AEPD (Spain) - EXP202200999
Latest revision as of 13:10, 13 December 2023
| AEPD - PS-00204-2022 | |
|---|---|
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 6(1) GDPR, Article 12 GDPR, Article 15 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 15.12.2022 |
| Published: | |
| Fine: | 20.000 EUR |
| Parties: | Hospital Recoletas Ponferrada |
| National Case Number/Name: | PS-00204-2022 |
| European Case Law Identifier: | n/a |
| Appeal: | Not appealed |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | Michelle Ayora |
The Spanish DPA imposed a €16,000 fine on a hospital for a violation of Articles 6(1)(a), 12, and 15 GDPR. The consent request form had pre-ticked boxes and the hospital failed to grant access to a copy of that form in a timely manner.
English Summary
Facts
The data subject went to a hospital (the controller) for some health tests. They noticed that two boxes were pre-ticked when they had to read and consent to (parts of) the privacy notice. The first pre-ticked box referred to commercial communications, and the second one referred to the consent to disclose personal data regarding their stay at the hospital and their room number with third parties upon request.
Since it was an electronic consent form on a tablet, the data subject complained to the receptionist, who changed the settings and handed back the tablet, which allowed the data subject to tick the options as they wished. Later, the data subject complained in writing to the controller about the occurrence and requested a copy of the privacy notice they had signed, but did not receive it. Therefore, the data subject submitted a complaint to the Spanish DPA, which started an investigation and notified the controller of an alleged violation of Articles 6(1) and 15 in connection with Article 12 GDPR.
In its own defence, the controller claimed that the pre-ticked clause about commercial communications was indeed a human error: because of the long queues of patients waiting for their tests in the morning, the receptionists changed the settings to save time. Regarding the clause about communication of patients' personal data to third parties, the controller said that it did not apply to the data subject but to other patients who stayed at the hospital. The controller also stated that this processing was based on legitimate interest and had initially been conceived as an opt-out box, giving patients the option to object to it while the privacy policy was in paper format; when the form was moved to the electronic version on the tablet, the system presented it as a pre-ticked box. Additionally, the controller implemented measures, including staff training, to prevent such incidents in the future.
The controller submitted that the data subject's written complaint was addressed verbally the same day, and admitted that it was not treated as an access request. However, the controller sent a copy of the requested information once it was notified of the DPA's investigation.
Holding
The DPA noted that the lawfulness of the processing carried out by the controller for the management of the data subject's clinical history was covered by Article 6(1)(b) GDPR. However, for any other purpose, such as sharing personal data with third parties or commercial purposes, the controller needed another legal basis, for example consent.
The DPA recalled that when processing is based on consent under Article 6(1)(a) GDPR, the consent must meet the requirements of, among others, Article 7 GDPR. The DPA observed deficiencies regarding the consent request and referred to Article 7 GDPR and Recital 32 GDPR. Specifically, the use of pre-ticked boxes rendered consent invalid, resulting in a lack of legal basis under Article 6(1) GDPR. Therefore, the DPA held that the controller unlawfully processed data for third-party sharing and commercial purposes.
Regarding the right of access, the DPA cited Recital 63 and Articles 15 and 12 GDPR to conclude that the written complaint submitted by the data subject to the controller expressly stated that they were requesting access to a copy of the privacy policy signed on the tablet. However, the controller only provided the copy after the DPA started an investigation. Therefore, the access request was not processed in a timely manner, in violation of Articles 12 and 15 GDPR.
The DPA initially imposed two fines of €10,000 each for the violation of Articles 6(1) and 15 in connection with Article 12 GDPR. The fine was reduced to €16,000 in total since the controller benefited from one reduction for acceptance of guilt and another for voluntary payment of the fine.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: EXP202200999

RESOLUTION OF TERMINATION OF THE PROCEDURE BY VOLUNTARY PAYMENT

Of the procedure instructed by the Spanish Data Protection Agency and based on the following

BACKGROUND

FIRST: On June 20, 2022, the Director of the Spanish Data Protection Agency agreed to initiate sanction proceedings against HOSPITAL RECOLETAS PONFERRADA, S.L. (hereinafter the claimed party). Once the initiation agreement had been notified and after analysing the allegations presented, on July 20, 2022, the resolution proposal that is transcribed below was issued:

<< Procedure No.: PS/00204/2021 (EXP202200999)

