AEPD (Spain) - TD/00261/2020: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=R/001...") |
m (Ar moved page AEPD - R/00101/2021 to AEPD (Spain) - TD/00261/2020) |
||
(2 intermediate revisions by 2 users not shown) | |||
Line 54: | Line 54: | ||
}} | }} | ||
The Spanish DPA (AEPD) admitted a claim against Asturias Healthcare System for not | The Spanish DPA (AEPD) admitted a claim against the Asturias Healthcare System for not attending a data subject's access request to medical data. | ||
== English Summary == | ==English Summary== | ||
=== Facts === | ===Facts=== | ||
Due to formal reasons, the Spanish Data Protection Authority (AEPD) decided to admit a claim against Asturias Healthcare System (the controller) for not satisfying a data subject's access request to medical records of data subject’s deceased mother, but without any economic fine nor warning, because, during the AEPD's investigation process, such right of access was finally fulfilled by the public administration. | Due to formal reasons, the Spanish Data Protection Authority (AEPD) decided to admit a claim against Asturias Healthcare System (the controller) for not satisfying a data subject's access request to medical records of data subject’s deceased mother, but without any economic fine nor warning, because, during the AEPD's investigation process, such right of access was finally fulfilled by the public administration. | ||
=== Dispute === | ===Dispute=== | ||
Might be a request of access considered as duly fulfilled by the controller when it was not attended in due time and proper course? | Might be a request of access considered as duly fulfilled by the controller when it was not attended in due time and proper course? | ||
=== Holding === | ===Holding=== | ||
The Spanish DPA held that the access request was properly fulfilled, in spite of being properly attended after claim admission, so it decided not to impose any fine nor warning to the defendant. | The Spanish DPA held that the access request was properly fulfilled, in spite of being properly attended after claim admission, so it decided not to impose any fine nor warning to the defendant. | ||
== Comment == | ==Comment== | ||
''Share your comments here!'' | ''Share your comments here!'' | ||
== Further Resources == | ==Further Resources== | ||
''Share blogs or news articles here!'' | ''Share blogs or news articles here!'' | ||
== English Machine Translation of the Decision == | ==English Machine Translation of the Decision== | ||
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details. | The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details. | ||
Latest revision as of 14:46, 13 December 2023
AEPD - R/00101/2021 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 12 GDPR Article 15 GDPR Law 41/2002, of November 14, Basic regulating patient autonomy and rights and obligations in terms of information and clinical documentation Law 3/2018, 0f 5 December 2018, on the Protection of Personal Data and Guarantee of Digital Rights |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | 22.03.2021 |
Fine: | None |
Parties: | Asturias Healthcare System |
National Case Number/Name: | R/00101/2021 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Oscar Jacobo Bacelo |
The Spanish DPA (AEPD) admitted a claim against the Asturias Healthcare System for not attending a data subject's access request to medical data.
English Summary
Facts
Due to formal reasons, the Spanish Data Protection Authority (AEPD) decided to admit a claim against Asturias Healthcare System (the controller) for not satisfying a data subject's access request to medical records of data subject’s deceased mother, but without any economic fine nor warning, because, during the AEPD's investigation process, such right of access was finally fulfilled by the public administration.
Dispute
Might be a request of access considered as duly fulfilled by the controller when it was not attended in due time and proper course?
