Resolutions, opinions and reports search tool

The Public Health Agency of Catalonia communicated to the Labour Risk Prevention Services of the Catalan company in which it provides services denouncing the list of staff who did not have the complete pattern of vaccination against COVID-19. This communication was carried out within the framework of a vaccination campaign by the Health Department. In this respect, the communication in question does not contravene data protection regulations, insofar as both occupational risk prevention regulations and public health regulations empower health authorities to establish mechanisms for collaboration with the occupational risk prevention services of private companies.

A municipal watcher photographs a vehicle with which a traffic offence is allegedly committed, in which the image of the person sitting inside is shown.

It is appropriate to file the complaint insofar as the access to HC3, made during the year 2020, was justified because it was for welfare and epidemiological surveillance reasons. As regards the alleged undue access to HC3, carried out during the year 2019, it is appropriate to file the actions due to prescription.

The complainant explained that the Lleida City Council would have provided a third person (the new acquirer of a license) with the document relating to the "Joint declaration of change of ownership of activities", which would contain the personal data (name, surnames, address and number of DNI) of the complainant. However, since it has not been possible during the previous information phase to prove that the communication of personal data is attributable to the Lleida City Council, as the complainant stated, it is appropriate to archive the present complaint.

The complainant complained that the City Council had provided a neighbour of its building with a document containing his personal data. He also denounces the neighbor's lawyer for having exhibited this document in an oral hearing of a trial. As regards this second fact, the AEPD was transferred. As regards the reported fact against the City Council, RA is prepared on the basis of Article 48 and 52 LJCA, on the obligation to transfer a copy of the administrative file to the court by the requested administration. Since his neighbor had filed a judicial appeal, he had access to the file to formulate suit. This access is also provided for in Article 236 LOPJ quinquies.

The complainant complained that the City Council had revealed her data to a third party (a person who ran a bar and had called her to warn her that she would take a party). He does not provide any evidence or evidence to prove that his mobile phone was indeed revealed. RA is dictated by the lack of evidence to prove the communication of the complainant's mobile phone to the third person. In addition, both the City Council and the person who called her deny that it was the City Council that had provided the data.

There is no indication that the denounced City Council is the holder of the e-mail account from which a message was sent to certain local agents, criticising trade union behaviour. In this respect, it is also inappropriate to argue that the City Council has filtered information regarding corporate electronic addresses of members of the Police Corps, since, apart from the city council workers who may obviously have access to such corporate addresses, it cannot be ruled out that third parties have obtained this information by their own means (e.g., persons who have provided services to the City Council, or citizens who have related to these public employees).

It is decided to file the present complaint, given that the accused City Council and, in particular, the Chief Inspector of the Local Police, included references to the data on the person's health reporting - who holds the status of local agent - since these were necessary to resolve the desirability of initiating a disciplinary file against him, for alleged withdrawal from service on health grounds. Thus, this Authority concludes that the processing of controversial personal data was covered by Article 6.1e) - processing carried out in the exercise of public powers - and that the circumstances provided for in Article 9.2 (f) and g) GDPR, which lift the prohibition on processing health data in Article 9.1 (GDPR).

The complainant complains that they made him send medical documentation by email and that this would facilitate access to medical data by non-health administrative staff. RA is issued since this was an exceptional shipment since the patient requested urgent assistance by phone for the prescription of pain medication and since the last medical report was not yet included in the HC3, since the same one had been issued day at another medical center, he was asked to send it by e-mail in order to carry out the medical prescription. These emails are managed by the administrative staff entrusted with these functions and, moreover, management does not involve access to medical documentation; only if it becomes essential for the performance of its functions. Art. 16 Law 41/2022.

RA is being prepared because the complainant was the one who in a workplace revealed his or her COVID (and his/her) results to other partners. He did so for organisational purposes. At the same time, his boss communicated the results (and those of his wife) to a colleague in charge of carrying out organizational functions. Although it was not necessary to disclose data on his wife's results, it would be disproportionate to hold the complainant responsible for this fact, when it was the complainant himself who revealed the information in a voluntary, trusted environment amongst colleagues. It should also be noted that the complainant confirmed that he had carried out an access audit and confirmed that there had been no access to the complainant's data.