AEPD (Spain) - EXP202202309

From GDPRhub
Latest revision as of 12:14, 3 April 2024

Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR
Article 32 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published:
Fine: € 30,000
Parties: Centro Médico Salus Baleares, S.L.
National Case Number/Name: EXP202202309
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: lm

The DPA sanctioned a medical center € 30,000, finding that it violated confidentiality principles when it required data subjects to take their temperature in a reception area where the data could be seen by third parties.

English Summary

Facts

On 9 February 2022, a data subject filed a complaint with the Spanish DPA (AEPD) against a medical center, Centro Médico Salus Baleares, S.L. (the controller). During the COVID-19 pandemic, the controller required patients to take their temperature on a device in order to receive medical assistance. The device was located in the reception and waiting area and was within sight of third persons.

In its defense brief, the controller argued that the data subject had in fact never had their temperature taken and thus lacked standing to bring a complaint. The controller also noted that these protocols were in place during the COVID-19 pandemic, when public health authorities had issued guidance that included temperature controls.

Holding

The AEPD found that the controller violated security and confidentiality principles under Articles 5(1)(f) and 32 GDPR. It fined the controller € 30,000 for the violations.

The AEPD noted that body temperature is health data and thus a special category of data pursuant to Article 9(1) GDPR. At the same time, it acknowledged that in a public health crisis employers are obligated to adopt extraordinary measures in line with public health guidance, and observed that national laws on occupational risk prevention justified processing this sensitive data pursuant to Article 9(2)(h) GDPR. Thus, taking individuals’ temperature was not, in and of itself, prohibited in this case.

Nonetheless, such data must be safeguarded pursuant to the GDPR’s security and integrity obligations. The AEPD found that the temperature device permitted temperature readings to be seen by third parties in the waiting area of the medical center, and that the controller lacked measures to protect individuals’ health data against such observation. As a result, the controller violated Articles 5(1)(f) and 32 GDPR.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

File No.: EXP202202309

RESOLUTION OF SANCTIONING PROCEDURE

In the proceedings conducted by the Spanish Data Protection Agency, and on the basis of the following

BACKGROUND

FIRST: On February 9, 2022, A.A.A. (hereinafter, the complaining party) filed a claim with the Spanish Data Protection Agency. The claim is directed against CENTRO MÉDICO SALUS BALEARES, S.L., with NIF B07060478 (hereinafter SALUS BALEARES). The grounds for the claim are as follows:

While in a SALUS BALEARES medical center (Asistel Moraira clinic), he was asked to take his temperature with a device located on the wall facing the waiting room and next to the reception, and therefore in view of third parties, who could see the body temperature reading it displays. He refused to take it and was consequently denied medical assistance (having an analysis performed). He considers that he has been discriminated against and that his rights have been violated.


Photographs showing the location of the thermometer in the aforementioned medical center are provided together with the claim, as well as a copy of the complaint form submitted by the complaining party.

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), said claim was forwarded to SALUS BALEARES so that it could analyse it and report to this Agency, within one month, on the actions taken to comply with the requirements laid down in data protection regulations.


The transfer, carried out in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), was received on March 1, 2022, as shown by the acknowledgment of receipt in the file.


On March 28, 2022, this Agency received a response letter stating the following:

- The measurement system used is a laser thermometer located at the entrance of the clinic, with which the user individually takes their own temperature while the clinic's admission staff observe the reading, without any recording of the temperature or of identifying data of that user. Therefore, in no case does the temperature measurement (laser measurement of the forehead or hand) constitute processing of personal data, and consequently neither the intervention of the Spanish Data Protection Agency nor the application of the current data protection regulations is warranted, since there is no data processing.

C/ Jorge Juan, 6, 28001 – Madrid. www.aepd.es sedeagpd.gob.es


- Automatic temperature measurement of a user, without any associated record, does not involve data processing, and therefore there is no purpose established for such processing.

- Likewise, if it were in fact considered data processing, its purpose is the safety of the clinic's workers and users, seen from the perspective of the coronavirus health pandemic, during which various protocols were published to normalise the return to normal activity with this measure (temperature measurement of users). There is a legal obligation under the Law on Occupational Risk Prevention, which obliges the employer to implement measures to guarantee safety in the work environment.


- Specific instructions have been given so that the operators assigned to temperature control verbally inform people about the situation and the reason for the control, indicating that the measurement results will at no time be recorded, stored or used for any purpose other than advising on the safety measures to be adopted.


- It concludes that, as long as there is no official regulation imposing a different measure, the temperature-taking protocol will continue to be applied to workers and users, legitimised by compliance with a legal obligation.


THIRD: On May 9, 2022, in accordance with article 65 of the LOPDGDD, the claim filed by the complaining party was admitted for processing.

FOURTH: The entity CENTRO MÉDICO SALUS BALEARES, S.L. is a company established in 2000, with a turnover of 34,816,282 euros in fiscal year 2021 and 39,597,787 euros in fiscal year 2022, according to a report issued by the Axesor entity.

FIFTH: On May 8, 2023, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against the claimed party, in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), for the alleged violation of Article 5.1.f) of the GDPR and Article 32 of the GDPR, typified in Article 83.5 of the GDPR and Article 83.4 of the GDPR respectively.


SIXTH: Once the aforementioned initiation agreement had been notified in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), the claimed party submitted a written statement of allegations in which, in summary, it stated the following:

I. Regarding whether taking temperature involves processing of personal data:

SALUS BALEARES indicates that, from what this Agency stated in the initiation agreement itself, the criterion is clear that the measurement of temperature, without any type of record being made, is NOT data processing and would therefore be excluded from the scope of application of the current data protection regulations.

Likewise, SALUS BALEARES points out that the Agency follows the same criterion in other procedures in which it has been determined that measuring temperature with thermometers, without recording the data of the interested parties, is not processing of personal data (Procedure No.: E/03884/2020).

However, SALUS BALEARES notes, this Agency seeks to establish that in this case there is indeed data processing, because according to the photographs provided by the claimant the result of the measurement is visible or public.


SALUS BALEARES observes that, as the photographs provided with the claim show, the device is located on a wall next to the reception, where the right side includes ornamental elements that prevent the measurement result from being viewed from the right, and instructions are included to perform the measurement by bringing one's hand close to the device.


SALUS BALEARES points out that when the hand is brought within a few centimetres of the device, the person's own body visually obstructs the view from behind and the ornamental elements located at the reception prevent possible viewing from the right side, so it would be practically impossible for the temperature measurement to be visible to anyone other than the person carrying out the measurement.

Likewise, SALUS BALEARES points out that, from the photographs provided in the procedure, it is in no way proven that at the time the claimant carried out his measurement there was anyone in the waiting room to the left of the reception, given that none of the images provided in the procedure refer to the moment at which the interested party (claimant) measured his temperature in order to enter the Asistel Moraira medical clinic.


In this regard, SALUS BALEARES considers that this matter has not been reliably examined by this Agency, since SALUS BALEARES is not aware of any inspection visit by the AEPD to the Asistel Moraira clinic in relation to the claim received, in which it was examined or reviewed whether the photographs taken were a true reflection of reality or whether the temperature measurement system had been installed correctly so as to avoid any type of publicity or disclosure of the measurement results. It should be added that, from the day on which the health recommendation to measure the temperature of those attending medical centres ceased to be mandatory, this clinic uninstalled the thermometer and no further measurements have therefore been carried out.


Furthermore, SALUS BALEARES points out that the claimant states in his claim (annex 1 of the claim) that the measurement was NOT carried out, which is why he was not allowed to access clinical treatment. This fact only reinforces our argument that, in the specific case before us, there has been no processing of personal data according to the definitions of “personal data” and “processing” in article 4 of the GDPR, because the claimant never took his measurement.

II. Regarding the quantification of the sanctions

SALUS BALEARES points out that the sanctioning procedure establishes a series of aggravating factors in relation to the alleged infringement by SALUS BALEARES of article 5.1.f) of the GDPR, which results in the imposition of a proposed sanction of €20,000.00 (TWENTY THOUSAND EUROS). Thus:

Regarding the aggravating circumstances of article 83.2.a) GDPR


In this regard, SALUS BALEARES considers that neither the specific complaint reported by the claimant nor the specific circumstances of the Asistel Moraira clinic have been taken into account; rather, the Agency has taken into account the global data of the CMSB company.

Likewise, SALUS BALEARES states that, with respect to confidentiality, as argued in point I of this statement, there has been no processing of data; the claimant never measured his temperature, so there can be no breach of confidentiality regarding an event that did not occur.

Regarding the number of interested parties, SALUS BALEARES reminds this Agency that during the pandemic caused by the COVID-19 virus, the entire healthcare sector in our country, including private healthcare such as CMSB, was placed at the disposal of all citizens, as requested by the Spanish Minister of Health, Salvador Illa, on March 15, 2020, joining forces, resources and energies to attend to the maximum possible number of cases and help overcome the COVID-19 crisis.

