Resolutions, opinions and reports search tool

The data protection regulations would not prevent the claimant's access to the information contained in the application file of the anti-bullying protocol, relating to him and his minor daughter to the extent that it is holder of parental authority. There would also be no problem in facilitating access to the merely identifying data of public employees or public officials in charge of processing the harassment file, nor of the teachers, tutors or the director of the center where the events took place, that may be included. Likewise, access to the identification data of the people who have provided information about the claimant's daughter and the information they provided to the file about her could be facilitated, unless there is some reason that justifies it as a result of the hearing procedure its limitation. In the event that the file contains special categories of data of other people other than the claimant's daughter, access to this information should be denied.

An undue access to HC by a professional health person is noted, which violates the principle of data confidentiality. Responsibility of the entity for acts materially committed by its staff

Indra, in his capacity as sub-processor, did not apply the basic level security measures required by SocMobility in the treatment processor's contract, to ensure a safety level appropriate to the risk (thus to prevent unauthorised persons from accessing these data), since the T-Mobility access portal did not modify the password that the manufacturer of the "Liferay" undercuture assigns to the admin, so that access was opened, and in turn accessible to third parties.

SocMobility (processing controller) did not adequately determine the appropriate security measures to guarantee a safety level appropriate to the risk of the data processing entrusted to Indra (those who are in charge of processing) for the implementation and management of the T-Mobility card, while in the processing order contract the SocMobility entity indicated to Indra that the security measures it had to implement for the provision of the services being commissioned were of the basic level, i.e. it categorized the system as basic, when according to the concurrent circumstances in the processing being commissioned, the basic level was not sufficient.

An education inspector incorporated unnecessary information concerning the person's working life by denouncing in the report he issued in response to a request from the Syndic of Greuges, a move in which he violated the principle of minimisation, as he gave more information than was necessary for the intended purpose.

The complainant complains that they made him send medical documentation by email and that this would facilitate access to medical data by non-health administrative staff. RA is issued since this was an exceptional shipment since the patient requested urgent assistance by phone for the prescription of pain medication and since the last medical report was not yet included in the HC3, since the same one had been issued day at another medical center, he was asked to send it by e-mail in order to carry out the medical prescription. These emails are managed by the administrative staff entrusted with these functions and, moreover, management does not involve access to medical documentation; only if it becomes essential for the performance of its functions. Art. 16 Law 41/2022.

RA is being prepared because the complainant was the one who in a workplace revealed his or her COVID (and his/her) results to other partners. He did so for organisational purposes. At the same time, his boss communicated the results (and those of his wife) to a colleague in charge of carrying out organizational functions. Although it was not necessary to disclose data on his wife's results, it would be disproportionate to hold the complainant responsible for this fact, when it was the complainant himself who revealed the information in a voluntary, trusted environment amongst colleagues. It should also be noted that the complainant confirmed that he had carried out an access audit and confirmed that there had been no access to the complainant's data.

It resolves to admonise the Official College of Veterinaries of Barcelona, because of the violation of the principle of application, given that this entity transferred to a veterinary centre the deontological consultation that a passenger raised with the COVB, in relation to the care received at the aforementioned veterinary centre, without there being a legal basis legitimising the processing of the data of the current complainant.

The file of the complaint against the BCN IMSS is agreed to consult, in the Register of Deaths of the Ministry of Justice and the SEPE, data on whether the complainant is registered in the register of deaths and whether he or she is a beneficiary of unemployment benefits, since, final provision 7a of Law 2/2014, of 27 January, enables the competent administrations in the field of social services to consult on the remuneration received by the persons who are applicants for these services.

The file of the complaint against the BCN IMSS is agreed to consult, in the Register of Deaths of the Ministry of Justice and the SEPE, data on whether the complainant is registered in the register of deaths and whether he or she is a beneficiary of unemployment benefits, since, final provision 7a of Law 2/2014, of 27 January, enables the competent administrations in the field of social services to consult on the remuneration received by the persons who are applicants for these services.