AEPD (Spain) - TD/00251/2021: Difference between revisions
No edit summary |
No edit summary |
||
Line 53: | Line 53: | ||
=== Facts === | === Facts === | ||
The complainant exercised his right of access to his medical records against the Galician Healthcare Service, but his request was not legally answered. | The complainant exercised his right of access to his medical records under Article 15 GDPR against the Galician Healthcare Service, but his request was not legally answered. | ||
There is disagreement between the parties, since the claimant continues to state that it has not obtained the medical records. The respondent, on the other hand, states that it has complied with the request but does not provide documentary proof that the medical records have been sent and delivered to the claimant. | There is disagreement between the parties, since the claimant continues to state that it has not obtained the medical records. The respondent, on the other hand, states that it has complied with the request but does not provide documentary proof that the medical records have been sent and delivered to the claimant. | ||
=== Holding === | === Holding === | ||
The Spanish DPA called on the Galicia Healthcare Service to send the complainant a certificate stating that it has complied with the right of access, or a reasoned refusal stating the reasons why the request should not be granted. | The Spanish DPA called on the Galicia Healthcare Service to send the complainant a certificate stating that it has complied with the right of access under Article 15 GDPR, or a reasoned refusal stating the reasons why the request should not be granted. | ||
== Comment == | == Comment == |
Revision as of 15:29, 15 December 2021
AEPD (Spain) - R/00862/2021 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 15 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | |
Fine: | None |
Parties: | SERVICIO GALLEGO DE SALUD |
National Case Number/Name: | R/00862/2021 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | n/a |
The Spanish DPA (AEPD) called on the Galician Healthcare Service to comply with the a data subject's right of access.
English Summary
Facts
The complainant exercised his right of access to his medical records under Article 15 GDPR against the Galician Healthcare Service, but his request was not legally answered.
There is disagreement between the parties, since the claimant continues to state that it has not obtained the medical records. The respondent, on the other hand, states that it has complied with the request but does not provide documentary proof that the medical records have been sent and delivered to the claimant.
Holding
The Spanish DPA called on the Galicia Healthcare Service to send the complainant a certificate stating that it has complied with the right of access under Article 15 GDPR, or a reasoned refusal stating the reasons why the request should not be granted.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/7 File No.: TD / 00251/2021 RESOLUTION NO: R / 00862/2021 Considering the claim made on June 9, 2021 before this Agency by A.A.A. (in hereinafter, the complaining party), against SERVICIO GALLEGO DE SALUD (SERGAS) (hereinafter, the claimed party), because their right has not been duly addressed access. The procedural actions provided for in Title VIII of the Law have been carried out. Organic 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), the following have been verified FACTS FIRST: The complaining party exercised the right of access to their medical records in front of the claimed, without your request having received the answer legally established. The complaining party provides various documentation related to the claim made before this Agency and on the exercise of the right exercised. SECOND: In accordance with article 65.4 of the LOPDGDD, which has provided for a mechanism prior to the admission for processing of claims made before the AEPD, consisting of transferring them to the Data Protection Delegates designated by those responsible or in charge of the treatment, for the intended purposes in article 37 of the aforementioned norm, or to these when they have not been designated, transferred the claim to the claimed entity so that it could proceed to its analysis and respond to the complaining party and this Agency within a period of month. THIRD: The result of the transfer procedure indicated in the previous Fact does not allowed to understand satisfied the claims of the complaining party. In Consequently, dated September 3, 2021, for the purposes provided in its Article 64.2 of the LOPDGDD, the Director of the Spanish Agency for the Protection of Data agreed to admit the submitted claim for processing and the parties were informed that the maximum term to resolve this procedure, which is understood to have started by means of said agreement of admission to processing, it will be of six months. The aforementioned agreement granted the claimed entity a hearing procedure, to that within a period of fifteen business days it present the allegations it deems convenient. Said entity manifests in the allegations that it has attended the right. FOURTH: After examining the allegations presented by the defendant, they are the subject of transfer to the complaining party, so that, within fifteen business days, it can formulate allegations it deems appropriate. The complaining party reaffirms that it has not obtained his medical history. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/7 FOUNDATIONS OF LAW FIRST: The Director of the Spanish Agency for Data Protection, in accordance with the provisions of section 2 of article 56 in in relation to paragraph 1 f) of article 57, both of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and the free circulation of these data (hereinafter, GDPR); and in article 47 of the LOPDGDD. SECOND: In accordance with the provisions of article 55 of the RGPD, the Agency Spanish Data Protection is competent to perform the functions that are assigned to it in its article 57, among them, that of enforcing the Regulation and promote the awareness of those responsible and those in charge of the treatment about their obligations, as well as dealing with claims submitted by an interested party and investigate the reason for them. Correlatively, article 31 of the RGPD establishes the obligation of those responsible and those in charge of the treatment to cooperate with the control authority that requests it in the performance of their duties. In the event that they have designated a data protection officer, article 39 of the RGPD attributes to him the function of cooperate with said authority. Similarly, the