Resolutions, opinions and reports search tool

The person in charge of the treatment must implement the appropriate measures to ensure that the conversations held between their staff and the patients cannot be heard by unauthorized third parties. It is necessary to carry out a risk analysis to determine the applicable security measures.

The CTTI, in its capacity as processor, did not implement adequate security measures to guarantee the personal data it processed on behalf of the controller (Dept EDU). This allowed a student, when making a telematic pre-enrolment at a given training, to display the data of a third party on screen.

The complaint is shelved, while the Department's communication of the personnel directory to union delegates is covered by data protection regulations. The subsequent use or processing of data by trade union organizations or union delegates is not covered by the APDCAT's scope of competence.

The hospital could communicate pseudonymized data relating to the health of patients treated with medicines for compassionate use in the pharmaceutical laboratory that facilitates the drug for clinical research purposes (Article 9.2.j) GDPR and paragraph 2.d) of DA 17a LOPDGDD) on the basis of the legitimate interest pursued by the laboratory.

The data protection regulations do not prevent access to information relating to the call and the bases of the selective processes carried out by the City Council, the rest of the acts of the processes subject to publication and, in particular, to the results of the called processes. Now, taking into consideration the circumstances that come together in the particular case, from the point of view of the general purpose of transparency, access to the tests carried out by the candidates in each of the selective processes, nor to the contracts of formalized work

Dept. EDU, as the controller of the treatment, did not enforce the right of information when it collected the data of the relatives or legal tutors of the pupils attended at the UEC Girona of the Oscobe Foundation.

To determine that we are dealing with positions of special responsibility, we need to address the uniqueness of the workplace according to the functions attributed to it, the hierarchical dependency, the command functions that it has, its form of provision, etc., in accordance with the civil service regulations and the configuration of the workplace that the corresponding public entity makes. In order to determine whether a job has a high level of remuneration, consideration must be given to the salaries established for the different jobs within the public entity where it is located. In any case, in the weighting provided for in Article 24.2 of LTC both circumstances must be assessed jointly and not in isolation. Data protection regulations would not prevent access to the remuneration received and the situation of having requested or having the so-called age licence with regard to officials in Parliament who hold posts of lawyer or financial controller when they hold the posts of secretary-general, major lawyer, auditor of accounts or with regard to those in positions of trust, special responsibility or free designation of the organisation. From the point of view of data protection regulations, the resolution recognising the journalist's right of access must warn that the subsequent processing of the information obtained must respect data protection rules, but this does not exclude the freedom of information from the dissemination of certain information. The right of access to information is not limited in time. In this case, the degree of interference for the affected persons tends to be lower if it refers to periods beyond the last five years.

One entity is sanctioned, absorbing another, within the framework of the provision of a health monitoring service. He sent citation emails to various workers who mistakenly contained data from other workers.

A private entity is sanctioned for having entrusted the management of the medical check appointments of workers to another entity without having formalised the contract of sub-responsor of the treatment, and without having requested the controller to authorise the sub-response of the treatment.