AEPD (Spain) - TD/00034/2020

From GDPRhub
AEPD - TD/00034/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 9(2)(h) GDPR
Article 9(2)(i) GDPR
Article 17 GDPR
Article 17(3) GDPR
Type: Complaint
Outcome: Rejected
Started:
Decided:
Published:
Fine: None
Parties: n/a
National Case Number/Name: TD/00034/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The AEPD (Spanish DPA) held that where a patient seeks to have their medical records deleted by a controller such as a hospital, they may only be entitled to a partial deletion, particularly where the continued processing of the remaining information would be necessary for public health reasons.

English Summary

Facts

The complainant, a former patient at several hopsitals in Madrid, requested the deletion of certain medical practicioner's notes from her medical history. One of the hospitals to which she made this request responded that they could not comply with the complainant's requst in full because certain information would be necessary for any future physician "to have a true and updated knowledge of your health status, and to provide you with adequate health care".

Dispute

Does Article 17 GDPR entitle a former patient to have all their medical history erased by a controller such as a hospital?

Holding

The AEPD decided that Article 17 GDPR did not give the complainant the right to have all her medical data held by the hospital(s) erased, due to the remaining data being necessary for reasons of public interest in the area of public health.

Comment

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

File No.: TD/00034/2020
RESOLUTION Nº: R/00161/2020
Having regard to the complaint lodged on 22 September 2019 with this Agency by Ms. A.A.A.,  (from now on the complaining party), against CONSEJERIA DESANIDAD DE LA COMUNIDAD DE MADRID - SERVICIO MADRILEÑO DE SALUD, with NIF S7800001E (from now on the complaining party), for not having duly attended to its right of suppression. Once the procedural actions provided for in Title VIII of the Organic Law 3/2018 of 5 December on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD) have been carried out, the following have been found

FIRST FACTS: 
The claimant, dated August 5, 2019, requests the right to withdraw from some notes with which she disagrees made by the physicians who have provided her with medical assistance.                     Subsequently, from October 18, 2019 to February 13, 2020, she has submitted sixteen other documents to different hospitals, in some cases requesting rectification in health centers and hospitals, and in other cases, making complaints because she has not been asked for consent to have MIR students present.   There are also complaints about disagreement with the diagnosis or treatment of the specialists in the different hospitals.                  
The complainant provides numerous responses from hospitals such as SanCarlos in Madrid, the head of patient care in the Madrid Healthcare and Primary Care Management, the Delegate Committee for Data Protection of the Madrid Healthcare Service, and the Doce de Octubre University Hospital, of which the latter provides up to four responses from different departments. There are several responses from various bodies.            
In the complaints presented to this Agency, the complainant speaks of medical treatment, diagnoses and the Law on Patient Autonomy.SECOND: In accordance with the functions set out in Regulation (EU)2016/679, of 27 April 2016, General Data Protection (RGPD), particularly those that respond to the principles of transparency and proactive responsibility on the part of the person responsible for the treatment, the complainant has been required to inform this Agency of the actions that have been taken to deal with the complaint. In summary, the following allegations were made:
-The representative/data protection representative of the respondent states in his submissions of 13 March 2020 that once the request for suppression was received, the necessary internal procedures were carried out to contact the doctors, who are responsible for assessing the interest in care of those requested to be suppressed.   Once this task had been carried out in a unified manner, according to the claimant, the response was sent to the claimant on 17 October 2019. The dispatch to which they refer is documented.                           According to the respondent: "...decided to partially admit said request for suppression, proceeding to eliminate 3 of the 4 annotations made by 3 health professionals from the San Fermin Health Center. The Responsible of the treatment has taken this decision, taking into account the established by the article 17 of the RGPD, as well as the established by the article 15 of the Law 41/2002, of November 14, basic regulator of the autonomy of the patient and of the rights and obligations in the matter of information and clinical documentation, as well as, and the indicated in the Royal Decree 1093/2010, of September 3, by which the minimum set of data of the clinical reports in the National Health System is approved.

