TS - 1039/2022: Difference between revisions
No edit summary |
(→Facts) |
||
Line 79: | Line 79: | ||
=== Facts === | === Facts === | ||
This case resulted from a decision from the Basque Data Protection Authority (Agencia Vasca de Protección de Datos, 'DBEB/AVPD'), that issued a warning to the Basque Health Service (Osakidetza, 'the controller') for violating [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]], in a case in which personal data related to gender reassignment were included in a report about | This case resulted from a decision from the Basque Data Protection Authority (Agencia Vasca de Protección de Datos, 'DBEB/AVPD'), that issued a warning to the Basque Health Service (Osakidetza, 'the controller') for violating [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]], in a case in which personal data related to gender reassignment were included in a report about an injured foot. | ||
The case was appealed and taken to | The case was appealed and taken to court. In this case, the controller considered that for a breach of [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]] to take place, the data subject should have exercised their right to restriction (Article 18 GDPR) beforehand, so the controller could have verified if there was a reason for such data not to be processed and could have found a solution to the problem. | ||
=== Holding === | === Holding === | ||
Therefore, the | Therefore, the court was asked to decidce whether, in a case where the controller carries out a processing activity that the data subject considers to be excessive and data has been already collected, the data minimisation principle from [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]] is directly enforceable, or whether the data subject should exercise beforehand the right to the restriction of processing provided for in [[Article 18 GDPR|Article 18 GDPR]]. | ||
As explained by the Court, [[Article 18 GDPR#1|Article 18(1) GDPR]], in particular in its paragraph d), which was wielded by the controller, is linked to the right to object from [[Article 21 GDPR#1|Article 21(1) GDPR]], that gives the data subject the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1). | As explained by the Court, [[Article 18 GDPR#1|Article 18(1) GDPR]], in particular in its paragraph d), which was wielded by the controller, is linked to the right to object from [[Article 21 GDPR#1|Article 21(1) GDPR]], that gives the data subject the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1). |
Revision as of 15:00, 17 August 2022
TS - 3207/2022 - STS 3207/2022 | |
---|---|
Court: | TS - 3207/2022 (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 18(1) GDPR Article 18(1)(d) GDPR Article 58 GDPR Article 77 GDPR Article 64(2) LOPDGDD Article 65 LOPDGDD |
Decided: | 19.07.2022 |
Published: | 09.08.2022 |
Parties: | Osakidetza-Servicio Vasco de Salud Agencia Vasca de Protección de Datos (DBEB/AVPD) |
National Case Number/Name: | STS 3207/2022 |
European Case Law Identifier: | ECLI:ES:TS:2022:3207 |
Appeal from: | DBEB/AVPD (Basque Country) Resolución de 21 de octubre de 2019 |
Appeal to: | |
Original Language(s): | Spanish |
Original Source: | CENDOJ (in Spanish) |
Initial Contributor: | Carmen Villarroel |
The Spanish Supreme Court ruled that the exercise of data protection rights from Articles 15 to 22 GDPR is not a prerequisite for filing a complaint with a data protection authority, so the latter may act even if the data subject has not addressed the data controller beforehand.
English Summary
Facts
This case resulted from a decision from the Basque Data Protection Authority (Agencia Vasca de Protección de Datos, 'DBEB/AVPD'), that issued a warning to the Basque Health Service (Osakidetza, 'the controller') for violating Article 5(1)(c) GDPR, in a case in which personal data related to gender reassignment were included in a report about an injured foot.
The case was appealed and taken to court. In this case, the controller considered that for a breach of Article 5(1)(c) GDPR to take place, the data subject should have exercised their right to restriction (Article 18 GDPR) beforehand, so the controller could have verified if there was a reason for such data not to be processed and could have found a solution to the problem.
Holding
Therefore, the court was asked to decidce whether, in a case where the controller carries out a processing activity that the data subject considers to be excessive and data has been already collected, the data minimisation principle from Article 5(1)(c) GDPR is directly enforceable, or whether the data subject should exercise beforehand the right to the restriction of processing provided for in Article 18 GDPR.
As explained by the Court, Article 18(1) GDPR, in particular in its paragraph d), which was wielded by the controller, is linked to the right to object from Article 21(1) GDPR, that gives the data subject the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1).
Both rights are of a temporary nature and relate to a disputed deletion of personal data collected on the basis of Article 6(1) (e) or (f). Therefore, in no case is such right applicable to this case.
Nonetheless, the Court highlighted that there is no procedural or enforceability prerequisite that may constrain the competence of a DPA to launch an infringement procedure. Nor the GDPR nor the Spanish Data Protection Act (LOPDGDD ) contain a provision that establishes such prerequisite.
The LOPDGDD differentiates between two different procedures for a GDPR infringement: the ones in which a data subject claims that their data protection rights have not been dealt with and the ones that relate to an investigation of a GDPR violation.
Hence, the exercise of data protection rights from Articles 15 to 22 GDPR is a different and independent way of protection than lodging a complaint with a DPA. Consequently, a data subject may exercise their rights alternately or simultaneously to filing a complaint when they consider that the controller has acted contrary to the GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
The resolutions that make up this database are disseminated for the purposes of knowledge and consultation of the decision criteria of the Courts, in compliance with the competence granted to the General Council of the Judiciary by art. 560.1.10º of the Organic Law of the Judiciary. The user of the database will be able to consult the documents as long as they do so for their own use. The use of the database for commercial uses, nor the massive download of information, is not allowed. The reuse of this information for the preparation of databases or for commercial purposes must follow the procedure and conditions established by the CGPJ through its Judicial Documentation Center. Any action that contravenes the above indications may lead to the adoption of appropriate legal measures.