Holding
The Spanish DPA held that the access request was properly fulfilled, in spite of being properly attended after claim admission, so it decided not to impose any fine nor warning to the defendant.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/8 File Nº: TD / 00261/2020 RESOLUTION NO: R / 00101/2021 Considering the claim made on July 27, 2020 before this Agency by Ms. A.A.A. , against the HEALTH SERVICE OF THE PRINCIPALITY OF ASTURIAS, for not having been duly attended to your right of access. The procedural actions provided for in Title VIII of the Law have been carried out. Organic 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), the following have been verified FACTS FIRST: On October 19, 2019, January 29 and March 5, 2020, Ms. A.A.A. (hereinafter, the complaining party) exercised the right of access to the record complete information of his deceased mother in front of the HEALTH SERVICE OF THE PRINCIPALITY DE ASTURIAS with NIF Q8350064E (hereinafter, the claimed one), without your request has received the legally established reply. The complaining party provides various documentation related to the claim made before this Agency and on the exercise of the right exercised. SECOND: In accordance with the functions provided for in Regulation (EU) 2016/679, of April 27, 2016, General Data Protection (RGPD), particularly those that respond to the principles of transparency and responsibility proactively by the data controller, it has been required to inform this Agency of the actions that have been carried out to address the claim raised, without receiving a response within the term conferred by this Agency. Once the procedure provided for in article 65.4 of the LOPDGDD had been completed, the the claim was processed and the claimed entity was granted a hearing procedure, to that within a period of fifteen business days it present the allegations it deems In summary, the following considerations have been formulated: The defendant manifests in the allegations made during the processing of the present procedure that, on all occasions, they were notified to collect the requested information. That the complaining party residing in England has been contacted, to indicate which report could have been pending, sending the information required from the brother, on November 25, 2020. Documentation of such extreme is attached. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/8 THIRD: After examining the allegations presented by the respondent, they are subject to transfer to the complaining party, so that, within fifteen business days, it can formulate allegations that it deems appropriate: On December 28, 2020, this Agency, through postal notification, put at the disposal of the complaining party the allegations presented by the person in charge, so that within fifteen days the allegations that consider appropriate, without receiving a response. FOUNDATIONS OF LAW FIRST: The Director of the Spanish Agency for Data Protection, in accordance with the provisions of section 2 of article 56 in in relation to paragraph 1 f) of article 57, both of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and the free circulation of these data (hereinafter, GDPR); and in article 47 of the Law Organic 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD). SECOND: Article 64.1 of the LOPDGDD, provides that: "one. When the procedure refers exclusively to the lack of attention of a request to exercise the rights established in articles 15 to 22 of the Regulation (EU) 2016/679, will start by agreement of admission for processing, which will be adopt in accordance with the provisions of the following article. In this case, the term to resolve the procedure will be six months from from the date the claimant was notified of the admission agreement to Procedure. After this period, the interested party may consider their claim." In the present case, the claim of the interested party was accepted for processing, giving rise to the opening of this administrative procedure, regulated in the previous article aforementioned, which is intended to ensure, if appropriate, the attention of the request of exercise of rights formulated. The purging of administrative responsibilities in the framework of the of a sanctioning procedure, the exceptional nature of which implies that - provided that possible- opt for the prevalence of alternative mechanisms that have protection ro in current regulations. It is the exclusive competence of this Agency to assess whether there are responsibilities administrative procedures that must be purged in a sanctioning procedure and, in Consequently, the decision on its opening, there being no obligation to initiate a procedure before any request made by a third party. Such a decision must be based on the existence of elements that justify said start of the activity sanctioning, circumstances that do not concur in the present case, considering that, in view of the actions carried out, with the present procedure the guarantees and rights of the affected party are duly restored. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/8 THIRD: Article 12 of Regulation (EU) 2016/679, of April 27, 2016, General Data Protection (RGPD), provides that: "one. The person responsible for the treatment will take the appropriate measures to facilitate the interested party all information indicated in articles 13 and 14, as well as any communication in accordance with articles 15 to 22 and 34 regarding the treatment, in the form concise, transparent, intelligible and easily accessible, with a clear and simple language, in particular any information directed specifically to a child. Information will be provided in writing or by other means, including, if applicable, by means electronic When requested by the interested party, the information may be provided verbally provided that the identity of the interested party is proven by other means. 2. The person responsible for the treatment will facilitate the exercise of their rights to the interested party. by virtue of articles 15 to 22. In the cases referred to in article 11, paragraph 2, the person in charge will not refuse to act at the request of the interested party in order to exercise your rights under Articles 15 to 22, unless you can show that you are not is in a position to identify the interested party. 