Catalonia, or of other data communications to other recipients, whether they were external recipients to the claimed entity, or other health centers that, while belonging to the claimed entity, have information systems other than the health center assigned to the claimant.

The claimant requested access to information about access to his or her clinical history (HC), and the claimed entity responded, lately, that they did not record undue access to his HC. The Authority estimated the claim of guardianship of the right of access, since the claimed entity did not respond to it within the time frame set to the applicable law, nor did it inform it about whether data communications existed in the shared clinical history of Catalonia, or about other data communications to other recipients, whether they were external recipients to the claimed entity, or other health centers that, while belonging to the claimed entity, have information systems other than that of the health center assigned to the claimant.

The claimant requested an entity, by exercising the right of access, to hand over a copy of the document that another public entity had sent him, accrediting in the workplace his status as a victim of gender violence, as well as the original document. The claim is partially estimated as the claimant entity extemporarily resolved the request for access to the copy of the requested document, and is dismissed as regards the request for the submission of the original document, since the right of access provided for in Article 15 of the RGPD does not include the delivery of the original document, but only access to those personal data and to the copying of those data, as well as the right to copy them.

The claimant asked a Foundation, by exercising the right to data portability, to submit an original document that had been sent to it by another public body, accrediting in the workplace his status as a victim of gender violence. The claim was dismissed, as: (1) the right to portability does not include the delivery of the original document, but of the data in a structured, common-use and mechanical readership format; (2) the person concerned had not been the person who submitted this data to the claimed entity; and (3) the right to portability does not apply to the treatment needed to fulfil a mission performed in the public interest or in the exercise of public powers conferred to the responsible.

The claimant complained that in the face of the request for access to his HC, the Hospital had not delivered the full documentation to him. Within the protection procedure, the hospital has provided the complainant with all the documentation requested, and the hospital's response is therefore extemporaneous, without going into any other considerations of substance.

The patient, in view of the legislation studied (legislation on patient autonomy and transparency legislation, in connection with article 6.1.c) RGPD), must be able to know the identity of the people who have accessed their medical history and, where appropriate, any improper access that may have occurred. Although not part of the right of access provided for in the RGPD, data protection regulations do not prevent the holder of the medical record from accessing information on the due or improper nature of access to the medical history, if the person in charge has this information.