SALUS BALEARES recalls that the health authority, the Ministry of Health, or the organisations to which it delegates, published various protocols which include, as a necessary safety measure for the return to normality of the activities concerned, the aforementioned temperature controls. For example, the Protocol of action for the reactivation of judicial and professional health activity of the General Council of the Judiciary; the basic protocol of action for the return to training and the restart of federated and professional competitions; or the Recommendations for the reopening of public swimming pools after the Covid-19 crisis. It also recalls that the Government of Spain, in managing this emergency situation and, specifically, in relation to the measures imposed on foreigners visiting Spain while the situation lasted, carried out temperature checks on every person entering the country, with the aim of guaranteeing maximum health security. This is what SALUS BALEARES sought at all times: to avoid the spread of the Covid-19 crisis, which is why the body temperature reader was installed.
SALUS BALEARES indicates that, more specifically, the action complained of was carried out in compliance with Law 31/1995, of November 8, on Occupational Risk Prevention (LPRL), which establishes that it is the employer's obligation to ensure safety at work. This obligation of the employer must be understood in a broad sense, so the mere circumstance that the employees of the Asistel Moraira medical clinic of SALUS BALEARES work in contact with clients and users would imply the need to extend the protection afforded to employees to clients or users, as a consequence of the fact that access to SALUS BALEARES facilities by infected clients or users could put at risk the safety of employees, and that of the users themselves among one another. Failure to comply with the worker protection obligations derived from the LPRL could even constitute a crime, as regulated in articles 316-318 of the Penal Code.

SALUS BALEARES recalls that this view is endorsed by the Ministry of Health in the document it has prepared entitled “Procedure of action for occupational risk prevention services against exposure to SARS-CoV-2”, which makes the following recommendation to occupational risk prevention services on page 3:

“Given that contact with the virus can affect healthcare and non-healthcare environments, it is up to companies to evaluate the risk of exposure to which workers may be subject in each of the differentiated tasks they carry out, and to follow the recommendations issued on this matter by the prevention service, following the guidelines and recommendations made by the health authorities.”


Furthermore, SALUS BALEARES says that the sanction proposal does not reflect the criteria established by this Agency for determining that the number of affected persons is high, when the number of clients received at the Asistel Moraira clinic is not known, no further claims have been submitted in this regard and, moreover, the total number of citizens registered in Teulada, the municipality where the clinic in question is located, is 11,944 inhabitants (according to INE 2022 data).

For this reason we consider that this aggravating criterion has not been calculated objectively, in accordance with the facts reported.

“Article 83.2.b) GDPR. Intention or negligence in the infringement: Although it is considered that there was no intention on the part of SALUS BALEARES, negligence can indeed be observed in the compliance with and observance of the technical and organisational measures necessary to ensure the security required for the protection of personal data, specifically to guarantee their confidentiality, since the temperature of the users who came to the clinic was taken in such a way that it could be viewed by the other people in the waiting room or reception area, which reflects negligence, especially taking into account that it is health data. In this regard, it must be remembered that SALUS BALEARES is a clinic and is therefore accustomed to the processing of personal data, specifically health data.

It is worth recalling, in this sense, the judgment of the National Court of 10/17/2007 (rec. 63/2006), which, with respect to entities whose activity involves the continuous processing of customer data, indicates: “…the Supreme Court has come to understand that imprudence exists whenever a legal duty of care is neglected, that is, when the offender does not behave with the required diligence. And in assessing the degree of diligence, the professionalism or otherwise of the subject must be weighed in particular, and there is no doubt that, in the case now examined, when the appellant's activity involves the constant and abundant handling of personal data, emphasis must be placed on rigour and exquisite care in complying with the legal provisions in this regard.”

SALUS BALEARES indicates that the aforementioned aggravating circumstance refers to intentionality or negligence, and that this Agency states in its writing that “it is considered that there was no intention on the part of SALUS BALEARES”. As for negligence, it is again based on the lack of confidentiality, as was already done in applying the aggravating circumstance of Article 83.2.a) of the GDPR. We reiterate the proven facts: there has been no data processing, the claimant never measured his temperature, so this is not processing of personal data, the GDPR and other regulations do not apply to it and, in the case in question, it is factually impossible for a breach of confidentiality to occur regarding a fact that did not take place, such as taking the temperature of the claimant's hand.

For all these reasons, we consider that the aggravating circumstance of negligence applied in the graduation of the sanction does not apply.

“Article 83.2.g) GDPR. Categories of personal data affected by the violation: Personal data relating to health have been affected.”

It is necessary to recall at this point that the measurement system used is a laser thermometer located at the entrance of the clinic, with which the user individually takes their temperature, without any recording of the temperature or of identifying data of that user. That is, laser thermometers are used for temperature measurements without this process being accompanied by the recording of the temperature obtained from the clinic's users.

SALUS BALEARES points out that, although this Agency considers body temperature to be a health datum, the temperature measurement carried out (laser measurement of the forehead or hand) is NOT processing of personal data, as has been demonstrated above (Procedure No.: E/03884/2020 AEPD: Metro de Bilbao).

SALUS BALEARES insists that there is no data processing because, as stipulated in the first articles of the GDPR, and more specifically in article 2.1 on the material scope of application of this regulation, “This Regulation applies to the fully or partially automated processing of personal data, as well as to the non-automated processing of personal data contained or intended to be included in a file.”
SALUS BALEARES observes that, following the description of the regulation's scope of application, from its point of view there is neither automated processing of personal data nor non-automated processing intended to be included in a file, understanding this concept as “any structured set of personal data, accessible according to specified criteria, whether centralised, decentralised or distributed in a functional or geographical manner”, in accordance with article 4, point six, of the GDPR. For this reason, this action must be left outside the scope of application of data protection regulations.


Next, SALUS BALEARES states that, regardless of whether or not the situation falls under data protection regulations by reason of the existence or otherwise of automated or non-automated processing according to the material scope of application, it can also be argued that, in this specific case, the use of the information necessary to fulfil the purpose of temperature control, as implemented by SALUS BALEARES, does not constitute personal data if we look at the definition that the GDPR offers of this concept in the first point of article 4, when it stipulates that personal data means “any information relating to an identified or identifiable natural person (“the data subject”); an identifiable natural person is one whose identity can be determined, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.”


In fact, SALUS BALEARES indicates, the first part is divided into four well-differentiated elements, which the now extinct Article 29 Working Party (GT29) had already analysed separately: “Information” + “About” + “Natural person” + “Identified or identifiable”.


In the opinion of SALUS BALEARES, in the case at hand, the first three elements are met in the temperature check, but not the fourth. That is to say, the temperature measurement can of course be associated with a natural person, but what will not be possible, given the data the clinic collects, is to know the identity of that person in a reasonable manner, as established by GT29 itself, since there is no collection of, or association with, any other direct or indirect identifier that would allow the identity of a person to be known.

In these cases, according to the opinion on the concept of personal data issued by GT29 back in 2007, we are simply faced with anonymous data which do not require the protection of privacy legislation, for the simple reason that this right will not be affected.

Likewise, SALUS BALEARES reports that the line of argument it defends has been that taken by different supervisory authorities in the European Union:

“CNIL (France): It publicly recognises that data processing regulations apply only to automated processing (in particular, IT processing) or to the non-automated processing of personal data intended to be included in a file. It therefore concludes that if there was only a check of temperature by means of a manual thermometer (such as, for example, a contactless infrared one) at the entrance of a site, without leaving a trace, or any other operation being carried out (such as information feedback, etc.), this situation does not fall under data protection regulations. This statement can be consulted at the following link:

https://www.cnil.fr/fr/la-cnil-appelle-la-vigilance-sur-lutilisation-des-cameras-ditesintelligentes-et-des-cameras

Autoriteit Persoonsgegevens (Netherlands): Along the same lines, the Dutch supervisory authority recognises that the GDPR is not applicable to situations in which only the temperature is read, without it being recorded or stored in an automated system, as is the case in the present action for which a claim has been received. It does leave open the possibility that said control may affect other rights, but not data protection in this case.

This statement can be consulted at the following link:

https://autoriteitpersoonsgegevens.nl/nl/onderwerpen/corona/temperaturen-tijdens-corona”


SALUS BALEARES concludes that, although body temperature may be a health datum, as such it does not constitute personal data, since it does not identify the interested party, and therefore the current data protection regulations would not be applicable, which would nullify the application of this aggravating circumstance of the proposed sanction.

“Article 76.2.b) LOPDGDD. Link between the offender's activity and the carrying out of processing of personal data: The business activity carried out by SALUS BALEARES involves the continuous processing of personal data, many of them health data. Therefore, this is a company accustomed to processing personal data.”

With regard to this last aggravating factor, SALUS BALEARES points out that once again the activity of the entire group has been taken into account and not the specific activity of the Asistel Moraira clinic, where the alleged data protection violation took place, as argued above, refuting the application of the aggravating circumstance of Article 83.2.a) GDPR in considering the number of affected interested parties to be high, when it is not.

The total number of patients at the Asistel Moraira clinic in the whole of 2022, the year in which the claim arose, was 2,375 people.

