AEPD (Spain) - EXP202202309: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=EXP202202309 |ECLI= |Original_Source_Name_1=AEPD |Original_Source_Link_1=https://www.aepd.es/documento/ps-00317-2022.pdf |Original_Source_Language_1=Spanish |Original_Source_Language__Code_1=ES |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Language__Code...") |
m (→Facts) |
||
(One intermediate revision by one other user not shown) | |||
Line 63: | Line 63: | ||
}} | }} | ||
The DPA sanctioned a medical center € 30,000, finding that it violated | The DPA sanctioned a medical center € 30,000, finding that it violated confidentiality principles when it required data subjects to take their temperature in a reception area where the data could be seen by third parties. | ||
== English Summary == | == English Summary == | ||
Line 70: | Line 70: | ||
On 9 February 2022, a data subject filed a complaint with the Spanish DPA (AEPD) against a medical center, Centro Médico Salus Baleares, S.L. (the controller). During the COVID-19 pandemic, the controller required patients to take their temperature on a device in order to receive medical assistance. The device was located in the reception and waiting area and was within sight of third persons. | On 9 February 2022, a data subject filed a complaint with the Spanish DPA (AEPD) against a medical center, Centro Médico Salus Baleares, S.L. (the controller). During the COVID-19 pandemic, the controller required patients to take their temperature on a device in order to receive medical assistance. The device was located in the reception and waiting area and was within sight of third persons. | ||
In its defense brief, the controller noted that the data subject had never | In its defense brief, the controller noted that actually the data subject had never their temperature taken and thus lacked standing to bring a complaint. The controller also noted that these protocols were in place during the COVID-19 pandemic, during which public health authorities had guidance in place that included temperature controls. | ||
=== Holding === | === Holding === | ||
The AEPD found that the controller violated security and confidentiality principles under Articles 5(1)(f) and 32 GDPR. It fined the controller € 30,000 for the violations. | The AEPD found that the controller violated security and confidentiality principles under [[Article 5 GDPR#1f|Articles 5(1)(f)]] and [[Article 32 GDPR|32 GDPR]]. It fined the controller € 30,000 for the violations. | ||
The AEPD noted that temperature is health data and thus a special category of data pursuant to [[Article 9 GDPR#1|Article 9(1) GDPR]]. At the same time, it acknowledged that in a public health crisis, employers are obligated to adopt extraordinary measures in line with public health guidance and observed that national laws on occupational risk prevention justified processing this sensitive data pursuant to [[Article 9 GDPR#2h|Article 9(2)(h) GDPR]]. Thus, taking individuals’ temperature in of itself was not prohibited in this case. | The AEPD noted that temperature is health data and thus a special category of data pursuant to [[Article 9 GDPR#1|Article 9(1) GDPR]]. At the same time, it acknowledged that in a public health crisis, employers are obligated to adopt extraordinary measures in line with public health guidance and observed that national laws on occupational risk prevention justified processing this sensitive data pursuant to [[Article 9 GDPR#2h|Article 9(2)(h) GDPR]]. Thus, taking individuals’ temperature in of itself was not prohibited in this case. | ||
Nonetheless, such data must be safeguarded pursuant to the GDPR’s security and integrity obligations. The AEPD found that the temperature device permitted temperature data to be seen by third parties in the waiting area of the medical center. The controller lacked measures to protect against such potential | Nonetheless, such data must be safeguarded pursuant to the GDPR’s security and integrity obligations. The AEPD found that the temperature device permitted temperature data to be seen by third parties in the waiting area of the medical center. The controller lacked measures to protect against such potential observationof individuals’ health data. As a result, the controller violated [[Article 5 GDPR#1f|Articles 5(1)(f)]] and [[Article 32 GDPR|32 GDPR]]. | ||
== Comment == | == Comment == |
Latest revision as of 12:14, 3 April 2024
AEPD - EXP202202309 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1)(f) GDPR Article 32 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | |
Fine: | n/a |
Parties: | Centro Médico Salus Baleares, S.L. |
National Case Number/Name: | EXP202202309 |
European Case Law Identifier: | n/a |
Appeal: | Not appealed |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | lm |
The DPA sanctioned a medical center € 30,000, finding that it violated confidentiality principles when it required data subjects to take their temperature in a reception area where the data could be seen by third parties.
English Summary
Facts
On 9 February 2022, a data subject filed a complaint with the Spanish DPA (AEPD) against a medical center, Centro Médico Salus Baleares, S.L. (the controller). During the COVID-19 pandemic, the controller required patients to take their temperature on a device in order to receive medical assistance. The device was located in the reception and waiting area and was within sight of third persons.
In its defense brief, the controller noted that actually the data subject had never their temperature taken and thus lacked standing to bring a complaint. The controller also noted that these protocols were in place during the COVID-19 pandemic, during which public health authorities had guidance in place that included temperature controls.
Holding
The AEPD found that the controller violated security and confidentiality principles under Articles 5(1)(f) and 32 GDPR. It fined the controller € 30,000 for the violations.
The AEPD noted that temperature is health data and thus a special category of data pursuant to Article 9(1) GDPR. At the same time, it acknowledged that in a public health crisis, employers are obligated to adopt extraordinary measures in line with public health guidance and observed that national laws on occupational risk prevention justified processing this sensitive data pursuant to Article 9(2)(h) GDPR. Thus, taking individuals’ temperature in of itself was not prohibited in this case.
Nonetheless, such data must be safeguarded pursuant to the GDPR’s security and integrity obligations. The AEPD found that the temperature device permitted temperature data to be seen by third parties in the waiting area of the medical center. The controller lacked measures to protect against such potential observationof individuals’ health data. As a result, the controller violated Articles 5(1)(f) and 32 GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/36 File No.: EXP202202309 RESOLUTION OF SANCTIONING PROCEDURE From the procedure instructed by the Spanish Data Protection Agency and based to the following BACKGROUND FIRST: A.A.A. (hereinafter, the complaining party) dated February 9, 2022 filed a claim with the Spanish Data Protection Agency. The claim is directed against CENTRO MÉDICO SALUS BALEARES, S.L. with NIF B07060478 (hereinafter SALUS BALEARES). The reasons on which the claim are the following: That while in a SALUS BALEARES medical center (Asistel Moraira clinic) he was asks you to take your temperature with a device located on the wall in front of the room waiting area and next to the reception, therefore in view of third parties, the viewing the body temperature it gives. He refuses to take it and with this he is denies medical assistance (performing an analysis). He considers that he has been discriminated against and their rights violated. Along with the notification, photographs are provided showing the location of the thermometer from the aforementioned medical center, as well as a copy of the claim form presented by the complaining party. SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights (in hereinafter LOPDGDD), said claim was transferred to SALUS BALEARES, to proceed with its analysis and report to this Agency within a period of one month, of the actions carried out to adapt to the requirements provided for in the data protection regulations. The transfer, which was carried out in accordance with the rules established in Law 39/2015, of October 1, of the Common Administrative Procedure of Administrations Public (hereinafter, LPACAP), was collected on March 1, 2022, as It appears in the acknowledgment of receipt that is in the file. On March 28, 2022, this Agency received a response letter indicating the following: -The measurement system used is a laser thermometer located at the entrance of the clinic, in which the user individually takes their temperature and the staff admission of the medical clinic observes said measurement, without carrying out any type temperature recording or identifying data of said user. Therefore, in In no case is the temperature measurement carried out (laser measurement of the forehead or hand) a processing of personal data, and therefore the intervention of the Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/36 Spanish Data Protection, and the application of current regulations on the matter of data protection does not apply as there is no data processing. -Automatic temperature measurement of a user, without carrying out a record rigged does not involve data processing, and therefore there is no purpose established for said treatment. -Likewise, if data processing were effectively considered, the The purpose of this is the safety of workers and users of the clinic, seen from the vertex of the coronavirus health pandemic, in which different protocols to normalize the return to normality with this measure. (measurement of temperature to users). There is a legal obligation under the Prevention Law of Occupational Risks, which obliges the employer to implement measures to guarantee safety in the work environment. -Concrete instructions have been given so that the operators who have the function assigned to control temperature verbally inform people about the situation and the reason for said control, indicating that, at no time Measurement results will be recorded, stored or used to any other purpose than to advise on the security measures to be adopted. -Concludes that as long as there is no official regulation that imposes a measure different, the temperature taking protocol will continue to be implemented workers and users, legitimized by compliance with a legal obligation. THIRD: On May 9, 2022, in accordance with article 65 of the LOPDGDD, the claim presented by the complaining party was admitted for processing. FOURTH: The entity CENTRO MÉDICO SALUS BALEARES, S.L. It's a company established in 2000 and with a turnover of 34,816,282 euros in the fiscal year 2021 and 39,597,787 in fiscal year 2022, according to a report issued by the Axesor entity. FIFTH: On May 8, 2023, the Director of the Spanish Agency for Data Protection agreed to initiate sanctioning proceedings against the claimed party, in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations (in hereinafter, LPACAP), for the alleged violation of Article 5.1.f) of the RGPD and Article 32 of the GDPR, typified in Article 83.5 of the GDPR and Article 83.4 of the GDPR respectively. SIXTH: The aforementioned initiation agreement has been notified in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations (hereinafter, LPACAP), the claimed party presented a written of allegations in which, in summary, he stated the following: I. In reference to whether taking temperature involves data processing personal character: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/36 SALUS BALEARES indicates that from what this Agency indicated in the Agreement itself At the beginning, the criterion is clear that the measurement of temperature, without Carrying out any type of registration is NOT data processing and therefore would be excluded from the scope of application of the current regulations on Data Protection. Likewise, SALUS BALEARES points out that the Agency follows the same criteria in other procedures in which it has been determined that the measurement of temperature at through thermometers without registration of the interested parties is not a processing of personal data. personal nature (Procedure No.: E/03884/2020) However, SALUS BALEARES warns, this Agency wants to prove that, in the This case, yes, it is data processing, because according to the photographs provided by the claimant the result of the measurement is visible or public. SALUS BALEARES reviews that, if the photographs provided in the claim looks like the device is located on a wall next to reception, where the right side includes ornamental elements to prevent the right side the measurement result can be viewed, and are included indications to perform the measurement by bringing your hand closer to the device. SALUS BALEARES points out that when you bring your hand within a few centimeters of the device, together