LAW ENFORCEMENT FUNDAMENTALS 
FIRST:   The Director of the Spanish Data Protection Agency is competent to decide, in accordance with the provisions of Article 56(2) in relation to Article 57(1)(f), both of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter, RGPD);   anddin Article 47 of the Organic Law 3/2018 of December 5,,onnPersonal Data ProtectionnanddGuarantee of Digital Rights (hereinafter referred too as LOPDGDD). 
SECOND: Article 64.1 of the LOPDGDD, provides that: "1. When the procedure refers exclusively to the lack of attention to an application to exercise the rights established in articles 15 to 22 of Regulation (EU) 2016/679, it will be initiated by an agreement of admission to procedure, which will be adopted in accordance with the provisions of the following article.   Once this period has elapsed, the interested party may consider his claim to have been accepted".
THIRD: Article 12 of Regulation (EU) 2016/679 of 27 April 2016, General Data Protection (GDPS), provides: "1. The controller shall take appropriate measures to provide the data subject with any information referred to in Articles 13 and 14 and any communication pursuant to Articles 15 to 22 and 34 relating to the processing, in concise, transparent, intelligible and easily accessible form, with clear and simple language, in particular any information addressed specifically to a child. The information shall be provided in writing or by other means, including, where appropriate, by electronic means. At the request of the data subject, the information may be provided orally provided that the identity of the data subject is established by other means.2. In the cases referred to in Article 11(2), the controller shall not refuse to act on request of the data subject for the purpose of exercising his rights under Articles 15 to 22, unless he can prove that he is not able to identify the data subject.3. The data controller shall provide the data subject with information concerning his or her actions on the basis of a request pursuant to Articles 15 to 22, and in any case within one month of receipt of the request. This period may be extended by another two months if necessary, taking into account the complexity and number of requests. The official shall inform the applicant of any such extension within one month of receipt of the application, stating the reasons for the delay.   Where the interested party submits the request by electronic means, the information shall be made available by electronic means where possible, unless the interested party requests otherwise.4. If the data controller does not comply with the request of the data subject, he shall inform the data subject without delay, and at the latest one month after receipt of the request, of the reasons for his failure to act and of the possibility of lodging a complaint with a supervisory authority and of taking legal action.5. The information provided under Articles 13 and 14 as well as any communication and any action taken under Articles 15 to 22 and 34 shall be free of charge. (a) charge a reasonable fee commensurate with the administrative costs incurred in providing the information or communication or in taking the action requested; or (b) refuse to act on the request. Without prejudice to Article 11, where the controller has reasonable doubt as to the identity of the natural person making the request referred to in Articles 15 to 21, he may request that additional information necessary to confirm the identity of the data subject be provided.7 The information to be provided to the data subject under Articles 13 and 14 may be transmitted in combination with standardised icons which provide an easily visible, intelligible and clearly legible overview of the intended processing.   Icons presented in electronic form shall be mechanically legible. 8. The Commission shall be empowered to adopt delegated acts in accordance with Article 92 in order to specify the information to be displayed by means of icons and the procedures for providing standard icons.”