PROPOSED RESOLUTION OF SANCTION PROCEDURE

Of the actions carried out by the Spanish Data Protection Agency before the entity HOSPITAL RECOLETAS PONFERRADA, S.L., with CIF B47767793 (hereinafter "the claimed party"), based on the brief presented by D.A.A.A., for the alleged violation of data protection regulations: Regulation (EU) 2016/679 of the European Parliament and of the Council of 04/27/16 on the Protection of Natural Persons with regard to the Processing of Personal Data and the Free Movement of such Data (GDPR) and Organic Law 3/2018 of December 5 on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), and considering the following:

BACKGROUND:

FIRST: On 01/10/22, a document was submitted by the complaining party in which it indicated, among other things, that:

"FIRST.- On 12/07/21 I went to the Recoletas Clinic to have some scheduled analyses.
When my turn came I showed the flyer and they asked me for the insurance card to manage the service; after that they gave me the tablet and said "you have to sign this data protection document to be able to process the information". I took the electronic device and began to read it and I told him, "I do not agree with points 2 and 3 of the form that you have marked (one was to share my information with third-party companies and the other to receive propaganda)"; the clinic employee told me: "then we cannot assist you, without your signature nothing can be managed". I reminded him that I did not refuse to sign the document but rather the items marked by them; I would sign ONLY with the first item that said "I authorize the clinic to manage my personal data…" (I am paraphrasing the document because I never received a copy). Then she did something on the tablet and handed it back to me, and at that moment all the items appeared unlocked and I could mark those that I deemed appropriate, after which I signed with my signature. Finally the nurse appeared in the emergency room and I went with her to do the analyses. After leaving there I filled out the claim that appears in this same document and which I also attach separately. In this claim I also stated, once more, that no one had provided me with a copy of what I had signed, nor any way to access what I had signed as required by law (the justification of which is attached as Doc. No. 1).

C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es

SECOND.- At the Clinic I asked to speak with management to state my discomfort with everything that happened, but that day there was no one, and they offered me the option of filing a claim, assuring me that a manager would call me that week.
The RECOLETAS network manager asked me for an email indicating the Center where I had had the bad experience; after I told him, that same afternoon (December 15) a manager of the Clinic contacted me to apologize and assure me that he had spoken with the person responsible for what had happened, who had confirmed that they always filled in the data because people were older, and he told me that indeed this was illegal and was not going to be repeated and that he would answer my written claim in writing. The response arrived on January 7 and is the one attached to this document and in a separate file. Despite saying so in the claim, they still have not given me the copy of the sheet that I signed that day nor any means to access it."

Along with the previous letter, the following documentation is provided:

- Copy of the claim form (No. 00XX) filed with the Clinic, stamped and dated 12/07/21, where, among other things, it denounces the same facts set out before this Agency and indicated above and where, in addition, it states the following to the management of the center: "(...) they have not provided me with the signed document as established by law."

- Copy of the brief in response to claim No. 00XX, dated 01/03/22, where the Clinic informs the claimant in the following terms: "I am writing to you in response to your complaint letter with registration number 0XX, with date of entry into our Patient Care Service of December 7, 2021, in which you express your discomfort at the inconvenience derived from having to sign the Data Protection Law document. We are deeply sorry for the incident and thank you for your claim, which allows us to review the hospital's compliance with the data protection regulations. Our clauses never appear pre-marked, although by mistake the admissions staff marked them instead of explaining the options so that they could be marked by you as required by law.
We inform you that we have reminded our staff that they may not mark the clauses and that they must inform patients of the options that exist each time a data protection clause is signed. We hope you will come back soon and see for yourself that the clauses are not pre-marked. We are at your disposal for any questions or to expand the information on your claim."

SECOND: On 02/08/22, this Agency transferred the claim to the claimed party so that it could respond to it, in accordance with the provisions of article 65.4 of the LOPDGDD. The notification attempts resulted in the following:

- According to the certificate of the Electronic Notifications and Electronic Address Service, the shipment made to the claimed entity on 02/08/22 through the electronic notification service "NOTIFIC@" was accepted at destination the same day, 02/08/22, the recipient being: (...) - B.B.B..

THIRD: On 04/10/22, the Director of the Spanish Data Protection Agency issued an agreement admitting for processing the claim presented by the claimant, in accordance with article 65 of the LOPDGDD, no response having been received to the requests made by this Agency.