III.- In reference to the AGREEMENTS to initiate the sanctioning procedure

SALUS BALEARES alleges that the Initiation Agreement shows a defect of form, which entails the cancellation of all or part of the proposed sanction, since it agrees in duplicate to initiate sanctioning proceedings against it for the alleged violation of Article 5.1.f), proposing a sanction of an administrative fine in the amount of 20,000.00 euros (TWENTY THOUSAND EUROS), thus violating the principle of
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/36








procedural law NON BIS IN IDEM. This principle establishes the prohibition that the same act be sanctioned several times when there is identity of subject, facts and foundation, as is the case at hand, in which it is intended to punish CMSB twice with a fine of 20,000.00 euros (TWENTY THOUSAND EUROS) for the same alleged breach. That is why it requests this Agency to annul the proposed sanction or recalculate its value.

SALUS BALEARES also indicates, in reference to the proposed sanction of 10,000.00 euros (TEN THOUSAND EUROS) for the alleged violation of article 32 of the RGPD, that it is made clear to this Agency that in file EXP202202309 no sanctioning procedure has been initiated against SALUS BALEARES on the grounds of a violation of article 32 of the RGPD, which is why it requests that this sanctioning procedure be declared null and void, since, in accordance with the provisions of the administrative procedural regulations, a sanction cannot be proposed without an administrative sanctioning procedure having been initiated.

For the above reasons, SALUS BALEARES begs that it be agreed to close the file relating to this claim, declaring this sanctioning procedure null and void for defects of form and annulling the proposed sanctions.


SEVENTH: On January 15, 2024, a Proposed Resolution was formulated, proposing that the Director of the Spanish Data Protection Agency sanction CENTRO MEDICO SALUS BALEARES, S.L., with NIF B07060478, for a violation of article 5.1.f) of the RGPD, typified in article 83.5 of the RGPD, with a fine of 20,000.00 euros (TWENTY THOUSAND EUROS), and for a violation of article 32 of the RGPD, typified in article 83.4 of the RGPD, with a fine of 10,000.00 euros (TEN THOUSAND EUROS).

EIGHTH: The aforementioned Proposed Resolution having been notified in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), the party complained against presented a written statement of allegations in which, in summary, it states the following:

First. – THE AEPD HAS NOT PROVEN ANY FACT THAT WOULD ENTAIL THE COMMISSION OF AN INFRINGEMENT BY CMSB AND THE IMPOSITION OF THE PROPOSED SANCTIONS.

SALUS BALEARES alleges that the sanction proposal is based on insufficient evidence. Only one photograph, taken by the complainant, appears in the administrative file.

SALUS BALEARES understands that the proposed resolution lacks sufficient evidence to undermine the presumption of innocence. SALUS BALEARES considers that any resolution issued on the basis of the evidence contained in the administrative file would be null and void as manifestly unmotivated, for the following reasons:




1. The proposed resolution considers proven the facts constituting the infringement attributed to SALUS BALEARES on the sole basis of the photographs provided by the complainant.

2. The AEPD has not carried out any verification of the reality and date of the photographs taken.

3. Likewise, the AEPD has not carried out any evidentiary activity in the processing of the administrative file for the imposition of the sanction on SALUS BALEARES. That is, it has not visited my client's premises to verify the reality presumably indicated in the photographs.

4. From the images provided by the complainant, the AEPD deduces the following proven facts:

- The clinic uses an electronic device to measure temperature using a proximity sensor.
- The device is located in the waiting room and at the reception of the clinic.
- The person's temperature is shown on the thermometer screen.

However, in the opinion of SALUS BALEARES, these are facts that do not rebut its presumption of innocence.

Second. – SALUS BALEARES HAS NOT PROCESSED THE COMPLAINANT'S DATA.

SALUS BALEARES reiterates that, within the process of taking the complainant's temperature, there was no processing of personal data. At no time did events occur that made this user identifiable, all on the basis of the following objective circumstances:


1. The claimant did not submit to a temperature check.

2. The temperature was taken using a device that measured the temperature without recording it; therefore, none of the readings were stored.

3. The device was located on a wall next to reception, where the right side includes ornamental elements to prevent the measurement result from being seen from the right-hand side. Additionally, the temperature measurement was carried out by bringing the hand of the person in question close to the device. For this reason, the screen of the device itself was covered both by the hand of the person taking the temperature and by their body.

4. Likewise, the mandatory distance that had to be maintained between people did not allow this data to be seen by anyone except the person taking the temperature.

5. All staff had to access the facilities wearing a mask (including patients having their temperature taken).



6. Notification to patients to access the consultation is not done using personal data. Clients are called with a code, maintaining their anonymity at all times.

In this sense, SALUS BALEARES alleges that in the case of the verification of body temperature as a preventive measure against the spread of COVID-19, none of the following operations contemplated by the GDPR in its Article 4, when it defines what is meant by “processing” of personal data, were carried out:

       ▪ Recording: the body temperature measurement was not recorded in any type of system or device, automated or non-automated.
       ▪ Structuring: the information was not structured, as no processing of personal data was carried out.
       ▪ Modification: the information was not changed or altered.
       ▪ Storage: the information was not stored for any period of time.
       ▪ Retrieval: the information was not obtained from an original system or device for sending or transferring to another system or device.
       ▪ Dissemination: the data was not transferred or communicated to a person other than the data subject.
       ▪ Disclosure by transmission: the data was not sent to another recipient from its system or source device through electronic means.
       ▪ Alignment: data from two or more processing operations or systems were not analyzed to establish similarities and differences and develop some type of assessment.
       ▪ Restriction: it was not applicable, since the device did not store data or carry out any further processing.
       ▪ Disclosure: due to the existing measures and where the device was placed, no data was revealed to a person other than the data subject.


Third. – ANY DATA PROCESSING THAT MAY HAVE TAKEN PLACE WAS SECURE. THE INDICATIONS OF THE LOPD AND THE REGULATION WERE COMPLIED WITH AT ALL TIMES.

SALUS BALEARES points out that it applied the measures necessary to guarantee the confidentiality of the temperature data, taking into account the provisions of article 32 of the GDPR, which calls for taking into account “the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.”

SALUS BALEARES indicates that the measurement was carried out within the facilities of the clinic and, inside the clinic, in a place with individual access for clients. That is, at no time could another client/patient observe the temperature indicated on the thermometer.

Likewise, SALUS BALEARES points out that, at that time, the clinic did not have the personnel necessary to take on the function of controlling the temperature of users alone, nor did the facilities have an adjoining space that would allow the temperature to be taken individually while at the same time allowing staff to control the COVID action protocols.


Fourth. – THE IDENTITY OF THE PERSON CANNOT BE DEDUCED FROM THE ISOLATED TEMPERATURE DATA.

SALUS BALEARES alleges, in relation to the temperature data, that although it is considered health data, at the time the temperature was taken the other users of the facilities could not have had access to the information necessary to link this data with other data that would make the person whose temperature was being taken identifiable.

SALUS BALEARES indicates that, in order to interpret the concept “information relating to an identified or identifiable natural person”, one must turn to recital 26 of the RGPD, which determines that:

“[…] To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments.”

Due to the above, SALUS BALEARES understands that it was not possible to identify the users who took their temperature. In fact, this party itself cannot identify the people who appear in the photograph provided by the claimant.

Sixth. – THE CONTEXT OF THE HEALTH CRISIS HAS NOT BEEN TAKEN INTO ACCOUNT

SALUS BALEARES recalls the moment and the circumstances in which the events occurred, as exceptional as a global pandemic, with the healthcare sector being the hardest hit. Safety measures such as temperature taking were essential to guarantee the health of all users who could access the clinic, both internal staff and patients. The AEPD itself has taken this into account in previous resolutions.

For the above reasons, SALUS BALEARES requests that the proceedings be archived, on the understanding that it has not committed any infraction. Subsidiarily, it requests that the circumstances of the global health crisis, during which SALUS BALEARES allegedly committed the infractions, be taken into account and that the possible sanctions imposed be mitigated.


From the actions carried out in this procedure and the documentation recorded in the file, the following has been accredited:

                               PROVEN FACTS

FIRST: The following has been proven through the photos provided by the claimant:

- In the clinic an electronic device is used that measures temperature automatically, requiring users to stand close to and in front of it.
- The device was located on a wall in the area where the waiting room and reception of the clinic are located.
- The result of the body temperature was reflected on the screen of the device for several seconds, which, when the person moved away from it, allowed it to be visible to third parties who were there.


SECOND: SALUS BALEARES, in its written response to the transfer of the claim and request for information, presented on March 28, 2022 (Registration number: REGAGE22e00009701065), indicates the following: “The measurement system used is a laser thermometer located at the entrance of the clinic, in which the user individually takes their temperature and the admission staff of the medical clinic observe said measurement, without carrying out any type of recording of the temperature or of identifying data of said user. That is, laser thermometers are used for temperature measurements without this process being accompanied by the recording of the temperature obtained from the clinic users.”



