AEPD (Spain) - PS/00250/2021
AEPD (Spain) - PS/00250/2021 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1)(f) GDPR Article 32(1)(b) GDPR Article 32(2) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 01.07.2021 |
Published: | |
Fine: | None |
Parties: | Servicio Extremeño de Salud |
National Case Number/Name: | PS/00250/2021 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | Resolucion de Procedimiento Sancionador (in ES) |
Initial Contributor: | Silvia Lorenzo Perez |
The Spanish DPA (AEPD) warned a regional health service for failing to put in place appropriate security measures to prevent access to patient’s medical history to unauthorised persons, in breach of Article 5(1)(f) and Article 32 GDPR.
English Summary
Facts
A data subject filed a complaint with the Spanish DPA (AEPD) claiming that a nurse employed by the regional health service of Extremadura (hereinafter “SES”) had unlawfully accessed his/her medical history without an authorisation from the complainant and without having any relation with the data subject that justified such access under national and EU law.
As part of the investigation the AEPD requested the following information from the SES:
- The causes that enabled the unlawful access from a third party;
- Detailed descriptions of the actions taken to halt the undue access to the patient’s information and to minimise the adverse effect on the data subject;
- Measures taken to prevent similar occurrences in the future;
- A copy of the risks assessment carried out as well as the data protection impact assessment, if any;
- Details of the technical and organizational measures adopted to guarantee a level of security appropriate to the risks detected with relation to the access by health personnel to the medical records of the patients and the security policy adopted by the entity in relation to it.
The SES replied that the patient's right to access includes “knowing in any case who has accessed your health data, the reason for access and the use that has been made of it". In order to effectively execute this right, the IT system that supports clinical information of patients requires the existence of a relationship that legitimizes the access of the healthcare professional to a specific medical record. Hence, when a healthcare professional requests access to the history of a patient being treated the IT system automatically understand that the relation is “medical care” between a healthcare provider and a patient. The person requesting access must also provide a specific reason.
The SES did not provide the risks assessment nor the data protection impact assessment as requested by the AEPD.
Holding
The AEPD found that the access by the third party unrelated to the claimant to his clinical history was unlawful because the selection of the reason for accessing the clinical history of a patient had not been not verified with the actual profile of the user. Hence, it held that there had been a violating the principles of integrity and confidentiality established in Article 5(1)(f) GDPR.
The AEPD held that medical histories are special categories of data under Article 9, the processing of which entails a number of risks that must be identified and addressed properly with adequate security measures to safeguarding the integrity and confidentiality of this data. These risks must be taken into account by the data controller who must establish the necessary technical and organizational measures to prevent the loss of control of the data by the person responsible for the treatment and, therefore, by the holders of the data that provided them.
However, in its investigation the AEPD did not find evidence that the mandatory risk analysis and the recommended impact assessment had been carried out by the SES. Moreover, the AEPD pointed that the SES had failed to put in place a process of verification, evaluation and continuous assessment of the effectiveness of the technical and organizational measures to guarantee the security of the processing. As a result, the AEPD held that technical and organizational measures implemented in the IT system were deficient and in breach of Article 32(1)(b) and (2), and warned the controller.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/14 Procedure No.: PS / 00250/2021 RESOLUTION OF SANCTIONING PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following BACKGROUND FIRST: The inspection actions are initiated by the receipt of a written statement of claim of A.A.A. (hereinafter, the claimant), in which they state that they have produced improper access to his medical history by a worker of the Extremadura Health Service (hereinafter SES), with professional category of nurse. The accesses are made without the authorization of the claimant and without mediation a relationship that justifies it. The claimant adds that improper accesses are perfectly identified in the Certificate of access to the clinical history, issued on 08/14/2020 by the Management of the Badajoz Health Area of the Extremadura Health Service (SES) in response to the Official letter issued by the Court of Instruction No. 2 of Badajoz, in which there are 5 accesses produced between 02/10/2007 to 15/07/2019. Indicates that more accesses are missing undue, which are pending obtaining by the Court. Relevant documentation provided by the claimant: - Certificates issued