FOURTH: On 06/20/22, the Director of the Spanish Data Protection Agency signed the initiation of this disciplinary procedure against the claimed entity, on finding reasonable indications of a violation of article 6.1 GDPR, due to the deficiencies detected when obtaining the consent of patients for the subsequent processing of their personal data, imposing an initial sanction of €10,000; and of a violation of article 15 GDPR, with respect to article 12 of the same Regulation, for not providing the claimant with access to the data protection document signed on the tablet, imposing an initial penalty of €10,000.
FIFTH: On 07/13/22, the respondent entity formulated, in summary, the following allegations to the initiation of the file:

"On 12/07/21 the patient came to the center first thing in the morning to carry out some analyses, a time at which long queues form of patients who come to the hospital for fasting clinical tests, together with the rest of the patients who attend consultations, scheduled surgeries, etc. The admission employees, given the large influx of patients, in the context of the current pandemic, and the concern to dissolve said queue and ensure compliance with the security measures to avoid contagion, decided at that moment, to speed up the queue, to pre-check the patients' boxes, something that should never have happened. You can see in Doc. 2, the response to the patient, the content of the boxes of the clause existing that day that may or may not be checked:

- I consent to the processing of my personal data
- I consent to the sending of commercial communications by email about activities, events or services provided that may be of interest to you.
- I authorize the provision of information, in person or by telephone, to third parties who request it, only in relation to my stay in the center, as well as the room number. Hospital Recoletas Ponferrada S.L. - CIF: B-47767793, registered in the Mercantile Registry of Valladolid, Volume: 1,521; Folio: 111, Sheet: VA-29098, inscription 1

The first box is essential, since if the patients do not consent, their data cannot be processed. Regarding the second box, the consent for the sending of commercial communications, there was a human error when adapting the signature box on tablets. The basis of legitimacy of this purpose is legitimate interest, protected by an impact assessment prior to its implementation in our informative clauses.
Therefore, in the paper clause format that was implemented there was a negative box which, if checked by the patients, meant that the sending of these communications was refused. However, when said clause was transcribed to the tablet, by mistake the box became positive, not matching the contemplated legitimation basis. On observing this incident, the decision was made to modify the basis of legitimacy of this purpose, which, as of the end of March 2022, has become consent. The admissions staff knew that this purpose was originally based on legitimate interest and that the box was therefore negative in our data protection clause on paper. The last box, as can be seen, applies to patients in case of admission to the hospital, to give information to third parties, never to third-party companies; it is a clause that was included so that patients can decide whether they want us to give their room number or information about their status to relatives, friends or related people. Checking this box does not apply to the service provided to this patient because it is outpatient; in case of hospital admission the procedure is always to ask the patient again about this point.

After signing the document, the patient did not request a copy of the signed informative clause for patients, because if he had done so, it would have been delivered. The patient, that same day, December 7, 2021, filed a claim which was resolved by the manager of the center in a timely manner. Prior to the written response, the patient had a conversation with the manager about the claim filed, in which a verbal response was given to the claim, without the patient stating in it that what he wanted was a copy of what was signed, which is why no need was seen to include that information in the answer; otherwise, without a doubt, the data protection sheet would have been attached.
On February 8, notification was received from the AEPD in which the claim filed by the patient was transferred to us and the AEPD asked us for more information. As observed in Doc. 4, which should have been sent to the AEPD on March 8, 2022 and was not registered due to a failure of the computer systems, from the moment the claim was received we began to implement all kinds of measures and controls to ensure that nothing similar happens again.

THIRD.- OBTAINING CONSENT

At the time of the event, as reported to the patient in the data protection clause, there were two bases of legitimacy for the processing:

- The management of the requested medical service as the basis of legitimation for the processing of health data. In this sense, although a checkbox is included to reinforce the fact that the patient is aware that we are processing their data, the basis of legitimation is the one contained in Article 6.1.b) of the GDPR.
- The legitimate interest in sending commercial communications on the requested medical service. Therefore, the basis of legitimacy is the one contained in article 6.1.f) of the GDPR. The GDPR also defines this in Recital 47 with the following wording (...).

Notwithstanding the foregoing, and despite the unfortunate incident that occurred, the claimant had the opportunity to read the data protection clause and be informed of the way in which Grupo Recoletas processes their data.

FOURTH.- COMPLIANCE WITH THE PROVISIONS OF ART. 15 GDPR.