3. The person responsible for the treatment will provide the interested party with information regarding their proceedings on the basis of a request pursuant to Articles 15 to 22, and, in In any case, within one month of receipt of the request. Saying The term may be extended for another two months if necessary, taking into account the complexity and number of requests. The person in charge will inform the interested party of any of said extensions within a period of one month from the receipt of the request, stating the reasons for the delay. When the interested party presents the request by electronic means, the information will be provided by electronic means when possible, unless the interested party requests that it be provided otherwise. 4. If the person responsible for the treatment does not comply with the request of the interested party, inform without delay, and no later than one month after receipt of the request, the reasons for not acting and the possibility of submitting a claim before a control authority and to exercise legal actions. 5. The information provided by virtue of articles 13 and 14 as well as all communication and any action carried out pursuant to articles 15 to 22 and 34 they will be free of charge. When the requests are manifestly unfounded or excessive, especially due to its repetitive nature, the person responsible for the treatment may: a) charge a reasonable fee based on the administrative costs incurred to facilitate information or communication or perform the requested action, or b) refuse to act on the request. The data controller will bear the burden of proving the character manifestly unfounded or excessive of the request. 6. Without prejudice to the provisions of article 11, when the person responsible for the treatment have reasonable doubts in relation to the identity of the natural person taking the application referred to in articles 15 to 21, you may request that the additional information necessary to confirm the identity of the interested party. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/8 7. The information that must be provided to the interested parties by virtue of articles 13 and 14 may be transmitted in combination with standard icons that allow provide in an easily visible, intelligible and clearly legible way a suitable overview of the planned treatment. Icons presented in the format electronic will be machine readable. 8. The Commission is empowered to adopt delegated acts in accordance with the Article 92 in order to specify the information to be submitted through icons and procedures for providing standard icons. " FOURTH: Article 12 of the LOPDGDD determines the following: 1. The rights recognized in articles 15 to 22 of Regulation (EU) 2016/679, They may be exercised directly or through a legal or voluntary representative. 2. The person responsible for the treatment will be obliged to inform the affected party about the means at your disposal to exercise the rights that correspond to you. The media They must be easily accessible to the affected person. The exercise of the right may not be denied for the sole reason of choosing the affected by another means. 3. The person in charge may process, on behalf of the person in charge, requests for exercise formulated by those affected by their rights if this is established in the contract or legal act that binds them. 4. Proof of compliance with the duty to respond to the request to exercise their rights formulated by the affected party will fall on the person responsible. 5. When the laws applicable to certain treatments establish a regime that affects the exercise of the rights provided for in Chapter III of the Regulation (EU) 2016/679, the provisions of those will be followed. 6. In any case, the holders of parental authority may exercise on behalf of and representation of minors under fourteen years of age the rights of access, rectification, cancellation, opposition or any others that may correspond to them in the context of this organic law. 7. The actions carried out by the person responsible for the treatment will be free to meet requests for the exercise of these rights, without prejudice to the provided in articles 12.5 and 15.3 of Regulation (EU) 2016/679 and in the sections 3 and 4 of article 13 of this organic law. " FIFTH: Article 15 of the RGPD provides that: "one. The interested party will have the right to obtain from the person responsible for the treatment confirmation of whether or not personal data concerning you is being processed and, as such case, right of access to personal data and the following information: a) the purposes of the treatment; b) the categories of personal data in question; c) the recipients or categories of recipients to whom they were communicated or personal data will be communicated, in particular recipients in third parties or international organizations; d) if possible, the expected period of conservation of personal data or, if possible, the criteria used to determine this period; C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/8 e) the existence of the right to request the person responsible for rectification or deletion of personal data or the limitation of the processing of personal data related to interested party, or to oppose said treatment; f) the right to file a claim with a supervisory authority; g) when the personal data have not been obtained from the interested party, any information available on its origin; h) the existence of automated decisions, including profiling, to referred to in article 22, paragraphs 1 and 4, and, at least in such cases, information significant on the applied logic, as well as the importance and consequences provided for said treatment for the interested party. 2. When personal data is transferred to a third country or to an organization international, the interested party will have the right to be informed of the guarantees appropriate under Article 46 relating to the transfer. 3. The person responsible for the treatment will provide a copy of the personal data object of treatment. The person in charge may receive for any other copy requested by the interested a reasonable fee based on administrative costs. When the interested party submit the request by electronic means, and unless he requests otherwise provided, the information will be provided in an electronic format of Common use. 4. The right to obtain a copy mentioned in section 3 shall not negatively affect to the rights and freedoms of others. " SIXTH: The right of access in relation to medical records is regulated specifically in article 18 of Law 41/2002, of November 14, basic regulating the Autonomy of the Patient and Rights and Obligations in the Matter of Information and Clinical Documentation (hereinafter LAP), whose literal wording expresses: "one. The patient has the right of access, with the reservations indicated in section 3 of this article, to the documentation of the medical history and to obtain a copy of the data contained in it. The health centers will regulate the procedure that guarantee the observance of these rights. 