                           FOUNDATIONS OF LAW

                                           I
                                     Competence

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) grants each supervisory authority, and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and the guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, by this organic law, by the regulatory provisions dictated in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."

                                           II

                                  Previous issues

In relation to taking people's temperatures as part of the measures adopted in workplaces to help prevent the spread of the COVID-19 pandemic, it is considered necessary to highlight that people's body temperature is health data in itself, in accordance with the definition contained in Article 4, section 15, GDPR.



According to Article 4 of the GDPR, sections 1 and 2, "personal data" means “any information relating to an identified or identifiable natural person”; and “processing” means “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”

Based on the above, temperature controls on people can constitute a processing of health data relating to an identified or identifiable natural person, and as such must conform to one of the legal bases listed in article 6 of the RGPD and to one of the specific exceptions listed in article 9 of the GDPR.

In general, the employer has the obligation to guarantee the safety and health of the workers in its service in aspects related to work, as can be seen from articles 14 and following of Law 31/1995, of 8 November, on Occupational Risk Prevention. This obligation operates both as the exception that allows the processing of health data, under the circumstances provided for in article 9.2.h) of the RGPD, and as the legal basis that legitimizes the processing, since the processing is necessary for compliance with a legal obligation imposed on the employer (article 6.1.c) of the GDPR).

There is no doubt that in a health crisis situation such as the one caused by COVID-19, the employer is obliged to adopt extraordinary measures aimed at preventing new infections, and these measures must be applied taking into account the criteria defined by the health authorities.


In the field of companies, the Ministry of Health, in its document “Procedure of action for occupational risk prevention services against exposure to SARS-CoV-2”, indicates that “The intervention of companies, through prevention services (SPRL), against exposure to SARS-COV-2 has been and is crucial, adapting their activity with updated prevention recommendations and measures (…) with the general objective of limiting infections: measures of an organizational nature, collective protection, personal protection, especially vulnerable workers and level of risk, study and management of cases and contacts that occurred in the company and collaboration in the management of temporary disability” and adds that “companies, through prevention services, are called upon to collaborate with health authorities in the early detection of all cases compatible with COVID-19 and their contacts, to control transmission.”

In this context, it must be understood that the control of the body temperature of workers carried out by employers, as a measure to allow access to workplaces in order to limit infections, given that fever is a symptom of the disease caused by SARS-CoV-2, as part of a broader set of measures that include preventive, hygiene, protective and other measures, meets the criteria indicated by the health authorities.



In the case examined, SALUS BALEARES, in accordance with the criteria indicated, states that it carries out body temperature checks on its workers to meet its health and safety obligations. Consequently, in accordance with the above reasoning, this processing of workers' health data finds its legitimacy in the cause provided for in article 6.1.c) of the RGPD and in the exceptions that enable the processing of health data, set out in article 9.2.h) of the RGPD.

                                          III


In relation to taking the temperature of users who access an establishment, temperature checks on people can constitute a processing of health data relating to an identified or identifiable natural person, and as such they must comply with one of the legal bases listed in article 6 of the RGPD and one of the specific exceptions listed in Article 9 of the GDPR.

To determine whether in a specific case there has been processing of data of an identified or identifiable person, one must start from the type of device employed and take into account other circumstances of the temperature-taking process that can make the person identifiable, such as whether or not the body temperature is recorded, or whether the capture of the temperature in establishments open to the public is carried out publicly, in such a way that the affected person can be identified by third parties.

In the body temperature controls carried out at the entrance of establishments open to the public to take the temperature of visitors or clients, manual temperature measurement devices are typically used, such as a hand-held thermometer that is only designed to take body temperature.

When these temperature controls are not accompanied by a check of the identity of the people who intend to access the establishment, that is, when the temperature measurement is not linked to a specific person through its registration or annotation, such measures would not, in principle, be included in the scope of application of the GDPR, as the temperature is not associated with an identified or identifiable person.

However, denying access or assistance to a person due to their temperature can reveal to third parties, who have no justification for knowing it, that the person who has been denied entry has a body temperature above the level considered not significant and, above all, that they may be infected by the virus, since fever is a symptom of the disease caused by SARS-CoV-2.

Likewise, if the temperature measurement is carried out in such a way that the result is visible or public, this also means that it is revealed to third parties. Therefore, it is necessary to establish in each case whether events that made a specific person identifiable arose from the specific circumstances of the process of taking that person's temperature.

In the case examined, as has been proven by the photographs provided by the complaining party, an electronic device is used that measures the temperature automatically, it being necessary for users to stand near and in front of it. Said device is located on a wall near the waiting room and next to the clinic reception, displaying the body temperature on the front of said device, where it is perfectly visible to the people who are in said room, as well as to those who access and are in the reception area of the establishment.

Personal temperature data is health data in itself. Likewise, in the event of a high temperature, this also presupposes the existence of an illness and, in the context and time in which it is taken, the possible existence of the disease caused by SARS-CoV-2, which is also undoubtedly health data, and which is being made publicly known to third parties in respect of identified or directly identifiable persons.

                                           IV
                           Allegations to the Initiation Agreement

In response to the allegations presented by the claimed entity, the following should be noted:

I. In reference to whether taking temperature involves processing of personal data.

The defendant alleges that, as the Agency itself points out in the Initiation Agreement, when temperature checks are not accompanied by an identity check of the people who intend to access the establishment, that is, when the temperature measurement is not linked to a specific person through its recording or annotation, such measures would not be included in the scope of application of the RGPD. SALUS BALEARES adds that the Agency follows this same criterion in other procedures, such as E/03884/2020, in which it was determined that temperature measurement through thermometers without registration of the data subjects does not constitute a processing of personal data.

Faced with this, it is necessary to point out, first of all, that exactly what was pointed out by this Agency in the Initiation Agreement of this sanctioning procedure is what has been transcribed in Background Fact III, reproducing again some of the paragraphs to which the claim literally refers:

       “When these temperature controls are not accompanied by a check of the identity of the people who intend to access the establishment, that is, when the temperature measurement is not linked to a specific person through its registration or annotation, such measures would not, in principle, be included in the scope of application of the RGPD, as the temperature is not linked to an identified or identifiable person.

       However, denying access or assistance to a person due to their temperature can reveal to third parties who have no justification for knowing it that the person who has been denied entry has a body temperature above the level considered not significant and, above all, that they may be infected by the virus, given that fever is a symptom of the disease caused by SARS-CoV-2. Likewise, if the temperature measurement is carried out in such a way that the result is visible or public, it also implies that it is disclosed to third parties. Therefore, it is necessary to establish in each case whether events that made a specific person identifiable arose from the specific circumstances of the process of taking that person's temperature.

       In the case examined, as has been proven by the photographs provided by the complaining party, an electronic device is used that measures the temperature automatically, it being necessary for this purpose that users stand near and in front of it. Said device is located on a wall near the waiting room and next to the clinic reception, displaying the body temperature on the front of said device, where it is perfectly visible to the people who are in said room, as well as to those who access and are in the reception area of the establishment” (emphasis added)



On the other hand, file E/03884/2020, which the claim brings up in order to maintain, as it understands it, that as long as no registration of data subjects takes place when the temperature is taken there is no data processing, states the following:


       - This file refers to taking the body temperature of users of the Bilbao metro using thermal imaging cameras without recognition and without recording, which allowed the temperature measurement to be known without identification, without recording and without registration of people's data, as their ID is not required. These data were displayed in real time and only to health personnel.

       - It was expressly indicated in said file that:

                “To determine whether in a specific case there has been processing of data of an identified or identifiable person, one must start from the type of device used and take into account other circumstances of the temperature-taking process that may make the person identifiable, such as whether or not the body temperature is recorded, or whether the capture of temperature in establishments open to the public is carried out publicly, in such a way that the affected person can be identified by third parties.
                (…)

                In the case examined, thermal imaging cameras and manual thermometers are used for temperature measurements without this process being accompanied by the recording of the temperature obtained from subway users. Nor has the presence been confirmed of special circumstances that would have allowed the aforementioned processing to be linked to an identified or identifiable person.

       - And finally, this Agency decided to archive the proceedings on the basis that: “according to what has been reasoned, it is not appreciated in this case that the data processing carried out refers to identified or identifiable natural persons, being consequently excluded from the scope of application of the GDPR.” (emphasis is ours).

Therefore, both in what was indicated in Legal Basis II of the Initiation Agreement of this sanctioning procedure, which is also reproduced in this proposed resolution, and in the case of file E/03884/2020, the emphasis is not only on the fact that the temperature is not subsequently recorded with identification of the data subjects, but, in addition, on the fact that the data must not be accessible to unauthorized third parties; in the case of the Bilbao Metro, the body temperature result is seen only by health personnel authorized for this purpose, without the rest of the subway users being able to view the body temperature shown by the device. This means that the temperature is taken in such a way that it does not refer to identified or identifiable natural persons.