by the Court of Instruction No. 2 of Badajoz admitting for processing Complaint for revealing secrets and agreeing to take evidence. -Certificate of access to the clinical record in the information system of the SES of the claimant dated 08/14/2020. SECOND: In view of the notified facts and the documents provided by the SES, the Subdirectorate General for Data Inspection proceeded to carry out preliminary investigation actions to clarify the facts described in the previous sections, by virtue of the powers of investigation granted to the control authorities in article 57.1 of Regulation (EU) 2016/679 (Regulation General Data Protection, hereinafter RGPD), and in accordance with the established in Title VII, Chapter I, Second Section, of Organic Law 3/2018, of December 5, Protection of Personal Data and guarantee of rights digital (hereinafter LOPDGDD), having knowledge of the following extremes: BACKGROUND Date on which the claimed events took place: July 15, 2019 Claim entry date: October 13, 2020 Claimant: A.A.A. (the claimant) C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/14 Claimed: EXTREME HEALTH SERVICE (SES) INVESTIGATED ENTITIES SERVICIO EXTREMEÑO DE SALUD, with NIF S0611001I, and with address at Avda.de las Américas 2, 06800 Mérida, Badajoz. RESULT OF RESEARCH ACTIONS On 11/12/2020 the claim was transferred to the SES within the framework of the reference actions E / 9118/2020. The transfer document was collected on the day 11/23/2020 according to your acknowledgment of receipt. After the term granted, on 02/10/2021 resolution is issued admitting the claim and urging the present actions of inspection. On 02/16/2021, information and documentation was requested on the events at the SES, having received no response as of the date of this report. The The request was collected on 02/22/2021, according to acknowledgment of receipt. Attached to request made the document for the transfer of the claim issued above, indicating that there is no answer to it. In the request made, the following information was requested from the SES: 1.- Copy of the report prepared and supporting documentation in relation to the facts, which will contain the following aspects: 1–1. Detailed specification of the causes that have made the events possible. 1–2. Detailed description of the actions taken in order to minimize adverse effects and for the final resolution of the incident, indicating the date and time of action taken. 1-3. Measures taken to prevent similar incidents from occurring, implementation dates and controls carried out to verify their effectiveness. 2.- Regarding the security of the processing of personal data previously to the facts: 2-1. Documentation accrediting the Risk Analysis that has led to the implementation of security measures and copy of the Evaluations of Impact, if any. 2-2. Detail those technical and organizational measures adopted to guarantee a level of security appropriate to the risks detected with relation to the access by health personnel to the medical records of the patients. Security policy adopted by the entity in relation to it. However, on 04/05/2021 a reply was received from the SES to the transfer carried out on 11/12/2020 within the framework of the reference actions E / 09118/2020, in the following terms: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/14 "I. ABOUT THE BACKGROUND The aforementioned letter requests this Public Administration to rule on the a claim received by the citizen -the claimant- on the 13th of October 2020. In this communication it is requested: The decision made regarding this claim. In the event of exercising the rights regulated in articles 15 to 22 of the RGPD, accreditation of the response provided to the claimant. Report on the causes that have motivated the incident that has originated the claim. Report on the measures adopted to prevent the occurrence of similar incidents, implementation dates and controls carried out to check its effectiveness. Any other that you consider relevant. In this sense, this document complies with said request, providing in Annex 1 the communications with the claimant and, in the rest of the sections of this document, the information requested by the AEPD. II. ABOUT THE ACCESS CONTROLS ALREADY ESTABLISHED IN THE EXTREME HEALTH SERVICE The Extremadura Health Service (hereinafter, SES) is an autonomous body of administrative nature, dependent on the Ministry of Health and Dependency of the Junta de Extremadura, which is entrusted with exercising the powers of administration and management of health services, benefits and programs that governs their operation by national and regional regulations that are applicable. In this sense, the Law of the Autonomous Community of Extremadura 3/2005, of 8 July, on health information and patient autonomy, regulates in its article 35.3 the The patient's right to access and obtain copies or certificates of the documents that appear in your medical history, such as “knowing in any case who has accessed your health data, the reason for access and the use that has been made of they". Well, on the exercise of this right, which has been requested by the claimant, it cannot be inferred from the documentation provided that there has been any breach on the part of this Administration since, in view it is that this information is in the hands of the complainant. Translated