AEPD (Spain) - EXP202307719
| AEPD - EXP202307719 | |
|---|---|
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 28(2) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | 16.05.2023 |
| Decided: | 10.04.2025 |
| Published: | 10.04.2025 |
| Fine: | 500,000 EUR |
| Parties: | Generalitat Valenciana; Marina Salud S.A. |
| National Case Number/Name: | EXP202307719 |
| European Case Law Identifier: | n/a |
| Appeal: | Not appealed |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | cwa |
A processor was fined €500,000 after appointing sub-processors without authorisation from the controller in violation of Article 28(2) GDPR.
English Summary
Facts
The Ministry of Health and Public Health of Valencia (controller) has engaged the services of Marina Salud (processor) since 2009. The processor is a health organisation providing public health services under a contract.
On 19 January 2023, the controller carried out an inspection on the processor’s premises. The inspection revealed that the processor was using third-party health information system software, and the processor refused to provide the controller with the contract in place between itself and the third party. The inspection also found that third-party software was being used for laboratory and pathology management, the management of anticoagulation treatment, human resources and the management of logistics in the hospital. Two further unauthorised sub-processors had been engaged by the processor, one for IT systems and one for a laboratory information system.
On 27 January 2023, the controller reaffirmed their instructions to the processor for the processing, access and use of the health data, as well as mandating that the processor cannot engage any sub-processors without authorisation.
On 31 January 2023, the controller informed the processor that they were not going to extend the contract for the provision of services between them past its expiration (31 January 2024).
On 16 May 2023, the controller filed a complaint with the AEPD (Spanish DPA).
During the DPA’s investigation, the processor argued that they held a general authorisation from the controller to engage sub-processors.
Holding
The DPA rejected the processor’s claim in respect of having a general authorisation to engage sub-processors. The DPA referenced both an agreement between the controller and processor requiring the controller’s assent before a sub-processor could be engaged, as well as the processor’s obligation in Article 28(2) GDPR.
The DPA found that the processor had infringed Article 28(2) GDPR for engaging a sub-processor without the controller’s authorisation.
In deciding the fine to be imposed, the DPA considered the infringement to be serious in nature. The DPA had regard to the fact that the personal data in question was special category data, that three unauthorised sub-processors had been engaged, and the processor had a high turnover. The DPA levied a fine of €500,000.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/24 File No.: EXP202307719 SANCTIONING PROCEDURE RESOLUTION Based on the procedure initiated by the Spanish Data Protection Agency and based on the following BACKGROUND On November 7, 2024, a resolution proposal was issued, proposing the following: FIRST: The MINISTRY OF UNIVERSAL HEALTH AND PUBLIC HEALTH OF THE VALENCIAN GENERALITY (hereinafter, the complainant) filed a complaint with the Spanish Data Protection Agency on May 16, 2023. The complaint is directed against MARINA SALUD, S.A. with NIF A97563563 (hereinafter, the defendant). The grounds for the complaint are as follows: The complaining party is the contracting body within the framework of a contract related to the provision of healthcare services in the Denia Department of Health (in force since February 1, 2009). It states that the complaining party (the concessionaire), as the data processor, processes specially protected personal data under the responsibility of the Regional Ministry. The following sets forth a series of facts: “- In an inspection carried out on January 19, 2023, the complainant revealed the use of specific software. In this context, the accused party was required to present the license/support and/or service provision contracts signed with the companies that own the healthcare information system applications used at Denia Hospital, but they refused to do so. - On January 31, 2023, the accused party was notified of the intention not to renew the contract and its subsequent termination on January 31, 2024, as well as the rules for the recovery of direct management of the public service. - On January 27, 2023, instructions were issued for the processing, access, and use of data. The aforementioned instructions indicate that the concessionaire will not use another person in charge without authorization from the Regional Ministry." 