However, in the case at hand, it has been shown, through the photographs provided by the claimant, that the body temperature detected by the device is perfectly visible to other people in the waiting room and in the areas close to the reception, which allows personal data (the temperature) to be linked with an identified or identifiable person, since at the very moment a person takes their temperature, the result is visible to the rest of the people who are at that moment in the waiting room or in the clinic reception area.

Therefore, we are here dealing with personal data referring to an identified or identifiable person, since the body temperature data is seen by third parties at the very moment the person is directly taking their temperature. That is, unauthorized third parties are viewing both the specific temperature and the person to whom that temperature belongs, and that makes the person perfectly identified or identifiable.

Thus, Opinion 4/2007 on the concept of personal data of the Article 29 Working Party (WP 136) states that:

       In general terms, a natural person can be considered as “identified” when, within a group of persons, he or she is “distinguished” from all other members of the group. Accordingly, the natural person is “identifiable” when, although the person has not been identified yet, it is possible to do it (that is the meaning of the suffix “able”). This second alternative is therefore in practice the threshold condition determining whether information is within the scope of the third element. (p. 12)


This temperature-taking processing, in the way in which it has been carried out, represents a particularly intense interference in the rights of the people affected. On the one hand, because it affects data related to people's health, not only because the value of body temperature is health data in itself, but also because, based on it, it is assumed that a person does or does not suffer from a specific disease, such as coronavirus infection in these cases.


On the other hand, regarding what was alleged by SALUS BALEARES to the effect that the device is located on a wall next to reception, where there are ornamental elements to prevent the result of the measurement from being seen, it should be noted, first of all, that the photographs provided by the claimant clearly show that from the position in which the claimant is (waiting room area) the measuring device and the result it gives are clearly visible, since the ornamental element remains on the other side and does not interrupt visibility in any way, and, secondly, that it is not appropriate to accept that said ornamental element, consisting of a plant in a medium-sized pot located in a corner above the reception desk, may be considered an appropriate technical or organizational measure to ensure adequate security, specifically to guarantee the confidentiality of personal data, not only because it is inappropriate in itself, but because, as can be seen from the photos, it is easy to stand on the other side of the counter (and on the other side of the floor) and perfectly view the result returned by the temperature measuring device.


Likewise, the party complained against points out that when the measurement is carried out by bringing the hand to within a few centimeters of the device, the person's body visually obstructs the result, making it practically impossible for the temperature measurement to be visible to anyone but that person. However, and contrary to what was alleged, the photos provided show that the result produced by the device (the body temperature) remains on its screen for several seconds, since in the photos it can be seen that the person (a woman) who takes the temperature is later seen in another photo far from the device and, nevertheless, the temperature shown continues to be displayed on it.


On the other hand, SALUS BALEARES alleges that the facts of the present case have not been reliably verified by the Agency, since there is no record of any inspection visit to the clinic in question in which it was examined or reviewed whether the photographs taken were a faithful reflection of reality.

In this regard, the photos provided by the claimant clearly reflect the facts. Likewise, the defendant itself has used one of the photos provided by the claimant to assert the existence of the ornamental plant as a measure of protection against viewing the thermometer, describing its location and the taking of the body temperature of the users according to said photo. In addition, SALUS BALEARES, as indicated in the Second Proven Fact, in its written response to the transfer of the claim and request for information addressed by this Agency, expressly indicated that “The measurement system used is a laser thermometer located at the entrance of the clinic, in which the user individually takes their temperature and the admission staff of the medical clinic observe said measurement, without carrying out any type of recording of the temperature or of identifying data of said user. That is, laser thermometers are used for temperature measurements without this process being accompanied by the recording of the temperature obtained from clinic users.”


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 20/36

Due to the above, both from the photos and from the statements of SALUS BALEARES, the circumstances in which the temperature of the people accessing the clinic was taken have been fully established.


SALUS BALEARES alleges that the photographs do not prove that the complainant took the measurement, since they do not show the moment in which the interested party (the complainant) takes his temperature, and that, as he stated in his complaint, he did not take his temperature, which is why he was not allowed to access the centre, and that this means that there has been no processing of his personal data.

In response, it must be clarified that the processing of personal data considered to breach data protection regulations does not refer to the processing carried out, or not, with respect to the complainant specifically, since he did not agree to have his temperature taken, but rather to the way in which the clinic takes the temperature of all the people who access it. That is, the processing carried out with regard to taking the temperature of all the people who access the clinic.

II. Regarding the quantification of the sanctions


SALUS BALEARES states that it does not agree with the circumstances that were taken as aggravating factors of the sanction indicated in the Initiation Agreement.

Thus, SALUS BALEARES indicates that, in relation to Article 83.2.a), the nature of the infringement was considered serious because it entails a loss of confidentiality and, therefore, of disposition and control over personal data, but that, however, there was no data processing because the complainant never had his temperature measured, so no confidentiality could have been violated.

In response, as indicated in the previous point, these sanctioning proceedings were not initiated because the confidentiality of the complainant's data is considered to have been violated, but because confidentiality was violated in the taking of the temperature of the people entering the clinic, since the result of said temperature was visible to the rest of the people who might be there, that is, to unauthorised third parties.


Likewise, SALUS BALEARES points out that, regarding the number of data subjects affected, this Agency has not indicated the criteria for determining that the number of persons affected is high, given that the number of clients received at the clinic is not known and no other complaints have been filed.


In response, it should be recalled that those affected cannot be considered to be few or isolated, since the taking of temperature in the circumstances indicated went on for the long period of time during which it was mandatory as a preventive measure during the pandemic caused by the COVID-19 virus. For greater detail, the respondent itself, in its brief of allegations to the Initiation Agreement, expressly acknowledges that the number of patients at the Asistel Moraira clinic in the whole of 2022, the year in which the complaint was made, was 2,375 people, a non-negligible number.



As regards the fact that temperature measurement was recommended in accordance with the health regulations established by the competent health bodies, as well as by the Law on the Prevention of Occupational Risks with respect to its employees, this means that, as indicated in the First Legal Ground of the Initiation Agreement, which is reproduced again in the First Legal Ground of this proposal and to which reference is made, temperature measurement as a protective measure against COVID-19 is legitimate. That is, it has not been questioned whether the processing is lawful, whether it may be carried out. However, the fact that the processing is legitimate is no obstacle to its having to be carried out in compliance with the rest of the obligations and requirements imposed by data protection regulations, including, in particular, guaranteeing the confidentiality of the personal data processed.

In relation to the application of Article 83.2.b) of the GDPR, SALUS BALEARES does not agree that negligence is found to exist, because it insists that there was no processing of personal data, since the complainant never got to have his temperature measured.

Likewise, it indicates that the aggravating circumstance of Article 83.2.g) of the GDPR, relating to the category of data affected, which in the present case would be health data, should not apply, for the same reason that there has been no processing of personal data, as determined in file E/03884/2020.

In this regard, reference should be made to what is argued in this Legal Ground regarding the data processing involved in the taking of body temperature carried out by the respondent, in particular the fact that, in the present case, since the body temperature result is visible to the rest of the people who may be in the area at the same time that a person takes their temperature, that person is identified or identifiable, so that, contrary to what the respondent claims, we would be within the definitions of Article 4 of the GDPR, sections 1 and 2, according to which “personal data” means “any information relating to an identified or identifiable natural person”, and “processing” means “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”.

Therefore, body temperature is personal data, specifically health data, and, given the circumstances in which the temperature is taken on the respondent's premises (in a way visible to the rest of the people in the area where the measurement is carried out), it is information collected with respect to an identifiable natural person.

Finally, SALUS BALEARES points out, regarding the aggravating circumstance of Article 76.2.b) of the LOPDGDD, referring to the link between the offender's activity and the carrying out of personal data processing, that the activity of the entire group was taken into account and not the specific activity of the Asistel Moraira clinic, where the alleged data protection violations occurred. However, SALUS BALEARES points out that the number of patients at the Asistel Moraira clinic throughout 2022, the year in which the complaint was made, was 2,375 people.


In this regard, it should be noted that the aggravating circumstance refers to the fact that the activity carried out by the respondent involves continuous processing of personal data (not only with respect to temperature taking, but also with respect to the care services provided, medical records, etc.), which are also health data; that is, it is not residual or sporadic processing, which requires greater diligence on the part of the respondent, and this regardless of the specific number of patients that one of the clinics in question received in one year.

III. Formal defects in the Initiation Agreement that render it void

SALUS BALEARES alleges that the non bis in idem principle has been breached, which prohibits the same act from being punished more than once.

In response, it is necessary to explain the difference between the infringement of Article 5.1.f) and that of Article 32 of the GDPR.

Article 5.1.f) of the GDPR is infringed when there is a loss of confidentiality, integrity or availability of personal data, which may or may not be due to the absence or deficiency of security measures.

This principle only determines the channel through which the maintenance of confidentiality, integrity or availability is to be achieved when it explicitly refers to “the application of appropriate technical and organisational measures”, which are not strictly security measures.