this right to the information system that supports clinical information of patients in the Extremadura Health Service, it should be noted that the execution effective of this right to know who and for what access to the Clinical History, translates into the necessary existence of a relationship that legitimizes the access of the healthcare professional to a specific Medical Record. For this reason, when accessing the History of a patient currently being treated at the workplace clinical (be Hospitalization, Outpatient Consultations, Functional Tests, Hospital of Day, Operating Room ...), the computer system automatically understands that the reason Access is Healthcare, and this is reflected in said system. However, this is not a C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/14 automatic process, but the system only allows access to patients who are either under active treatment or are on the agenda of the professional or, they belong to the patients assigned to him in his quota. When the Medical History is accessed by searching for a patient (not selecting it directly from a job list), the system forces you to choose a access reason from among those configured for each profile. In this In this sense, the following will appear to a specialist in Specialized Care: The Patient Management reason is selected when accessing the History is related to an action to be performed on a patient who is not is in the Clinical Workstation at that time, such as consultation or documentation review, reporting, prior preparation of consultation or surgical intervention, review of clinical orders and citations ... The Research Study motif is selected, as its own name indicates, when access to the Medical History is related to work of research in which that patient is included. The DCL Request reason will be used when access to the History is made to respond to a Request for Clinical Documentation from the own patient or an authorized person. The Occupational Disability reason is only available to profiles of Inspection and will select it when access to History is related to an occupational problem of the patient. Access ONLY to the Patient Diary is not a reason for accessing the Record; is the name with which access to the Agenda is identified in the log of records of accesses to the patient's Agenda. However, even if this access filter has been established, this does not imply that the access is total, since each of the reasons that would legitimize access and that just outlined does not imply unrestricted access to clinical information. Therefore, each of the accesses is accompanied by access restrictions, since that full access to health information would not make sense when the reason for justifies access is an administrative reason. In this way, the Extremaduran public health regulations governing the SES, is a regulation that offers greater rights to citizens regarding their clinical information; this with the recognition of the right to know who has accessed your health information. The exercise of this right, as well as the guarantee of the confidentiality of the health information processed in the SES becomes effective through access controls to clinical information. Therefore, it can be inferred that the accesses referred to by the complainant occurred fulfilling the requirements of legitimacy of access that are derived from the obligations of the data protection regulations and those imposed by internally from the Extremadura Health Service. Thus, in Fact TWO used as an argument, the idea that, as noted, the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/14 access was made taking advantage of her “professional category of nurse”, since, If the situations described in this section did not occur, access would not have been possible. Therefore, it is not possible to understand as valid the argument used that produced an access “without mediating between them a care relationship of nurse / patient ”since the system requests for access to clinical information the existence of a reason that legitimizes the access. Likewise, the arguments described in Fact must also be rejected. THIRD, where the accesses made by Mrs. B.B.B. are noted, since all accesses to the information should and were, motivated by any of the the scenarios anticipated and detailed in advance. III. ABOUT THE FORUM This part does not attempt to question the authority of the AEPD, nor the information provided by the complainant; However, the SES in its responsibility does not consider appropriate to respond to complaints or requests that do not start from a solid base. In this In this sense, the FIRST Fact of the brief presented by the complainant refers to facts that must be understood as subjective or, at least, hardly objective, such as the exercise of "strict control over life and person" that did not allow the complainant "to develop a normal life and rebuild his life sentimental". As it is not objectifiable information, the SES considers that it should not pronounce in this sense and that, rather, corresponds to another area, specifically the bodies judicial, establish if the facts are as reported. Understand, then, that there is a spirit of this Administration to collaborate, insofar as it is possible, but that it is understood that the events denounced have to do with actions or omissions typified in the Penal Code on