domestic legal system, in article 65.4 of the LOPDGDD, has Provided a mechanism prior to the admission for processing of the claims that are made before the Spanish Agency for Data Protection, which consists of giving transfer of the same to the data protection delegates designated by the responsible or in charge of the treatment, for the purposes provided in article 37 of the aforementioned norm, or to them when they have not been designated, to proceed to the analysis of said claims and to respond to them within a month. In accordance with these regulations, prior to the admission for processing of the claim that gives rise to the present procedure, it was transferred to the responsible entity to proceed with its analysis, provide a response to this Agency within a month and certify having provided the claimant with the proper response, in the event of exercise of the rights regulated in articles 15 to 22 of the GDPR. The result of said transfer did not allow for the satisfaction of the claims of the complaining party. Consequently, dated September 3, 2021, for the purposes provided for in article 64.2 of the LOPDGDD, the Director of the Spanish Agency for Data Protection agreed to admit the submitted claim for processing. Saying The agreement of admission for processing determines the opening of the present procedure of lack of attention to a request to exercise the rights established in the Articles 15 to 22 of the RGPD, regulated in article 64.1 of the LOPDGDD, according to the which: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/7 "one. When the procedure refers exclusively to the lack of attention of a request to exercise the rights established in articles 15 to 22 of the Regulation (EU) 2016/679, will start by agreement of admission for processing, which will be adopt in accordance with the provisions of the following article. In this case, the deadline to resolve the procedure will be six months from from the date on which the claimant was notified of the admission agreement to Procedure. After this period, the interested party may consider his claim". The purging of administrative responsibilities in the framework of of a sanctioning procedure, whose exceptional nature implies that it is chosen, whenever possible, due to the prevalence of alternative mechanisms that have I amparo in the current regulations. It is the exclusive competence of this Agency to assess whether there are responsibilities administrative procedures that must be purged in a sanctioning procedure and, in Consequently, the decision on its opening, there being no obligation to initiate a procedure before any request made by a third party. Such a decision must be based on the existence of elements that justify said start of the activity sanctioning, circumstances that do not concur in the present case, considering that with this procedure, the guarantees and Claimant's rights. THIRD: The rights of people in terms of data protection Personal data are regulated in articles 15 to 22 of the RGPD and 13 to 18 of the LOPDGDD. The rights of access, rectification, deletion, opposition, right to limitation of treatment and right to portability. The formal aspects related to the exercise of these rights are established in the Articles 12 of the RGPD and 12 of the LOPDGDD. It also takes into account what is expressed in Considerations 59 and following of the GDPR. In accordance with the provisions of these rules, the data controller must arbitrate formulas and mechanisms to facilitate the interested party the exercise of their rights, which will be free (without prejudice to the provisions of articles 12.5 and 15.3 of the RGPD), and is obliged to respond to requests made no later than one month, unless you can show that you are unable to identify the interested, and to express their reasons in case they were not to attend said request. The person responsible is responsible for the proof of compliance with the duty of Respond to the request for the exercise of their rights made by the affected party. The communication addressed to the interested party on the occasion of their request must express themselves in a concise, transparent, intelligible and easily accessible way, with a clear and simple language. In the case of the right of access to personal data, in accordance with the established in article 13 of the LOPDGDD, when the exercise of the right is refers to a large amount of data, the person in charge may request the affected party to C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/7 specify the "data or processing activities to which the request refers." The Right will be understood to be granted if the person in charge provides remote access to the data, the request being considered as attended (although the interested party may request the information referring to the extremes provided for in article 15 of the RGPD). The exercise of this right may be considered repetitive on more than one occasion. during the period of six months, unless there is legitimate cause for it. On the other hand, the request will be considered excessive when the affected party chooses a medium other than the one offered that involves a disproportionate cost, which must be assumed by the affected party. FOURTH: In accordance with the provisions of article 15 of the RGPD and article 13 of the LOPDGDD, "the interested party has the right to obtain from the person responsible for the treatment confirmation of whether or not personal data concerning you is being processed and, as such case, right of access to personal data ”. Like the rest of the rights of the interested party, the right of access is a very personal right. Allows the citizen to obtain information about the treatment what is being done of your data, the possibility of obtaining a copy of the data personal concerns that are being processed, as well as information, in particular, about the purposes of the treatment, the categories of data personal concerned, the recipients or categories of recipients to whom the communicated or will be communicated the personal data, the foreseen term or criteria conservation, the possibility of exercising other rights, the right to present a claim before the supervisory authority, the information available on the origin of the data (if these have not been obtained directly from the owner), the existence of automated decisions, including profiling, and information about transfers of personal data to a third country or to an international organization. The possibility of obtaining a copy of the personal data being processed does not negatively affect the rights and freedoms of others, that is, the right to Access will be granted in a way that does not affect third party data. The right of access in relation to medical records is specifically regulated in Article 18 of Law 41/2002, of November 14, basic regulating the Autonomy of the Patient and Rights and Obligations Regarding Information and Clinical Documentation (hereinafter LAP), whose literal wording expresses: "one. The patient has the right of access, with the reservations indicated in section 3 of this article, to the documentation of the medical history and to obtain a copy of the data contained in it. The health centers will regulate the procedure that ensure the observance of these rights. 