The appropriate technical and organisational measures referred to in Article 5.1.f) of the GDPR are not the security measures of Article 32 of the GDPR. Equating them would oversimplify the essence of the GDPR, compliance with which is not limited to the implementation of technical and organisational security measures; it would mean reducing the guarantee required by the principle of integrity and confidentiality to something achieved only with security measures.

It should be noted that there are many technical or organisational measures that are not security measures and that the controller can implement as a means of guaranteeing this principle.

By contrast, Article 32 of the GDPR contains the obligation to implement appropriate technical and organisational security measures to ensure a level of security appropriate to the risk. Security measures, and only security measures.

Furthermore, its objective is to guarantee a level of security appropriate to the risk, whereas in the case of Article 5.1.f) of the GDPR the objective is confidentiality and integrity. As can be seen, the two articles pursue different purposes, although they may be related.

Turning fully to the examination of non bis in idem, the Judgment of the National Court (Audiencia Nacional) of 23 July 2021 (rec. 1/2017) provides that:

“(…) In accordance with the legislation and case law set out, the non bis in idem principle prevents the same subject from being punished twice for the same act on the basis of the same ground, the latter being understood as the same legal interest protected by the sanctioning rules in question. Indeed, when the triple identity of subject, fact and ground exists, the accumulation of sanctions creates a sanction unrelated to the judgment of proportionality made by the legislator and results in the imposition of a sanction not provided for by law, which also violates the principle of proportionality.


But in order to speak of “bis in idem”, a triple identity must exist between the terms compared: objective (same facts), subjective (against the same subjects) and causal (on the same ground or reason for punishing):

a) Subjective identity assumes that the affected subject must be the same, whatever the nature of the judicial or administrative authority that prosecutes, and regardless of who the accuser or the specific body that has ruled is, or whether the subject is tried alone or together with other affected parties.

b) Factual identity assumes that the facts prosecuted are the same, and rules out cases of real concurrence of infringements, in which there is not one and the same unlawful act but several.

c) Identity of ground or cause implies that sanctioning measures cannot coincide if they are of the same nature, that is, if they share the same teleological basis, which is the case between criminal and administrative sanctions, but not between punitive and merely coercive measures.”

Taking the above as a reference, the non bis in idem principle has not been violated, since the infringement of Article 5.1.f) of the GDPR consists in a clear loss of confidentiality, whereas the infringement of Article 32 of the GDPR is confined to the absence or deficiency of appropriate security measures (security only).

Having said all that, no violation of the non bis in idem principle, enshrined in Article 25 of the Spanish Constitution, is found.


Finally, SALUS BALEARES alleges that the Initiation Agreement indicates a penalty of 10,000 euros for an infringement of Article 32 of the GDPR, but that, however, this Agency has not initiated any sanctioning proceedings against it in the present file on the grounds of an infringement of Article 32 of the GDPR, which is why it requests that the proceedings be annulled.

In this regard, it should be noted that, in the Agreement initiating these sanctioning proceedings, Legal Grounds VII, VIII and IX clearly indicate the facts, the infringement they represent (infringement of Article 32), the classification of the infringement (Article 83.4 of the GDPR) and the sanction that could be imposed for it. Likewise, the operative part of the same clearly indicates that sanctioning proceedings are initiated against SALUS BALEARES for infringement of Article 32 of the GDPR, classified in Article 83.4 of the GDPR, and that the sanction could consist of a fine of 10,000 euros.


For the above reasons, the Initiation Agreement does not suffer from any ground of nullity or voidability.

In conclusion, all allegations made are rejected.

                                           V

                      Allegations to the Proposed Resolution

In response to the allegations submitted by the respondent entity, the following should be noted:


First: The AEPD has not proven any fact that implies the commission of an infringement by SALUS BALEARES and the imposition of the proposed sanctions

SALUS BALEARES alleges again that the sanction proposal is based on insufficient evidence to rebut the presumption of innocence, because the administrative file contains only a photograph taken by the complainant and the AEPD has not carried out any evidentiary activity during the processing of the file, since it has not visited the premises to verify the reality presumably shown in the photographs.


In this regard, as already noted in the Proposed Resolution, the complainant provided, together with his complaint, three photographs that are in the file:

- In the first, a person (a woman) appears looking at the wall and placing her hand on it at a certain height.

- In the second photo, the same person is a little further away from the above area, and an electronic temperature-taking device is then visible in the area of the wall where said person was previously located, displaying a value (36.1) in red digital numbers.

- In the third photograph, the same person is a little further away, in the reception area, and the device continues to indicate the previous value (36.1).

In all the photographs, the reception area can be seen very close (almost adjoining) to the right of the device. In two of them, another person (a man) is even seen in the reception area, who, by simply taking a step back, would be able to see the temperature displayed by the device.

These photographs, as pointed out in the First Proven Fact, clearly reflect the following facts:

- In the clinic, an electronic device is used that measures temperature automatically, requiring users to stand close to and in front of it.

- The device was located on a wall in the area containing the clinic's waiting room and reception.

- The body temperature result remained on the device's screen for several seconds which, when the person moved away from it, allowed it to be visible to third parties who were there.

On the other hand, SALUS BALEARES has at no time denied the veracity of the photographs. Furthermore, in its written response to the transfer of the complaint and request for information, submitted on 28 March 2022, it stated the following:

“The measurement system used is a laser thermometer located at the entrance of the clinic, on which the user individually takes their temperature and the admissions staff of the medical clinic observes said measurement, without any record being made of the temperature or of identifying data of said user. That is, laser thermometers are used for temperature measurements without this process being accompanied by the recording of the temperature obtained from the clinic users.”

Likewise, the respondent itself has used one of the photos provided by the complainant to assert the existence of the ornamental plant as a measure of protection against viewing the thermometer, describing its location and the taking of the users' body temperature according to said photo.

Due to the above, both from the photos and from the statements of SALUS BALEARES, the circumstances in which the temperature of the people accessing the clinic was taken have been fully established, and it is therefore in no way necessary for this Agency to visit the respondent's premises to verify what is considered fully proven and established and, moreover, not contradicted by the respondent.

Second: SALUS BALEARES has not processed the complainant's data


SALUS BALEARES once again claims that there was no processing of the complainant's personal data, since he did not undergo the taking of temperature.

In this regard, as already indicated in the Proposed Resolution, the processing of personal data considered to breach data protection regulations does not refer to the processing carried out, or not, with respect to the complainant specifically, since he, in fact, did not agree to have his temperature taken, but rather to the way in which the clinic takes the temperature of all the people who access it. That is, the processing carried out with regard to taking the temperature of all the people who access the clinic.

Likewise, SALUS BALEARES refers to several matters, such as: that temperature measurement data are not recorded; that there are ornamental elements (a plant) to prevent the result from being visible from the right-hand side of the measuring point; that the mandatory distance that had to be maintained between people did not allow the data to be seen; that the screen of the measuring device was covered by the body of the person who came to take their temperature; and that all people had to enter the facilities wearing a mask.

In response, reference should be made to everything answered and argued in the Proposed Resolution. Thus, it was indicated, first of all, that in the photographs provided by the complainant it is clearly evident that, from the position in which he is (waiting room area), the measuring device and the result it returns are clearly visible, since the ornamental element is on the other side and does not interrupt visibility in any way.

And, secondly, it is not appropriate to accept that said ornamental element, consisting of a plant in a medium-sized pot located in a corner above the reception desk, can be considered an appropriate technical or organisational measure to ensure adequate security, specifically to guarantee the confidentiality of personal data, not only because it is inadequate in itself, but because, as can be seen from the photos, it is easy to stand on the other side of the counter (and on the other side of the plant) and see perfectly the result returned by the temperature measuring device.

Likewise, as to the claim that, when the measurement is carried out by bringing the hand to within a few centimetres of the device, the person's body visually obstructs the result, making it practically impossible for the temperature measurement to be visible to anyone other than that person, it was stated that, on the contrary, the photos provided show that the result produced by the device (body temperature) remains on the screen for several seconds, since the photos show that the person (a woman) who takes the temperature is seen later, in another photo, away from the device and yet the temperature returned is still displayed on it.

Fourth: The possible data processing was secure. At all times the requirements of the LOPDGDD and the GDPR were respected


In this section, SALUS BALEARES essentially denies that at any time patients could see another patient's temperature.

In light of this, reference should be made to what was stated in the previous section of this Legal Ground.


Fourth: From the isolated temperature data the identity of the person could not be known

The respondent alleges again that, although temperature data is health data, at the time of taking the temperature the other users of the facilities could not have the information necessary to link that data with other data that would make the person taking their temperature identifiable, so that it is not data relating to an identified or identifiable natural person.

In response, as already indicated in the Proposed Resolution, it has been shown, through the photographs provided by the complainant, that the body temperature detected by the device is perfectly visible to other people who are in the waiting room and in the areas near reception, which allows the personal data (temperature) to be linked with an identified or identifiable person, since at the very moment that a person takes their temperature the result is visible to the rest of the people who are at that moment in the waiting room or reception area of the clinic.