In relation to the second legal basis in point IV, "on the management of the access request made by the claimant", we refer to documents No. 2 and 3 attached to this claim to prove that, after the claim filed with the AEPD, the requested information was transferred in compliance with art. 15 GDPR. Regarding art. 12 GDPR, as explained in the response to the AEPD which is attached as Doc. 4, the information made available to the interested party at the time of signing complies with the requirements of art. 13 GDPR. Lastly, regarding the response to the claim filed by the data subject on December 7, 2021 at the Hospital, as has been mentioned, it was not treated as a right of access but as a complaint, answering the patient both verbally and in writing, understanding that we were responding to his requests.

FIFTH.- THE MEASURES ADOPTED

Once what happened was learned, and in compliance with the principle of proactive responsibility, the following measures were implemented:

- Training: After analysing the incident that occurred, it was decided that the best way to fix it for the future is staff training. In this sense, all the Clinic staff were sent the training documentation so that they could read it, and a face-to-face training session was held at the Clinic from 2:30 p.m. to 3:30 p.m. The attendance control sheet for said training is attached as Doc. 6.
- Review of the procedures: it has been verified in situ that the procedure currently followed is adapted to the provisions of the Regulation regarding the way to obtain the consent of the interested parties.
- Random control: Several consents were checked at random to see whether or not all the clauses were checked, and it was observed that the same boxes were not always checked by patients on the same day.
- Creation of a standard procedure: an internal, standardized procedure has been written for Grupo Recoletas admissions personnel which includes the details of the way in which the admissions staff must treat the data, request consent and collect information. The procedure is attached as Doc. 7.
- Adaptation of the data protection clause: It has been decided to modify the basis of legitimacy for the processing of data for the purpose of sending commercial communications. The change in the basis of legitimation of this purpose is motivated by the change of instrument for obtaining consent.
Initially the informative data protection clauses were signed on paper and in each section the pertinent boxes were included, so that the patient read the paragraph and decided whether or not to check the box. For the purpose of commercial communications the box was negative (if it was not marked, it was tacitly accepted based on legitimate interest). When tablets were introduced, the boxes had to be included at the end, all together; in this way, when adapting the clauses to the tablet, the box remained affirmative but the legitimation continued as legitimate interest. Finally, aware of this issue, it has been decided to modify the basis of legitimation of this purpose to express consent. Since it has been verified that the clause that appears on the tablet requests express consent (and not a basis in legitimate interest) for the processing of the data for the purpose of carrying out commercial communications, the legitimacy of the processing and the wording of that purpose have been changed, the basis of legitimacy of said clause being the consent of the interested party. The current data protection clause is attached as Doc. 8.
- Response to the interested party: As already mentioned, the interested party has been replied to by sending the signed data protection clause; the answer corresponds to Doc. 2.

SIXTH.- THE PROPOSED SANCTION

In accordance with all of the above, we understand that Grupo Recoletas has at all times had a proactive attitude focused on eliminating any risk that may occur in the processing of the data of the interested parties. In this sense, we understand that there is no place for the proposed sanctions, since the precepts of articles 6.1 and 15 GDPR have not been breached.
Notwithstanding the foregoing, if the AEPD does interpret that there is an infraction, the following points of article 83 GDPR would be applicable as mitigating factors:

c) any measure taken by the controller or processor to alleviate the damages and losses suffered by the interested parties; we refer to the measures set out in the previous section.

e) any previous infringement committed by the controller or processor; there is a lack of previous sanctions against Hospital Recoletas Ponferrada, S.L.

k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as the financial benefits obtained or the losses avoided, directly or indirectly, through the infringement. In the absence of financial benefits obtained or losses avoided, at Grupo Recoletas we try to be very scrupulous in complying with the data protection regulations, since otherwise, apart from possible sanctions, it implies a deterioration of our brand image at a reputational level, with the loss of customers that this may entail.

Article 83.1 GDPR establishes the following: "Each supervisory authority shall ensure that the imposition of administrative fines in accordance with this article for the violations of this Regulation indicated in paragraphs 4, 5 and 6 is in each individual case effective, proportionate and dissuasive"."

PROVEN FACTS

First: According to the claimant, when he went to the Recoletas Clinic to have some analyses, at the reception they gave him a tablet to sign the data protection document, and he noticed that the boxes on the form were pre-ticked on the accepted option. When he refused to accept points 2 and 3 of the form, the receptionist did something on the tablet and passed it to him again with the items unchecked, so that the patient was then able to mark those he considered appropriate.
These facts were corroborated by the Clinic in the letter sent to the claimant in response to the claim filed (No. 00XX), where it informs him, regarding the pre-marked boxes, of the following: "(...) Our clauses never appear pre-marked, although the admissions staff mistakenly marked them instead of explaining the options so that they were marked by you as established by law (…)".