with our body that visually obstructs from a rear flank and the ornamental elements located in the reception to avoid a possible right lateral visualization, it would be practically impossible for the measurement of the temperature was visible to no one other than the person carrying out the measurement. Likewise, SALUS BALEARES points out that, due to the photographs provided in the procedure, it is not proven in any way that at the time the claimant carried out your measurement, there would be someone in the waiting room on the left of the reception, given that all the images that have been provided in the procedure do not refer to the moment in which the interested party (claimant) carried carry out the measurement of your temperature to be able to enter the Asistel medical clinic Moraira. In this sense, SALUS BALEARES believes that this assumption has not been properly examined. reliable manner by this Agency, since SALUS BALEARES is not aware no inspection visit by the AEPD to the Asistel Moraira clinic, in relation to the claim received, in which it was examined or reviewed whether the photographs taken were a true reflection of reality or whether the temperature measurement system was installed correctly to avoid any type of publicity or disclosure of the measurement results. It must be said that since the day the health recommendation to measure the temperature of those attending medical centers was no longer mandatory, this clinic uninstalled the thermometer and therefore they have not been carried out further measurements. Furthermore, SALUS BALEARES points out that the claimant states in your claim (annex 1 claim), that the measurement has NOT been carried out, which is why he was not allowed to access clinical treatment. Fact that does not C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/36 more than reinforcing our argument that in the specific case in which we We find, there has been no processing of personal data, according to the definitions of “personal data” and “processing” in article 4 of the GDPR, because the claimant never made his measurement. II.-In reference to the quantification of sanctions SALUS BALEARES points out that the sanctioning procedure establishes a series of aggravating factors in relation to the alleged infringement of SALUS BALEARES of the article 5.1.f) of the RGPD, which results in the imposition of a proposed sanction of €20,000.00 (TWENTY THOUSAND EUROS). So: Regarding the aggravating circumstances of article 83.2.a) RGPD In this sense, SALUS BALEARES considers that the case has not been taken into account. specific complaint reported by the claimant nor the specific circumstances of the clinic Asistel Moraira, but the Agency has taken into account the global data of the CMSB company. Likewise, SALUS BALEARES reports that, with respect to confidentiality, as has been argued in point I of this appeal, there has not been a treatment of data, the claimant never measured his temperature, so there cannot be confidentiality about an event that did not occur. Regarding the number of interested parties, SALUS BALEARES reminds this Agency that In the period of pandemic derived from the COVID-19 virus, in our country, the sector entire healthcare system, including private healthcare as is the case in CMSB, has been made available to all citizens, as requested the Spanish Minister of Health, Salvador Illa, on March 15, 2020. Joining forces, resources and energies to be able to attend to the maximum possible cases and help overcome the COVID-19 crisis. SALUS BALEARES brings up that the health authority, the Ministry of Health or organizations in which it delegates, published, different protocols where includes, as a necessary security measure for the return to normality of those activities, the aforementioned temperature controls. For example, the Protocol action for the reactivation of judicial activity and professional health, of the Council General of the Judiciary, the basic protocol of action for the return to the training and the restart of federated and professional competitions; or in the Recommendations for the restoration of activity in swimming pools public after the Covid-19 crisis. And also remember that the Government of Spain, in the management of this emergency situation and, specifically, in relation with the measures imposed on foreigners visiting Spain during the period As long as this situation lasted, temperature checks were carried out on each person who access the country, with the aim of guaranteeing maximum health security. Because This is what SALUS BALEARES was looking for at all times, to avoid spread of the Covid-19 crisis, which is why the reader was installed body temperature. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/36 SALUS BALEARES indicates that, with a more specific character, the action denounced, was carried out in compliance with Law 31/1995, of November 8, of Occupational Risk Prevention (LPRL), which states that it is the obligation of the Businessman ensure safety at work. This last obligation of the employer must be understood in a broad sense, so the simple circumstance that the employees of the Asistel Moraira medical clinic of SALUS BALEARES work in contact with clients and users, would imply the need for the protection provided to employees is extended to clients or users, as a consequence of the fact that access to the SALUS BALEARES facilities by part of infected clients or users could put the safety of the users at risk. employees, and that of the users themselves among themselves. Even the lack of action in the compliance with the worker protection obligations derived from the LPRL could constitute a crime, as regulated in the articles 316-318 of the Penal Code. SALUS BALEARES reminds that this opinion is ratified by the Ministry of Health in the document that has been prepared regarding “Procedure of action for occupational risk prevention services against exposure to SARSCOV-2” that makes the following recommendation to the prevention services of occupational risks on page 3: “Given that contact with the virus can affect healthcare environments and not health, it is up to companies to evaluate the risk of exposure in which You can find hard-working people in each of the tasks differentiated that they carry out and follow the recommendations that on the individual issues the prevention service, following the guidelines and recommendations made by health authorities. Furthermore, SALUS BALEARES says that it has not been reflected in the sanction proposal, what has been the criteria established by this Agency to determine that the number of affected people is high, if they do not know the number of clients that is received at the Asistel Moraira clinic, no more claims have been submitted to the respect and more taking into account that the total number of citizens registered in Teulada, the population where the clinic in question is located, is 11,944 inhabitants (according to INE 2022 data). This is why we consider that this aggravating criterion has not been calculated objectively, in accordance with the facts reported. “Article 83.2.b) RGPD. Intentional or negligence in the infringement: Although It is considered that there was no intention on the part of SALUS BALEARES, yes the existence of negligence in compliance can be observed and observance of technical and organizational measures to ensure the security necessary for the protection of personal data, specifically to guarantee their confidentiality, since there was a taking the temperature of the users who came to the clinic in such a way that It was possible to view it by the rest of the people who were in the waiting room or reception area, reflecting negligence, especially if you take into account that it is health data. In this regard, It must be remembered that SALUS BALEARES is a clinic and therefore, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/36 accustomed to the processing of personal data, specifically health data. It is worth remembering, in this sense, that of the National Court of 10/17/2007 (rec.63/2006), that with respect to entities whose activity involves the continuous processing of customer data, indicates “…the Supreme Court comes understanding that imprudence exists whenever a legal duty is neglected of care, that is, when the offender does not behave with diligence required. And in assessing the degree of diligence, it must be weighed especially the professionalism or not of the subject, and there is no doubt that, in the case now examined, when the appellant's activity is constant and abundant handling of personal data, emphasis must be placed on rigor and “exquisite care to comply with the legal provisions in this regard.” Indicates SALUS BALEARES which, in the aforementioned aggravating circumstance, refers to the intentionality or negligence, and this Agency states in its writing that “it is "considers that there was no intention on the part of SALUS BALEARES." About negligence, is supported again by the lack of confidentiality, as has already been made in the application of the aggravating circumstance of Article 83.2.a) of the RGPD. We reiterate the proven facts that, there has been no data processing, the claimant has never measured your temperature, so it is not a data processing of a nature personnel, the RGPD and other regulations are not applicable to it, and in the case in question, it is factually impossible for confidentiality to occur regarding a fact not occurred, such as taking the temperature of the claimant's hand. For all these reasons, we consider that the aggravating circumstance of negligence applied in the graduation of the sanction does not apply. “Article 83.2.g) RGPD. Categories of personal data affected by the violation: Personal data related to health has been affected. It is necessary to remember at this point that the measurement system used is It is a laser thermometer located at the entrance of the clinic, in which the The user individually takes the temperature, without carrying out any type of temperature recording or identifying data of said user. That is, it use laser thermometers for temperature measurements without this process is accompanied by the recording of the temperature obtained from the clinic users. SALUS BALEARES points out that, despite the fact that this Agency considers that the body temperature is a health fact, the temperature measurement carried out (measurement laser forehead or hand), it is NOT a processing of personal data, as has has been proven previously. (Procedure No.: E/03884/2020 AEPD: Metro de Bilbao) SALUS BALEARES insists that there is no data processing, because as stated stipulated in the first articles of the GDPR, and more specifically in article 2.1 regarding the material scope of application of this standard, “This Regulation is applies to the fully or partially automated processing of personal data, as well as to the non-automated processing of personal data contained or intended to be included in a file.” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/36 SALUS BALEARES Review that, after the description of the scope of application of the regulation, from their point of view, there is no automated data processing personal data, nor is it non-automated processing intended to be included in a file, understanding this concept as “any structured set of data personal, accessible according to specified criteria, whether centralized, decentralized or distributed in a functional or geographical manner”, in accordance with the article 4 GDPR, point six. For this reason, this action must be left out of the scope of application of data protection regulations. Next, SALUS BALEARES states that, regardless of whether the situation should be located under the defense of data protection regulations or not, due to the existence or not of automated or non-automated processing, of According to the material scope of application, it can also be argued that, in the In this specific case, the use of the information necessary to comply with the purpose of temperature control, as implemented by SALUS BALEARIC ISLANDS, does not constitute personal data if we look at the definition that the GDPR offers about this concept in the first point of article 4, when it stipulates that personal data will be “any information about an identified natural person or identifiable ("the interested party"); Any person will be considered an identifiable natural person whose identity can be determined, directly or indirectly, in particular by an identifier, such as a name, an identification number, data location, an online identifier or one or more elements of identity physical, physiological, genetic, mental, economic, cultural or social of said person.” In fact, indicates SALUS BALEARES, the first part is divided into 4 elements well differentiated, that the now extinct Working Group of article 29 (GT29) already had analyzed separately: “Information” + “About” + “Natural person” + “Identified or identifiable.” In the opinion of SALUS BALEARES, in the case at hand, in the verification of the temperature the first 3 are met, but not