AEPD (Spain) - EXP202202889

From GDPRhub
AEPD - 00108-2022
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 12 GDPR
Article 15 GDPR
article 13, LOPDGDD
article 15, 18, Ley 41/2002
Type: Complaint
Outcome: Upheld
Decided: 06.09.2022
Fine: n/a
Parties: Dentoestetic Centro de Salud y Estética Dental SI
National Case Number/Name: 00108-2022
European Case Law Identifier: PD
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Patrikmatos

The Spanish DPA has obliged a dental clinic to respond, in ten days, a patient who had requested his clinical records without receiving any answer, as it was considered a legitimate exercise of his right to access.

English Summary


The data subject requested access to his medical records, but the controller, a dental clinic, did not respond. Therefore, the Spanish DPA has ordered the defendant to present the answer within ten days.


According to the Spanish DPA, the data subject’s request is assured by the right to Access of his medical records, so the controller could not let him with no answers, even if it claimed there was no data subject’s data in its records. That is because the request has forced the clinic to give to the claimant an express response, including any justified reasons for denying the request or for requesting any rectifications that might be necessary. Since the clinic did not observe the requirements of art. 15 and 18 of the Spanish regulation regarding clinical information and documentation (“Ley Española 41/2002”), nor the provisions on transparency of information and right to access that are in the art. 12 and 15 of GDPR, the Spanish DPA imposed to the clinic the obligation to observe the right of access exercised by the claimant, or at least expressly deny it with a motivated reason.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

