AEPD (Spain) - EXP202209677

From GDPRhub
Revision as of 06:35, 9 October 2024 by Ao (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=EXP202209677 |ECLI= |Original_Source_Name_1=AEPD |Original_Source_Link_1=https://www.aepd.es/buscador?search=EXP202209677 |Original_Source_Language_1=Spanish |Original_Source_Language__Code_1=ES |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Language__Cod...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
AEPD - EXP202209677
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 32 GDPR
Article 57(1) GDPR
Article 58(1) GDPR
Type: Complaint
Outcome: Upheld
Started: 29.08.2022
Decided: 30.09.2024
Published:
Fine: 200,000 EUR
Parties: HM HOSPITALES 1989
National Case Number/Name: EXP202209677
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: ao

The DPA fined a controller €200,000 for failing to ensure a level of security appropriate to the large-scale processing of sensitive medical data, therefore violating Article 32 GDPR.

English Summary

Facts

The data subject filed a complaint against the controller, a hospital group, with the Spanish DPA (AEPD) on 29 August 2022. The data subject exposed several security deficiencies in the maintenance of the software which the controller used in all of its hospitals. On the 19 September 2022 the DPA urged the Subdirectorate General for Data Inspection to initiate an investigative procedure as per Article 57(1) and Article 58(1) GDPR.

The software called “Doctoris” was used by the controller and held all patient related data ranging from e-mail addresses to sensitive data such as laboratory results as well as political opinions and race. The controller had contracted with a processor to host the databases, storage and backup servers.

The investigation found that although an impact evaluation had taken place in 2023, the auditing company did not have access to all of the data concerned and the report only briefly references IT security. On 26 April 2024, the controller stated that it had carried out audits in some but not all data centres in accordance with its half-year audit plan.

Holding

The DPA recognized that the controller had implemented the required minimum level of encryption necessary for the processing. However, this encryption only protected the system if there was a physical loss of control. It provided no barrier at all in the case of improper access to the data. The court pointed out that the mere fact that the encryption system had to be improved in 2023 shows that the system was, at the time, insufficient.

The court highlighted that Article 32 GDPR sets out a proactive obligation on the controller to periodically review the technical and organisational measures in place. It found that the controller had failed to ensure the effectiveness of its measures through the lack of comprehensive audits across all its hospitals. As aggravating factors, the DPA listed the controller’s negligence regarding the infringement as well as the link between the controller’s role as the management of hospitals and the large scale processing of sensitive data.

The court concluded that the systems inadequacy was assessed in relation to the high risk for the data subjects due to the large-scale processing of sensitive data. It held that any subsequent improvements did not affect the initial infringement of Article 32 GDPR and therefore set the fine at €200,000.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1 / 45
File No.: EXP202209677
RESOLUTION OF SANCTIONING PROCEDURE
From the procedure instructed by the Spanish Data Protection Agency and based on
the following
BACKGROUND
FIRST: D. A.A.A. (hereinafter, the complainant) dated August 29, 2022...