Second: The claimant provides, together with the document submitted to this Agency, a copy of the aforementioned claim form (No. 00XX) that he filed with the Clinic, stamped with the date 12/07/21, where, in addition to reporting the facts set forth in the first section, he indicates the following to the Center's Management: "(...) they have not provided me with the document signed as required by law."

Third: In the written response to the claim submitted by the claimant to the Clinic, in addition to apologizing for the events that occurred and recognizing that the boxes were pre-ticked on a specific occasion due to an error by the reception staff, they informed him that they had given an order to the staff not to pre-check the boxes again before offering the tablet to patients. But at no time is the patient informed about his request to access the document signed on the tablet.

Fourth: In the brief of allegations presented by the Clinic at the initiation of this disciplinary procedure, it indicates that the following measures have been implemented so that the events indicated in the previous points do not happen again, providing the following documentation:

- Training on data protection procedures. The attendance control sheet for said training is attached as Doc. 6.
- Review of the procedures: it has been verified in situ that the procedure currently followed is adapted to the provisions of the Regulation regarding the way to obtain the consent of the interested parties.
- Random control: Several consents were checked at random to see whether or not all the clauses were checked, and it was observed that the same boxes were not always marked by the patients on the same day.
- Creation of a standard procedure: an internal, standardized procedure has been written for Grupo Recoletas admissions personnel which includes the details of the way in which the admissions staff must treat the data, request consent and collect information. The procedure is attached as Doc. 7.
- Adaptation of the data protection clause: It has been decided to modify the basis of legitimacy for the processing of data for the purpose of sending commercial communications. The current data protection clause is attached as Doc. 8.
- Reply to the interested party, sending the signed data protection clause; the answer corresponds to Doc. 2.

FUNDAMENTALS OF LAW

I.- Competence

The Director of the Spanish Data Protection Agency is competent by virtue of the powers established in Article 58.2 of the GDPR and the LOPDGDD.

II.- On the deficiencies observed in obtaining the consent of the patients.

On the lawfulness of the processing of personal data, recital (40) GDPR indicates that: "For processing to be lawful, personal data must be processed with the consent of the interested party or on some other legitimate basis established in accordance with law, either in this Regulation or by virtue of another law of the Union or of the Member States referred to in this Regulation, including the need to comply with a legal obligation applicable to the controller or the need to perform a contract to which the interested party is a party or in order to take measures at the request of the interested party prior to the conclusion of a contract."

In application of this, article 6.1 of the GDPR establishes the following on the lawfulness of the processing of personal data obtained from users:

"1. The processing will only be lawful if at least one of the following conditions is fulfilled: a) the interested party gave his consent for the processing of his personal data for one or more specific purposes; b) the processing is necessary for the performance of a contract to which the interested party is a party or for the application at his request of pre-contractual measures; c) the processing is necessary for compliance with a legal obligation applicable to the data controller; d) the processing is necessary to protect the vital interests of the data subject or of another natural person; e) the processing is necessary for the fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred on the data controller; f) the processing is necessary for the satisfaction of legitimate interests pursued by the data controller or by a third party, provided that such interests are not overridden by the interests or the rights and freedoms of the interested party that require the protection of personal data, in particular when the interested party is a child."

In the present case, the lawfulness of the processing of personal data carried out by the Clinic for the management of the claimant's clinical history is covered by point b) of Article 6.1 GDPR: "b) the processing is necessary for the execution of a contract to which the interested party is a party (…)". But any other purpose for which the personal data obtained is intended to be used must be covered by some other point of the aforementioned article 6.1 GDPR, if it does not fit in section b). Therefore, in our case, when the Clinic intends to use personal data to transfer them to third parties or to send commercial communications, it requests the consent of the affected party through the boxes in the form to be signed at the Clinic reception.
However, what the claimant denounces is that when he went to sign the document accepting the privacy policy, he found that the boxes corresponding to consent to transfer personal data to other companies and to receive commercial communications were already marked "I accept".