In short, the complainant, suspecting that the application of the current data processor is being dismantled, informs the AEPD that the defendant may be violating data protection regulations regarding the obligations of the data processor, putting, in its opinion, the return of the data and the recovery of the service at risk, just a few months before the end of the contract, as well as the security and fundamental rights of the individuals to whom said data relate. It does not provide a copy of the contract between the Regional Ministry and the concessionaire. The following documentation is provided with the complaint: -Instructions for data processing on behalf of third parties in accordance with Article 28 of the General Data Protection Regulation. -Transcript of the inspection carried out on January 19, 2023, at 11:04 a.m. and the record of the inspection carried out (***REFERENCE.1) dated January 19, 2023, at 12:45 p.m., requesting the accused party to provide a copy of the license, assistance, and/or service provision agreements signed with the owners of several applications detailed in the report. -Response from the accused party dated February 1, 2023, to the previous request, stating the following: "Consequently, it is not within the scope of the Health Inspection to request a copy of the license/assistance and/or service provision contracts signed with the companies that own the information system applications indicated in Section II of this document, since requesting this information is not intended to inspect aspects related to the health and public health field." -Request dated February 10, 2023, sent by the complaining party, requesting that they provide the information requested on January 19, 2023, contained in the Inspection Report ***REFERENCE 1. -Third request issued by the complaining party dated March 29, 2023, requesting the information indicated in the first request. 
- Email sent by ***COMPANY.1 on March 28, 2023 to the complaining party, expressing interest in submitting a proposal in the upcoming market consultation, despite, according to their statements, collaborating in the deinstallation of ***SYSTEM.1. - Communication from the contracting authority (complaining party) to the concessionaire of the Denia Health Department (respondent party), regarding the processing of data on behalf of third parties, dated April 6, 2023. SECOND: On June 7, 2023, the Director of the Spanish Data Protection Agency agreed to initiate preliminary investigations into the events described in the complaint. THIRD: The Subdirectorate General of Data Inspection proceeded to carry out preliminary investigations to clarify the facts in question, pursuant to the functions assigned to supervisory authorities in Article 57.1 and the powers granted in Article 58.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), and in accordance with the provisions of Title VII, Chapter I, Section Two, of the LOPDGDD (Spanish Data Protection Act), having learned of the following: Facts revealed in the complaint: By Resolution of the Regional Minister of Health dated February 7, 2005, the company reported was awarded the public service management contract for the provision of Comprehensive healthcare for Area 12, Denia Health Department. The contract was formalized on March 14, 2005, and services began on February 1, 2009. On January 19, 2023, an inspection was carried out at Denia Hospital, in which the Director of Systems and Information Technology of Denia Hospital appeared, accompanied by the Corporate Director of Information Systems of GRUPO RIBERA, the group to which the accused entity belongs. The following were found: -The hospital information system used at Denia Hospital is ***SISTEMA.1, owned by the company ***EMPRESA.3. 
-Laboratory and pathology management is carried out using the ***SISTEMA.2 information system, owned by the company ***EMPRESA.4. -Anticoagulation treatment management uses the ***SISTEMA.3 system from the company ***EMPRESA.6 (since 12/19/2022). -The ***SISTEMA.4 application from the company ***EMPRESA.1 was implemented in Human Resources. -***SISTEMA.5, owned by ***EMPRESA.1, was used to manage hospital and department logistics. -Finally, there is a contract with the company ***EMPRESA.5, which manages infrastructure and telecommunications, and which indicates that it may contract other new services in the future. The inspection requires the submission of the contracts and licenses for the aforementioned products. (ANNEX II and III inspection report). On January 27, 2023, and in order to ensure compliance with data protection regulations, the "Instructions for the processing of data on behalf of third parties pursuant to Article 28 of the General Data Protection Regulation" (ANNEX I) were issued. This document states that the Regional Ministry is responsible for the processing of personal data and requires the concessionaire to process personal data under the Regional Ministry's responsibility, acting as data processor. This document sets out the obligations of Article 28 of the GDPR, specifies the operations to be performed, the category and type of data, and states that the concessionaire will not use another data processor without prior written authorization from the Regional Ministry. Instructions for terminating the service are also specified. The provision of services requires the concessionaire to process specially protected personal data for which the Regional Ministry is responsible, and the concessionaire is the data controller. 
