AEPD (Spain) - PS/00024/2019

From GDPRhub
Revision as of 14:52, 6 February 2020 by Juliette Leportois (talk | contribs) (Created page with "{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;" ! colspan="2" |AEPD - PS/00024/2019 |- | colspan="2" style="padding: 20px; background-color:#ffffff;"...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
AEPD - PS/00024/2019
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 12 GDPR

Article 15 GDPR

Article 56(2) GDPR

Article 57(1)(f) GDPR

Type: Complaint
Outcome: Upheld
Decided: n/a
Published: 3.02.2020
Fine: None
Parties: Health Department of Madrid Vs. Anonymous
National Case Number: PS/00024/2019
European Case Law Identifier n/a
Appeal: n/a
Original Language:

Spanish

Original Source: AEPD (in ES)

The AEPD found that a data controller may not require from the data subject to collect the personal data requested himself or on his behalf if it can be sent with appropriate and adequate means instead. Indeed, the data controller was able to identify the data subject and to send the personal data via encrypted email. Therefore, it was not proportionate to answer that the right of access could be exercised only if the data subject has appointed someone to collect his personal data on his behalf instead of sending directly to him, under Article 12 and 15 GDPR.

English Summary

Facts

The complainant requested his medical records containing personal data to the University Hospital Puerta de Hierro by e-mail. He asked them to send the documentation by post to his place of residence in Honduras and later, noticed that he wanted the document to be sent in Greece. The hospital answered it would have been impossible to send him the documentation requested to the alleged place of residence, namely in Greece, by post.

Nevertheless, they answered it was only possible that someone collect the documentation on the behalf of the data subject, as it was not possible to verify the data subject’s identity.

Following the data controller’s answer, the complainant filed a complaint with the AEPD, pursuant to Articles 56 and 57(1)(f) GDPR for obstructing his right of access.

Dispute

Could the data controller require to the data subject to collect the personal data or to appoint someone to collect them on his behalf?

Holding

The AEPD noted that it that the exercise of the followings rights: access, rectification, deletion, limitation, portability and opposition has been refused.

The AEPD pointed out that the data controller could have been easily identified the data subject as he sent a photocopy of his identity card. It also noticed that the data controller could have use an encryption system and send the medical records by e-mail.

Therefore, the AEPD rejected the data controller’s argument and urged the data controller to comply with the data subject’s request within the ten workings following days.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the original. Please refer to the Spanish original for more details.

1