which the SES could not do something else other than collaborate with the judicial bodies that resolve them. Defined the legitimacy of the accesses to the information of a patient (the complainant) by a public health system worker (the one denounced), given that Without the existence of such legitimacy, access would be technically impossible, the SES understands that the reported situation must be waited until it has the status of Proven Fact (understood as the account of events subject to prosecution that the judicial body has considered true). This, because it is also understood that the events reported do not correspond to a breach of the regulations of data protection of the SES as Responsible for the Treatment if not, rather as a crime (which could well be classified as revealing secrets) committed by a person, yes, a worker of the SES, in a private sphere in which the SES as an employer it has no scope. Yes, mediating a sentence that establishes the denounced facts as facts tested, having the SES knowledge of them, the measures will be taken appropriate internal regulations based on the Internal Regime as described in the legal notices of the logins of the users of the information system. Until then, the SES understands that this procedure should be filed and, in the event of a ruling favorable to the defendant, notify the SES to that the corresponding internal sanctions be established. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 6/14 IV. ON THE FULFILLMENT OF THE OBLIGATIONS OF THE SES AS RESPONSIBLE FOR THE TREATMENT On the other hand, regarding the obligations of the Extremadura Health Service, as responsible for the treatment, and in coordination with what was stated at the beginning of the Second claim (II), the SES has been fulfilling its obligations as responsible for the Treatment regarding the requests made by the complainant. I know pointed out in the aforementioned allegation the existence, as a result of the Extremadura legislative development of a right to "know who has access to clinical information" and, given the information provided by the complainant, it is understood that the SES has complied with said obligations. A different question is, if the complainant understands that the person reported has breached its confidentiality obligations and, if so, once it is shown As a proven fact, you can contact the SES to take the measures timely. V. ON THE MEASURES ALREADY APPLIED BY THE SES Prior to having knowledge of the complaint that is transferred, the SES, in the field of its proactive responsibility had already taken measures that guarantee the confidentiality of information. (1) Access control: access to clinical information of patients in the Extremadura Health Service is only given when the control standards for access; to. First, the control of access to information is segregated into function of the professional role of the information system, that is, only those that, due to their functions and obligations, they must access clinical information and, within these, depending on the purpose, you have access to all or part of said information. b. Being legitimized to access clinical information by the professional role, the Access to citizens' data is not free for users, having to mediate a relationship that legitimizes access to specific data, namely, to be part of the "Quota" of the healthcare professional, have him or her mentioned in the agenda or that he / she is in a active treatment. Otherwise, access is not possible. c. Granted, where appropriate, access having given the two circumstances above, this is not necessarily a total access or an access to the History Complete clinic since the accesses are defined for specific purposes and These, in turn, have defined what information they give access to based on that purpose. We speak, therefore, of a double legitimation based on (1) the professional role and (2) the purpose of access and, this added to the need for the existence of a reason that legitimize access. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 7/14 (2) Legal notice at the beginning of the session in which users are reminded that the The information accessed is confidential and should only be treated with the purpose that legitimizes access. Uses other than the aforementioned purposes are considered inappropriate and could be considered labor misconduct or, where appropriate, a crime and lead to the initiation of the file in the corresponding legal field. “[…] It is contrary to good faith to attempt to access information for which there is no has permissions or privileges or is not directly related to their functions, as well as filtering of any type of data, especially of character personal, outside the corporate network. In this sense, the user of the computer system […] knows the responsibilities established in the Criminal Code, in the Data Protection regulations and in the rest of the Spanish legislation on the illicit use, contrary to morality, good faith and customs of computer tools, without prejudice to liability derived from the applicable internal regulations. In order to guarantee compliance with the security policy, the SES may monitor communications and / or files received / sent by users by means of the entity's resources and systems in the event of suspicions founded that resources are being misused. […] " Acceptance of