AEPD (Spain) - PS-00587-2021

From GDPRhub
AEPD - PS-00587-2021
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 4 GDPR
Article 5(1)(f) GDPR
Article 5(2) GDPR
Article 9(1) GDPR
Article 24 GDPR
Article 25 GDPR
Article 32 GDPR
Article 57(1) GDPR
Article 58(2) GDPR
Article 83(4) GDPR
Article 83(5) GDPR
Article 83(7) GDPR
Article 28(1) LOPDGDD
Article 4 Law 41/2002
Article 47 LOPDGDD
Article 48(1) LOPDGDD
Article 63(2) LOPDGDD
Article 65(4) LOPDGDD
Article 71 LOPDGDD
Article 72 LOPDGDD
Article 73 LOPDGDD
Article 77 LOPDGDD
Type: Complaint
Outcome: Upheld
Started: 26.04.2021
Decided: 30.09.2022
Published:
Fine: n/a
Parties: Consejeria de Sanidad de la Comunidad de Madrid
National Case Number/Name: PS-00587-2021
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: isabela.maria.rosal

The Spanish DPA held a controller liable for a data breach because it did not have sufficient measures in place to prevent it. Although some measures had been applied, they did not provide an adequate level of protection for sensitive data.

English Summary

Facts

A third party unlawfully accessed the medical records of the data subject. The controller kept logs of who accessed medical records, which proved that the unlawful access had actually taken place and therefore that a data breach had occurred. Medical records are a special category of data, and the processing of sensitive data carries higher risks. The controller had some protection and access-control measures for the data, but not enough.

Holding

The DPA held that a data breach occurred and that the controller should be considered liable, since it did not have sufficient measures in place to prevent unlawful access to the data (Article 5(1)(f) and Article 32 GDPR). Even though some measures were in place, they were not adequate for the level of protection required for sensitive data (Article 9 GDPR).

Comment

The controller cited various measures as means of preventing a data breach, but the DPA found them ineffective. For example, the access log serves the purpose of subsequent control but does not help prevent data breaches. The DPA also highlighted the need for a proactive approach from the controller.

Further Resources


English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/26








     File No.: PS/00587/2021



                RESOLUTION OF SANCTIONING PROCEDURE

Of the procedure instructed by the Spanish Data Protection Agency and based on the following

                                   BACKGROUND


FIRST: On November 22, 2020, A.A.A. (hereinafter, the complaining party) filed a claim with the Spanish Data Protection Agency.

The claim is directed against the DEPARTMENT OF HEALTH OF THE COMMUNITY OF MADRID, with NIF S7800001E (hereinafter, the claimed party).

The claimant states that, on May 16, 2020, she filed a complaint with the Management of the La Paz University Hospital, where she worked, for the alleged improper access to her medical record by a co-worker, B.B.B., and that the only response she has received is that her complaint was referred to the Medical Directorate of La Paz Hospital for investigation.

She indicates that on May 13, 2020, at around 8 a.m., the aforementioned nurse, from the operating room service in the general building of the La Paz University Hospital in Madrid, taking advantage of her status as a nurse and using her personal access passwords, entered her clinical record, held in the "HCIS computer system" database, without any care relationship.

She states that on the same day, May 13, 2020, she reported the events described to the nursing supervision of the operating room service where the nurse worked, as well as to the Nursing Directorate of La Paz Hospital.

She provides a document dated 05/20/2020 in which the head of the Information Service of the La Paz University Hospital informs the claimant that the notification about “improper access to your medical history” and the claim filed with Salud Madrid have been forwarded to the Medical Management.

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), said claim was transferred to the claimed party so that it could analyze it and report to this Agency, within a period of one month, on the actions carried out to comply with the requirements of the data protection regulations.

This Agency has received no response to the transfer of the claim.





C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/26








THIRD: On April 26, 2021, in accordance with article 65 of the LOPDGDD, the Director of the Spanish Data Protection Agency agreed to admit for processing the claim presented by the complaining party.

FOURTH: The General Subdirectorate of Data Inspection carried out preliminary investigative actions to clarify the facts at issue, by virtue of the investigative powers granted to supervisory authorities in article 57.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), and in accordance with Title VII, Chapter I, Second Section, of the LOPDGDD, establishing the following regarding the claimed party:

DEPARTMENT OF HEALTH OF THE COMMUNITY OF MADRID, with NIF S7800001E, with address at C/ MELCHOR FERNÁNDEZ ALMAGRO, N.º 1 - 28029 MADRID (MADRID).

On 05/24/2021, information was requested from the claimed party within the framework of the present investigation file. No response having been received, the request was reiterated, and a response was then received with the following results:

About access.

A copy of the access log of the La Paz Hospital information system for 05/13/2020, recording the accesses made by the nurse cited by the claimant, was requested. It was requested to provide the date and time of the accesses, details of the type of data accessed, and documentation accrediting the existing justification for said accesses.

In response, the claimed party only indicates that the La Paz University Hospital conducted an investigation of the facts and concluded that accesses were made by the nurse cited by the claimant, in the period from the claimant's arrival at the emergency room at 3:46 a.m. until her discharge the same day at 10:12 a.m.

About access investigations.

A copy of the appropriate investigations mentioned in the document from the Patient Care Service was requested, as well as the final response issued to the claimant, attaching to this Agency's request a copy of the document provided by the claimant in which the Head of the Information Service of the La Paz University Hospital informs her of the transfer to the Medical Directorate of the center of the notification about “improper access to your medical history” so that “the appropriate investigations are carried out.”

In this regard, the claimed party indicates that the La Paz Hospital has carried out the appropriate investigations to clarify the facts described by the complainant.

They do not provide a copy of the required investigations. They provide a copy of a letter dated 12/18/2020, indicating that it is the final response sent to the claimant, in which the Hospital indicates that Management will not contact her because “an audit is carried out and the appropriate actions are taken, but this does not entail that the interested party be informed.”

They indicate to this Agency that the aforementioned Hospital has a protocol according to which “if improper access has occurred, the Data Protection Committee (DP) must assess what information would be given to the interested party, always informing them that the right granted to them by the LOPD itself would only cover knowledge of the information subjected to processing, but not which persons, within the organization of the person responsible for the file, have been able to access such information.”

Attached is the aforementioned protocol, entitled Compliance Verification Audits in accesses to HC (Clinical History), a copy of which is included in the present inspection proceedings.

On the actions taken in order to minimize the adverse effects and for the final resolution of the incident.

In this regard, they provide a report from the La Paz Hospital in which the sequence of events is detailed, as well as copies of the reports from the Nursing Directorate.


In one of these reports from the Nursing Directorate of Hospital La Paz it states:

“On Thursday, May 13 […the claimant…] requested a meeting with me to inform me of an event that had occurred and of which I, as Supervisor of the Unit, should be aware. She had spent the night in the emergency room because, while on call in the operating room, she began with […]. During her stay in the emergency room, she received a WhatsApp message from a colleague of hers from the operating room that literally said "the plate is fine." […the claimant…] replied "how do you know? Have you looked at my clinical record?" Her colleague replied that she had indeed consulted her record, apologizing to her at that very moment.

[…the claimant…] states that this fact seriously violates her privacy and that this colleague (I quote verbatim) "has been making her life impossible for 3 years, and this is the straw that breaks the camel's back."

Seeing the seriousness of the matter, I notified my Area Deputy, and […the claimant…] expressed her wish that these events not go unpunished.

Likewise, we spoke with the colleague who had entered the clinical record, who immediately admitted her mistake and apologized repeatedly. She expressed her wish to speak with […the claimant…] and apologize to her. Once we had spoken with the two parties involved and, in response to the request of […the claimant…], she was informed of the channels available in the hospital to make whatever claims she considers appropriate. She was also informed that her colleague is interested in personally apologizing for viewing her record without her permission and in case at any point in their professional relationship she has felt wronged by her attitude toward her.”


Regarding the measures adopted to prevent similar incidents from occurring, their implementation dates and the controls carried out to verify their effectiveness.

They only mention again the audit protocol for verifying compliance in accesses to the HC (Clinical History), edition dated 03/23/2021, indicating that section 4 (Development) describes a process of reactive and proactive audits, the latter being monthly and following a specific structure and monitoring, to meet the requirements of the Ministry of Health in case of improper access to medical records.

Regarding the security of personal data processing in place prior to the events.

It was requested to detail the technical and organizational measures adopted to guarantee a level of security appropriate to the risks detected in relation to access by healthcare personnel to patients' clinical records, and the security policy adopted by the entity in relation to it.

They mention in this regard that the Security Policy of the Ministry of Health, a copy of which they provide, includes a “Decalogue of good practices for users of the information systems of the Ministry of Health” which is mandatory for all personnel who provide services in the Ministry (article 12.2).

Regarding the duty to respect data privacy, among other obligations, the Decalogue establishes the following:

- Users must access exclusively the information necessary for the development of the functions inherent to their activity and only that to which they are authorized (3.1).

- In accessing this information, users are obliged to comply with all the security conditions established by data protection regulations and other applicable requirements, in accordance with the standards and procedures established in the CSCM (3.2).

- All persons involved in any phase of the processing of personal data are bound by professional secrecy with respect to such data (3.3).

They indicate that the aforementioned Security Policy provides that “Failure to comply with any of the behavioral guidelines contained in this Decalogue of good practices may give rise to the corresponding disciplinary liability, if applicable, in application of the rules governing the user's disciplinary regime.”

They state that the La Paz University Hospital has a series of measures established in order to maintain and consolidate information security and privacy, such as the preservation of access traces and periodic training for staff.

FIFTH: On January 3, 2022, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against the claimed party, in accordance with articles 63 and 64 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), for the alleged violation of article 5.1.f) of the RGPD and article 32 of the RGPD, typified in articles 83.5 and 83.4 of the RGPD, respectively.

The initiation agreement was sent, in accordance with the rules established in the LPACAP, through electronic notification, being received on January 5, 2022, as stated in the certificate included in the record.

SIXTH: Once the initiation agreement was notified, the claimed party presented a written statement of allegations in which, in summary, it stated:

-that the Hospital responsible for data processing, Hospital Universitario La Paz (HULP), carried out an investigation of the events, concluding that there were improper accesses to her medical record during the interval in which the complainant was in the emergency room (3:46 a.m. until 10:12 a.m. of the same day, on which she was discharged: June 13, 2020),

-that there are adequate and sufficient security measures for the management of clinical records, since user activities are recorded, retaining the information necessary to monitor, analyze, investigate and document improper or unauthorized activities and allowing the identification of the person who acts, and the center has a protocol established for such purposes, which includes a process of reactive and proactive audits, the latter on a monthly basis and following a specific structure and monitoring, to address the requirements of the Ministry of Health in case of improper access to medical records,

-that they have a security policy at the level of the Ministry of Health, which provides for specific organizational measures to maintain the confidentiality of the information accessed by the organization's workers,

-that in the medical records management system there is a segregation of profiles for the use of the tool, based on the work performed by each of the positions.

The document that establishes the assignment of Users and type profiles is attached, in which it is stated that: “it can be verified that due compliance is given to the principle of least privilege, in accordance with the provisions of Annex II [op.acc.3] of the National Security Scheme, strictly limiting each user to the minimum necessary to fulfill their obligations. Likewise, privileges are limited so that users only access information necessary for the fulfillment of their functions.

Therefore, there are different defined user models, such as:

• Administrative User
• Medical User (one per specialty)

• Nurse User (midwives, supervisors, nurses)
• Consultation User (only gives access to view the information, but does not allow registration)
• User for other non-medical groups

User models are composed of different profiles, and each profile allows access to certain functions or competencies, always bearing in mind that, according to Law 41/2002, of November 14, the basic regulation of patient autonomy and of rights and obligations regarding clinical information and documentation, article 16 indicates that the clinical record is an instrument intended fundamentally to guarantee adequate care to the patient; that is, the medical record must be accessible in such a way that adequate care can be ensured for each patient, taking into account the diversity of health professionals existing in the center. For example, in emergency cases, the medical record must be accessible to safeguard the vital interests of each citizen.

When a professional joins the center, they are assigned the established model user, but if the professional changes functions or requires new functions, this must have the approval of Management. In the event that a user requests new functions and there is no established model user, Management assesses the relevance of creating a new model user.

Thus, and as can be seen in the protocol, there are no generic users, but rather users created according to the functions they have been assigned, with univocal and nominal access for each professional with their "Personal ID" access number.”

-that a Confidentiality Commitment is signed, through which the worker is informed, at the time of formalizing his or her contract with the hospital, of the security and privacy policies that are mandatory for employees of the Hospital,

-that training is provided to staff regarding the security of personal data,

-that the claimed party acknowledged its mistake and apologized to the complaining party, indicating the lack of intent in accessing her information, from which they understand that both the technical and organizational security measures implemented by the controller are optimal and valid to guarantee the security and confidentiality of patient data.

SEVENTH: On March 11, 2022, the instructor of the procedure issued a proposed resolution for violation of the provisions of article 5.1 f) of the RGPD.

The aforementioned proposed resolution was sent, in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), through electronic notification, being received on March 12, 2022, as stated in the certificate included in the record.

EIGHTH: On March 28, 2022, the claimed entity presented a written statement of allegations to the Proposed Resolution, in which, in summary, it stated, in relation to the established security measures, that, in application of the National Security Scheme, user activities are recorded, retaining the information necessary to monitor, analyze, investigate and document improper or unauthorized activities and allowing the identification at all times of the person who acts; that they have implemented a reactive and proactive audit process, the latter being monthly in nature and following a specific structure and follow-up, to meet the requirements of the Ministry of Health in case of improper access to medical records; that there is a segregation of profiles for the use of the tool, based on the work performed by each of the positions, limiting each user's access to the minimum; that employees sign a Confidentiality Commitment, through which the worker is informed, at the time of formalizing his or her relationship, of his or her duties in this matter; and that an information box (banner) appears warning that access to the platform must be for healthcare purposes.

And in relation to other considerations, it states that the clinical record is an instrument fundamentally intended to guarantee adequate care to the patient, that is, the medical record must be accessible in such a way that it can be ensured that adequate care is provided to each patient; that training is provided regarding the security of personal data; that the appropriate investigations were carried out, which led to the necessary actions to resolve the incidents that occurred, making it possible to identify at all times the person who accessed the record; and that the mitigating measures carried out by the Hospital, at the request of the affected party, have consisted of a warning.

Finally, it mentions the AEPD sanctioning procedure No. AP/00056/2014. In said resolution, issued on February 9, 2021, the AEPD had the opportunity to rule on possible improper and unjustified access to the clinical record of a patient who was a worker of the Madrid Health Service. The AEPD, the interested party states, concluded that SERMAS had established sufficient security measures.

NINTH: In view of the facts considered proven and in accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) grants each supervisory authority, the provisions of articles 47 and 48.1 of Organic Law 3/2018, of December 5, on Personal Data Protection and guarantee of digital rights (hereinafter, LOPDGDD), and the power provided for in article 90.2 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, on August 23, 2022 the claimed party was notified that, from the proven facts, not only a violation of article 5.1.f) of the RGPD was considered, but also a violation of article 32 of the same legal text.

TENTH: Once the Proposed Resolution was notified, the claimed party presented a written statement of allegations in which, in summary, it stated that the adequate provision of healthcare involves the participation of several services of the same center in pursuit of the ultimate goal of the patient's well-being and health; that, in fact, in health practice it is common for an emergency service to lead to an operating room service, in which it would be strictly necessary, in order to preserve the vital interests of the affected person, that the health personnel of both services have immediate access to the patient's medical record in order to provide adequate emergency healthcare.

They provide a report issued by the La Paz University Hospital in which it is indicated, in relation to the measure proposed by the AEPD that each professional could have access to the medical records of only those patients on whom they carry out their activity, that this measure is extremely complex and difficult to apply both at a technical and organizational level, and above all from the point of view of care, because health professionals, and especially the nursing area, are subject to continuous shift changes and can carry out their activity on a rotating basis, going from the morning to the afternoon or night shift. Likewise, as regards the unit, service or medical specialty, exclusion criteria could not be applied either, since health personnel can change location: a professional can carry out their activity in one ward or specialty and the next day or next shift in a different one.

They therefore consider that health personnel must have access to the different diagnostic tests performed or consult reports from other specialists and/or professionals that may influence the pathology they are treating. They also add that patients can exercise their right to Free Choice of Specialist and Free Choice of Health Center, request another opinion or be referred at the physician's request to a different center to carry out a test or treatment not included in the service portfolio of the center of origin. In these situations, health professionals must be able to access the patient's complete clinical record to provide adequate care.

Finally, they consider it necessary that the system profiles remain configured as they have been until now, since this is the best way to preserve the health of the patients who come to the hospital where they receive healthcare, and they indicate that there is already a strong segregation of profiles for the use of the tool, based on the work performed by each of the positions, limiting each user's access to the minimum.
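The Comment section above notes that the access log only allows subsequent control, while the hospital's allegations describe a segregation of profiles (Medical, Nurse, Consultation and Administrative user models) and argue that emergency care requires broad access to records. The following added example, which is not code from the AEPD, GDPRhub or the hospital, shows how one care-relationship check can serve both purposes: applied before an access is granted it is the preventive control the DPA asks for, with a break-glass path that keeps emergency access possible but requires a recorded justification and flags the access for the reactive audit; run over the access log afterwards, the same rule is the monthly proactive audit. The log format, the role permission sets, the episode (care assignment) table and every identifier (ENF-0421, P-77310 and so on) are constructed assumptions.

```python
"""Care-relationship check for clinical-record (HC) access, usable both as a
pre-access control and as a post-hoc (proactive) audit over the access log.

Added example; not code from the AEPD decision, GDPRhub or the hospital.
Assumptions (all constructed): the log format, the role permission sets,
the episode table and every identifier below.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Assumed permission sets, loosely following the user models the hospital
# lists (Medical, Nurse, Consultation, Administrative). Consultation users
# may only view; administrative users get no clinical access at all.
ROLE_PERMISSIONS = {
    "medical": {"view", "record"},
    "nurse": {"view", "record"},
    "consultation": {"view"},
    "administrative": set(),
}

# (user, patient, start, end): who is currently caring for whom. Constructed.
Episode = Tuple[str, str, datetime, datetime]


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    role: str
    patient: str
    action: str
    justification: Optional[str]  # None unless break-glass was invoked


@dataclass
class Finding:
    event: AccessEvent
    verdict: str  # "ok" | "break_glass" | "deny"
    reason: str


def parse_log_line(line: str) -> AccessEvent:
    """Parse one constructed 'ts key=value ...' line; '-' means no value."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    just = kv.get("justification", "-")
    return AccessEvent(
        ts=datetime.fromisoformat(ts_str),
        user=kv["user"],
        role=kv["role"],
        patient=kv["patient"],
        action=kv["action"],
        justification=None if just == "-" else just,
    )


def parse_log(text: str) -> List[AccessEvent]:
    return [parse_log_line(l) for l in text.splitlines() if l.strip()]


def has_care_relationship(user: str, patient: str, ts: datetime,
                          episodes: List[Episode]) -> bool:
    """True if the user is assigned to the patient at the time of access."""
    return any(u == user and p == patient and start <= ts <= end
               for u, p, start, end in episodes)


def evaluate_access(event: AccessEvent, episodes: List[Episode]) -> Finding:
    """Decide one access. Run before granting it, this is the preventive
    control; run over the log afterwards, it is the audit rule."""
    allowed = ROLE_PERMISSIONS.get(event.role, set())
    if event.action not in allowed:
        return Finding(event, "deny",
                       f"profile {event.role!r} does not permit {event.action!r}")
    if has_care_relationship(event.user, event.patient, event.ts, episodes):
        return Finding(event, "ok", "active care relationship")
    if event.justification:
        # Emergency path: access proceeds, but it is never silent.
        return Finding(event, "break_glass",
                       "no care relationship; justification recorded, "
                       "queued for reactive audit")
    return Finding(event, "deny", "no care relationship and no justification")


def proactive_audit(events: List[AccessEvent],
                    episodes: List[Episode]) -> List[Finding]:
    """Periodic sweep: every access that was not a routine, related one."""
    return [f for f in (evaluate_access(e, episodes) for e in events)
            if f.verdict != "ok"]


# Constructed sample data. Patient P-77310 is in the emergency room from
# 03:46 to 10:12 under MED-0102 and ENF-0099; ENF-0421 works elsewhere.
SAMPLE_EPISODES: List[Episode] = [
    ("MED-0102", "P-77310", datetime(2020, 5, 13, 3, 46), datetime(2020, 5, 13, 10, 12)),
    ("ENF-0099", "P-77310", datetime(2020, 5, 13, 3, 46), datetime(2020, 5, 13, 10, 12)),
]

SAMPLE_LOG = """\
2020-05-13T04:02:10 user=MED-0102 role=medical patient=P-77310 action=record justification=-
2020-05-13T08:00:41 user=ENF-0421 role=nurse patient=P-77310 action=view justification=-
2020-05-13T08:05:03 user=ADM-0007 role=administrative patient=P-77310 action=view justification=-
2020-05-13T09:30:00 user=ENF-0421 role=nurse patient=P-55001 action=view justification=urgent-preop-check
2020-05-13T09:45:12 user=CON-0311 role=consultation patient=P-77310 action=record justification=-
"""

if __name__ == "__main__":
    for f in proactive_audit(parse_log(SAMPLE_LOG), SAMPLE_EPISODES):
        e = f.event
        print(f"{e.ts.isoformat()} {e.user:<9} {e.patient} {e.action:<6} "
              f"{f.verdict:<11} {f.reason}")
```

The design point is that the hospital's objection (rotating shifts, emergencies, referrals) argues against a static per-patient allow-list, not against checking the care relationship at all: the episode table is updated as assignments change, and the break-glass path grants access that no episode covers while forcing a justification into the log, so the reactive audit has something concrete to review rather than an undifferentiated access trace.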


In view of all the actions taken by the Spanish Data Protection Agency in this procedure, the following facts are considered proven:

                                 PROVEN FACTS

FIRST: On November 22, 2020, the claimant filed a claim with the Spanish Data Protection Agency for the alleged access to her medical record by a co-worker.

SECOND: The Hospital responsible for data processing carried out an investigation of the facts, concluding that improper accesses to her medical record occurred during the interval in which the complainant was in the emergency room (3:46 a.m. until 10:12 a.m. on the same day on which she was discharged: June 13, 2020).

                           FOUNDATIONS OF LAW

                                            I


In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) grants each supervisory authority, and as established in articles 47 and 48.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: “The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, of this organic law, of the regulatory provisions dictated in its development and, insofar as they do not contradict them, on a subsidiary basis, of the general rules on administrative procedures.”

                                           II
In response to the allegations presented by the claimed entity against the agreement initiating the sanctioning procedure, the following must be noted:

The GDPR broadly defines “personal data security breaches” (hereinafter, security breach) as “all those breaches of security that cause the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or the unauthorized communication of or access to said data.”

In the present case, it is clear that a personal data security breach occurred in the circumstances indicated above, categorized as a confidentiality breach, as a consequence of the exposure to a third party of personal data relating to the health of the complaining party.

Article 32 of the GDPR states the following:

"1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, which, where appropriate, includes, among others:

a) the pseudonymization and encryption of personal data;
b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
c) the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident;
d) a process for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures for ensuring the security of the processing.

2. In assessing the appropriate level of security, account shall be taken in particular of the risks presented by the processing, in particular from the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or the unauthorized communication of or access to such data.

3. Adherence to a code of conduct approved pursuant to Article 40 or to a
certification mechanism approved pursuant to article 42 may serve as an element
to demonstrate compliance with the requirements established in section 1 of the

present article.

4. The controller and the person in charge of the treatment will take measures to ensure that
any person acting under the authority of the person responsible or in charge and
has access to personal data can only process said data following
instructions of the person responsible, unless it is obliged to do so by virtue of the Law of

the Union or the Member States.”

The aforementioned article provides that “the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.” Consequently, it does not adopt a closed list of technical and organizational measures; rather, these must be appropriate to the previously analyzed level of risk.

That said, article 32.1 includes an obligation of means and not an obligation of result. Indeed, it indicates that “the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.” That is, it imposes the obligation to establish a level of security, and that level must be a function of the risk analysis that every controller must carry out in accordance with section 2 of said article:

      "2. In assessing the appropriate level of security, account shall be taken in particular of the risks presented by the processing, in particular from the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or the unauthorized communication of or access to such data."


The technological evolution and sophistication of unauthorized access to data systems mean that the regulations cannot unconditionally demand a total guarantee of the absence of integrity or confidentiality breaches. But they do require controllers to carry out a risk analysis and to implement a “level of security appropriate” to those risks.

This duty is therefore characterized as an obligation of means. This is what the Supreme Court declared in its recent ruling of February 15, 2022:

      “The obligation to adopt the necessary measures to guarantee the security of personal data cannot be considered an obligation of result, which would imply that a leak of personal data to a third party gives rise to liability regardless of the measures adopted and the activity carried out by the person responsible for the file or processing.

      In the obligations of means the commitment that is acquired is to adopt

      the technical and organizational means, as well as deploying diligent activity
      in its implementation and use that tends to achieve the expected result with
      means that can reasonably be described as suitable and sufficient for its


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/26








      achievement, which is why they are called obligations of "diligence" or "commitment".

      The difference lies in liability: in an obligation of result, one answers for a harmful outcome caused by the failure of the security system, whatever its cause and whatever diligence was employed. In an obligation of means, it is enough to establish technically adequate measures and to implement and use them with reasonable diligence.

      In the latter case, the sufficiency of the security measures that the controller must establish has to be judged against the state of technology at any given time and the level of protection required by the personal data processed, but no result is guaranteed. As established in art. 17.1 of Directive 95/46/EC on the security of processing, the controller must implement appropriate technical and organisational measures: "Such measures shall ensure, having regard to the state of the art and the cost of their implementation, a level of security appropriate to the risks represented by the processing and the nature of the data to be protected." Art. 31 of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC, now says the same, providing with respect to the security of processing that appropriate technical and organisational measures are those adopted "taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons [...]".

      We have already reasoned that the obligation on the controller of the file and on the processor to adopt the measures necessary to guarantee the security of personal data is not an obligation of result but of means, so the infallibility of the measures adopted is not required. All that is required is the adoption and implementation of technical and organisational measures which, in accordance with the state of technology and in relation to the nature of the processing carried out and the personal data in question, reasonably make it possible to prevent their alteration, loss, unauthorised processing or access."

Having established that the obligation of means imposed by article 32 of the RGPD consists of adopting security measures in the processing aimed at preventing a security breach, those measures must be established on the basis of the risks analysed, taking into account the state of technology at any given time and the level of protection required in relation to the personal data processed.


Consequently, the analysis to be carried out in order to determine whether the infringement has occurred consists of determining whether the measures were sufficient to prevent or reduce the risk of a security breach. In this case, it must be checked whether the measures were adequate to ensure that no unauthorised access to the claimant's clinical history, such as the one that occurred in this case, could take place. This is independent of whether that access actually occurred or not.


It is appropriate to analyse the allegations made in this procedure by the DEPARTMENT OF HEALTH. In relation to the security measures established:

    - In application of the National Security Scheme, user activities are logged, retaining the information necessary to monitor, analyse, investigate and document improper or unauthorised activities, making it possible to identify the acting person at all times.

    - A process of reactive and proactive audits has been implemented; the latter are monthly and follow a specific structure and monitoring, in order to meet the requirements of the Ministry of Health in the event of inappropriate accesses to medical records.

    - Profiles for the use of the tool are segregated according to the duties of each position, limiting each user's access to the minimum.

    - Employees sign a Confidentiality Commitment, through which the worker is informed, when formalising his or her employment relationship, of his or her duties in this matter.

    - An information box (banner) is displayed warning that access to the platform must be for healthcare purposes.

And in relation to other considerations, it states:

    - The clinical history is an instrument designed fundamentally to guarantee adequate patient care; that is, the medical history must be accessible in such a way as to ensure that adequate care is provided to each patient.

    - Training is provided on the security of personal data.

    - The appropriate investigations were carried out, leading to the actions necessary to resolve the events that occurred, and the person who made the improper access to the history could be identified at all times.

    - The mitigating measures carried out by the Hospital, in response to the affected person's request, consisted of a warning.

Finally, it cites the AEPD sanctioning procedure No. AP/00056/2014. In that resolution, issued on 9 February 2021, the AEPD had occasion to rule on possible improper and unjustified accesses to the clinical history of a patient who was a worker of the Madrid Health Service. The AEPD, the interested party states, concluded that SERMAS had established sufficient security measures.
In relation to these allegations, the following must be stated:


Of the five security measures described, it can be ruled out from the outset that four of them can be effective in preventing unauthorised access. First, logging accesses or carrying out audits are measures for reacting a posteriori, once the access has already occurred. Second, the banner has only an informative purpose and does not prevent the professional from continuing in the event that the access is not justified. Finally, the confidentiality commitment does not, in itself, prevent unauthorised access.

Only the segmentation of access profiles to medical records could be considered a valid and effective tool for avoiding events such as the one in this case. The DEPARTMENT OF HEALTH provides a very detailed annex with the profiles of each type of professional category, distinguishing between administrative and healthcare staff and, within the latter, by types and specialties of staff.

However, a measure that would be basic is not reflected in that document: that each healthcare professional could access the medical records only of those patients on whom they carry out their care activity.

In this sense, article 16 of Law 41/2002, of 14 November, basic regulation of patient autonomy and of rights and obligations regarding clinical information and documentation, provides that "1. The clinical history is an instrument designed fundamentally to guarantee adequate patient care. The care professionals of the centre who carry out the diagnosis or treatment of the patient have access to the patient's clinical history as a fundamental instrument for their adequate care.
2. Each centre shall establish the methods that enable access to the clinical history of each patient by the professionals who assist them" (emphasis ours).

From reading this precept it is clearly inferred that, although the clinical history is the instrument for providing healthcare to the patient, which must be guaranteed, it is equally the case that access to the clinical history may only be made by the professionals who assist the patient, not in general terms but specifically those carrying out the diagnosis or treatment of that patient.

Let us remember that the factual situation that gave rise to this procedure consists of access by a nurse from the Operating Room Service to the records of a patient who received medical care in the Emergency Department.

It is true that, as the interested party states, "the clinical history is an instrument intended fundamentally to guarantee adequate care to the patient, that is, the medical history must be accessible in such a way that it can be ensured that adequate care is provided to each patient", but it is no less true that measures can be implemented, based on the patients assigned to each professional, the service in which they perform their healthcare tasks, and the work shifts of each professional, that prevent a professional from accessing sensitive medical data regarding a patient for whom no care activity whatsoever has been entrusted to them. The strong segregation of profiles that they claim to have implemented did not prevent access to a patient's medical history by a nurse who had not been entrusted with the treatment of that patient. This denotes the absence of adequate security measures.

The failure to adopt a measure such as the one described means that it cannot be considered that there are security measures providing a level of protection adequate to the existing risks. In fact, the DEPARTMENT OF HEALTH itself recognises the unlawfulness of the conduct, since disciplinary proceedings were brought against the person who carried out the improper access, concluding with the imposition of a warning.

In relation to the precedent invoked (file AP/00056/2014), it must be pointed out that this was a sanctioning procedure conducted for events that occurred well before the entry into force of the GDPR. The latter came into force in May 2018, whereas the events occurred in May 2013. In that file, the proceedings were closed on the basis that the DEPARTMENT OF HEALTH demonstrated that it had put into practice the measures required by the now repealed Royal Decree 1720/2007, of 21 December, (RLOPD) approving the regulations implementing Organic Law 15/1999, of 13 December, on the Protection of Personal Data (LOPD).

The system established by the former LOPD differs substantially from that established by the current GDPR. Whereas the former established a system of security measures laid down normatively (in conjunction with the RLOPD), compliance with which was understood to satisfy the security obligations, the current GDPR is based on the principles of proactive responsibility and data protection by design, that is, on establishing the measures that are necessary according to the risks inherent in a given processing. There is therefore no numerus clausus of measures that the data controller must adopt; rather, they must be established case by case on the basis of the risk analysis and the data being processed.

In this regard, article 5.2 GDPR, after listing the principles relating to the protection of personal data, establishes the following:

      "2. The controller shall be responsible for compliance with paragraph 1 and be able to demonstrate it ('proactive responsibility')."

And regarding the principle of data protection by design, the GDPR requires:

      "1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects."


For all these reasons, the reference to the precedent constituted by file AP/00056/2014 is of no relevance, since it was processed under a regulatory framework radically different from the current one.

Furthermore, the AEPD's criterion in relation to this type of unauthorised access has a clear precedent in a sanctioning procedure processed after the entry into force of the GDPR: file reference PS/00250/2021, in which the EXTREMADURA HEALTH SERVICE was sanctioned for a problem identical to the one dealt with in this file. The account of the events states:

      "Inspection actions began upon receipt of a written complaint from A.A.A. (hereinafter, the claimant), in which he states that improper accesses to his medical history were made by a worker of the Extremadura Health Service (hereinafter SES) with the professional category of nurse. The accesses were made without the claimant's authorisation and without any relationship justifying them."


That procedure concluded with the imposition of two sanctions for those events: one for the infringement of article 5.1.f) RGPD, in the terms explained in the proposed resolution, and another for that of article 32 of the Regulation. That is this Agency's criterion in relation to this type of case.



                                           III
In response to the latest allegations presented by the claimed entity, the following must be pointed out:

First of all, we are faced with a special category of personal data (article 9.1 GDPR), to which the principle of prohibition of processing applies unless one of the circumstances provided for in section 2 occurs. Such data therefore carry an inherent danger and must be held to a higher standard of protection.

Recital 51 provides, regarding the special categories of personal data, that:

 "Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection, as the context of their processing could create significant risks to the fundamental rights and freedoms. [...] Such personal data should not be processed, unless processing is allowed in specific cases set out in this Regulation, taking into account that Member State law may lay down specific provisions on data protection in order to adapt the application of the rules of this Regulation for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In addition to the specific requirements for such processing, the general principles and other rules of this Regulation should apply, in particular as regards the conditions for lawful processing. Derogations from the general prohibition on processing such special categories of personal data should be explicitly provided, inter alia, where the data subject gives his or her explicit consent or in respect of specific needs, in particular where the processing is carried out in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms".

It is a priority to determine the role played by the Department of Health.

It follows that the controller of the processing of the data forming part of the clinical history is the health centre, public or private; health centres have the obligation to prepare it, guard it and implement the security measures necessary so that it is not lost, is not communicated to persons with no legitimate interest and cannot be accessed by unauthorised third parties.
The GDPR explicitly introduces the principle of accountability (article 5.2 GDPR); that is, the controller shall be responsible for compliance with the provisions of section 1 of article 5 and must be able to demonstrate it ("proactive responsibility").

Report 0064/2020 of the AEPD Legal Office has clearly stated that "The GDPR has represented a paradigm shift in the approach to regulating the right to the protection of personal data, which is based on the principle of 'accountability' or 'proactive responsibility', as repeatedly pointed out by the AEPD (Report 17/2019, among many others) and as included in the Explanatory Memorandum of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights (LOPDGDD)".

The claimed party, in its capacity as controller of that processing, should have proactively adopted and implemented the technical and organisational measures appropriate to evaluate and guarantee a level of security adequate to the risks of varying likelihood and severity linked to the health data processing it carries out.

For these purposes, article 24 of the RGPD, under the heading "Responsibility of the controller", provides:

       "1. Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.
       2. Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller. (…)"

For its part, article 25 of the RGPD, under the heading "Data protection by design and by default", provides:

       "1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.

       2. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons. (…)"

Likewise, article 28.1 of the LOPDGDD states that:

       "Controllers and processors, taking into account the elements listed in articles 24 and 25 of Regulation (EU) 2016/679, shall determine the appropriate technical and organisational measures that must be applied in order to guarantee and certify that the processing is in accordance with the aforementioned Regulation, with this organic law, its implementing regulations and the applicable sectoral legislation."

Consequently, the controller's responsibility must be established for any processing of personal data carried out by it or on its behalf. In particular, the controller must be obliged to apply timely and effective measures and must be able to demonstrate the conformity of the processing activities with the GDPR, including the effectiveness of the measures (GDPR recital 74).

In summary, this principle requires a conscious, diligent, committed and proactive attitude on the part of the controller in relation to all processing of personal data that it carries out.


In the present case, the claimed entity is accused of failing to implement the technical and organisational measures necessary to guarantee a level of security appropriate to the risk derived from the processing of patients' health data (a special category of personal data under article 9.1 of the RGPD), in order to prevent the violation of the principle of confidentiality, as emerges from the assessment of the set of facts analysed.

In general, it should be noted that in the processing of medical records one must not wait until the improper access has occurred in order to react afterwards (which would shift responsibility to the worker instead of the controller) but, on the basis of the aforementioned principles of proactive responsibility and data protection by design, prevent the improper access from occurring.


From the above, it is evident that the defendant, as controller of the processing under examination, has not shown the diligence that was required to establish the security measures necessary to prevent the leakage or dissemination of this type of data to third parties. In this sense, the technical and organisational measures must be configured so that, before the processing of personal data is carried out, it is guaranteed that only the personnel who carry out their care activity on the data subject can access his or her records.

If the computer application that controls access to medical records were correctly programmed, it could determine, at the moment access is requested, whether the person requesting it (depending on their specialty, shift or activity at that moment) is legitimately entitled to access the record.

Finally, data protection by design must be complemented by the implementation of periodic audits, so that failures in the system can be detected which, in turn, would advise modifying the access protocols in the event of undue accesses.
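The access model described in the preceding paragraphs, as an added example in Python that is not part of the decision or of the Madrid Health Service's systems: it contrasts the profile-only check with one that evaluates, at request time, the professional's care relationship with the patient (assignment, service, shift), and replays the access log to surface undue accesses; every name, identifier and timestamp below is constructed.

```python
"""Relationship-based access check for clinical records, with audit replay.

Added example, not code from the AEPD decision or from the Madrid Health
Service. A profile-only model lets any clinical profile open any record; the
decision calls for a check, made at request time, that the professional is
entrusted with an active care episode for that patient (or works in the
service providing it) and is on shift, plus an audit that replays the access
log to surface undue accesses. All identifiers and timestamps are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

CLINICAL_ROLES = {"physician", "nurse"}


@dataclass(frozen=True)
class Professional:
    user_id: str
    role: str             # professional category, i.e. the access profile
    service: str          # unit the professional works in, e.g. "ER" or "OR"
    shift_start: datetime
    shift_end: datetime


@dataclass(frozen=True)
class Encounter:
    """A care episode: the unit treating the patient and the staff entrusted with it."""
    patient_id: str
    service: str
    assigned_staff: frozenset
    start: datetime
    end: Optional[datetime] = None  # None while the episode is still open

    def active_at(self, when: datetime) -> bool:
        return self.start <= when and (self.end is None or when <= self.end)


def profile_only_check(prof: Professional) -> str:
    """Profile segregation alone, as described by the controller: the role decides."""
    return "ALLOW" if prof.role in CLINICAL_ROLES else "DENY"


def care_relationship_check(prof, patient_id, encounters, when):
    """Decide at request time whether this professional may open this record.

    Returns (decision, reason). Access is allowed only for a clinical profile,
    on shift, with an active episode for the patient to which the professional
    is assigned or which is provided by the professional's own service.
    """
    if prof.role not in CLINICAL_ROLES:
        return "DENY", "non-clinical profile"
    if not (prof.shift_start <= when <= prof.shift_end):
        return "DENY", "outside the professional's shift"
    active = [e for e in encounters if e.patient_id == patient_id and e.active_at(when)]
    if not active:
        return "DENY", "no active care episode for this patient"
    for episode in active:
        if prof.user_id in episode.assigned_staff:
            return "ALLOW", "assigned to the patient's care"
        if episode.service == prof.service:
            return "ALLOW", "same service as the care episode"
    return "DENY", "no care relationship with the patient"


def audit_replay(log, staff, encounters):
    """Replay a profile-only access log (user_id, patient_id, timestamp) through
    the relationship check and return the accesses it would have denied: the
    undue accesses the decision says periodic audits must surface."""
    undue = []
    for user_id, patient_id, when in log:
        decision, reason = care_relationship_check(staff[user_id], patient_id,
                                                   encounters, when)
        if decision == "DENY":
            undue.append((user_id, patient_id, reason))
    return undue


# Constructed sample data mirroring the case: an Operating Room (OR) nurse opens
# the record of a patient treated in the Emergency Department (ER).
T0 = datetime(2021, 3, 1, 8, 0, tzinfo=timezone.utc)
SHIFT = (T0, T0.replace(hour=15))
STAFF = {p.user_id: p for p in (
    Professional("dr_er", "physician", "ER", *SHIFT),
    Professional("nurse_er", "nurse", "ER", *SHIFT),
    Professional("nurse_or", "nurse", "OR", *SHIFT),
    Professional("clerk", "admin", "ER", *SHIFT),
)}
ENCOUNTERS = [Encounter("P-0001", "ER", frozenset({"dr_er", "nurse_er"}), T0)]
SAMPLE_LOG = [
    ("dr_er", "P-0001", T0.replace(hour=9)),
    ("nurse_or", "P-0001", T0.replace(hour=10)),  # the improper access
    ("nurse_er", "P-0001", T0.replace(hour=20)),  # assigned, but after the shift
]

if __name__ == "__main__":
    for user_id, patient_id, when in SAMPLE_LOG:
        prof = STAFF[user_id]
        print(user_id, profile_only_check(prof),
              care_relationship_check(prof, patient_id, ENCOUNTERS, when))
    print("undue accesses found by audit:", audit_replay(SAMPLE_LOG, STAFF, ENCOUNTERS))
```

The profile-only check allows the OR nurse's request, while the relationship check denies it and the audit replay lists it as undue alongside the after-shift access.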
Consequently, the allegations must be rejected, since the arguments presented neither distort the essential content of the infringement declared to have been committed nor constitute sufficient justification or exculpation.

The claimed entity is charged with committing an infringement for violation of article 5.1.f) of the RGPD, which governs the principle of confidentiality and integrity of personal data as well as the controller's proactive responsibility to demonstrate compliance, and of article 32 of the GDPR.
                                            IV


Regarding health data, recital 35 of the GDPR states the following:

"Personal data concerning health should include all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject. This includes information about the natural person collected in the course of the registration for, or the provision of, health care services as referred to in Directive 2011/24/EU of the European Parliament and of the Council to that natural person; a number, symbol or particular assigned to a natural person to uniquely identify the natural person for health purposes; information derived from the testing or examination of a body part or bodily substance, including from genetic data and biological samples; and any information on, for example, a disease, disability, disease risk, medical history, clinical treatment or the physiological or biomedical state of the data subject, independent of its source, for example from a physician or other health professional, a hospital, a medical device or an in vitro diagnostic test."


For its part, article 4 of the GDPR defines:

"2) 'processing': any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

7) 'controller': the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

10) 'third party': a natural or legal person, public authority, agency or body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or processor, are authorised to process personal data;"





                                           V
The processing of data from medical records is regulated in Law 41/2002, of 14 November, basic regulation of patient autonomy and of rights and obligations regarding clinical information and documentation.

Its article 3 states:


"Clinical history: the set of documents containing the data, assessments and information of any kind about the situation and clinical evolution of a patient throughout the care process."


Article 16 establishes the uses of the medical history:

"1. The clinical history is an instrument designed fundamentally to guarantee adequate patient care. The care professionals of the centre who carry out the diagnosis or treatment of the patient have access to the patient's clinical history as a fundamental instrument for their adequate care.

2. Each centre shall establish the methods that enable access to the clinical history of each patient by the professionals who assist them."


                                            VI
                                Article 5.1.f) of the GDPR

Article 5.1.f) of the RGPD establishes the following:

"Article 5 Principles relating to processing:

1. Personal data shall be:

(…)

f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality')."

In relation to this principle, Recital 39 of the aforementioned GDPR states that:

"[…] Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing."

It must be added that the data to which a third party has had access fall within the special categories provided for in art. 9 of the RGPD, a circumstance that represents an added risk which must be assessed in the risk management study and which increases the degree of protection required in relation to the security and safeguarding of the integrity and confidentiality of these data.


Consequently, the proven facts are considered to constitute an infringement, attributable to the claimed party, for violation of article 5.1.f) of the GDPR.

                                           VII
                Classification of the violation of article 5.1.f) of the RGPD


Article 83.5 of the GDPR provides the following:

"5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to EUR 20 000 000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher:

    a) the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9;"


For its part, article 71 of the LOPDGDD, under the heading "Infringements", provides as follows:

"The acts and conduct referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law, constitute infringements."

For the purposes of the limitation period for infringements, article 72 of the LOPDGDD, under the heading "Infringements considered very serious", establishes the following:

"1. In accordance with article 83.5 of Regulation (EU) 2016/679, the infringements that involve a substantial violation of the articles mentioned therein are considered very serious and shall become time-barred after three years, in particular the following:

          a) The processing of personal data in violation of the principles and guarantees established in article 5 of Regulation (EU) 2016/679."

                                           VIII

                                  Article 32 of the GDPR


Article 32 of the GDPR, security of processing, establishes the following:

         1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

          a) the pseudonymisation and encryption of personal data;

          b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

          c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

          d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

         2. In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed (the emphasis is the AEPD's).
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 22/26









Recital 75 of the GDPR lists a series of factors or situations associated with risks to
the rights and freedoms of data subjects:

“The risk to the rights and freedoms of natural persons, of varying likelihood and
severity, may result from personal data processing which could lead to physical,
material or non-material damage, in particular: where the processing may give rise to
discrimination, identity theft or fraud, financial loss, damage to the reputation, loss
of confidentiality of personal data protected by professional secrecy, unauthorised
reversal of pseudonymisation, or any other significant economic or social disadvantage;
where data subjects might be deprived of their rights and freedoms or prevented from
exercising control over their personal data; where personal data are processed which
reveal racial or ethnic origin, political opinions, religion or philosophical beliefs,
trade union membership, and the processing of genetic data, data concerning health or
data concerning sex life or criminal convictions and offences or related security
measures; where personal aspects are evaluated, in particular analysing or predicting
aspects concerning performance at work, economic situation, health, personal preferences
or interests, reliability or behaviour, location or movements, in order to create or use
personal profiles; where personal data of vulnerable natural persons, in particular of
children, are processed; or where processing involves a large amount of personal data
and affects a large number of data subjects.”


In the present case, as stated in the facts and in the context of file E/05028/2021, the
AEPD requested the party complained against to provide the date and time of the accesses,
the details of the type of data accessed, and the documentation accrediting the
justification for those accesses. In the documentation provided, the party complained
against merely acknowledges that the accesses took place; it neither addresses their
legitimacy nor provides a copy of the investigation that was required.

The consequence of this deficient implementation of security measures was the exposure
to an unrelated third party of personal data relating to the health of the complainant.
In other words, the data subject was deprived of control over the personal data
contained in her clinical history.

It must be added that the data to which the third party had access fall within the
special categories provided for in Article 9 of the RGPD, a circumstance that represents
an added risk which must be assessed in the risk management study and which raises the
degree of protection required with regard to the security and safeguarding of the
integrity and confidentiality of those data.

This risk must be taken into account by the controller, who must establish the technical
and organisational measures necessary to prevent loss of control over the data by the
controller and, consequently, by the data subjects who provided them.



Therefore, the proven facts constitute an infringement, attributable to the party
complained against, of Article 32 of the RGPD.


                                            IX

                  Classification of the violation of article 32 of the RGPD

The aforementioned infringement of Article 32 of the RGPD constitutes one of the
infringements typified in Article 83.4 of the RGPD, which, under the heading “General
conditions for imposing administrative fines”, provides:

“Infringements of the following provisions shall, in accordance with paragraph 2, be
subject to administrative fines up to EUR 10 000 000 or, in the case of an undertaking,
up to 2 % of the total worldwide annual turnover of the preceding financial year,
whichever is higher:

       a) the obligations of the controller and the processor pursuant to Articles 8,
           11, 25 to 39, 42 and 43; (…)”


In this regard, the LOPDGDD, in its Article 71 “Infringements”, establishes that
“The acts and conduct referred to in sections 4, 5 and 6 of Article 83 of Regulation
(EU) 2016/679, as well as those that are contrary to this Organic Law, constitute
infringements.”


For the purposes of the limitation period, Article 73 “Infringements considered serious”
of the LOPDGDD indicates:

“On the basis of Article 83.4 of Regulation (EU) 2016/679, infringements that involve a
substantial breach of the articles mentioned therein are considered serious and become
time-barred after two years, in particular the following:

f) The failure to adopt those technical and organisational measures that are appropriate
to ensure a level of security appropriate to the risk of the processing, in the terms
required by Article 32.1 of Regulation (EU) 2016/679.”








                                            X

                                    Responsibility

Law 40/2015, of October 1, on the Legal Regime of the Public Sector, in Chapter III on
the “Principles of the Sanctioning Power”, establishes the following in Article 28,
under the heading “Responsibility”:



“1. Only natural and legal persons may be sanctioned for acts constituting an
administrative infringement, as well as, where a Law recognises their capacity to act,
groups of affected persons, associations and entities without legal personality, and
independent or autonomous estates, that are responsible for those acts by way of intent
or negligence.”

The lack of diligence in implementing appropriate security measures, with the resulting
breach of the principle of confidentiality, constitutes the element of fault.


                                           XI
                                        Sanction

Article 83 “General conditions for imposing administrative fines” of the GDPR
establishes in section 7:

“Without prejudice to the corrective powers of supervisory authorities pursuant to
Article 58(2), each Member State may lay down the rules on whether and to what extent
administrative fines may be imposed on public authorities and bodies established in that
Member State.”


Likewise, Article 77 “Regime applicable to certain categories of controllers or
processors” of the LOPDGDD provides the following:

“1. The regime established in this article shall apply to processing for which the
following are controllers or processors:

(…)

c) The General State Administration, the Administrations of the autonomous communities
and the entities that make up the Local Administration.

2. When the controllers or processors listed in section 1 commit any of the infringements
referred to in Articles 72 to 74 of this Organic Law, the competent data protection
authority shall issue a resolution sanctioning them with a warning. The resolution shall
likewise establish the measures to be adopted so that the conduct ceases or the effects
of the infringement committed are corrected.

The resolution shall be notified to the controller or processor, to the body on which it
hierarchically depends, where applicable, and to the affected persons who have the status
of interested party, where applicable.

3. Without prejudice to the previous section, the data protection authority shall also
propose the initiation of disciplinary proceedings when there is sufficient evidence to
do so. In that case, the procedure and the sanctions to be applied shall be those
established in the applicable legislation on disciplinary or sanctioning regimes.

Likewise, when the infringements are attributable to authorities and managers, and the
existence of technical reports or recommendations on the processing that were not duly
heeded is proven, the resolution imposing the sanction shall include a reprimand naming
the responsible position and shall order its publication in the Official State Gazette or
the corresponding autonomous community gazette.

(…)

5. The actions taken and the resolutions issued under this article shall be communicated
to the Ombudsman or, where appropriate, to the equivalent institutions of the autonomous
communities.”

In the present case, it is considered appropriate to sanction the party complained
against with a warning for the infringement of Article 5.1.f) of the RGPD and for the
infringement of Article 32 of the GDPR, owing to the lack of diligence in implementing
appropriate security measures, with the resulting breach of the principle of
confidentiality.

                                          XII
                                       Measures


Article 58.2 of the GDPR provides: “Each supervisory authority shall have all of the
following corrective powers:

        d) to order the controller or processor to bring processing operations into
compliance with the provisions of this Regulation, where appropriate, in a specified
manner and within a specified period;”

Likewise, it is appropriate to impose the corrective measure described in Article
58.2.d) of the RGPD and to order the party complained against to establish, within one
month, adequate security measures so that its processing is brought into line with the
requirements of Articles 5.1.f) and 32 of the RGPD, preventing similar situations from
recurring in the future.

The text of this resolution sets out which infringements were committed and the events
that gave rise to the breach of the data protection rules, from which the measures to be
adopted can clearly be inferred, without prejudice to the fact that the choice of the
specific procedures, mechanisms or instruments for implementing them lies with the
sanctioned party, since it is the controller that fully knows its own organisation and
must decide, on the basis of accountability and the risk-based approach, how to comply
with the GDPR and the LOPDGDD.


Therefore, in accordance with the applicable legislation and having assessed the criteria
for grading the sanctions for the infringements whose existence has been proven, the
Director of the Spanish Data Protection Agency RESOLVES:

FIRST: TO SANCTION with a WARNING the HEALTH DEPARTMENT OF THE COMMUNITY OF MADRID, with
NIF S7800001E, for an infringement of Article 5.1.f) of the RGPD, typified in Article
83.5 of the RGPD.

SECOND: TO SANCTION with a WARNING the HEALTH DEPARTMENT OF THE COMMUNITY OF MADRID, with
NIF S7800001E, for an infringement of Article 32 of the RGPD, typified in Article 83.4
of the RGPD.

THIRD: TO REQUIRE the HEALTH DEPARTMENT OF THE COMMUNITY OF MADRID to implement, within
one month, the corrective measures necessary to bring its actions into line with the
personal data protection rules and to prevent similar events from recurring in the
future, and to inform this Agency within the same period of the measures adopted.

FOURTH: TO NOTIFY this resolution to the HEALTH DEPARTMENT OF THE COMMUNITY OF MADRID,
with NIF S7800001E.

FIFTH: TO COMMUNICATE this resolution to the Ombudsman, in accordance with Article 77.5
of the LOPDGDD.

In accordance with Article 50 of the LOPDGDD, this Resolution will be made public once it
has been notified to the interested parties.


Against this resolution, which puts an end to the administrative procedure in accordance
with Article 48.6 of the LOPDGDD, and in accordance with Article 123 of the LPACAP, the
interested parties may optionally file an appeal for reconsideration before the Director
of the Spanish Data Protection Agency within one month from the day following
notification of this resolution, or directly file a contentious-administrative appeal
before the Contentious-Administrative Chamber of the National Court, in accordance with
Article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13,
regulating the Contentious-Administrative Jurisdiction, within two months from the day
following notification of this act, as provided for in Article 46.1 of that Law.

Finally, it is noted that, in accordance with Article 90.3 a) of the LPACAP, the final
resolution may be provisionally suspended through administrative channels if the
interested party expresses the intention to file a contentious-administrative appeal.
If so, the interested party must formally communicate this fact in writing addressed to
the Spanish Data Protection Agency, submitted through the Agency's Electronic Registry
[https://sedeagpd.gob.es/sede-electronica-web/] or through any of the other registries
provided for in Article 16.4 of the aforementioned Law 39/2015, of October 1. The
interested party must also provide the Agency with documentation proving that the
contentious-administrative appeal was actually filed. If the Agency is not made aware of
the filing of the contentious-administrative appeal within two months from the day
following notification of this resolution, the precautionary suspension will end.
                                                                               938-120722
Mar España Martí
Director of the Spanish Data Protection Agency