On January 31, 2023, the concessionaire was notified of the intention not to renew the aforementioned contract and was informed of the rules for resuming direct management of the service and elements related to said public service. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/24 On February 1, 2023, a letter was received from the concessionaire (ANNEX IV), in which they communicated their refusal to submit the required documentation (license/assistance and/or service provision contracts signed with the companies that own the healthcare information systems applications used at Denia Hospital and the infrastructure and telecommunications management contract). For this reason, they were requested again on February 10, 2023 (ANNEX V and Vbis), indicating the possible sanctions in case of non-compliance. Finally, they were requested a third time (ANNEX VI). On March 28, 2023, an email was received from the company ***COMPANY.3 (ANNEX VII), in which, among other matters, they indicated the uninstallation of the Millennium system at the concessionaire. On April 6, 2023, MARINA SALUD was notified of the steps to follow in the event that they are modifying or intend to modify the current contract for data processing on behalf of third parties, which is attached as (ANNEX VIII). All the aforementioned ANNEXES correspond to the documentation provided by the complainant on May 15, 2023. Relevant documentation provided by the complainant: - Annex I.- Document "Instructions for data processing on behalf of third parties in accordance with Article 28 of the General Data Protection Regulation" of the Ministry of Universal Health and Public Health of the Generalitat Valenciana, dated January 27, 2023, which indicates that on February 7, 2005, the company MARINA SALUD SA was awarded the public service management concession contract whose purpose was to provide comprehensive healthcare in Area 12, and the contract was formalized on March 14, 2005.
These instructions state: The Ministry of Health is the controller of personal data processing, and the concessionary entity is the data processor. Data processing includes the following operations: collection; adaptation or modification; recording; extraction; Access, verification, or interconnection; organization; consultation; structuring; use; storage; communication by transmission; destruction. Data types: identification and contact data (name and surname, DNI/NIE, postal address, telephone numbers, email address, etc.); personal characteristics data (sex, age, mother tongue, etc.); health data (diagnoses, treatments, vaccinations, diagnostic tests, etc.); other sensitive data (lifestyle, family, work, socioeconomic, etc.); data relating to sexual life; genetic data; professional data (training, qualifications, etc.); employment data (job title, employment history, salaries, etc.). Data categories: Users of the public health system. Regarding subcontracting, it states: "The concessionary entity will not use another data processor without the prior written authorization of the Regional Ministry." Upon termination of the service, the concessionary entity, as determined by the Regional Ministry and in accordance with these instructions, must return all personal data and, once the correct functioning of the public services has been verified and after prior notification to the Regional Ministry, delete any existing copies. The concessionary entity may retain the data, duly blocked, as long as liability may arise from the processing carried out on behalf of the Regional Ministry. It must also facilitate the transfer of the services to the Regional Ministry or to the entity it determines to take over the provision of said services when the current concession ends.
- Annex II.- Document issued by the General Directorate of Research and Advanced Health Inspection of the Ministry of Universal Health and Public Health of the Generalitat Valenciana regarding a health inspection at Denia Hospital dated January 19, 2023. This document requires documentation related to the license and/or services of the applications/companies: ***SYSTEM.1, ***SYSTEM.2, ***SYSTEM.3, ***SYSTEM.4, ***SYSTEM.5, and the Infrastructure and Telecommunications Management Contract with ***COMPANY.5 in the separate Minutes. -Annex III.- Inspection Report No. ***REFERENCE.1 from the Directorate General of Research and High-Level Health Inspection, dated January 19, 2023. A copy of the contracts signed by MARINA SALUD SA with the companies owning ***SYSTEM.1, ***SYSTEM.2, ***SYSTEM.3, ***SYSTEM.4, ***SYSTEM.5, and the Infrastructure and Telecommunications Management Contract with ***COMPANY.5 must be provided within ten days. -Annex IV.- Response dated February 1, 2023, from MARINA SALUD SA to Report No. ***REFERENCE.1, indicating that it is not within the scope of the Health Inspection to request a copy of the contracts. - Annex V and Vbis.- Letter from ***PUESTO.1 dated February 10, 2023, reiterating the request made on January 19, 2023. - Annex VI.- Notification letter dated March 29, 2023, to MARINA SALUD SA, denying the filing of the proceedings and requesting the requested information again. - Annex VII.- Email dated March 28, 2023, sent from ***EMPRESA.1 to the Generalitat Valenciana (gva.es), stating the company's collaboration in the uninstallation of ***SISTEMA.1.