this legal notice is mandatory to access the system of information. (3) Training pills, reminders, circulars ... regarding secrecy duties and confidentiality, security advice and the like that, from the Subdirectorate of Information Systems together with the figure of the Data Protection Delegate will they launch to all users of the system, as well as other resources accessible from the “SES portal” to which all users of the information system have access of the SES. THIRD: On May 26, 2021, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure for the complained party, by the alleged violation of Article 32 of the RGPD, Article 5.1.f) of the RGPD, typified in the Article 83.5 of the RGPD. FOURTH: Notified the agreement to initiate this sanctioning procedure, the SES, as responsible, has not presented any allegations. In view of all the actions, by the Spanish Agency for Data Protection In this proceeding, the following are considered proven facts, PROVEN FACTS FIRST: It is proven that a third party unrelated to the claimant agreed wrongly to his clinical history obtained in the SES, on several occasions without the SES intervened to prevent it once the incident was known. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 8/14 SECOND: The cause that caused the improper access was the lack of measures technical and organizational implemented in the information and control system of SES accesses. THIRD: It is clear that a third party had knowledge of the data of the claimants in the SES clinical record categorized as special as indicated in art. 9 of the GDPR. FOUNDATIONS OF LAW I By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of control, and as established in articles 47 and 48 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and to solve this procedure. II Article 5.1.f) of the RGPD establishes the following: "Article 5 Principles relating to treatment 1. The personal data will be: (…) f) treated in such a way as to guarantee adequate data security personal data, including protection against unauthorized or illegal processing and against its loss, destruction or accidental damage, through the application of technical measures or appropriate organizational arrangements ('integrity and confidentiality'). " In the present case, it is proven that the personal data of the claimant relating to his medical history that appear in the SES information system were unduly accessed by a third party, violating the principles of integrity and confidentiality, both established in the aforementioned article 5.1.f) of the RGPD. III Establishes article 32 of the RGPD, security of treatment, the following: 1. Taking into account the state of the art, the costs of application, and the nature, scope, context and purposes of the treatment, as well as risks of variable probability and severity for people's rights and freedoms physical, the person in charge and the person in charge of the treatment will apply technical measures and appropriate organizational arrangements to ensure a level of security appropriate to the risk, that in your case include, among others: a) pseudonymisation and encryption of personal data; b) the ability to guarantee confidentiality, integrity, availability and permanent resilience of treatment systems and services; C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 9/14 c) the ability to restore availability and access to data personnel quickly in the event of a physical or technical incident; d) a process of regular verification, evaluation and assessment of effectiveness of the technical and organizational measures to guarantee the security of the treatment. 2. When evaluating the adequacy of the security level, it will be particularly important take into account the risks presented by the data processing, in particular as consequence of accidental or illegal destruction, loss or alteration of data personal data transmitted, preserved or otherwise processed, or the communication or unauthorized access to said data (The underlining is from the AEPD). Recital 75 of the GDPR lists a series of factors or assumptions associated with Risks to the guarantees of the rights and freedoms of the interested parties: “The serious and serious risks to the rights and freedoms of natural persons variable probability, may be due to the processing of data that could cause Physical, material or immaterial damages, particularly in cases where that the treatment may give rise to problems of discrimination, usurpation of identity or fraud, financial loss, reputational damage, loss of confidentiality of data subject to professional secrecy, unauthorized reversal of the pseudonymization or any other significant economic or social damage; in the cases in which the interested parties are deprived of their rights and freedoms or are prevent exercising control over your personal data; in cases where the data personal treaties reveal ethnic or racial origin, political opinions, religion or philosophical beliefs, union membership and the processing of genetic data, data relating to health or data on sexual life, or convictions and offenses criminal or related security measures; in the cases in which they are evaluated personal aspects, in particular the analysis or prediction of aspects related to the job performance, financial situation, health, preferences or interests personal, reliability or