2. The patient's right of access to the medical record can also be exercised by duly accredited representation. 3. The patient's right of access to the documentation of the medical record does not can be exercised to the detriment of the right of third parties to confidentiality of the data contained in it collected in the therapeutic interest of the patient, or in prejudice to the right of the professionals participating in its preparation, who They can oppose the right of access to the reservation of their subjective annotations. 4.Health centers and individual practitioners will only facilitate the access to the medical history of deceased patients to people linked to him, for family or factual reasons, unless the deceased had prohibited it expressly and thus accredited. In any case, the access of a third party to the story clinic motivated by a risk to your health will be limited to the relevant data. I dont know provide information that affects the privacy of the deceased or the annotations subjective of the professionals, nor that it harms third parties. " SEVENTH: In this sense, article 15 of the LPA that includes the minimum content of the medical history: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 6/8 "one. The medical history will incorporate the information that is considered transcendental for accurate and up-to-date knowledge of the patient's health status. All patient or User has the right to be recorded, in writing or in the technical support more adequate, of the information obtained in all their care processes, carried out by the health service both in the field of primary care and care specialized. 2. The main purpose of the medical record will be to facilitate health care, leaving constancy of all those data that, under medical criteria, allow the knowledge truthful and updated of the state of health. The minimum content of the medical history will be the following: a) The documentation related to the clinical-statistical sheet. b) The entry authorization. c) The emergency report. d) Anamnesis and physical examination. e) Evolution. f) Medical orders. g) The consultation sheet. h) Complementary examination reports. i) Informed consent. j) The anesthesia report. k) The operating room report or birth record. l) The pathological anatomy report. m) The evolution and planning of nursing care. n) The therapeutic application of nursing. ñ) The graph of constants. o) The clinical discharge report. Paragraphs b), c), i), j), k), I), ñ) and o) will only be required upon completion of the clinical history in the case of hospitalization processes or so arrange. 3. The completion of the clinical history, in the aspects related to the direct patient care, it will be the responsibility of the professionals who intervene in it. 4. The clinical history will be kept with unit and integration criteria, in each care institution as a minimum, to facilitate the best and most timely knowledge by the physicians of the data of a certain patient in each care process ”(the underlining is from the Spanish Data Protection Agency). EIGHTH: Before going into the merits of the questions raised, it should be noted that, the LAP establishes a series of obligations to professionals and health centers, in its article 15 contains the minimum content of the clinical history, it also states an obligation to preserve the medical record for the health center established in its article 17. The regulations on data protection, put into relation with articles 17, 18 and, especially article 15 of the LAP, recognizes a right of access to the entire clinical history by its owner or representative. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 7/8 Specifically, article 18.1 of the LAP establishes that “The patient has the right to access, with the reservations indicated in section 3 of this article, to the documentation of the medical record and to obtain a copy of the data contained in it. The health centers will regulate the procedure that guarantees the observance of these rights. " Consequently, the respondent has the legal obligation to deliver to the complaining party copies their entire medical record. In the case analyzed here, the complaining party exercised its right of access to its clinical history, and that, after the period established in accordance with the rules before indicated, your request did not obtain the legally required response, since the access granted was incompletely produced. However, the foregoing, once the claim raised by the complaining party, the complained party provides the documentation proving the communication sent to the interested party taking into account the right of access, said allegation being object of transfer to the complaining party, by postal notification, without there being any presented any allegation against it, therefore, with the measures adopted by the person in charge, the rights of the affected party are duly restored. Consequently, the present claim must be upheld for formal reasons at the response has been issued extemporaneously without requiring the completion of additional actions by the person responsible for the file. Considering the cited precepts and others of general application, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: ESTIMATE for formal reasons, the claim made by Ms. A.A.A., against the HEALTH SERVICE OF THE PRINCIPALITY OF ASTURIAS. However, no the issuance of a new certification by said entity proceeds, as it has the response was issued extemporaneously, without requiring the completion of additional actions by the person in charge. SECOND: NOTIFY this resolution to Ms. A.A.A. and at the SERVICE OF HEALTH OF THE PRINCIPALITY OF ASTURIAS. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a month to counting from the day after the notification of this resolution or directly contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within two months from the day following notification of this act, as provided in article 46.1 of the referred Law. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 8/8 1037-100919 Mar Spain Martí Director of the Spanish Agency for Data Protection C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es