- Annex VIII.- Document entitled "Communication from the contracting authority to the concessionaire of the Department of Health of Denia, regarding the processing of data on behalf of third parties" addressed to MARINA SALUD SA, dated April 6, 2023, which reminds the data processor of their duty to process the data only in accordance with the documented instructions of the controller. Any of the aforementioned changes made without the corresponding authorization would violate the aforementioned instructions of January 27, 2023. RESULTS OF THE INVESTIGATION ACTIONS RIBERA SALUD SA is listed in AXESOR as a Spanish public limited company with the activity "Hospital Activities." Its website riberasalud.com states that it is a business group that provides public and private healthcare services. Among the companies that form part of the Group is MARINA SALUD SA, and its healthcare network includes the Denia Health Hospital. MARINA SALUD SA is listed in AXESOR as a Spanish public limited company with the activity "Hospital Activities." Its website, marinasalud.es, states that it is a healthcare company that provides public healthcare services, including the Denia Hospital. The Denia Hospital, on its website denia.com/hospital-marina-salud/, indicates that the Denia Health Department consists of one hospital, four integrated healthcare centers, eight health centers, 34 clinics, and two additional clinics during the summer. It was launched in 2009. On July 7, 2023, a request for information was sent to the defendant, and the responses received indicate: - The concessionaire has provided the "CONTRACT FOR THE MANAGEMENT OF PUBLIC SERVICES BY CONCESSION" signed with the Regional Ministry, signed on March 14, 2005 (Document No. 1), as well as the Specific Administrative Clauses and the Technical Specifications for said contract (Documents Nos. 2 and 3).
The Personal Data Processing Agreement in compliance with Article 12 of the LOPD (Spanish Data Protection Act), signed by both parties on April 1, 2009, has also been provided (Document No. 4). This Agreement includes, among others, a clause relating to the "Duty of Return and Non-Retention" and "Subcontracting," which states that "the data controller authorizes the data processor to subcontract, on behalf of and for the account of the data controller, the processing of the data necessary for the provision of the services subject to the concession. For these purposes, the Data Processor shall inform the Data Controller of the identity of the companies to which it intends to subcontract the services subject to the contract underlying this agreement, as well as the services that are the subject of this subcontracting. The validity of the power of attorney granted by the data controller (which, in such case, must be in writing) shall be subject to the signing of a written contract between the Data Processor and the subcontracted company, which includes terms similar to those provided for in this agreement, with the full content established in Article 12 of the LOPD (Spanish Data Protection Act) and the express assumption by the data processor on its own behalf and the subcontractor shall be jointly and severally liable for any breach of the terms of processing by the subcontractor. The Data Processor must send the Data Controller a copy of the contract signed between the parties. The Data Controller has the power to revoke the agreement and deny subcontracting if the party fails to comply with applicable regulations. In this case, the data processor shall be solely responsible for the disposition of the information communicated to the subcontractor and must recover it, ensuring that the subcontractor does not store any copies. 
On January 27, 2023, the content of the contract was completed with the "Instructions for the processing of data on behalf of third parties pursuant to Art. 28 of the General Data Protection Regulation." (Document No. 5) which states that "The concessionary entity will not use another data processor without the prior written authorization of the Regional Ministry." The documents relating to the concession are available on the Transparency Portal of the Generalitat Valenciana, through the following link: https://gvaoberta.gva.es/es/concesiones-administrativas sanidad//documentos/UU0OMSTrPZLv/folder/162575572?p_auth=Fb4qewiS Procedure D (Tender Document). -The concessionaire has provided a copy of the contracts signed with third parties, in its capacity as data processor: -Data Protection Agreement, annexed to the contract signed with the company ***COMPANY.3, dated October 6, 2017, related to the use of the application ***SISTEMA.1 (Document No. 14). The annex was signed on September 27, 2018. -Contract for the Provision of Laboratory IT Services, signed with the company ***COMPANY.4, the purpose of which is "the acquisition by MARINA SALUD of the IT solution owned by ***COMPANY.4 called ***SISTEMA.2, which will act as the Laboratory IT System (LIA) for the computerization of the clinical analysis laboratory of the new Denia Hospital" (Document No. 15). This contract was signed on April 16, 2008. They also provide a data processor contract, adapted to the GDPR, dated May 5, 2022. (Document No. 16). -Contract for the provision of license and maintenance services without hosting for the computer application ***SISTEMA.3 and the APP ***SISTEMA.3, signed with the company ***EMPRESA.6. on April 12, 2022, for the use of a license to use the Patient Management Software and the maintenance and technical support service. Annex II contains the provisions related to the provision of services by the subprocessor. (Document No. 17). 