FOURTH: Article 12 of the LOPDGDD determines the following:1. The rights recognized in Articles 15 to 22 of Regulation (EU)2016/679, may be exercised directly or through a legal or voluntary representative.2. The data controller shall be obliged to inform the data subject of the means at his disposal to exercise the rights to which he is entitled. The means must be easily accessible to the data subject.   The exercise of the right may not be denied on the sole ground that the data subject has opted for otromedio.3. The person in charge may process, on behalf of the person responsible, the requests for the exercise of his rights made by the affected parties if this is established in the contract or legal act that binds them.4.   When the laws applicable to certain processing operations establish a special regime affecting the exercise of the rights provided for in Chapter III of Regulation (EU) 2016/679, the provisions of those laws shall apply.6. In any case, the holders of parental authority may exercise the rights of access, rectification, cancellation, opposition or any other rights that may correspond to them in the context of this organic law in the name and on behalf of minors under fourteen years of age.7 The actions carried out by the person responsible for the treatment to attend the requests of exercise of these rights will be free of charge, without prejudice to the provisions of articles 12.5 and 15.3 of the Regulation (EU)2016/679 and in the paragraphs 3 and 4 of article 13 of this organic law "
FIFTH: Article 17 of the RGPD states that: "1. The data subject shall have the right to obtain without undue delay from the data controller the deletion of personal data relating to him, who shall be obliged to delete the personal data without undue delay in any of the following circumstances a) personal data are no longer necessary for the purposes for which they were collected or otherwise processed; b) the data subject withdraws the consent on the basis of which the processing was carried out in accordance with Article 6(1)(a) or Article 9(2)(a) and this is not based on any other legal basis; c) the data subject opposes the processing according to Article 21(1) and no other legitimate grounds prevail for the processing, or the data subject opposes the processing according to Article 21(2); (e) personal data must be deleted in order to comply with a legal obligation under Union law or the law of the Member States applicable to the controller Where he has made personal data public and is required, pursuant to paragraph 1, to delete such data, the controller shall, taking into account the technology available and the cost of implementation, take reasonable steps, including technical measures, to inform the controllers who are processing the personal data of the request of the data subject to delete any link to such personal data or any copy or replica thereof. 3. Paragraphs 1 and 2 shall not apply where processing is necessary: (b) in order to comply with a legal obligation requiring the processing of data imposed by Union law or by law of the Member States on the controller or in order to carry out a task carried out in the public interest or in the exercise of public authority vested in the controller; (c) for reasons of public interest in the field of public health in accordance with Article 9(2)(h) and (i) and (3); (d) for archiving purposes in the public interest, for the purposes of scientific or historical research or for statistical purposes, in accordance with Article 89(1), insofar as the right referred to in paragraph 1 is likely to make impossible or seriously impede the achievement of the objectives of such processing; or (e) for the purpose of lodging, exercising or defending complaints. ”
SIXTH: In the case analyzed here, the claimant exercised his right of withdrawal and in accordance with the rules mentioned above, his request obtained the legally required response. We have studied the extensive documentation submitted by the claimant and only those issues raised by the complainant that are included within the object of claims on data protection will be analyzed and assessed. The claimant, through the Data Protection Agency, requests the deletion of certain medical practitioner's notes from her medical history and, as we have verified from the documentation provided by herself, she has been attended to. There is a reply from the Madrid Primary Care Management dated 17 October 2019, in which they inform you: "...we inform you that we have proceeded to process the deletion of the following data (...) As for the note dated 14/06/2016, made by a professional of the San Fermin Health Centre, it is not possible for us to attend to your right of deletion considering it not in accordance with the law, given that taking into account what is indicated in the aforementioned article 15 of the Law on Patient Autonomy, under the criterion it has been determined that such information is necessary for any physician to have a true and updated knowledge of your health status, and to provide you with adequate health care... "There is a request identical to the above and also answered on 11 December 2019. Therefore, we can consider that the majority of the requested suppression has been attended to and the part that has not been suppressed has been rejected, with good reason. Despite having received this response in October 2019, the complainant insisted on sending all types of documentation, treatment, diagnosis, etc.   It is clear that there is a discrepancy between the parties that is related to medical issues. And, which they will have to resolve in other forums, it does not affect the fact that the complainant requested the deletion of four paragraphs and the claimant once he had the information answered saying that he was deleting three of them and the fourth one denied it with reasons.   Therefore, we consider that the right has been fulfilled. 

In view of the aforementioned precepts and others of general application, the Director of the Spanish Data Protection Agency RESOLVES:
FIRST: TO REMOVE the claim formulated by Ms. A.A.A. against the HEALTH COUNCIL OF THE COMMUNITY OF MADRID - MADRID HEALTH SERVICE. 
SECOND: TO NOTIFY this resolution to Ms. A.A.A. and to the CONSEJERIA DESANIDAD DE LA COMUNIDAD DE MADRID - SERVICIO MADRILEÑO DE SALUD. 
In accordance with the provisions of article 50 of the LOPDGDD, this resolution will be made public once it has been notified to the interested parties.  48.6 of the LOPDGDD, and in accordance with the provisions of Article 123 of the LPACAP, the interested parties may, optionally, lodge an appeal for reversal with the Director of the Spanish Data Protection Agency within a period of one month starting from the day following notification of this resolution or the address of the contentious-administrative proceedings before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998 of 13 July, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided for in Article 46. 1 of the aforementioned Law. 
Mar España Martí
Director of the Spanish Data Protection Agency

Translated with www.DeepL.com/Translator (free version)