AEPD (Spain) - TD/00251/2021: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD (Spain) |DPA_With_Country=AEPD (Spain) |Case_Number_Na...")
 
No edit summary
Line 48: Line 48:
}}
}}


The Spanish DPA (AEPD) called on the Galician Healthcare Service to comply with the right to access of a data subject.  
The Spanish DPA (AEPD) called on the Galician Healthcare Service to comply with the a data subject's right of access.  


== English Summary ==
== English Summary ==

Revision as of 15:21, 14 December 2021

AEPD (Spain) - R/00862/2021
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 15 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published:
Fine: None
Parties: SERVICIO GALLEGO DE SALUD
National Case Number/Name: R/00862/2021
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish DPA (AEPD) called on the Galician Healthcare Service to comply with the a data subject's right of access.

English Summary

Facts

The complainant exercised his right of access to his medical records against the Galician Healthcare Service, but his request was not legally answered. There is disagreement between the parties, since the claimant continues to state that it has not obtained the medical records and the respondent, on the other hand, states that it has complied with the right but does not provide documentary proof that the medical records have been sent and delivered to the claimant.

Holding

The Spanish DPA called on the Galicia Healthcare Service to send the complainant a certificate stating that it has complied with the right of access exercised by the complainant or a reasoned refusal, stating the reasons why the request should not be granted.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                                1/7










     File No.: TD / 00251/2021



                              RESOLUTION NO: R / 00862/2021

Considering the claim made on June 9, 2021 before this Agency by A.A.A. (in
hereinafter, the complaining party), against SERVICIO GALLEGO DE SALUD (SERGAS)

(hereinafter, the claimed party), because their right has not been duly addressed
access.

The procedural actions provided for in Title VIII of the Law have been carried out.
Organic 3/2018, of December 5, Protection of Personal Data and guarantee of
digital rights (hereinafter LOPDGDD), the following have been verified



                                      FACTS


FIRST: The complaining party exercised the right of access to their medical records
in front of the claimed, without your request having received the answer legally
established.
The complaining party provides various documentation related to the claim made
before this Agency and on the exercise of the right exercised.


SECOND: In accordance with article 65.4 of the LOPDGDD, which has provided for a
mechanism prior to the admission for processing of claims made before
the AEPD, consisting of transferring them to the Data Protection Delegates
designated by those responsible or in charge of the treatment, for the intended purposes
in article 37 of the aforementioned norm, or to these when they have not been designated,

transferred the claim to the claimed entity so that it could proceed to its
analysis and respond to the complaining party and this Agency within a period of
month.

THIRD: The result of the transfer procedure indicated in the previous Fact does not

allowed to understand satisfied the claims of the complaining party. In
Consequently, dated September 3, 2021, for the purposes provided in its
Article 64.2 of the LOPDGDD, the Director of the Spanish Agency for the Protection of
Data agreed to admit the submitted claim for processing and the parties were informed that
the maximum term to resolve this procedure, which is understood to have started

by means of said agreement of admission to processing, it will be of six months.

The aforementioned agreement granted the claimed entity a hearing procedure, to
that within a period of fifteen business days it present the allegations it deems
convenient. Said entity manifests in the allegations that it has attended the right.


FOURTH: After examining the allegations presented by the defendant, they are the subject of
transfer to the complaining party, so that, within fifteen business days, it can formulate
allegations it deems appropriate.
The complaining party reaffirms that it has not obtained his medical history.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/7












                           FOUNDATIONS OF LAW

FIRST: The Director of the Spanish Agency for
Data Protection, in accordance with the provisions of section 2 of article 56 in
in relation to paragraph 1 f) of article 57, both of Regulation (EU) 2016/679 of the
European Parliament and of the Council of April 27, 2016 on the protection of

natural persons with regard to the processing of personal data and the free
circulation of these data (hereinafter, GDPR); and in article 47 of the LOPDGDD.

SECOND: In accordance with the provisions of article 55 of the RGPD, the Agency
Spanish Data Protection is competent to perform the functions that

are assigned to it in its article 57, among them, that of enforcing the Regulation and
promote the awareness of those responsible and those in charge of the treatment
about their obligations, as well as dealing with claims
submitted by an interested party and investigate the reason for them.

Correlatively, article 31 of the RGPD establishes the obligation of those responsible

and those in charge of the treatment to cooperate with the control authority that requests it in
the performance of their duties. In the event that they have designated a
data protection officer, article 39 of the RGPD attributes to him the function of
cooperate with said authority.


Similarly, the domestic legal system, in article 65.4 of the LOPDGDD, has
Provided a mechanism prior to the admission for processing of the claims that are
made before the Spanish Agency for Data Protection, which consists of giving
transfer of the same to the data protection delegates designated by the
responsible or in charge of the treatment, for the purposes provided in article 37 of

the aforementioned norm, or to them when they have not been designated, to proceed to the
analysis of said claims and to respond to them within a month.