The concessionaire states that the aforementioned subcontracting operations were carried out pursuant to the general power of attorney granted by the Regional Ministry in accordance with the provisions of the eighth clause of the Personal Data Processing Agreement, in compliance with Article 12 of the LOPD (Data Protection Act) provided (Document No. 4), which authorizes the person responsible for the subcontracting. -The concessionaire states that the following contracts are not part of the concession processing order: -Contract for the implementation of the ***EMPRESA.1 and ***SISTEMA.4 tools, signed with ***EMPRESA.7 (Document No. 6), dated July 12, 2010, maintenance services (Document No. 7), and a contract for the improvement of the operation of the system's user areas (Document No. 8), dated October 8, 2010. These contracts were no longer in effect as of the date of the respondent's response of August 14, 2023, since they were signed on November 1, 2009, with a four-year term. - Contract signed with the company ***COMPANY.8 related to the use of the tool ***SISTEMA.4 (Documents Nos. 9, 10) dated 03/22/2011 and updated on 05/09/22. - Framework contract for the provision of information technology services, signed with ***COMPANY.5 (Document No. 11), complementary personal data processing agreement (Document No. 12), and infrastructure and telecommunications services contracted within the scope of the aforementioned framework contract (Document No. 13) dated 03/17/22. -The concessionaire has provided a copy of the following documents: - "Rules for the recovery of direct management of the public comprehensive healthcare service of the Denia Health Department" (Document No. 18), which indicates the non-extension and subsequent termination of the contract, scheduled for January 31, 2024, prepared by the complainant. This document defines the preparatory work for the recovery of management without healthcare impact and specifies the tasks for the year prior to the termination of the contract. In this regard, the concessionaire provides the Decree of May 10, 2023, which admits the contentious-administrative appeal filed before the Superior Court of Justice of the Valencian Community, in relation to the aforementioned Rules (Document No. 19). The aforementioned appeal is against a resolution dated March 27, 2023, which dismissed an appeal for reconsideration against the communication dated January 31, 2023, announcing that the Denia Health Department's healthcare management contract would not be extended. - On January 23, 2024, a communication was published on the Department's website at https://www.san.gva.es/ca/web/sanidad, indicating that on February 1, 2024, the Denia Health Department will be managed by the Department. And on January 24, 2024, a publication by the Regional Minister of Health was published, stating that the transition of public management of the Denia Hospital, which will take effect on February 1, is proceeding smoothly. He indicates that the Regional Ministry has constant and fluid dialogue with the employees, with whom members of the Regional Ministry's direct team are carrying out the transition every day.
(https://valenciaplaza.com/marciano-gomez-afirma-transicion-hospital-denia-siendo-ordenada-serena) (Proceedings of the D Communiqué). - On February 6, 2024, this Agency sent a letter requesting information to the Regional Ministry requesting information and documentation regarding the termination of the concession and the transfer of management of Area 12, Department of Health of Denia, which ended on February 1, 2024. On February 29, 2024, a response was received from ***PUESTO.2, in which it was reported that the concessionaire had provided the requested documentation. At the same time, the aforementioned Deputy Director confirmed that, through said documentation, she formally complies with the obligations established in this regard in the reversion regulations and her duties as the data processor on behalf of the Regional Ministry. FOURTH: According to the report collected from the AXESOR tool, the entity MARINA SALUD, S.A. is a company (...), established in 2005, with a turnover of ***AMOUNT.1 euros in 2022. FIFTH: On July 24, 2024, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against the respondent, in accordance with the provisions of Articles 63 and 64 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), for the alleged violation of Article 28 of the GDPR, classified in Article 83.4 of the GDPR. SIXTH: After notification of the aforementioned initiation agreement in accordance with the rules established in the LPACAP, the respondent submitted a written statement of allegations in which, in summary, it stated, in its FIRST allegation, a list of the events that occurred. In its SECOND allegation, entitled, ON THE LACK OF VIOLATION OF DATA PROTECTION REGULATIONS BY MARINA SALUD, it indicated, among other things, the following: “1.