behavior, situation or movements, in order to create or use personal profiles; in the cases in which personal data of vulnerable people, particularly children; or in cases in which the treatment involves a large amount of personal data and affects a large number of interested. " In the present case, of the investigative actions carried out the selection The reason for accessing the medical history of a SAS patient is not verified with the access profile of the user leaving, consequently, access to information to the discretion of the user who accesses. Therefore, as a consequence of the lack of implementation of technical measures and adequate organizational requirements that are mandatory for the Public Administrations as indicated in RD 3/2010, which regulates the National Scheme of Security (ENS), has caused third-party access to the data housed in the SES medical records information system. The performance of the mandatory risk analysis and, where appropriate, impact assessment act on the treatment of health data of SAS patients. Nor does it appear that the SAS has in place a process of verification, evaluation and continuous assessment C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 10/14 of the effectiveness of technical and organizational measures to guarantee the safety of the treatment. IV The actions carried out include the absence of security measures adequate technical and organizational nature, with which the SES had performs treatment operations in relation to the health data of the records clinical There is also no evidence of the adequacy of the SES treatment operations to the National Security Scheme at the time of improper access. The consequence of this implementation of deficient security measures was the Exposure to a third party of the personal data related to the health of the claimant. In other words, the affected party has been deprived of control over their data. personal information regarding your medical history. It should be added that, in relation to the category of data to which the third person someone else has had access, they are in the category of specials according to provided in art. 9 of the RGPD, a circumstance that supposes an added risk that is must be assessed in the risk management study and that increases the requirement of the degree protection in relation to security and safeguarding the integrity and confidentiality of this data. This risk must be taken into account by the data controller who must establish the necessary technical and organizational measures to prevent the loss of control of the data by the person responsible for the treatment and, therefore, by the holders of the data that provided them. V Article 83.4.a) of the RGPD states the following: (…) "4. Violations of the following provisions will be sanctioned, in accordance with the paragraph 2, with administrative fines of a maximum of EUR 10 000 000 or, in the case of a company, an amount equivalent to a maximum of 2% of the global total annual business volume of the previous financial year, opting for the highest amount: a) The obligations of the person in charge and the person in charge in accordance with articles 8, 11, 25 to 39, 42 and 43 ". Article 83.5.a) of the RGPD, states the following: (…) "5. Violations of the following provisions will be sanctioned, in accordance with the paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the global total annual business volume of the previous financial year, opting for the highest amount: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 11/14 a) the basic principles for the treatment, including the conditions for the consent in accordance with articles 5, 6, 7 and 9 "; Article 76 of the LOPDGDD under the heading "Sanctions and corrective measures", notes the following: 1. The sanctions provided for in sections 4, 5 and 6 of article 83 of the Regulation (EU) 2016/679 will be applied taking into account the criteria of graduation established in section 2 of the aforementioned article. 1. It will be possible, complementary or alternatively, the adoption, when appropriate, of the remaining corrective measures referred to in article 83.2 of Regulation (EU) 2016/679. SAW Article 71 of the LOPDGDD establishes the following under the heading "Infractions": The acts and conducts referred to in sections 4, 5 constitute offenses. and 6 of Article 83 of Regulation (EU) 2016/679, as well as those resulting contrary to the present organic law. Establishes article 72.1.a) of the LOPDGDD, under the heading "Infractions considered very serious ”, the following: "1. In accordance with the provisions of article 83.5 of Regulation (EU) 2016/679, considered very serious and will prescribe after three years the infractions that suppose a substantial violation of the articles mentioned therein and, in particular, the following: a) The processing of personal data violating the principles and guarantees established in Article 5 of Regulation (EU) 2016/679. " In the present case, the offending circumstances provided for in article 72.1.a) of the LOPDGDD transcribed above. It establishes article 73 of the LOPDGDD, under the heading “Infractions considered serious ”the following: "Based on what is established in article 83.4 of Regulation (EU) 2016/679, considered serious and will prescribe after two years the infractions that suppose a substantial