2. The patient's right of access to the medical record can also be exercised by duly accredited representation. 3. The patient's right of access to the documentation of the medical record does not can be exercised to the detriment of the right of third parties to confidentiality of the data contained in it collected in the therapeutic interest of the patient, or in prejudice to the right of the professionals participating in its preparation, who They can oppose the right to access the reservation of their subjective annotations. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/7 4.Health centers and individual practitioners will only facilitate the access to the medical history of deceased patients to people linked to him, for family or factual reasons, unless the deceased had prohibited it expressly and thus accredited. In any case the access of a third party to the story clinic motivated by a risk to your health will be limited to relevant data. I dont know provide information that affects the privacy of the deceased or the annotations subjective of the professionals, nor that it harms third parties ”. In this sense, it is necessary to highlight article 15 of the LPA that collects the content minimum of medical history: "one. The medical history will incorporate the information that is considered transcendental for the accurate and up-to-date knowledge of the patient's health status. All patient or The user has the right to be recorded, in writing or in the technical support more adequate, of the information obtained in all their care processes, carried out by the health service both in the field of primary care and care specialized. 2. The main purpose of the medical record will be to facilitate health care, leaving proof of all those data that, under medical criteria, allow the knowledge truthful and updated of the state of health. The minimum content of the clinical history will be the following: a) The documentation related to the clinical-statistical sheet. b) The entry authorization. c) The emergency report. d) Anamnesis and physical examination. e) Evolution. f) Medical orders. g) The consultation sheet. h) Complementary examination reports. i) Informed consent. j) The anesthesia report. k) The operating room report or delivery record. l) The pathological anatomy report. m) The evolution and planning of nursing care. n) The therapeutic application of nursing. ñ) The constant graph. o) The clinical discharge report. Paragraphs b), c), i), j), k), I), ñ) and o) will only be required in the completion of the clinical history in the case of hospitalization processes or as required. 3. The completion of the clinical history, in the aspects related to the direct patient care, it will be the responsibility of the professionals who intervene in it. 4. The clinical history will be kept with unit and integration criteria, in each care institution as a minimum, to facilitate the best and most timely knowledge by the physicians of the data of a certain patient in each care process ”. Regarding the preservation of the clinical history, article 17 of the LPA, in its points 1 and 5, provides that: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 6/7 "one. Health centers are obliged to keep clinical documentation in conditions that guarantee its correct maintenance and safety, although not necessarily in the original support, for the proper assistance to the patient during the time appropriate to each case and, at least, five years from the date of discharge from each healthcare process ... 5. Health professionals who carry out their activity individually are responsible for the management and custody of the healthcare documentation generate ”. FIFTH: In the case analyzed here, the complaining party exercised its right to access to the medical history and after analyzing the documentation submitted by both parties, we conclude that it is not credited to have attended the right. There is a disagreement between the parties since the complaining party continues to state that he has not obtained the medical history and, the claimed party on the contrary manifests having attended the right but does not document the sending and delivery of the clinical history to the claimant. Apart from other discrepancies, they must be resolved in the corresponding forums and, considering that the purpose of the present procedure is that the guarantees and the rights of those affected are duly restored, proceeds to estimate the present claim. Considering the cited precepts and others of general application, the Director of the Spanish Agency for Data Protection RESOLVES: FIRST: ESTIMATE the claim made by A.A.A. and urge SERVICE GALLEGO DE SALUD (SERGAS) with CIF Q6550006H, so that, within the ten business days following notification of this resolution, send to the party Claimant certification stating that he has met the right of access exercised by the latter or is reasonedly denied indicating the reasons why it is not proceed to meet your request. The actions carried out as a consequence of the This Resolution must be communicated to this Agency within the same period. The Failure to comply with this resolution could lead to the commission of the offense considered in article 72.1.m) of the LOPDGDD, which will be sanctioned, in accordance with with art. 58.2 of the RGPD. SECOND: NOTIFY this resolution to A.A.A. and to GALICIAN SERVICE OF HEALTH (SERGAS). In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may file, optionally, an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a month to counting from the day after notification of this resolution or directly Contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within a period of two months from the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 7/7 day following notification of this act, as provided in article 46.1 of the referred Law. 1188-080921 Mar Spain Martí Director of the Spanish Agency for Data Protection C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es