Therefore, we are dealing here with personal data relating to an identified or identifiable person, since the body temperature data is viewed by third parties at the very moment the person is directly taking their temperature. That is, unauthorised third parties directly see both the specific temperature and the person to whom that temperature belongs. And that makes the person perfectly identified or identifiable.

What the respondent seems to confuse is being identifiable with being able to obtain a person's identifying data (name and surname), which is not the case.


In this regard, Opinion 4/2007 on the concept of personal data of the Article 27 Working Party (WP136) states that:

In general terms, a natural person can be considered “identified” when, within a group of persons, he or she is “distinguished” from all other members of the group. Consequently, the natural person is “identifiable” when, although not yet identified, it is possible to do so (which is the meaning of the suffix “-able”). Thus, this second alternative is, in practice, the sufficient condition for considering that the information falls within the scope of the third element. (p. 12)


This temperature-taking processing, in the way in which it was carried out, involves a particularly intense interference with the rights of the people affected. On the one hand, because it affects data relating to people's health, not only because the body temperature value is health data in itself, but also because, on the basis of it, a person is assumed to suffer or not suffer from a specific disease, such as coronavirus infection in these cases.

Fifth: The context of the health crisis has not been taken into account

The respondent alleges that the time and circumstances in which the events took place were as exceptional as a global pandemic. However, this was not taken into account by the AEPD.

In this regard, it should be noted that both in the Initiation Agreement and in the Proposed Resolution, as well as in this Resolution, in Legal Ground II, the situation of the pandemic caused by COVID-19 has been taken into account, precisely for the purpose of justifying the lawfulness of the processing of body temperature in the circumstances provided for in Article 9.2.h) of the GDPR and, as a legal basis legitimising the processing, because it is necessary for compliance with a legal obligation imposed on the controller (Article 6.1.c) of the GDPR).


However, the fact that the data in question may be processed is in no way an obstacle to compliance with the rest of the obligations imposed by the GDPR, such as guaranteeing the confidentiality of personal data (Article 5.1.f) and adopting appropriate technical and organisational measures to guarantee a level of security appropriate to the risk of the processing (Article 32).


For the above reasons, the allegations are dismissed.


                                           VI
                                Article 5.1. f) GDPR


Article 5.1.f) “Principles relating to processing” of the GDPR establishes:

“1. Personal data shall be:
(…)

       f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”


Taking body temperature involves a particularly intense interference with the rights of the people affected. On the one hand, because, as indicated above, it affects data relating to people's health, not only because the body temperature value is health data in itself, but also because, on the basis of it, a person is assumed to suffer or not suffer from a specific disease, such as coronavirus infection in these cases.

Therefore, the fact that, in accordance with the regulations applicable in each case (health regulations or those relating to the prevention of occupational risks), the body temperature of employees and users of an establishment may and/or must lawfully be monitored does not mean that these data should not be processed with application of the principles and guarantees that protect the fundamental right to data protection.

Therefore, temperature checks must be carried out in such a way as to comply with all the guarantees and obligations established by personal data protection regulations.


In the present case, the body temperature of the users who access the clinic is taken in such a way that it can be viewed by anyone in the waiting room and reception area, which means that it is being revealed to third parties who have no justification for knowing that the affected person has a specific temperature. All this represents a violation of the obligation to guarantee the confidentiality of personal data.

For all the above and in accordance with the available evidence, it is considered that the known facts constitute an infringement, attributable to SALUS BALEARES, for violation of Article 5.1.f) of the GDPR.

                                           VII
                Classification of the violation of article 5.1.f) of the RGPD

The aforementioned violation of Article 5.1.f) of the GDPR implies the commission of the infringements classified in Article 83.5 of the GDPR, which under the heading “General conditions for imposing administrative fines” provides:

“Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to EUR 20 000 000 or, in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:

       a) the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9; (…)”


In this regard, the LOPDGDD, in its Article 71 “Infringements”, establishes that “The acts and conduct referred to in sections 4, 5 and 6 of Article 83 of Regulation (EU) 2016/679, as well as those contrary to this Organic Law, constitute infringements.”

For the purposes of the limitation period, Article 72 “Infringements considered very serious” of the LOPDGDD indicates:

“1. In accordance with Article 83.5 of Regulation (EU) 2016/679, infringements that entail a substantial violation of the articles mentioned therein and, in particular, the following are considered very serious and shall be time-barred after three years:

       a) The processing of personal data in violation of the principles and guarantees established in Article 5 of Regulation (EU) 2016/679. (…)”


                                           VIII

                  Penalty for violation of article 5.1.f) of the RGPD

For the purposes of deciding on the imposition of an administrative fine and its amount, in accordance with the available evidence, the sanction to be imposed should be graduated in accordance with the following criteria established in Article 83.2 of the GDPR:

As aggravating factors:


- Article 83.2.a) GDPR: Nature, gravity and duration of the infringement.

The nature of the infringement is considered serious since it entails a loss of confidentiality and, therefore, of disposition and control over personal data.


High number of data subjects affected: all the people who accessed the clinic for as long as temperature was taken in the manner and circumstances described.

- Article 83.2.b) GDPR. Intentional or negligent character of the infringement: Although it is considered that there was no intent on the part of SALUS BALEARES, negligence can be observed in the compliance with and observance of the technical and organisational measures needed to guarantee the security necessary for the protection of personal data, specifically to ensure their confidentiality, since the temperature of users coming to the clinic was taken in such a way that it could be seen by the other people who were in the waiting room or reception area, which reflects negligence, especially considering that health data is involved. In this regard, it must be remembered that SALUS BALEARES is a clinic and, therefore, is accustomed to the processing of personal data, specifically health data.

It is worth recalling, in this sense, the Judgment of the National Court of 17 October 2007 (rec. 63/2006), which, with respect to entities whose activity involves the continuous processing of customer data, indicates: “…the Supreme Court has held that imprudence exists whenever a legal duty of care is disregarded, that is, when the offender does not behave with the required diligence. And in assessing the degree of diligence, special consideration must be given to whether or not the subject is a professional, and there is no doubt that, in the case now examined, when the activity of the appellant consists in the constant and abundant handling of personal data, rigour and exquisite care must be insisted upon in order to comply with the legal provisions in this regard.”

- Article 83.2.g) GDPR. Categories of personal data affected by the infringement: Personal data relating to health have been affected.

Likewise, it is considered appropriate to graduate the sanction to be imposed in accordance with the following criteria established in section 2 of Article 76 “Sanctions and corrective measures” of the LOPDGDD:


As aggravating factors:

- Article 76.2.b) LOPDGDD. Link between the offender's activity and the carrying out of personal data processing: The business activity carried out by SALUS BALEARES involves continuous processing of personal data, much of it health data. It is therefore a company accustomed to the processing of personal data.

For the purposes of deciding on the imposition of an administrative fine and its
amount, in accordance with the evidence available, taking into account the
circumstances of the case and the criteria established in article 83.2 of the RGPD
with regard to the infraction committed by violating the provisions of article
5.1.f) of the RGPD, a fine of €20,000 (TWENTY THOUSAND EUROS) may be set.

                                           IX

                                 Article 32 of the GDPR

Article 32 “Security of processing” of the GDPR establishes:


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 31/36

“1. Taking into account the state of the art, the costs of implementation and the
nature, scope, context and purposes of the processing, as well as the risks of
varying likelihood and severity for the rights and freedoms of natural persons, the
controller and the processor shall implement appropriate technical and
organizational measures to ensure a level of security appropriate to the risk,
which, as appropriate, includes, among others:

       a) the pseudonymization and encryption of personal data;
       b) the ability to ensure the ongoing confidentiality, integrity, availability
       and resilience of processing systems and services;
       c) the ability to restore the availability of and access to personal data in
       a timely manner in the event of a physical or technical incident;
       d) a process for regularly testing, assessing and evaluating the effectiveness
       of the technical and organizational measures for ensuring the security of the
       processing.

2. In assessing the appropriate level of security, account shall be taken in
particular of the risks presented by the processing, in particular from the
accidental or unlawful destruction, loss or alteration of personal data
transmitted, stored or otherwise processed, or the unauthorized disclosure of, or
access to, such data.

3. Adherence to a code of conduct approved pursuant to Article 40 or to a
certification mechanism approved pursuant to Article 42 may serve as an element by
which to demonstrate compliance with the requirements set out in paragraph 1 of
this Article.

4. The controller and the processor shall take steps to ensure that any person
acting under the authority of the controller or the processor who has access to
personal data processes those data only on instructions from the controller,
unless required to do so by Union or Member State law.” (emphasis ours)

Article 32 does not establish static security measures; rather, it is for the
controller to determine the security measures necessary to guarantee the
confidentiality, integrity and availability of personal data. Therefore, the same
data processing may require different security measures depending on the specific
circumstances in which that processing is carried out.