violation of the articles mentioned therein and, in particular, the following: f) Failure to adopt technical and organizational measures that result appropriate to ensure a level of security appropriate to the risk of the treatment, in the terms required by article 32.1 of Regulation (EU) 2016/679. In the present case, the offending circumstances provided for in article 73 concur section f) of the LOPDGDD transcribed above. VII C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 12/14 Establishes Law 40/2015, of October 1, on the Legal Regime of the Public Sector, in Chapter III relative to the “Principles of the sanctioning power”, in article 28 under the heading "Responsibility", the following: "1. They can only be sanctioned for acts constituting an administrative offense. natural and legal persons, as well as, when a Law recognizes their capacity to act, the affected groups, the unions and entities without legal personality and the independent or autonomous patrimonies, who are responsible for them to title of fraud or guilt " Lack of diligence in implementing appropriate security measures with the consequence of the violation of the principle of confidentiality, constitutes the element of guilt. VIII Article 58.2 of the RGPD states the following: 2. Each supervisory authority shall have all the following corrective powers listed below: (…) b) direct a warning to any person in charge or in charge of the treatment when the treatment operations have infringed the provisions of this Regulation; For its part, the Spanish legal system has chosen not to sanction with the imposition of administrative fine on public entities, such as the SES, such as indicated in article 77.1. c) and sections 2, 4, 5 and 6 of the LOPDDGG: << 1. The regime established in this article will be applicable to the treatments of who are responsible or in charge: c) The General Administration of the State, the Administrations of the communities autonomous entities and the entities that make up the Local Administration. 2. When the managers or managers listed in section 1 commit any of the infractions referred to in articles 72 to 74 of this law organic, the competent data protection authority will issue a resolution sanctioning them with warning. The resolution will also establish the measures to be taken to stop the conduct or correct the effects of the infraction that had been committed. The resolution will be notified to the person in charge of the treatment, the body of the that depends hierarchically, where appropriate, and those affected who had the condition interested party, if applicable. 4. The data protection authority must be notified of the resolutions that fall in relation to the measures and actions referred to in the sections previous. 5. They will be communicated to the Ombudsman or, where appropriate, to similar institutions C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 13/14 of the autonomous communities the actions carried out and the resolutions issued under this article. 6. When the competent authority is the Spanish Agency for Data Protection, This will publish on its website with due separation the resolutions referring to the entities of section 1 of this article, expressly indicating the identity of the responsible or in charge of the treatment that had committed the infringement. >> Therefore, in accordance with the applicable legislation and assessed the criteria of graduation of the sanctions whose existence has been accredited, the Director of the Spanish Agency for Data Protection, RESOLVES: FIRST: IMPOSE EXTREMEÑO DE SALUD SERVICE, with NIF S0611001I, for the violation of Article 32 of the RGPD typified in Article 83.4.a) of the RGPD the sanction of APERCIBIMENTO, and for the violation of article 5.1.f) of the RGPD, typified in Article 83.5.a) of the RGPD, the sanction of APERCIBIMENTO. SECOND: NOTIFY this resolution to SERVICIO EXTREMEÑO DE HEALTH. THIRD: COMMUNICATE this resolution to the Ombudsman, of in accordance with the provisions of article 77.5 of the LOPDGDD. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a month to counting from the day after the notification of this resolution or directly contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within two months from the day following notification of this act, as provided in article 46.1 of the referred Law. Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the final resolution through administrative channels if the interested party expresses his intention to file contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact through writing addressed to the Spanish Agency for Data Protection, presenting it through of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica- web /], or through any of the other records provided for in art. 16.4 of the cited Law 39/2015, of October 1. You must also transfer to the Agency the documentation that proves the effective filing of the contentious appeal- administrative. If the Agency is not aware of the filing of the appeal contentious-administrative within a period of two months from the day following the notification of this resolution would terminate the precautionary suspension. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 14/14 938-131120 Mar Spain Martí Director of the Spanish Agency for Data Protection C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es