RESOLUTION Nº: R/00649/2022
Considering the claim formulated on March 1, 2022 before this Agency by A.A.A. (hereinafter the claimant), against DENTOESTETIC CENTRO DE SALUD Y ESTÉTICA DENTAL, S.L. (hereinafter the claimed party), for not having duly attended to their request to exercise the rights established in the
Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 regarding the protection of natural persons with regard to the processing of personal data and the free circulation of these data (hereinafter, GDPR) . The procedural actions provided for in Title VIII of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of
digital rights (hereinafter LOPDGDD), the following have been verified: FACTS FIRST: The claimant exercised the right of access to his medical history against the claimant, without his request having received the legally established response. The complaining party provides various documentation related to the claim filed with this Agency and on the exercise of the exercised right. SECOND: Once the procedure provided for in article 65.4 of the LOPDGDD was completed, the claim was admitted for processing and the entity claimed was granted a hearing procedure, so that within fifteen business days it could present the allegations it deems appropriate. The requested entity has not accredited, on the occasion of the formalized procedures, that it has responded to the request for the exercise of rights that was presented to it by the complaining party. FUNDAMENTALS OF LAW FIRST: The Director of the Spanish Data Protection Agency is competent to resolve, in accordance with the provisions of section 2 of article 56 in
relation to section 1 f) of article 57, both of the GDPR; and in article 47 of the LOPDGDD. SECOND: In accordance with the provisions of article 55 of the GDPR, the Spanish Agency for Data Protection is competent to carry out the functions assigned to it in article 57, including that of enforcing the Regulation and promoting public awareness. the managers and those in charge of the treatment about the obligations incumbent on them, as well as to treat the claims presented by an interested party and investigate the reason for them. Correlatively, article 31 of the GDPR establishes the obligation of those responsible and in charge of the treatment to cooperate with the control authority that requests it in
the performance of their functions. In the event that they have designated a data protection officer, article 39 of the GDPR attributes to the latter the function of cooperating with said authority. In the same way, the internal legal system, in article 65.4 of the LOPDGDD, has provided for a mechanism prior to the admission for processing of the claims that are formulated before the Spanish Agency for Data Protection, which consists of transferring them to the data protection delegates appointed by those responsible or in charge of the treatment, for the purposes provided in article 37 of the aforementioned standard, or to them when they have not designated them, so that they proceed to the analysis of said claims and respond to them within the term of one month. In accordance with this regulation, prior to the admission for processing of the
claim that gives rise to this procedure, it was forwarded to the responsible entity so that it could proceed with its analysis, respond to this Agency within a period of one month and certify that it provided the claimant with the appropriate response, in the event of exercise of the rights regulated in articles 15 to 22 of the GDPR. The result of said transfer did not make it possible to understand the claimants' claims satisfied. Consequently, on May 19, 2022, for the purposes provided for in article 64.2 of the LOPDGDD, the Director of the Spanish Agency for Data Protection agreed to admit the claim submitted for processing. Said agreement for admission to processing determines the opening of this procedure for lack of attention to a request to exercise the rights established in the
articles 15 to 22 of the GDPR, regulated in article 64.1 of the LOPDGDD, according to which: “1. When the procedure refers exclusively to the lack of attention to a request to exercise the rights established in articles 15 to 22 of Regulation (EU) 2016/679, it will begin with an agreement for admission to processing, which will be adopted in accordance with the established in the following article. In this case, the term to resolve the procedure will be six months from the date on which the claimant was notified of the agreement for admission to processing. After that period, the interested party may consider his claim upheld. The depuration of administrative responsibilities within the framework is not considered opportune.
of a disciplinary procedure, the exceptional nature of which implies that, whenever possible, the prevalence of alternative mechanisms that are protected by current regulations is chosen. It is the exclusive competence of this Agency to assess whether there are administrative responsibilities that must be cleared in a disciplinary procedure and, consequently, the decision on its opening, there being no obligation to initiate a procedure before any request made by a third party. Said decision must be based on the existence of elements that justify said initiation of the sanctioning activity, circumstances that do not occur in the present case, considering that with this procedure the guarantees and rights of the claimant are duly restored. THIRD: The rights of individuals regarding the protection of personal data are regulated in articles 15 to 22 of the GDPR and 13 to 18 of the LOPDGDD. The rights of access, rectification, deletion, opposition, right to limitation of treatment and right to portability are contemplated. The formal aspects related to the exercise of these rights are established in articles 12 of the GDPR and 12 of the LOPDGDD. Furthermore, what is expressed in Recitals 59 et seq. of the GDPR is taken into account. In accordance with the provisions of these regulations, the data controller
must arbitrate formulas and mechanisms to facilitate the interested party to exercise their rights, which will be free of charge (without prejudice to the provisions of articles 12.5 and 15.3 of the GDPR), and is obliged to respond to requests made no later than one month, except that can demonstrate that it is not in a position to identify the interested party, and to express its reasons in case it was not going to attend said
request. The proof of compliance with the duty to respond to the request for the exercise of their rights made by the affected party falls on the person responsible. The communication addressed to the interested party on the occasion of their request must be expressed in a concise, transparent, intelligible and easily accessible manner, with a
clear and simple language. In the case of the right of access to personal data, in accordance with the
established in article 13 of the LOPDGDD, when the exercise of the right refers to a large amount of data, the controller may request the affected party to specify the "data or processing activities to which the request refers". The right will be understood as granted if the person in charge provides remote access to the data, taking the request for granted (although the interested party may request the information referring to the points provided in article 15 of the GDPR). The exercise of this right may be considered repetitive on more than one occasion during the period of six months, unless there is legitimate cause for it. On the other hand, the request will be considered excessive when the affected party chooses a means
other than the one offered that involves a disproportionate cost, which must be borne by the affected party.
FOURTH: In accordance with the provisions of article 15 of the GDPR and article 13 of the LOPDGDD, "the interested party has the right to obtain from the data controller confirmation of whether or not personal data concerning him or her is being processed and, in such case, the right of access to personal data”. Like the rest of the rights of the interested party, the right of access is a very personal right. It allows the citizen to obtain information about the treatment that is being made of their data, the possibility of obtaining a copy of the personal data that concerns them and that are being processed, as well as