Recital 83 of the GDPR states: “In order to maintain security and to prevent
processing in infringement of this Regulation, the controller or processor should
evaluate the risks inherent in the processing and implement measures to mitigate
those risks, such as encryption. Those measures should ensure an appropriate level
of security, including confidentiality, taking into account the state of the art
and the costs of implementation in relation to the risks and the nature of the
personal data to be protected. In assessing data security risk, consideration
should be given to the risks arising from the processing of personal data, such as
the accidental or unlawful destruction, loss or alteration of personal data
transmitted, stored or otherwise processed, or the unauthorized disclosure of, or
access to, such data, which may in particular lead to physical, material or
non-material damage.” (emphasis ours)


Data security requires the application of appropriate technical or organizational
measures in the processing of personal data to protect those data against
accidental, unauthorized or unlawful access, use, modification, dissemination,
loss, destruction or damage. In this sense, security measures are key to
guaranteeing the fundamental right to data protection. The fundamental right to
data protection cannot exist if it is not possible to guarantee the
confidentiality, integrity and availability of the data.

It should not be forgotten that, in accordance with article 32.1 of the GDPR, the
technical and organizational measures to be applied to guarantee a level of
security appropriate to the risk must take into account the state of the art, the
costs of implementation, the nature, scope, context and purposes of the
processing, and the risks of varying likelihood and severity for the rights and
freedoms of natural persons.

In this sense, given the activity to which SALUS BALEARES is dedicated and the
personal data it processes, it is obliged to carry out a risk analysis and to
implement appropriate technical and organizational measures to guarantee a level
of security appropriate to the risk that its activity poses to the rights and
freedoms of individuals, especially taking into account that its activity involves
processing health data.


In the present case, the processing of health data (temperature taking) was
carried out in such a way and using means that were not appropriate to guarantee
adequate security of personal data, namely to ensure their confidentiality, since
the body temperature data could be viewed by unauthorized third parties.

This reveals negligent conduct in anticipating a risk that was easily detectable
and assessable (temperature readings within sight and in an area open to the
public) and in not implementing measures to avoid or mitigate it.


In accordance with the evidence available, the known facts are considered to
constitute an infringement, attributable to SALUS BALEARES, for violation of
article 32 of the RGPD.

                                           X

                 Classification of the violation of article 32 of the RGPD

The aforementioned violation of article 32 of the RGPD implies the commission of
the infringements typified in article 83.4 of the RGPD, which under the heading
“General conditions for the imposition of administrative fines” provides:

“Infringements of the following provisions shall, in accordance with paragraph 2,
be subject to administrative fines of up to EUR 10 000 000 or, in the case of an
undertaking, up to 2% of the total worldwide annual turnover of the preceding
financial year, whichever is higher:

       a) the obligations of the controller and the processor pursuant to Articles 8,
       11, 25 to 39, 42 and 43; (…)”

In this regard, the LOPDGDD, in its article 71 “Infringements”, establishes that
“The acts and conduct referred to in sections 4, 5 and 6 of article 83 of
Regulation (EU) 2016/679, as well as those that are contrary to this organic law,
constitute infringements.”

For the purposes of the limitation period, article 73 “Infringements considered
serious” of the LOPDGDD indicates:

“Based on what is established in article 83.4 of Regulation (EU) 2016/679,
infringements that involve a substantial violation of the articles mentioned
therein are considered serious and shall be time-barred after two years, and in
particular the following:
(…)
       f) The failure to adopt those technical and organizational measures that
       are appropriate to guarantee a level of security appropriate to the risk
       of the processing, in the terms required by article 32.1 of Regulation
       (EU) 2016/679.”

                                          XI
                  Penalty for violation of article 32 of the GDPR


For the purposes of deciding on the imposition of an administrative fine and its
amount, in accordance with the evidence available, the sanction to be imposed
should be graduated in accordance with the following criteria established in
article 83.2 of the GDPR:


As aggravating factors:

- Article 83.2.a) RGPD: Nature, severity and duration of the infringement.

The nature of the infringement is considered serious since it entails a loss of
confidentiality and, therefore, of disposition and control over the personal data.

High number of data subjects affected: all people who have accessed the clinic for
as long as patients' temperature has been taken in the manner and under the
circumstances described.

- Article 83.2.b) RGPD. Intent or negligence in the infringement: Although it is
considered that there was no intent on the part of SALUS BALEARES, one can
observe the existence of negligence in complying with and observing the
technical and organizational measures necessary to guarantee the security of
personal data, specifically to ensure their confidentiality, since the
temperature of users coming to the clinic was taken in such a way that it could
be seen by the other people present in the waiting room or reception area, which
reflects negligence, especially considering that health data are involved.

It is worth recalling, in this sense, the Judgment of the National Court of
10/17/2007 (rec. 63/2006), which, with respect to entities whose activity involves the
continuous processing of customer data, states: “…the Supreme Court has consistently
held that imprudence exists whenever a legal duty of care is neglected, that is, when
the offender does not behave with the required diligence. And in assessing the degree
of diligence, special consideration must be given to whether or not the subject is a
professional, and there is no doubt that, in the case now examined, when the activity
of the appellant consists of constant and abundant handling of personal data, rigor
and exquisite care in complying with the legal provisions in this regard must be
insisted upon.”

- Article 83.2.g) RGPD. Categories of personal data affected by the breach:

Personal data related to health have been affected.

Likewise, it is considered appropriate to graduate the sanction to be imposed in
accordance with the following criteria established in section 2 of article 76
“Sanctions and corrective measures” of the LOPDGDD:



As aggravating factors:

- Article 76.2.b) LOPDGDD. Link between the offender's activity and the performance
of personal data processing: The business activity carried out by SALUS BALEARES
(clinic) involves continuous processing of personal data, many of them health
data. Therefore, it is a company accustomed to the processing of personal data.

The weighing of the circumstances contemplated in article 83.2 of the RGPD with
regard to the infraction committed by violating the provisions of article 32 of
the RGPD allows a penalty of €10,000 (TEN THOUSAND EUROS) to be set.

Therefore, in accordance with the applicable legislation and having evaluated the
criteria for graduating the sanctions whose existence has been proven, the
Director of the Spanish Data Protection Agency RESOLVES:

FIRST: TO IMPOSE ON CENTRO MÉDICO SALUS BALEARES, S.L., with NIF B07060478, for a
violation of article 5.1.f) of the RGPD, typified in article 83.5 of the RGPD, a
fine of 20,000.00 euros (TWENTY THOUSAND EUROS), and, for a violation of article
32 of the RGPD, typified in article 83.4 of the RGPD, a fine of 10,000.00 euros
(TEN THOUSAND EUROS), which add up to a total amount of €30,000 (THIRTY THOUSAND
EUROS).


THIRD: NOTIFY this resolution to CENTRO MÉDICO SALUS
BALEARES, S.L.


FOURTH: This resolution will become enforceable once the deadline to file the
optional appeal for reconsideration (one month from the day following notification
of this resolution) has elapsed without the interested party having made use of
this right. The sanctioned party is warned that it must pay the sanction imposed
once this resolution is enforceable, in accordance with the provisions of art.
98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of the
Public Administrations (hereinafter LPACAP), within the voluntary payment period
established in art. 68 of the General Collection Regulations, approved by Royal
Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17,
by depositing it, indicating the NIF of the sanctioned party and the procedure
number that appears in the heading of this document, in the restricted account
IBAN: ES00-0000-0000-0000-0000-0000, opened in the name of the Spanish Data
Protection Agency at the banking entity CAIXABANK, S.A. Otherwise, it will be
collected during the enforcement period.

Once notified and once enforceable, if the date of enforceability falls between
the 1st and 15th of the month, both inclusive, the deadline for voluntary payment
will be until the 20th of the following month or the immediately following
business day; and if it falls between the 16th and the last day of the month, both
inclusive, the deadline will be until the 5th of the second following month or the
immediately following business day.

In accordance with the provisions of article 50 of the LOPDGDD, this resolution
will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure in
accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of
article 123 of the LPACAP, interested parties may optionally file an appeal for
reconsideration before the Director of the Spanish Data Protection Agency within
one month from the day following notification of this resolution, or directly a
contentious-administrative appeal before the Contentious-Administrative Chamber of
the National Court, in accordance with the provisions of article 25 and section 5
of the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-Administrative Jurisdiction, within two months from the day following
notification of this act, as provided for in article 46.1 of the aforementioned
Law.

Finally, it is noted that, in accordance with the provisions of art. 90.3 a) of the
LPACAP, the final administrative resolution may be provisionally suspended if the
interested party expresses its intention to file a contentious-administrative
appeal. If this is the case, the interested party must formally communicate this
fact in writing addressed to the Spanish Data Protection Agency, submitted through
the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica-web/],
or through any of the other registries provided for in art. 16.4 of the
aforementioned Law 39/2015, of October 1. The interested party must also provide
the Agency with the documentation proving the effective filing of the
contentious-administrative appeal. If the Agency is not made aware of the filing
of the contentious-administrative appeal within two months from the day following
notification of this resolution, the precautionary suspension will terminate.

                                                                                        938-16012024

Mar España Martí
Director of the Spanish Data Protection Agency