the one indicated in fourth place. That is to say, Of course, the temperature measurement may be associated with a natural person, but what will not be possible, according to the data that the clinic collects, will be know the identity of that person, in a reasonable manner, in accordance with GT29 itself established, since there is no collection or association with another direct or indirect identifier that allows knowing the identity of a person. In these cases, according to the report on the concept of personal data issued by the GT29 already in 2007, we will simply find ourselves faced with anonymous data that does not require the protection of privacy legislation, for the simple fact that that this last right will not be affected. Likewise, SALUS BALEARES reports that this line of argument it defends has been that taken by different Control Authorities in the European Union: “CNIL (France): Publicly recognizes that the regulations on the Data processing only applies to automated processing (in particular, IT) or the non-automated processing of personal data intended to be included in a file. Therefore, he concludes that if there was only verification of C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 8/36 the temperature by means of a manual thermometer (such as, for example, a contactless infrared) at the entrance of a site, without leaving a trace, or any other operation being carried out (such as information feedback, etc.), This situation does not fall under data protection regulations. This statement can be consulted at the following link: https://www.cnil.fr/fr/la-cnil-appelle-la-vigilance-sur-lutilisation-des-cameras ditesintelligentes-et-des-cameras Autoriteit Persoonsgegevens (Netherlands): Along the same lines, the Dutch Supervisory Authority recognizes that the GDPR It is not applicable to situations in which only the temperature is read, without it recorded or stored in an automated system, as applicable to the present action for which a claim has been received. Yes it leaves open the situation to which said control may affect other rights, but not to data protection in this case. This statement can be consulted at the following link: https://autoriteitpersoonsgegevens.nl/nl/onderwerpen/corona/temperaturen- tijdens-crown SALUS BALEARES concludes that, although body temperature may be a health data, it as such does not constitute personal data, since it does not identify the interested party, and therefore the current regulations regarding the protection of data, would not be applicable, and would nullify the application of this aggravating circumstance of the proposed sanction. Article 76.2.b) LOPDGDD. Linking the offender's activity with the carrying out processing of personal data: The development of the business activity carried out by SALUS BALEARES represents a continuous processing of personal data, many of them health data. Therefore, This is a company used to processing personal data. In reference to this last aggravating factor, SALUS BALEARES points out that it has once again taken into account the activity of the entire group and not the specific activity of the clinic Asistel Moraira, where the violation in matters of data protection, as argued above, refuting the application of the aggravating circumstance of Article 83.2.a) RGPD when considering the number of interested parties affected high, when it is not. The total number of patients at the Asistel Moraira clinic in all of 2022, the year in which the claim occurred, it was 2,375 people. III.-In reference to the AGREEMENTS of initiation of the sanctioning procedure SALUS BALEARES alleges that the Startup Agreement shows a defect of form, which entails the cancellation of all or part of the proposed sanction, since agrees in duplicate to initiate sanctioning proceedings against her, for alleged violation of Article 5.1.f) proposing a sanction of an administrative fine of amount of 20,000.00 euros (TWENTY THOUSAND EUROS), thus violating the principle of C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/36 procedural law NON BIS IN IDEM. This principle establishes the prohibition of that the same act can be sanctioned several times when there is identity of subject, of facts and foundation, as is the case at hand, which is intended double punish CMSB with a fine of 20,000.00 euros (TWENTY THOUSAND EUROS) for the same alleged breach. That is why it requests this Agency to annul the proposed sanction or recalculate its value. SALUS BALEARES also indicates that, in reference to the proposed sanction of 10,000.00 euros (TEN THOUSAND EUROS) for alleged violation of article 32 of the RGPD, It is made clear to this Agency that in file EXP202202309 there has been no proceeded to initiate any sanctioning procedure against SALUS BALEARES motivated by the violation of article 32 of the RGPD, which is why it requests that declare this sanctioning procedure null and void, since in accordance with the provisions of the administrative procedural regulations, a proposal for sanction without having initiated an administrative sanctioning procedure. For the above reasons, SALUS BALEARES begs that it be agreed to close the file relating to this claim, declaring this null and void sanctioning procedure for defects of form and annul the proposals for sanction. SEVENTH: On January 15, 2024, a Proposed Resolution was formulated, proposing that the Director of the Spanish Data Protection Agency sanction CENTRO MEDICO SALUS BALEARES, S.L., with NIF B07060478, for a violation of article 5.1.f) of the RGPD, typified in article 83.5 of the RGPD, with a fine of 20,000.00 euros (TWENTY THOUSAND EUROS), and for a violation of article 32 of the RGPD, typified in article 83.4 of the RGPD, with a fine of 10,000.00 euros (TEN THOUSAND EUROS). EIGHTH: The aforementioned Proposed Resolution was notified in accordance with the regulations established in Law 39/2015, of October 1, on Administrative Procedure Common Public Administrations (hereinafter, LPACAP), the part claimed presented a written statement of allegations in which, in summary, it states the following: First. – THE AEPD HAS NOT PROVEN ANY FACT THAT SUPPOSES THE COMMISSION OF AN INFRINGEMENT BY CMSB AND THE IMPOSITION OF THE PROPOSED SANCTIONS. SALUS BALEARES alleges that the sanction proposal is based on evidence insufficient. Only one photograph appears in the administrative file. made by the complainant. SALUS BALEARES understands that the proposed resolution lacks evidence enough to undermine the presumption of innocence. The eventual resolution that issue with support from the evidence contained in the administrative file, considers SALUS BALEARES which would be null and void as it is manifestly unmotivated, indicating the following reasons: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 10/36 1. The proposed resolution considers proven the facts constituting infringement that is attributed to SALUS BALEARES on the sole basis of the photographs provided by the complainant. 2. The AEPD has not carried out any verification on the reality and date of the photographs taken. 3. Likewise, the AEPD has not carried out evidentiary activity in the processing of the administrative file for the imposition of the sanction on SALUS BALEARES. This is, he has not appeared at my client's premises to verify the reality that presumably indicated in the photographs. 4. From the images provided by the complainant, the AEPD deduces the following proven facts: - The clinic uses an electronic device to measure temperature using a proximity sensor. - The device is located in the waiting room and at the reception of the clinic. - The person's temperature is shown on the thermometer screen. However, in the opinion of SALUS BALEARES, these are facts that do not distort its presumption of innocence. Second. – SALUS BALEARES HAS NOT PROCESSED THE COMPLAINANT'S DATA. SALUS BALEARES reiterates that, within the process of taking the temperature of the complainant, there was no processing of personal data. In any moment events that made this user identifiable, all based on to the following objective circumstances: 1. The claimant did not submit to a temperature check. 2. Temperature was taken using a device that measured the temperature without registration, therefore, none of the shots were stored. 3. The device was located on a wall next to reception, where the right side includes ornamental elements to prevent from the side right the measurement result could be displayed. Additionally, the measurement temperature was carried out by approximating the person's hand in question. For this reason, the screen of the device itself was covered by both the hand from the person taking the temperature, as well as from the body itself. 4. Likewise, the mandatory distance that had to be maintained between people did not allowed the display of this data except for the person who was taking the test. temperature. 5. All facility staff had to access the facilities wearing a mask. (including patients having their temperature taken). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 11/36 6. Notification to patients to access the consultation is not done using data personal. Calling clients is made with a code, maintaining their anonymity at all times. In this sense, SALUS BALEARES alleges that in the case of verification of the body temperature as a preventive measure against the spread of COVID-19, no None of the following operations contemplated by the GDPR in its entirety were carried out: Article 4 when it defines what is meant by “processing” of personal data: ▪ Record: body temperature measurement was not recorded in any type of system or device, automated or non-automated. ▪ Structuring: the information was not structured as data processing was not carried out. personal information. ▪ Modification: the information was not changed or altered. ▪ Conservation: the information was not stored for a certain period of time. time. ▪ Extraction: the information was not obtained from an original system or device for sending or transferring to another system or device. ▪ Dissemination: the data was not transferred or communicated to a person other than the interested. ▪ Communication by transmission: the data was not sent to another recipient from your system or source device through electronic means. ▪ Comparison: data from two or more treatments or systems were not analyzed to establish similarities and differences and develop some type of assessment. ▪ Limitation: it was not applicable since the device did not store data or carry out any further processing. ▪ Communication: due to existing measures and where it was placed the device, no data was revealed to a person other than the interested party. Third. – THE EVENTUAL DATA PROCESSING WAS SECURE. THROUGHOUT MOMENT THE INDICATIONS OF THE LOPD AND THE REGULATION. SALUS BALEARES points out that it applied the necessary measures to guarantee the confidentiality of the temperature data taking into account the provisions of the article 32 of the GDPR, which advocates that “the technique, the costs of application, and the nature, the scope, context and purposes of the processing, as well as probability risks and “variable severity for the rights and freedoms of natural persons.” SALUS BALEARES indicates that the recording was carried out within the facilities of the clinic. And, inside the clinic, in a place with individual access to clients. This is, At no time can another client/patient observe the temperature indicated on the thermometer. Likewise, SALUS BALEARES points out that, at that time, the clinic did not have necessary personnel to assume only the temperature control function of neither the users nor the facilities had an adjoining space that could allow take the temperature individually, but at the same time it would facilitate the work staff being able to control the action protocols against COVID. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 12/36 Quarter. – FROM THE ISOLATED TEMPERATURE DATA THE IDENTITY OF THE PERSON. SALUS BALEARES alleges, in relation to the temperature data, that although considered a health fact, at the time of taking the temperature the possible Users of the facilities could not have access to the necessary information link this data with others that would make the person who carried out the investigation identifiable. temperature taking. SALUS BALEARES indicates that in order to interpret, the concept “information relating to an identified or identifiable natural person”, we must go to the considering 26 of the RGPD which determines that: “[…] to determine whether a natural person is identifiable, the following must be taken into account: all means, such as singling out, that may reasonably be used by the responsible for the treatment or any other person to directly or indirectly identify indirectly to the natural person. To determine if there is a probability reasonable for means to be used to identify a natural person, they must all objective factors must be taken into account, such as costs and time required for identification, taking into account both the technology available at the time of treatment and technological advances.” Due to the above, SALUS BALEARES understands that it was not possible identify users who took their temperature. In fact, this part is not can identify the people who appear in the photograph provided by the claimant. Sixth. –THE CONTEXT OF THE HEALTH CRISIS HAS NOT BEEN TAKEN INTO ACCOUNT SALUS BALEARES remembers the moment and the circumstances in which they were produced, as exceptional as a global pandemic. The healthcare sector who was the most punished. Safety measures such as temperature taking were essential to guarantee the health of all users who could access the clinic – both internal staff and patients. The AEPD itself has taken into account in previous resolutions. For the above reasons, SALUS BALEARES requests that the archive of the actions upon understanding that he has not committed any infraction. And subsidiarily, requests that the circumstances of the global health crisis be taken into account in the that SALUS BALEARES allegedly committed the infractions and mitigates the possible sanctions imposed. Of the actions carried out in this procedure and the documentation recorded in the file, the following have been accredited: PROVEN FACTS FIRST: It has been proven, through the photos provided by the claimant, that following: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 13/36 -In the clinic an electronic device is used that measures temperature automatic, requiring users to stand close and in front of it. of the same. - The device was located on a wall in an area where it is located the waiting room and reception of the clinic - The result of the body temperature was reflected on the screen of the device for several seconds which, when the person moves away from it, It allowed it to be visible to third parties who were there. SECOND: SALUS BALEARES, in its written response to the transfer of the claim and request for information, presented on March 28, 2022 13 (Registration number: REGAGE22e00009701065), indicates the following: “The measurement system used is a laser thermometer located at the entrance of the clinic, in which the user individually takes their temperature and the staff admission of the medical clinic observes said measurement, without carrying out any type temperature recording or identifying data of said user. That is, they are used laser thermometers, for temperature measurements without this process going accompanied by the recording of the temperature obtained from the clinic users.” FOUNDATIONS OF LAW Yo Competence In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), grants each control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the Organic Law 3/2018, of December 5, on Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve this procedure the Director of the Spanish Protection Agency of data. Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations dictated in its development and, insofar as they do not contradict them, with a subsidiary, by the general rules on administrative procedures." II Previous issues In relation to taking people's temperatures as part of the measures adopted in workplaces to help prevent the spread of the pandemic of COVID-19, it is considered necessary to highlight that the body temperature of the people is health data in itself, in accordance with the definition contained in the Article 4, section 15, GDPR. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 14/36 According to Article 4 of the GDPR, sections 1 and 2, "personal data" means: “any information about an identified or identifiable natural person”; and by “processing”: “any operation or set of operations performed on data personal data or sets of personal data, whether by automated procedures or not, such as the collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of enabling access, collation or interconnection, limitation, suppression or destruction.” Based on the above, people's temperature controls can constitute a processing of health data relating to an identified natural person or identifiable, and as such must conform to one of the legal bases listed in article 6 of the RGPD and any of the specific exceptions that are listed in article 9 of the GDPR. In general, the employer has the obligation to guarantee the safety and health of the workers at your service in aspects related to the work, as can be seen from articles 14 and following of Law 31/1995, of 8 November, Occupational Risk Prevention. This obligation operates at the same time as exception that allows the processing of health data, under the protection of the circumstances provided for in article 9.2.h) of the RGPD, and as a legal basis that legitimizes the treatment, since the treatment is necessary for the fulfillment of a legal obligation imposed on the employer (article 6.1.c) of the GDPR). There is no doubt that in a health crisis situation such as the one caused by the COVID-19, the employer is obliged to adopt extraordinary measures aimed at preventing new infections and these measures must be applied taking into account the criteria defined by the health authorities. In the field of companies, the Ministry of Health, in its document “Procedure of action for occupational risk prevention services against exposure to SARS-CoV-2", indicates that "The intervention of companies, through prevention services (SPRL), against exposure to SARS-COV-2 has been and is crucial, adapting its activity with recommendations and measures updated prevention measures (…) with the general objective of limiting infections: measures of an organizational nature, collective protection, personal protection, especially vulnerable worker and level of risk, study and management of cases and contacts that occurred in the company and collaboration in the management of disability temporary” and adds that “companies, through prevention services, are calls to collaborate with health authorities in the early detection of all cases compatible with COVID-19 and their contacts, to control transmission.” In this context, it must be understood that the control of the body temperature of the workers carried out by employers, as a measure to allow access to workplaces in order to limit infections, given that fever is a symptom of the disease caused by SARS-CoV-2, as part of a set broader set of measures that include preventive, hygiene, protective, etc., meets the criteria indicated by the health authorities. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 15/36 In the case examined, SALUS BALEARES, in accordance with the criteria indicated, states that it carries out body temperature checks on its workers to meet its health and safety obligations. Consequently, In accordance with the reasoning, this processing of workers' health data finds its legitimacy in the cause provided for in article 6.1.c) of the RGPD and in the exceptions that enable the processing of health data, set out in the article 9.2.h) of the RGPD. III In relation to taking the temperature of users who access a establishment, temperature checks on people can constitute a processing of health data relating to an identified or identifiable natural person, and as such they must comply with one of the legal bases listed in article 6 of the RGPD and any of the specific exceptions listed in the Article 9 of the GDPR. To determine whether in a specific case data processing has occurred an identified or identifiable person, it must be based on the type of device employee and take into account other circumstances of the decision-making process. temperature that can make the person identifiable, such as in the case of whether or not the body temperature is recorded or that the capture of the temperature in the establishments open to the public is carried out with advertising, in such a way that the affected person can be identified by third parties. In the body temperature controls carried out at the entrance of the establishments open to the public to take the temperature of visitors or Clients typically use manual temperature measurement devices, such as a manual thermometer that is only designed to take temperature bodily. When these temperature controls are not accompanied by a control of identity of the people who intend to access the establishment, that is, when temperature measurement is not linked to a specific person through their registration or annotation, such measures would not be, in principle, included in the scope of application of the GDPR as the temperature is not associated with a person identified or identifiable. However, denying access or assistance to a person due to their temperature can reveal to third parties who have no justification for know that the person who has been denied entry has a temperature body above what is considered not relevant and, above all, that may be infected by the virus, since fever is a symptom of the disease caused by SARS-CoV-2. Likewise, if the temperature measurement is carried out in such a way that the result is visible or public, also means that it is revealed to third parties. Therefore, it is necessary establish in each case whether the specific circumstances that occurred in the process of taking the temperature of a specific person were derived events that made her identifiable. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 16/36 In the case examined, as has been proven by photographs provided by the complaining party, an electronic device is used that measures the temperature automatically, being necessary for users to place near and in front of it. Said device is located on a wall near the waiting room and next to the clinic reception, offering the body temperature on the front of said device, being perfectly visible by the people who are in said room, as well as by those who access and found in the reception area of the establishment. Personal temperature data is health data in itself. Likewise, in the assumption of having a high temperature, this also presupposes the existence of a disease and, in the context and time in which it is taken, the possible existence of the disease caused by SARS-CoV-2, and there is also undoubtedly data from health and that are being made publicly known to third parties and regarding of identified or directly identifiable persons. IV Allegations to the Startup Agreement In response to the allegations presented by the claimed entity, it should be noted the next: I. In reference to whether taking temperature involves data processing personal character. The defendant alleges that, as the Agency itself points out in the Initiation Agreement, when temperature checks are not accompanied by an identity check of the people who intend to access the establishment, that is, when the decision is made temperature is not linked to a specific person through their record or annotation. SALUS BALERAES adds that the Agency follows this same criterion in other procedures, such as E/03884/2020, in which it has been determined that the temperature measurement through thermometers without registration of the interested parties does not It is a processing of personal data. Faced with this, it is necessary to point out, first of all, what exactly was pointed out by this Agency in the Agreement to Start this sanctioning procedure is what is has been transcribed in the Background of Fact III, reproducing again some of the paragraphs to which the claim literally refers: “When these temperature controls are not accompanied by a control of identity of the people who intend to access the establishment, that is, when the temperature measurement is not linked to a specific person through its registration or annotation, such measures would not be found, in principle, included in the scope of application of the RGPD as the temperature to an identified or identifiable person. However, denying access or assistance to a person due to their temperature can reveal to third parties who have no justification for know that the person who has been denied entry has a C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 17/36 body temperature above what is considered not relevant and, above all, that she may be infected by the virus, given that fever is a symptom of the disease caused by SARS-CoV-2. Likewise, if the temperature measurement is carried out in such a way that the result is visible or public, it also implies that is disclosed to third parties. Therefore, it is necessary to establish in each case whether of the specific circumstances that occurred in the decision-making process temperature of a specific person, events were derived that made it identifiable. In the case examined, as has been proven by photographs provided by the complaining party, a device is used electronic that measures the temperature automatically, being for this purpose It is necessary for users to stand near and in front of it. Saying device is located on a wall near the waiting room and next to the clinic reception, offering body temperature in front of said device, being perfectly visible to people who are in said room, as well as by those who access and are in the area of reception of the establishment” (emphasis added) On the other hand, in file E/03884/2020 that brings up the claim for, as he understands, maintain that as long as when taking the temperature a registration of interested parties is not data processing, it means what following: -This file refers to taking the body temperature of users of the Bilbao metro using thermal imaging cameras without recognition and without recording, which allowed knowing the temperature measurement without identification, without recording and without registration of people's data as their registration is not required ID. These data were displayed in real time and only by health personnel. -It was expressly indicated in said file that: “To determine whether in a specific case there has been a processing of data of an identified or identifiable person, it has been based on the type of device used and taking into account other circumstances of the temperature taking process that may make the person identifiable, such as in the case of registration or not body temperature or that the capture of temperature in the establishments open to the public are carried out with advertising, in such a way so that the affected person can be identified by third parties. (…) In the case examined, thermal imaging cameras are used and manual thermometers for temperature measurements without This process is accompanied by the recording of the temperature obtained of subway users. The attendance has not been confirmed either. of special circumstances that have allowed the aforementioned treatment to an identified or identifiable person. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 18/36 -And finally, it is decided by this Agency to archive the actions based on that: “according to what is reasoned, it is not appreciated in this case that the The data processing carried out refers to identified natural persons or identifiable, being consequently excluded from the scope of application of the GDPR.” (emphasis is ours). Therefore, both in what was indicated in Legal Basis II of the Agreement of Beginning of this sanctioning procedure and which is also reproduced in this proposed resolution, as well as in the case of file E/03884/2020, no The only emphasis is that the temperature is not recorded later with identification of the interested parties, but, in addition, the data must not be accessible by unauthorized third parties, and in the case of the Bilbao Metro you only see the result of body temperature by health personnel authorized for this purpose, without the rest of subway users can view the body temperature shown by the device. This means that the temperature is taken in such a way that it does not refers to identified or identifiable natural persons. However, in the case at hand, it has been shown, through the photographs provided by the claimant, that the body temperature detected by the device is perfectly visible to other people in the waiting room and in areas close to the reception, which allows personal data to be linked (the temperature) with an identified or identifiable person, since in the same When a person takes their temperature, the result is visible by the rest of the people who are at that moment in the waiting room or in the clinic reception area. Therefore, we would be here dealing with personal data referring to a person. identified or identifiable, since the body temperature data is displayed by third parties just when the person is directly taking the temperature at that same moment. That is, unauthorized third parties are viewing both the specific temperature and the person to whom that temperature belongs. AND that makes it perfectly identified or identifiable. Thus, in Opinion 4/2007 on the concept of personal data of the Group of Working Article 27 (136WP) states that: In general, a natural person can be considered “identified” when, within a group of people, it is "distinguished" from all the others group members. Therefore, the natural person is "identifiable" when, although it has not yet been identified, it is possible to do so (which is the meaning of the suffix "ble"). Thus, this second alternative is, in the practice, the sufficient condition to consider that the information enters the scope of application of the third component. (p. 12) This temperature taking treatment in this way in which it has been carried out represents a particularly intense interference in the rights of people affected. On the one hand, because it affects data related to people's health, not only because the value of body temperature is a health data in itself C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid Seeagpd.gob.es 19/36 but also because, based on it, it is assumed that a person suffers or does not suffer from a specific disease, such as coronavirus infection in these cases. On the other hand, regarding what was alleged by SALUS BALEARES regarding that the device is located on a wall next to reception, where there are elements ornamental to prevent the result of the measurement from being displayed, It means, first of all, that in the photographs provided by the claimant clearly shows that from the position in which he is (waiting room area) clearly visualizes the measuring device and the result it gives, since the ornamental element remains on the other side and does not interrupt visibility in any way, And, secondly, it is not appropriate to accept that said ornamental element, consisting on a plant in a medium-sized pot, located in a corner above the reception desk, may be considered a technical measure or appropriate organizational structure to ensure adequate security, specifically to guarantee the confidentiality of personal data, not only because it is inappropriate in himself, but because, as can be seen from the photos, it is easy to locate the other side of the counter (and on the other side of the floor) to perfectly view the result returned by the temperature measuring device. Likewise, the claimant points out that when the measurement is carried out by bringing the hand closer, a few centimeters from the device, the person's body visually obstructs the result, making it practically impossible for the temperature measurement be visible to no one but her. However, and contrary to what was alleged, the Photos provided show that the result produced by the device (the temperature body) remains on its screen for several seconds, since In the photos you can see that the person (a woman) who takes the temperature takes it see later in another photo far from the device and, however, the temperature shown It continues to be displayed in this one. On the other hand, SALUS BALEARES alleges that the present case of reliably by the Agency, since there is no record of any inspection visit to the clinic in question, in which it has been examined or reviewed whether the photographs taken They were a faithful reflection of reality. In this regard, the photos provided by the claimant clearly reflect the facts. Likewise, the defendant herself has used one of the photos provided by the claimant to assert the existence of the ornamental plant as a measure of protection against viewing the thermometer, describing its situation and taking the body temperature of the users according to said photo. In addition, SALUS BALEARES, as indicated in the Second Proven Fact, in its written response to the transfer of the claim and request for information addressed by this Agency, expressly indicated that “The measurement system used is of a laser thermometer located at the entrance of the clinic, in which the user individually the temperature is taken and the admission staff of the medical clinic observes said measurement, without carrying out any type of temperature record or identifying data of said user. That is, laser thermometers are used for temperature measurements without this process being accompanied by the recording of the temperature obtained from clinic users.” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 20/36 Due to the above, both from the photos and from the statements of SALUS BALEARES, The circumstances of how the shooting was carried out have been perfectly accredited. temperature of the people who access the clinic. SALUS BALEARES alleges that the photographs do not prove that the claimant carry out its measurement, given that they do not display the moment in which that the interested party (claimant) takes his temperature, as well as what the As stated in his complaint, he did not measure his temperature, reason why he was not allowed to access the center, and that this means that he has not there has been no processing of his personal data. Faced with this, it must be clarified that the processing of personal data that is understood that breaches data protection regulations does not refer to the processing carried out or not made with respect to the claimant specifically, since he did not agree to your temperature will be taken, but rather the way the clinic takes your temperature at all the people who access it. That is, the treatment carried out regarding taking the temperature of all people who access the clinic. II. In reference to the quantification of sanctions SALUS BALEARES states that it does not agree with the circumstances that have arisen. had as aggravating factors of the sanction indicated in the Initiation Agreement. Thus, SALUS BALEARES indicates that, in relation to article 83.2.a), it has been considered that the nature of the infringement is serious because it entails a loss of confidentiality and, therefore, of disposition and control over personal data, but that, however, there was no data processing because the claimant never reached measure their temperature, so no confidentiality could be violated. Faced with this, as indicated in the previous point, this procedure disciplinary action has not been initiated because it is considered that confidentiality has been violated of the claimant's data, but because confidentiality has been violated in the taking the temperature of the people who enter the clinic, since the The result of said temperature was visible to the rest of the people there. they could find, that is, by unauthorized third parties. Likewise, SALUS BALEARES points out that, regarding the number of interested parties affected, this Agency has not indicated the criteria to determine that the number of affected is high, not knowing the number of clients received in the clinic and not other claims have been filed. Faced with this, it is worth remembering that those affected cannot be considered to have been few or isolated, since taking the temperature in the indicated circumstances has been going on for the long period of time it was mandatory as a preventive measure during the pandemic derived from the COVID-19 virus. TO For greater detail, the claimant itself in its brief of allegations to the Agreement of Home expressly recognizes that the number of patients at the Asistel Moraira clinic In all of 2022, the year in which the claim occurred, it was 2,375 people, non-negligible number of people. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 21/36 Regarding the fact that temperature measurement was recommended in accordance with the health regulations established by the competent health organizations, as well as as by the Law on the Prevention of Occupational Risks with respect to its employees, means that, as indicated in the First Legal Basis of the Agreement of Beginning and which is reproduced again in the First Fundamental of Law of the present proposal and to which reference should be made, temperature measurement as a measure protection against COVID 19 is legitimized. That is, it has not been questioned whether the treatment is legal, that it can be carried out. However, The fact that there is legitimacy for the treatment is not an obstacle for it to be to carry out in compliance with the rest of the obligations and requirements imposed by the regulations regarding data protection, including, especially, guaranteeing the confidentiality of the personal data processed. In relation to the application of article 83.2.b) of the GDPR, you do not agree SALUS BALEARES in which the existence of negligence is applied because it insists in which there was no processing of personal data, since the claimant never arrived to measure the temperature. Likewise, it indicates that the aggravating circumstance of article 83.2.g) of the GDPR, relative to the category of data affected, which in the present case would be data health, for the same reason that there has been no data processing personal, as determined in file E/03884/2020. In this regard, it is appropriate to refer to what is argued in this Ground of Right regarding data processing involved in taking body temperature carried out by the defendant, especially the fact that, in the present case, as the result of the body temperature is visible to the rest of the people who may be in the area at the same time that a person takes their temperature, this means that it is identified or identifiable, so, and contrary to what the claimant claims, we would be in the case of the definition of personal data in article 4 of