The scope of the alleged breach attributed to Marina Salud. Our client is accused of committing an alleged violation of Article 28.2 of the GDPR, according to which “[t]he data processor shall not use another processor without the prior written authorization, whether specific or general, of the controller. In the latter case, the data processor will inform the controller of any planned changes in the incorporation or replacement of other data processors, thus giving the controller the opportunity to object to such changes." The AEPD understands, in the Initiation Agreement, that our client did not communicate to the Data Controller the information related to the identity of the entities with which it had subcontracted the processing of personal data, which would determine non-compliance with the aforementioned provision. This is based on the complaint filed by the Regional Ministry, which, however, expressly states the latter's knowledge of the contracts signed by our client that involve the use of a subprocessor to carry out activities involving the processing of personal data. That is, the complaint focuses its criticism on the fact that our client has not provided the complainant with a copy of the contracts entered into with said entities, but not on the latter's lack of knowledge of which entities these were. Likewise, its content shows that our client did not breach its obligation to inform the data controller about the processing activities that were subcontracted, but only that our client had not provided the Regional Ministry responsible for the processing with a copy of the aforementioned contracts. 1. Regime applicable to the contracts entered into by MARINA SALUD.
Taking the foregoing into account, it is necessary to describe the framework applicable to the relationship between our client and the Regional Ministry at the time the contracts were signed, as well as the regime applicable to them. Regarding the relationship between our client and the Regional Ministry, in its capacity as data controller for the data processed by MARINA SALUD, it should be noted that, at least until the adoption of the Instructions, this relationship was governed by the Personal Data Processing Agreement in compliance with Article 12 of the LOPD (Spanish Data Protection Act), in which, as indicated, the Regional Ministry (as data controller) granted our client (as data processor) a general power of attorney to subcontract those processing activities that were necessary for the proper management of the services covered by the concession. As indicated, the Agreement expressly stipulated that the Regional Ministry authorized and, consequently, empowered Marina Salud "to subcontract, on behalf of and for the account of the data controller, the processing of data necessary for the provision of the services covered by the concession." 2. The Regional Ministry was aware of the subprocessors contracted by MARINA SALUD at the date of approval of the Instructions, and also stated their suitability for the purposes set forth in the GDPR and the LOPDGDD. As a result, the information provided in the Initiation Agreement is inconsistent with reality, given that: • The Regional Ministry responsible for the processing was aware of the subprocessors contracted by our client and the scope of the services provided by them at the time of filing its claim. • The Regional Ministry considered the aforementioned data processors suitable, (i) requiring our client not to replace them with others without its authorization; and (ii) directly hiring them as data processors once the concession was reverted. 3.
The failure to provide the Regional Ministry with the contracts entered into with the subprocessors does not constitute a breach of personal data protection regulations. Much of the complaint filed by the Regional Ministry in its complaint to the Spanish Data Protection Agency (AEPD) is based exclusively on the fact that our client did not provide the Regional Ministry with copies of the contracts entered into with the subprocessors. However, Marina Salud considers it necessary to point out that neither the GDPR nor the LOPDGDD establish an obligation such as the one indicated above. 4. The Regional Ministry confirms the legality of MARINA SALUD's actions. In the THIRD allegation, entitled BREACH OF THE PRINCIPLE OF PROPORTIONALITY IN THE DETERMINATION OF THE PENALTY, it stated, among other things, the following: “[…] Indeed, in the present case, the breach allegedly attributed to our client, already refuted in the previous allegations, would be of an exclusively formal nature and would consist of not providing the data controller, at the latest until the date of the inspection that took place on January 19, 2023, that is, a few months after the execution of two of the three contracts analyzed in the Initiation Agreement, the identity of the sub-processors. “[…] the AEPD has not taken into consideration a fact that it is fully aware of from a mere reading of the file: at this time, our client is not providing the services that constituted its source of income, as its corporate purpose is the management of the Denia Health Department. However, the AEPD considers this circumstance to be entirely irrelevant, taking as a reference figure for quantifying the fine our client's turnover in 2022, when it was actually operating as a concessionaire for the public service, which has now been reversed.