In accordance with these regulations, prior to the admission for processing of the
claim that gives rise to the present procedure, it was transferred to the
responsible entity to proceed with its analysis, provide a response to this Agency

within a month and certify having provided the claimant with the proper response,
in the event of exercise of the rights regulated in articles 15 to 22 of the
GDPR.

The result of said transfer did not allow for the satisfaction of the claims of the

complaining party. Consequently, dated September 3, 2021, for the purposes
provided for in article 64.2 of the LOPDGDD, the Director of the Spanish Agency for
Data Protection agreed to admit the submitted claim for processing. Saying
The agreement of admission for processing determines the opening of the present procedure of
lack of attention to a request to exercise the rights established in the

Articles 15 to 22 of the RGPD, regulated in article 64.1 of the LOPDGDD, according to the
which:



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/7








"one. When the procedure refers exclusively to the lack of attention of a
request to exercise the rights established in articles 15 to 22 of the
Regulation (EU) 2016/679, will start by agreement of admission for processing, which will be

adopt in accordance with the provisions of the following article.
In this case, the deadline to resolve the procedure will be six months from
from the date on which the claimant was notified of the admission agreement to
Procedure. After this period, the interested party may consider his
claim".


The purging of administrative responsibilities in the framework of
of a sanctioning procedure, whose exceptional nature implies that it is chosen,
whenever possible, due to the prevalence of alternative mechanisms that have
I amparo in the current regulations.


It is the exclusive competence of this Agency to assess whether there are responsibilities
administrative procedures that must be purged in a sanctioning procedure and, in
Consequently, the decision on its opening, there being no obligation to initiate a
procedure before any request made by a third party. Such a decision must
be based on the existence of elements that justify said start of the activity
sanctioning, circumstances that do not concur in the present case, considering that

with this procedure, the guarantees and
Claimant's rights.

THIRD: The rights of people in terms of data protection
Personal data are regulated in articles 15 to 22 of the RGPD and 13 to 18 of the

LOPDGDD. The rights of access, rectification, deletion,
opposition, right to limitation of treatment and right to portability.

The formal aspects related to the exercise of these rights are established in the
Articles 12 of the RGPD and 12 of the LOPDGDD.


It also takes into account what is expressed in Considerations 59 and following of the
GDPR.

In accordance with the provisions of these rules, the data controller
must arbitrate formulas and mechanisms to facilitate the interested party the exercise of their

rights, which will be free (without prejudice to the provisions of articles 12.5 and 15.3
of the RGPD), and is obliged to respond to requests made no later than one
month, unless you can show that you are unable to identify the
interested, and to express their reasons in case they were not to attend said
request. The person responsible is responsible for the proof of compliance with the duty of

Respond to the request for the exercise of their rights made by the affected party.

The communication addressed to the interested party on the occasion of their request must
express themselves in a concise, transparent, intelligible and easily accessible way, with a
clear and simple language.


In the case of the right of access to personal data, in accordance with the
established in article 13 of the LOPDGDD, when the exercise of the right is
refers to a large amount of data, the person in charge may request the affected party to

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/7








specify the "data or processing activities to which the request refers." The
Right will be understood to be granted if the person in charge provides remote access to the data,
the request being considered as attended (although the interested party may request the information

referring to the extremes provided for in article 15 of the RGPD).

The exercise of this right may be considered repetitive on more than one occasion.
during the period of six months, unless there is legitimate cause for it.

On the other hand, the request will be considered excessive when the affected party chooses a medium

other than the one offered that involves a disproportionate cost, which must be
assumed by the affected party.

FOURTH: In accordance with the provisions of article 15 of the RGPD and article 13 of the
LOPDGDD, "the interested party has the right to obtain from the person responsible for the treatment

confirmation of whether or not personal data concerning you is being processed and, as such
case, right of access to personal data ”.

Like the rest of the rights of the interested party, the right of access is a
very personal right. Allows the citizen to obtain information about the treatment
what is being done of your data, the possibility of obtaining a copy of the data

personal concerns that are being processed, as well as
information, in particular, about the purposes of the treatment, the categories of data
personal concerned, the recipients or categories of recipients to whom the
communicated or will be communicated the personal data, the foreseen term or criteria
conservation, the possibility of exercising other rights, the right to present a

claim before the supervisory authority, the information available on the origin of
the data (if these have not been obtained directly from the owner), the existence of
automated decisions, including profiling, and information about
transfers of personal data to a third country or to an international organization.
The possibility of obtaining a copy of the personal data being processed does not

negatively affect the rights and freedoms of others, that is, the right to
Access will be granted in a way that does not affect third party data.