the GDPR, sections 1 and 2, according to which, “personal data” means: “any information about a identified or identifiable natural person”; and by “treatment”: “any operation or set of operations performed on personal data or data sets personal data, whether by automated procedures or not, such as collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of enabling access, collation or interconnection, limitation, deletion or destruction.” Therefore, body temperature is personal data, specifically data of health and, in accordance with the circumstances under which the temperature is taken in the premises of the person claimed (in a visible way for the rest of the people who are located in the area where the measurement is carried out), is information that is collected with respect to an identifiable natural person. Finally, SALUS BALEARES points out, regarding the aggravating circumstance of article 76.2.b) of the LOPDGDD, referring to the linking of the offender's activity with the performance of processing of personal data, which has taken into account the activity of the entire group and not the specific activity of the Asistel Moraira clinic, where supposedly has produced the violations in terms of data protection. However, he points out C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 22/36 SALUS BALEARES than the number of patients at the Asistel Moraira clinic throughout 2022, the year in which the claim occurred, was 2,375 people. In this regard, it is meant that the aggravating circumstance refers to the fact that the development of the activity carried out by the person claimed involves continuous processing of data personal (not only with respect to temperature taking, but also with respect to the service care provided, medical records, etc.), which are also health, That is, it is not a residual or sporadic treatment, which requires greater diligence on the part of the defendant, and this regardless of the specific number of patients that one of the clinics in question received in one year. III. Form defects in the Startup Agreement that make it void SALUS BALEARES alleges that the non bis in idem principle has been breached, which prohibits the same act from being punished several times. Faced with this, it is necessary to explain the difference between the violation of art. 5.1.f and the article 32 of the GDPR. The art. 5.1.f) of the RGPD is violated when there is a loss of confidentiality, integrity or availability of personal data, which may occur or not due to the absence or deficiency of security measures. This principle only determines the channel through which the maintenance of confidentiality, integrity or availability when explicit “through the application of appropriate technical and organizational measures”, which are not Strictly security. The appropriate technical and organizational measures referred to in art. 5.1.f) GDPR are not the security measures of art. 32 of the GDPR. This would simplify the essence of the GDPR whose compliance is not limited to the implementation of measures technical and organizational security; would mean reducing the guarantee required by the principle of integrity and confidentiality to be achieved only with security measures. security. It should be noted that there are multiple technical or organizational measures that are not security and that the person responsible for the treatment can implement as a channel to guarantee this principle. However, art. 32 of the GDPR includes the obligation to implement measures appropriate technical and organizational security measures to ensure a level of security appropriate to the risk. Of security. Just for security. Furthermore, its objective is to guarantee a level of security appropriate to the risk while that in the case of article 5.1.f) of the RGPD, confidentiality and integrity. As can be seen, the two articles pursue different purposes, although they may be related. Already entering fully into the examination of the non bis in idem, the Court's Judgment National of July 23, 2021 (rec. 1/2017) provides that, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 23/36 “(…) In accordance with the legislation and jurisprudence set forth, the non bis in idem principle prevents punishing the same subject twice for the same act with support in the same foundation, the latter understood as the same legal interest protected by the sanctioning regulations in question. In fact, when there is the triple identity of subject, fact and foundation, the sum of sanctions creates a sanction unrelated to the judgment of proportionality carried out by the legislator and materializes the imposition of a sanction not legally provided for, which also violates the principle of proportionality. But in order to speak of "bis in idem" a triple identity must occur. between the terms compared: objective (same facts), subjective (against the same subjects) and causal (for the same basis or reason for punishing): a) Subjective identity assumes that the affected subject must be the same, regardless of whatever the nature or judicial or administrative authority that prosecutes and with independence of who the accuser or specific body is that has resolved, or that be tried alone or in conjunction with other affected parties. b) Factual identity assumes that the facts prosecuted are the same, and rules out the cases of real competition of infractions in which there is not the same illegal act but before several. c) The identity of the foundation or cause implies that the sanctioning measures do not can coincide if they respond to the same nature, that is, if they participate in a same teleological foundation, what happens between penal and administrative sanctions, but not between the punitive and the merely coercive.” Taking as reference what was previously explained, the principle has not been violated non bis in idem, since the violation of art. 5.1.f) of the RGPD is specified in a clear loss of confidentiality, while the violation of art. 32 of the GDPR reduces to the absence and deficiency of security measures (security only) suitable. Having said all that, it is not considered that there is a violation of the principle of non bis in idem, enshrined in article 25 of the Spanish Constitution. Finally, SALUS BALEARES alleges that the Startup Agreement indicates a penalty of 10,000 euros for a violation of article 32 of the RGPD, but that, without However, this Agency has not proceeded to initiate any procedure sanctioning in the present file against her motivated by the violation of the article 32 of the RGPD, which is why it requests the annulment of the procedure. In this regard, it should be noted that, in the Agreement to Start this procedure sanctioning, in the Fundamentals of Law VII, VIII and IX of the same it is indicated with clarity of the facts, the infringement that they represent (infringement of article 32), the classification of the infraction (article 83.4 of the RGPD) as well as the sanction that could be relapse for it. Likewise, in the operative part of the same it is clearly indicated that disciplinary procedure is initiated against SALUS BALEARES for violation of the article C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 24/36 32 of the RGPD, typified in article 83.4 of the RGPD and that the sanction could involve a fine of 10,000 euros. For the above reasons, the Startup Agreement does not suffer from any cause of nullity or voidability. In conclusion, all allegations made are rejected. V Allegations to the Proposed Resolution In response to the allegations presented by the claimed entity, it should be noted the next: First: The AEPD has not proven any fact that implies the commission of a infringement by SALUS BALEARES and the imposition of sanctions proposals SALUS BALEARES alleges again that the sanction proposal is based on a insufficient evidence to undermine the presumption of innocence because in the administrative file only contains a photograph taken by the complainant and the AEPD has not carried out evidentiary activity in the processing of the file, since he has not appeared at the premises to verify the reality that presumably indicated in the photographs. In this regard, as already noted in the Proposed Resolution, the claimant Along with his claim, he provided three photographs that are in the file: -In the first, a person (woman) appears looking at the wall and placing her hand on it. certain height. -In the second photo, the same person is a little further away from the area above and then an electronic temperature taking device is displayed on the area of the wall where said person was previously located and is displayed in red digital numbers one value (36.1) -In the third photograph, the same person is a little further away, in the area reception and the device continues to indicate the previous value (36.1) In all the photographs you can see the reception area very close (almost attached) to the right of the device. In two of them another person is even visualized (a man) in the reception area, which, by simply taking a step back, would allow you to display the temperature displayed by the device In these photographs, as has been pointed out in the First Proven Fact, clearly reflect the following facts: -In the clinic an electronic device is used that measures temperature automatic, requiring users to stand close and in front of it. of the same. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 25/36 - The device was located on a wall in an area where it is located the waiting room and reception of the clinic - The result of the body temperature was reflected on the screen of the device for several seconds which, when the person moves away from it, It allowed it to be visible to third parties who were there. On the other hand, SALUS BALEARES has at no time denied the veracity of the Photographs. Furthermore, in his written response to the transfer of the claim and request of information, presented on March 28, 2022 13, indicated the following: “The measurement system used is a laser thermometer located at the entrance of the clinic, in which the user individually takes their temperature and the staff admission of the medical clinic observes said measurement, without carrying out any type temperature recording or identifying data of said user. That is, they are used laser thermometers, for temperature measurements without this process going accompanied by the recording of the temperature obtained from the clinic users.” Likewise, the defendant herself has used one of the photos provided by the claimant to assert the existence of the ornamental plant as a measure of protection against viewing the thermometer, describing its location and taking the body temperature of the users according to said photo. Due to the above, both from the photos and from the statements of SALUS BALEARES, The circumstances of how the shooting was carried out have been perfectly accredited. temperature of the people who access the clinic, not being necessary, for Therefore, in no way does this Agency appear at the premises of the claimed party to verify what is considered fully proven and accredited and also, not contradicted by the claimant. Second: SALUS BALEARES has not processed the complainant's data SALUS BALEARES once again claims that there was no data processing personal rights of the claimant, since he did not submit to the taking of temperature. In this regard, as already indicated in the Proposed Resolution, the treatment of personal data that is understood to breach the data protection regulations. data does not refer to the processing carried out or not carried out with respect to the claimant in specifically, since he, in fact, did not agree to have his temperature taken, but about the way in which the clinic takes the temperature of all the people who they access it. That is, the treatment carried out with respect to taking temperature to all people who access the clinic. Likewise, SALUS BALEARES refers to several issues such as not They record temperature measurement data; that there are ornamental elements (a plant) to prevent the result from being visible from the right side of measurement; that the mandatory distance that had to be maintained between people did not allowed the visualization of the data; that the screen of the measuring device was covered by the body of the person who came to take the temperature; that all people had to access the facilities with a mask. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 26/36 Faced with this, it is appropriate to refer to everything answered and argued in the Proposal of Resolution. Thus, it was indicated, first of all, that in the photographs provided by the claimant it is clearly evident that from the position in which he is (zone of waiting room) the measuring device and the result shown are clearly displayed. throws, since the ornamental element is on the other side and does not interrupt the visibility in any way, And, secondly, it is not appropriate to accept that said ornamental element, consisting on a plant in a medium-sized pot, located in a corner above the reception desk, may be considered a technical measure or appropriate organizational structure to ensure adequate security, specifically to guarantee the confidentiality of personal data, not only because it is inappropriate in himself, but because, as can be seen from the photos, it is easy to locate the other side of the counter (and on the other side of the floor) to perfectly view the result returned by the temperature measuring device. Likewise, in that when the measurement is carried out by bringing the hand closer, just a few centimeters of the device, the person's body visually obstructs the result, making it practically impossible for the temperature measurement to be visible by no one but her, it means, contrary to this, that from the photos provided It is evident that the result produced by the device (body temperature) is remains on the screen for several seconds, since the photos show appreciates that the person (a woman) who takes the temperature is seen later in another photo away from the device and yet the temperature returned remains being visualized in this one. Fourth: The eventual data processing was secure. At all times they were respected the indications of the LOPDGDD and the RGPD In this section, SALUS BALEARES fundamentally denies that in any moment patients could see another patient's temperature. In light of this, it is appropriate to refer to what was stated in the previous section of this Foundation of Law. Fourth: From the isolated temperature data the identity of the temperature could not be known. person The defendant alleges again that, although the temperature data is a data of health, at the time of taking the temperature, the possible users of the facilities could not have the necessary information that would link that data with others that would make the person who proceeds to take the temperature identifiable, for example which is not data relating to an identified or identifiable natural person. Faced with this, as already indicated in the Proposed Resolution, it has been evidenced, through the photographs provided by the claimant, that the body temperature detected by the device is perfectly visible to others people who are in the waiting room and in areas near the reception, which allows linking personal data (temperature) with an identified person C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 27/36 or identifiable, since at the same moment that a person takes the temperature, the result is visible to the rest of the people who are in that area. moment in the waiting room or reception area of the clinic. Therefore, we would be here dealing with personal data referring to a person. identified or identifiable, since the body temperature data is displayed by third parties just when the person is directly taking the temperature at that same moment. That is, unauthorized third parties are viewing directly both the specific temperature and the person to whom that temperature belongs. temperature. And that makes it perfectly identified or identifiable. What seems to confuse the claim is that a person is identifiable with power obtain your identifying data (name and surname), which is not the case. In this regard, in Opinion 4/2007 on the concept of personal data of the Article 27 Working Group (136WP) states that: In general terms, a natural person can be considered “identified” when, within a group of people, she is "distinguished" from all other members of the group. cluster. Consequently, the natural person is "identifiable" when, although not has yet been identified, it is possible to do so (which is the meaning of the suffix "ble"). Thus, this second alternative is, in practice, the sufficient condition for consider that the information falls within the scope of application of the third component. (p. 12) This temperature taking treatment in this way in which it has been carried out involves a particularly intense interference in the rights of people affected. On the one hand, because it affects data related to people's health, not only because the value of body temperature is a health data in itself but also because, based on it, it is assumed that a person suffers or does not suffer from a specific disease, such as coronavirus infection in these cases. Fifth: The context of the health crisis has not been taken into account The defendant alleges that the moment and circumstances in which the They were as exceptional as a global pandemic. However, this has not been taken into account by the AEPD. In this sense, it should be noted that both in the Initiation Agreement and in the Proposed Resolution, as well as in this Resolution, in its Basis of Right II, the situation of the pandemic caused by COVID has been taken into account 19, precisely for the purpose of justifying the legality of temperature treatment body under the circumstances provided for in article 9.2.h) of the RGPD and, as a legal basis that legitimizes the treatment, since it is necessary to compliance with an imposed legal obligation (article 6.1.c) of the RGPD. However, once you are authorized to process the data in question, This is in no way an obstacle to the fulfillment of the rest of the obligations that imposed by the GDPR, such as guaranteeing the confidentiality of personal data C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 28/36 (article 5.1.f) and to adopt the appropriate technical and organizational measures to guarantee a level of security appropriate to the risk of the treatment (article 32). For the above reasons, the allegations are dismissed. SAW Article 5.1. f) GDPR Article 5.1.f) “Principles relating to processing” of the GDPR establishes: "1. The personal data will be: (…) f) treated in such a way as to ensure adequate safety of the personal data, including protection against unauthorized processing or unlawful and against its loss, destruction or accidental damage, through the application of appropriate technical or organizational measures ("integrity and confidentiality»).” Taking body temperature involves a particularly intense interference in the rights of affected people. On the one hand, because, as has been indicated previously, affects data related to people's health, not only because the value of body temperature is a health fact in itself but also because, From it, it is assumed that a person may or may not suffer from a specific disease, such as coronavirus infection in these cases. Therefore, the fact that, in accordance with the regulations applicable in each case (regulations health or that relating to the prevention of occupational risks) can and/or must legally monitor the body temperature of employees and users of a establishment does not mean that these data should not be processed with application of the principles and guarantees that protect the fundamental right to data protection. Therefore, temperature controls must be carried out in such a way that comply with all the guarantees and obligations established by the regulations regarding personal data protection. In the present case, the body temperature of the users who access the clinic It is taken in such a way that it is capable of being viewed by anyone located in the waiting room and reception area, which means that is being revealed to third parties who have no justification for knowing that The affected person has a specific temperature. All this represents a violation of the obligation to guarantee the confidentiality of personal data. For all the above and in accordance with the evidence available, it is considers that the known facts constitute an infringement, attributable to SALUS BALEARES, for violation of article 5.1.f) of the RGPD. VII Classification of the violation of article 5.1.f) of the RGPD C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 29/36 The aforementioned violation of article 5.1.f) of the RGPD implies the commission of the violations typified in article 83.5 of the RGPD that under the heading “General conditions for the imposition of administrative fines” provides: “Infringements of the following provisions will be sanctioned, in accordance with the paragraph 2, with administrative fines of a maximum of EUR 20 000 000 or, In the case of a company, an amount equivalent to a maximum of 4% of the global total annual business volume of the previous financial year, opting for the largest amount: a) the basic principles for the treatment, including the conditions for the consent under articles 5, 6, 7 and 9; (…)” In this regard, the LOPDGDD, in its article 71 “Infringements” establishes that “The acts and conduct referred to in sections 4, 5 constitute infractions. and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law.” For the purposes of the limitation period, article 72 “Infringements considered very “serious” of the LOPDGDD indicates: "1. Based on what is established in article 83.5 of Regulation (EU) 2016/679, considered very serious and will prescribe after three years the infractions that involve a substantial violation of the articles mentioned therein and, in particular, the following: a) The processing of personal data violating the principles and guarantees established in article 5 of Regulation (EU) 2016/679. (…)” VIII Penalty for violation of article 5.1.f) of the RGPD For the purposes of deciding on the imposition of an administrative fine and its amount, In accordance with the evidence available, the sanction should be graduated to impose in accordance with the following criteria established in article 83.2 of the GDPR: As aggravating factors: - Article 83.2.a) RGPD: Nature, severity and duration of the infringement. The nature of the infraction is considered to be serious since it entails a loss of confidentiality and, therefore, of disposition and control over the data personal. High number of interested parties affected: all people who have accessed the clinic for as long as the patient's temperature has been monitored. form and with the circumstances outlined. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 30/36 - Article 83.2.b) RGPD. Intentional or negligence in the infringement: Although considers that there was no intention on the part of SALUS BALEARES, it can observe the existence of negligence in compliance and observance of the technical and organizational measures to guarantee the security necessary for the protection of personal data, specifically to ensure confidentiality of the same, since the temperature of the users was taken They came to the clinic in such a way that it was possible to visualize it for the rest of their lives. people who were in the waiting room or reception area, which reflects negligence, especially considering that it involves health data. TO In this regard, it must be remembered that SALUS BALEARES is a clinic and, therefore, accustomed to the processing of personal data, specifically health data. It is worth remembering, in this sense, the Judgment of the National Court of 10/17/2007 (rec. 63/2006), that with respect to entities whose activity involves the continuous processing of customer data, indicates “…the Supreme Court comes understanding that imprudence exists whenever a legal duty of care, that is, when the offender does not behave with the required diligence. And in the assessment of the degree of diligence, special consideration must be given to professionalism or not of the subject, and there is no doubt that, in the case now examined, when the activity of the appellant is constant and abundant handling of personal data has of insisting on rigor and exquisite care to comply with legal provisions when regard. -Article 83.2.g) RGPD. Categories of personal data affected by the breach: Personal data related to health has been affected. Likewise, it is considered that it is appropriate to graduate the sanction to be imposed in accordance with the following criteria established in section 2 of article 76 “Sanctions and measures “corrective measures” of the LOPDGDD: As aggravating factors: - Article 76.2.b) LOPDGDD. Linking the offender's activity with the performance of personal data processing: The development of the activity business carried out by SALUS BALEARES involves a continuous treatment of personal data, many of them health. Therefore, it is a company accustomed to the processing of personal data. For the purposes of deciding on the imposition of an administrative fine and its amount, in accordance with the evidence available, taking into account the circumstances of the case and the criteria established in article 83.2 of the RGPD with regarding the infraction committed by violating the provisions of article 5.1.f) of the RGPD allows a fine of €20,000 (TWENTY THOUSAND EUROS) to be set. IX Article 32 of the GDPR Article 32 “Security of processing” of the GDPR establishes: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 31/36 "1. Taking into account the state of the art, the application costs, and the nature, scope, context and purposes of the processing, as well as risks of variable probability and severity for people's rights and freedoms physical, the person responsible and the person in charge of the treatment will apply technical and appropriate organizational measures to guarantee a level of security appropriate to the risk, which, if applicable, includes, among others: a) pseudonymization and encryption of personal data; b) the ability to guarantee the confidentiality, integrity, availability and permanent resilience of treatment systems and services; c) the ability to restore availability and access to data personnel quickly in the event of a physical or technical incident; d) a process of regular verification, evaluation and assessment of effectiveness of the technical and organizational measures to guarantee the security of the treatment. 