information, in particular, on the purposes of the processing, the categories of personal data concerned, the recipients or categories of recipients to whom the personal data was communicated or will be communicated, the expected period or conservation criteria, the possibility of exercise other rights, the right to file a claim with the control authority, the information available on the origin of the data (if these have not been obtained directly from the owner), the existence of automated decisions, including profiling, and information about transfers of personal data to a third country or to an international organization. The possibility of obtaining a copy of the personal data subject to treatment will not negatively affect the rights and freedoms of others, that is, the right of access will be granted in such a way that it does not affect the data of third parties. The right of access in relation to the clinical history is specifically regulated in article 18 of Law 41/2002, of November 14, basic regulation of Patient Autonomy and Rights and Obligations in the field of Clinical Information and Documentation (in hereinafter LAP), whose literal wording expresses: “1. The patient has the right of access, with the reservations indicated in section 3 of this article, to the documentation of the clinical history and to obtain a copy of the data contained therein. The health centers will regulate the procedure that guarantees the observance of these rights. 2. The patient's right of access to the clinical history can also be exercised by duly accredited representation. 3. The patient's right of access to the documentation of the clinical history cannot be exercised to the detriment of the right of third parties to the confidentiality of the data contained therein collected for the therapeutic interest of the patient, nor to the detriment of the right of professionals participants in its preparation, which
They can oppose the right of access to the reservation of their subjective annotations. 4. Health centers and individual practice physicians will only provide access to the clinical history of deceased patients to persons related to them, for family or factual reasons, unless the deceased had expressly prohibited it and this is proven. In any case, the access of a third party to the
medical history motivated by a risk to your health will be limited to the pertinent data. No information will be provided that affects the privacy of the deceased or the subjective notes of professionals, or that harms third parties. In this sense, it is necessary to highlight article 15 of the LPA that includes the minimum content of the clinical history: “1. The clinical history will incorporate the information that is considered transcendental for the truthful and updated knowledge of the patient's state of health. Every patient or
The user has the right to have a record, in writing or in the most appropriate technical support, of the information obtained in all their care processes, carried out by the health service, both in the field of primary care and specialized care. 2. The main purpose of the clinical history is to facilitate health care, leaving a record of all the data that, under medical criteria, allow accurate and updated knowledge of the state of health. The minimum content of the clinical history will be the following: a) The documentation related to the clinical-statistical sheet. b) The entry authorization. c) The emergency report. d) Anamnesis and physical examination. d) Evolution. f) Medical orders. g) The interconsultation sheet. h) Complementary examination reports. i) Informed consent. j) The anesthesia report. k) The operating room report or delivery record. l) The pathology report. m) The evolution and planning of nursing care. n) The therapeutic application of nursing. ñ) The graph of constants. o) The clinical discharge report. Paragraphs b), c), i), j), k), I), ñ) and o) will only be required in the completion of the clinical history in the case of hospitalization processes or as provided. 3. The completion of the clinical history, in aspects related to direct patient care, will be the responsibility of the professionals who
intervene in it. 4. The clinical history will be taken with unity and integration criteria, in each
healthcare institution, as a minimum, to facilitate the best and most timely knowledge by physicians of the data of a certain patient in each healthcare process” (the underlining is from the Spanish Agency for Data Protection). Regarding the conservation of the clinical history, article 17 of the LPA, in its points 1 and 5, provides that: “1. Health centers have the obligation to keep clinical documentation in conditions that guarantee its proper maintenance and safety, although not
necessarily in the original support, for due care to the patient during the time appropriate to each case and, at least, five years from the date of discharge of each care process...
5. Health professionals who carry out their activity individually are responsible for the management and custody of the healthcare documentation they generate.” FIFTH: In the case analyzed here, the complaining party exercised his right of access to the clinical history. After the period established in the aforementioned regulations, your request did not obtain the legally required response. The claimed entity has not responded to the claimant's request or the requirements that have been sent to it by this Agency. The aforementioned rules do not allow the request to be ignored as if it had not been raised, leaving it without the answer that those responsible must necessarily issue, even in the event that there is no data on the interested party in the entity's files or even in those cases in which it does not meet the established requirements, in which case the addressee of said request is also obliged to request the correction of the deficiencies observed or, where appropriate, deny the request with reasons indicating the reasons why it is not appropriate to consider the right concerned.
Therefore, the request that is formulated obliges the person in charge to give an express response, in any case, using any means that justifies the receipt of the response. Since no copy of the necessary communication that must be addressed to the claimant informing him of the decision he has adopted regarding the request for the exercise of rights has been provided, it is appropriate to uphold the claim that gave rise to this procedure. In view of the aforementioned precepts and others of general application, the Director of the Spanish Agency for Data Protection RESOLVES: FIRST: ESTIMATES the claim made by A.A.A. and urge DENTOESTETIC CENTRO DE SALUD Y ESTÉTICA DENTAL, S.L., with NIF B83409797, so that, within ten business days following the notification of this resolution, it sends the claimant a certification by which the right is met. of access exercised or is denied on grounds, indicating the
reasons for which it is not appropriate to attend to the request, in accordance with the provisions of the body of this resolution. The actions carried out as a consequence of this Resolution must be communicated to this Agency within the same period. Failure to comply with this resolution could lead to the commission of the offense considered in article 72.1.m) of the LOPDGDD, which will be penalized accordingly.
according to art. 58.2 of the GDPR. SECOND: NOTIFY this resolution to A.A.A. and to DENTOESTETIC
CENTRO DE SALUD Y ESTÉTICA DENTAL, S.L. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once the interested parties have been notified. Against this resolution, which puts an end to the administrative procedure (article 18.4 of the LOPD), and in accordance with the provisions of article 123 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, An appeal for reinstatement may be optionally filed with the Director of the Spanish Agency for Data Protection, within a month from the day following the notification of this resolution, or a contentious-administrative appeal may be filed directly with the Chamber of Contentious-Administrative Court of the National Court, in accordance with the provisions of article 25 and section 5 of the Fourth Additional Provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within the term two months from the day following the notification of this act, as provided in article 46.1 of the aforementioned legal text.