The right of access in relation to medical records is specifically regulated in
Article 18 of Law 41/2002, of November 14, basic regulating the
Autonomy of the Patient and Rights and Obligations Regarding Information and

Clinical Documentation (hereinafter LAP), whose literal wording expresses:

"one. The patient has the right of access, with the reservations indicated in section 3
of this article, to the documentation of the medical history and to obtain a copy of the
data contained in it. The health centers will regulate the procedure that

ensure the observance of these rights.
2. The patient's right of access to the medical record can also be exercised by
duly accredited representation.
3. The patient's right of access to the documentation of the medical record does not
can be exercised to the detriment of the right of third parties to confidentiality

of the data contained in it collected in the therapeutic interest of the patient, or in
prejudice to the right of the professionals participating in its preparation, who
They can oppose the right to access the reservation of their subjective annotations.


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/7








4.Health centers and individual practitioners will only facilitate the
access to the medical history of deceased patients to people linked to him,
for family or factual reasons, unless the deceased had prohibited it

expressly and thus accredited. In any case the access of a third party to the story
clinic motivated by a risk to your health will be limited to relevant data. I dont know
provide information that affects the privacy of the deceased or the annotations
subjective of the professionals, nor that it harms third parties ”.

In this sense, it is necessary to highlight article 15 of the LPA that collects the content

minimum of medical history:

"one. The medical history will incorporate the information that is considered transcendental for the
accurate and up-to-date knowledge of the patient's health status. All patient or
The user has the right to be recorded, in writing or in the technical support more
adequate, of the information obtained in all their care processes, carried out

by the health service both in the field of primary care and care
specialized.
2. The main purpose of the medical record will be to facilitate health care, leaving
proof of all those data that, under medical criteria, allow the knowledge
truthful and updated of the state of health.

The minimum content of the clinical history will be the following:
a) The documentation related to the clinical-statistical sheet.
b) The entry authorization.
c) The emergency report.
d) Anamnesis and physical examination.

e) Evolution.
f) Medical orders.
g) The consultation sheet.
h) Complementary examination reports.
i) Informed consent.
j) The anesthesia report.

k) The operating room report or delivery record.
l) The pathological anatomy report.
m) The evolution and planning of nursing care.
n) The therapeutic application of nursing.
ñ) The constant graph.

o) The clinical discharge report.
Paragraphs b), c), i), j), k), I), ñ) and o) will only be required in the completion of the
clinical history in the case of hospitalization processes or as required.
3. The completion of the clinical history, in the aspects related to the
direct patient care, it will be the responsibility of the professionals who
intervene in it.

4. The clinical history will be kept with unit and integration criteria, in each
care institution as a minimum, to facilitate the best and most timely
knowledge by the physicians of the data of a certain patient in each
care process ”.


Regarding the preservation of the clinical history, article 17 of the LPA, in its
points 1 and 5, provides that:


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/7








"one. Health centers are obliged to keep clinical documentation
in conditions that guarantee its correct maintenance and safety, although not
necessarily in the original support, for the proper assistance to the patient during the

time appropriate to each case and, at least, five years from the date
of discharge from each healthcare process ...
5. Health professionals who carry out their activity individually are
responsible for the management and custody of the healthcare documentation
generate ”.


FIFTH: In the case analyzed here, the complaining party exercised its right to
access to the medical history and after analyzing the documentation submitted by
both parties, we conclude that it is not credited to have attended the right.
There is a disagreement between the parties since the complaining party continues to state
that he has not obtained the medical history and, the claimed party on the contrary manifests

having attended the right but does not document the sending and delivery of the
clinical history to the claimant.
Apart from other discrepancies, they must be resolved in the corresponding forums
and, considering that the purpose of the present procedure is that the guarantees and
the rights of those affected are duly restored, proceeds to estimate the
present claim.


Considering the cited precepts and others of general application,
the Director of the Spanish Agency for Data Protection RESOLVES:

FIRST: ESTIMATE the claim made by A.A.A. and urge SERVICE

GALLEGO DE SALUD (SERGAS) with CIF Q6550006H, so that, within the
ten business days following notification of this resolution, send to the party
Claimant certification stating that he has met the right of access
exercised by the latter or is reasonedly denied indicating the reasons why it is not
proceed to meet your request. The actions carried out as a consequence of the

This Resolution must be communicated to this Agency within the same period. The
Failure to comply with this resolution could lead to the commission of the offense
considered in article 72.1.m) of the LOPDGDD, which will be sanctioned, in accordance with
with art. 58.2 of the RGPD.

SECOND: NOTIFY this resolution to A.A.A. and to GALICIAN SERVICE OF

HEALTH (SERGAS).

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.


Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may file, optionally, an appeal for reconsideration before the
Director of the Spanish Agency for Data Protection within a month to
counting from the day after notification of this resolution or directly

Contentious-administrative appeal before the Contentious-Administrative Chamber of the
National High Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative jurisdiction, within a period of two months from the

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/7











day following notification of this act, as provided in article 46.1 of the
referred Law.

                                                                                               1188-080921

Mar Spain Martí
Director of the Spanish Agency for Data Protection

































































C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es