2. When evaluating the adequacy of the security level, particular consideration will be given to takes into account the risks presented by data processing, in particular as consequence of the accidental or unlawful destruction, loss or alteration of data personal data transmitted, preserved or otherwise processed, or the communication or unauthorized access to said data. 3. Adherence to a code of conduct approved pursuant to Article 40 or to a certification mechanism approved pursuant to article 42 may serve as an element to demonstrate compliance with the requirements established in section 1 of the present article. 4. The controller and the person in charge of the treatment will take measures to ensure that any person acting under the authority of the person responsible or in charge and has access to personal data can only process said data following instructions of the person responsible, unless it is obliged to do so by virtue of the Law of the Union or the Member States.” (emphasis is ours) Article 32 does not establish static security measures, but will correspond to the responsible for determining those security measures that are necessary to guarantee the confidentiality, integrity and availability of personal data, Therefore, the same data processing may involve security measures different depending on the specific specificities in which said data treatment. Recital 83 of the GDPR states: In order to maintain security and prevent the treatment infringes the provisions of this Regulation, the person responsible or the The person in charge must evaluate the risks inherent to the treatment and apply measures to mitigate them, such as encryption. These measures must guarantee a level of security appropriate, including confidentiality, taking into account the state of the art and the cost of its application with respect to the risks and the nature of the data personnel that must be protected. When assessing risk in relation to the safety of data, the risks arising from the processing of the data must be taken into account. personal data, such as the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 32/36 unauthorized communication or access to said data, susceptible in particular to cause physical, material or immaterial damage and harm. (emphasis is our) Data security requires the application of technical or organizational measures appropriate in the processing of personal data to protect said data against access, use, modification, dissemination, loss, destruction or accidental damage, unauthorized or illicit. In this sense, security measures are key when to guarantee the fundamental right to data protection. It is not possible existence of the fundamental right to data protection if it is not possible to guarantee their confidentiality, integrity and availability. It should not be forgotten that, in accordance with article 32.1 of the GDPR, measures technical and organizational measures to be applied to guarantee a level of security appropriate to the risk must take into account the state of the art, application costs, nature, scope, context and purposes of the processing, as well as the risks of variable probability and severity for people's rights and freedoms physical. In this sense, derived from the activity to which SALUS BALEARES is dedicated and the personal data it processes, it is obliged to carry out a risk analysis and a implementation of appropriate technical and organizational measures to guarantee a level of security appropriate to the risk of its activity for the rights and freedoms of the people, especially taking into account that their activity involves processing personal data. health. In the present case, the processing of health data (temperature taking) of in such a way and using means that are not appropriate to guarantee a adequate security of personal data, namely to ensure the confidentiality of the same, since the body temperature data is susceptible from being viewed by unauthorized third parties. This reveals negligent action when anticipating a risk. easily detectable and evaluable (temperature within sight and in an access area public) and not implementing measures to avoid or mitigate it. In accordance with the evidence available, it is considered that the Known facts constitute an infringement, attributable to SALUS BALEARIC ISLANDS, for violation of article 32 of the RGPD. x Classification of the violation of article 32 of the RGPD The aforementioned violation of article 32 of the RGPD implies the commission of the violations typified in article 83.4 of the RGPD that under the heading “General conditions for the imposition of administrative fines” provides: “Infringements of the following provisions will be sanctioned, in accordance with the paragraph 2, with administrative fines of a maximum of EUR 10 000 000 or, In the case of a company, an amount equivalent to a maximum of 2% of the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 33/36 global total annual business volume of the previous financial year, opting for the largest amount: a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39, 42 and 43; (…)” In this regard, the LOPDGDD, in its article 71 “Infringements” establishes that “The acts and conduct referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that result contrary to this organic law.” For the purposes of the limitation period, article 73 “Infringements considered serious” of the LOPDGDD indicates: “Based on what is established in article 83.4 of Regulation (EU) 2016/679, are considered serious and will prescribe after two years the infractions that involve a substantial violation of the articles mentioned therein and, in particular, the following: (…) f) The lack of adoption of those technical and organizational measures that are appropriate to guarantee a level of security appropriate to the risk of the treatment, in the terms required by article 32.1 of the Regulation (EU) 2016/679. XI Penalty for violation of article 32 of the GDPR For the purposes of deciding on the imposition of an administrative fine and its amount, In accordance with the evidence available, the sanction should be graduated to impose in accordance with the following criteria established in article 83.2 of the GDPR: As aggravating factors: - Article 83.2.a) RGPD: Nature, severity and duration of the infringement. The nature of the infraction is considered to be serious since it entails a loss of confidentiality and, therefore, of disposition and control over the data personal. High number of interested parties affected: all people who have accessed the clinic for as long as the patient's temperature has been monitored. form and with the circumstances outlined. - Article 83.2.b) RGPD. Intentional or negligence in the infringement: Although considers that there was no intention on the part of SALUS BALEARES, it can C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 34/36 observe the existence of negligence in compliance and observance of the technical and organizational measures to guarantee the security necessary for the protection of personal data, specifically to ensure confidentiality of the same, since the temperature of the users was taken They came to the clinic in such a way that it was possible to visualize it for the rest of their lives. people who were in the waiting room or reception area, which reflects negligence, especially considering that it involves health data. It is worth remembering, in this sense, the Judgment of the National Court of 10/17/2007 (rec. 63/2006), that with respect to entities whose activity involves the continuous processing of customer data, indicates “…the Supreme Court comes understanding that imprudence exists whenever a legal duty of care, that is, when the offender does not behave with the required diligence. And in the assessment of the degree of diligence, special consideration must be given to professionalism or not of the subject, and there is no doubt that, in the case now examined, when the activity of the appellant is constant and abundant handling of personal data has of insisting on rigor and exquisite care to comply with legal provisions when regard. -Article 83.2.g) RGPD. Categories of personal data affected by the breach: Personal data related to health has been affected. Likewise, it is considered that it is appropriate to graduate the sanction to be imposed in accordance with the following criteria established in section 2 of article 76 “Sanctions and measures “corrective measures” of the LOPDGDD: As aggravating factors: - Article 76.2.b) LOPDGDD. Linking the offender's activity with the performance of personal data processing: The development of the activity business carried out by SALUS BALEARES (clinic) involves a treatment continuous collection of personal data, many of them health data. Therefore, it is a company accustomed to the processing of personal data. The balance of the circumstances contemplated in article 83.2 of the RGPD with Regarding the infraction committed by violating the provisions of article 32 of the RGPD, allows setting a penalty of 10,000 (ten thousand euros). Therefore, in accordance with the applicable legislation and evaluated the criteria of graduation of the sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: IMPOSE CENTRO MÉDICO SALUS BALEARES, S.L., with NIF B07060478, for a violation of article 5.1.f) of the RGPD, typified in article 83.5 of the RGPD, a fine of 20,000.00 euros (TWENTY THOUSAND EUROS), and, for a violation of article 32 of the RGPD, typified in article 83.4 of the RGPD, a fine of 10,000.00 euros (TEN THOUSAND EUROS), which adds up to a total amount of €30,000. (THIRTY THOUSAND EUROS). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 35/36 THIRD: NOTIFY this resolution to CENTRO MÉDICO SALUS BALEARES, S.L. FOURTH: This resolution will be enforceable once the deadline to file the optional resource for replacement (one month counting from the day following the notification of this resolution) without the interested party having made use of this power. The sanctioned person is warned that he must make effective the sanction imposed once This resolution is executive, in accordance with the provisions of art. 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations (hereinafter LPACAP), within the voluntary payment period established in art. 68 of the General Collection Regulations, approved by Real Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of 17 December, through your entry, indicating the NIF of the sanctioned person and the number of procedure that appears in the heading of this document, in the account restricted IBAN number: ES00-0000-0000-0000-0000-0000 open in the name of the Agency Spanish Data Protection in the banking entity CAIXABANK, S.A. in case Otherwise, it will be collected during the executive period. Once the notification is received and once enforceable, if the enforceable date is between the 1st and 15th of each month, both inclusive, the deadline to make the payment voluntary will be until the 20th of the following month or immediately following business month, and if The payment period is between the 16th and last day of each month, both inclusive. It will be until the 5th of the second following or immediately following business month. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within a period of one month to count from the day following the notification of this resolution or directly contentious-administrative appeal before the Contentious-administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the referred Law. Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the final resolution through administrative channels if the interested party expresses his intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact through writing addressed to the Spanish Data Protection Agency, presenting it through of the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica- web/], or through any of the other registries provided for in art. 16.4 of the cited Law 39/2015, of October 1. You must also transfer to the Agency the documentation that proves the effective filing of the contentious appeal administrative. If the Agency was not aware of the filing of the appeal C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 36/36 contentious-administrative within a period of two months from the day following the notification of this resolution would terminate the precautionary suspension. 938-16012024 Sea Spain Martí Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es