In this case, when the processing of personal data is based on the consent of the interested party, article 7 of the GDPR establishes the following:

"1. When the processing is based on the consent of the interested party, the controller must be able to demonstrate that he consented to the processing of his personal data.
2. If the consent of the interested party is given in the context of a written statement that also refers to other matters, the request for consent will be presented in such a way that it is clearly distinguished from the other matters, in an intelligible and easily accessible form and using clear and simple language. No part of the statement that constitutes a breach of this Regulation shall be binding.
3. The interested party will have the right to withdraw their consent at any moment. The withdrawal of consent will not affect the lawfulness of the processing based on consent prior to its withdrawal. Before giving consent, the interested party will be informed of this. It shall be as easy to withdraw consent as to give it.
4. When evaluating whether consent has been freely given, the greatest possible account shall be taken of whether, among other things, the execution of a contract, including the provision of a service, is subject to consent to the processing of personal data that is not necessary for the execution of said contract."
Regarding the way to obtain said consent, recital (32) GDPR provides that it "must be given by a clear affirmative act that reflects a manifestation of the free, specific, informed and unequivocal will of the interested party to accept the processing of personal data concerning them" and that "silence, pre-ticked boxes or inaction should not constitute consent". Likewise, consent is required to be granted "for all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent must be given for all of them". Finally, it establishes that "if the consent of the interested party has to be given as a result of a request by electronic means, the request must be clear, concise and not unnecessarily disrupt the use of the service for which it is provided".

Therefore, the fact that the controller of the processing of the personal data obtained from the patients of the Clinic obtains their consent through a form where the boxes for the purposes for which the data will be used, apart from the management of the patient's clinical history, are already marked "I accept" could constitute a violation of article 6.1 of the GDPR.

Notwithstanding the foregoing, the Clinic management recognizes that the boxes were pre-marked on a specific occasion due to an error by the reception staff, who pre-checked the boxes before offering the tablet to the patient for signature, and that they had ordered the staff not to do it again; and although measures have been implemented so that this does not happen again in the future, this action does not in itself reduce the prejudice suffered by the patient, since the only thing that has occurred is the action required by the norm, and for the future.
Nor is mitigation available under Article 83(2)(e) ("any relevant previous infringements by the controller or processor"), since that provision would only apply as an aggravating circumstance where the entity had previously committed other similar infringements. Accordingly, the following is set out:

II.- On the handling of the access request made by the complainant.

Regarding the right of access of data subjects to their personal data, recital 63 GDPR indicates that: "A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing. This includes the right for data subjects to have access to data concerning their health, for example the data in their medical records containing information such as diagnoses, examination results, assessments by treating physicians and any treatment or interventions provided. Every data subject should therefore have the right to know and obtain communication in particular with regard to the purposes for which the personal data are processed, where possible the period for which the personal data are processed, the recipients of the personal data, the logic involved in any automatic personal data processing and, at least when based on profiling, the consequences of such processing. Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data. That right should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software. However, the result of those considerations should not be a refusal to provide all information to the data subject.
Where the controller processes a large quantity of information concerning the data subject, the controller should be able to request that, before the information is delivered, the data subject specify the information or processing activities to which the request relates."

In this sense, Article 15 GDPR establishes the following:

"1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
(e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
(f) the right to lodge a complaint with a supervisory authority;
(g) where the personal data are not collected from the data subject, any available information as to their source;
(h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

2. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.

3. The controller shall provide a copy of the personal data undergoing processing.
For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.

4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others."

Likewise, Article 12 GDPR establishes that:

"1. The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.

2. The controller shall facilitate the exercise of data subject rights under Articles 15 to 22. In the cases referred to in Article 11(2), the controller shall not refuse to act on the request of the data subject for exercising his or her rights under Articles 15 to 22, unless the controller demonstrates that it is not in a position to identify the data subject.

3. The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests.
The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.

4. If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy. (…)"

In the present case, it has been verified that in the written submission the complainant filed with the Clinic's management he stated verbatim that he had "not received the data protection document signed on the tablet", but the reply from the Clinic's management makes no reference to this complaint or to this fact at any point, nor is the said information provided. Faced with this, the Clinic states in its pleadings against the initiation of this sanctioning procedure that: "(...) we refer to documents No. 2 and 3 attached to this submission to prove that, after the complaint was filed with the AEPD, the information requested was transferred in compliance with Art. 15 GDPR", on the basis of the requirement set out by this Agency, in the document initiating this procedure, as to the measure to be adopted by the respondent; and that, as regards the response to the complaint filed by the data subject on 7 December 2021 at the Hospital, "(...) it was not treated as a right of access but rather as a complaint, answering the patient both verbally and in writing in the understanding that their requirements were being responded to."
Therefore, according to the available evidence, after analysing the documents provided by the respondent entity, it is verified that the complainant's right of access was addressed only after the complaint was filed with the AEPD; but this action does not in itself reduce the harm suffered by the individual concerned, since the only thing that has taken place is the action required by law. Nor is mitigation available under Article 83(2)(e) ("any relevant previous infringements by the controller or processor"), since that provision would only apply as an aggravating circumstance where the entity had previously committed other similar infringements. Accordingly, the following is issued:

PROPOSED RESOLUTION

FIRST: That the Director of the Spanish Data Protection Agency sanction the entity HOSPITAL RECOLETAS PONFERRADA, S.L., with CIF B47767793, for infringement of Article 6(1) GDPR, with respect to the deficiencies detected in obtaining the consent of patients, in accordance with Articles 63 and 64 of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations (LPACAP), imposing a fine of 10,000 euros.

SECOND: That the Director of the Spanish Data Protection Agency sanction the entity HOSPITAL RECOLETAS PONFERRADA, S.L., with CIF B47767793, for infringement of Article 15 GDPR, in relation to Article 12 of the same Regulation, in accordance with Articles 63 and 64 of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations (LPACAP), imposing a fine of 10,000 euros.

By virtue of the foregoing, you are notified of the above and the procedure is made available to you so that, within ten working days, you may submit whatever arguments you consider appropriate in your defence and present the documents and information you deem pertinent, in accordance with Article 89(2) in relation to Art.
82(2) of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations.

C.C.C.
THE PROCEDURE INSTRUCTOR

List of documents on file in Procedure PS/00204/2022. The list of documents on file in the procedure is notified so that you may obtain copies of those you deem appropriate, by appointment:
1. Complaint and documentation.
2. Request and reports.
3. Agreement to initiate the sanctioning procedure.
4. Pleadings against the initiation agreement and attached documents.
5. Opening of the evidence period, notification to the accused.>>

SECOND: On 31 October 2022, the respondent paid the fine in the amount of 16,000 euros, making use of the reduction provided for in the proposed resolution transcribed above.

THIRD: The payment made entails the waiver of any action or appeal against the sanction in relation to the facts referred to in the proposed resolution.

LEGAL GROUNDS

I. Competence

In accordance with the powers that Article 58(2) of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR) grants each supervisory authority, and as established in Articles 47, 48(1), 64(2) and 68(1) of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, Article 63(2) LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, by this organic law, by the regulatory provisions issued in its implementation and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."
II. Termination of the procedure

Article 85 of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), under the heading "Termination in sanctioning proceedings", provides the following:

"1. Once a sanctioning procedure has been initiated, if the offender acknowledges his responsibility, the procedure may be resolved with the imposition of the appropriate sanction.

2. When the sanction is solely pecuniary in nature, or when it is possible to impose a pecuniary sanction and another of a non-pecuniary nature but the inappropriateness of the second has been justified, voluntary payment by the presumed offender at any time prior to the resolution shall imply the termination of the procedure, except as regards the restoration of the altered situation or the determination of compensation for the damage caused by the commission of the offence.

3. In both cases, when the sanction is solely pecuniary in nature, the body competent to resolve the procedure shall apply reductions of at least 20% of the amount of the proposed sanction, these being cumulative with one another. The aforementioned reductions must be determined in the notification of initiation of the procedure, and their effectiveness shall be conditional on the withdrawal of, or waiver of, any administrative action or appeal against the sanction. The percentage reduction provided for in this paragraph may be increased by regulation."

In accordance with the above, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: TO DECLARE the termination of procedure EXP202200999, in accordance with Article 85 LPACAP.

SECOND: TO NOTIFY this resolution to HOSPITAL RECOLETAS PONFERRADA, S.L.

In accordance with Article 50 LOPDGDD, this Resolution shall be made public once the interested parties have been notified.

Against this resolution, which puts an end to the administrative procedure pursuant to Art.
114(1)(c) of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations, the interested parties may file a contentious-administrative appeal before the Contentious-Administrative Chamber of the Audiencia Nacional, in accordance with Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998, of 13 July, regulating the Contentious-Administrative Jurisdiction, within two months from the day following notification of this act, as provided for in Article 46(1) of the said Law.

968-171022

Mar España Martí
Director of the Spanish Data Protection Agency