SEVENTH: After notification of the proposed resolution in accordance with the rules established in the LPACAP (Common Administrative Procedure Act), the respondent submitted a written statement of allegations in which, in summary, it ratified the statements made in its allegations to the initiation agreement.

From the actions taken in this procedure and the documentation in the file, the following have been established:

PROVEN FACTS

FIRST: By Resolution of the Regional Minister of Health dated February 7, 2005, MARINA SALUD, S.A., with Tax Identification Number (NIF) A97563563, the respondent, was awarded the public service management contract for the provision of comprehensive healthcare in Area 12 of the Denia Health Department. The contract was formalized on March 14, 2005, and services began on February 1, 2009. There is no evidence that the contract was renewed beyond May 25, 2022, the date until which indefinite-term contracts remained valid under DT 5 of the LOPDGDD.

SECOND: On April 1, 2009, the aforementioned parties formalized the Personal Data Processing Agreement under the contract indicated in the FIRST FACT, in compliance with Article 12 of the LOPD (Data Protection Act), which, in its Eighth Clause, which regulates subcontracting, states the following:

"The data controller authorizes the processor to subcontract, in the name and on behalf of the controller, the processing of the data necessary for the provision of the services subject to the concession. For these purposes, the processor shall inform the controller of the identity of the companies from which it intends to subcontract the services subject to this subcontracting. The validity of the power of attorney granted by the controller (which, in such case, must be in writing) shall be subject to the signing of a written contract between the processor and the subcontracted company, which includes terms similar to those provided for in this agreement, with the full content established
in Article 12 of the LOPD (Spanish Data Protection Act) and the express assumption by the data controller, on its own behalf, and the subcontractor of joint and several liability for any breach of the terms of the processing by the subcontractor....”

The complaining party, the Ministry of Health, is the data controller, and the accused party, MARINA SALUD, S.A., is the data processor.

THIRD: On January 19, 2023, the complaining party carried out an inspection. In the report, the accused party was required to provide a copy of the license, support, and/or service provision contracts signed with the owners of several applications detailed above, after verifying that they were being used at Denia Hospital.

FOURTH: On January 27, 2023, the complaining party issued instructions for the processing of data on behalf of third parties in accordance with Article 28 of the GDPR, which detail, among other things, the following:

"The Regional Ministry of Health is responsible for the processing of personal data, and the concessionaire is the data processor. Data processing includes the following operations: collection; adaptation or modification; registration; extraction; enabling access, comparison or interconnection; organization; consultation; structuring; use; storage; communication by transmission; destruction. Data types: identification and contact data (name and surname, DNI/NIE, postal address, telephone numbers, email address, etc.); personal characteristics data (gender, age, native language, etc.); health data (diagnoses, treatments, vaccinations, diagnostic tests, etc.); other sensitive data (lifestyle, etc.; life, family, work, socioeconomic, etc.); data relating to sexual life; genetic data; professional data (education, qualifications, etc.); employment data (job title, employment history, salaries, etc.). Data categories: Users of the public health system.
Regarding subcontracting, it states: "The concessionaire will not use another data processor without prior written authorization from the Regional Ministry. At the end of the service, the concessionaire, as determined by the Regional Ministry and in accordance with these instructions, must return all personal data and, once the correct functioning of the public services has been verified and after prior notification from the Regional Ministry, delete any existing copies. The concessionaire may retain the data, duly blocked, as long as liability may arise from the processing carried out on behalf of the Regional Ministry. It must also facilitate the transfer of the services to the Regional Ministry or to the entity it determines to take over the provision of said services when the current concession ends."

FIFTH: On January 31, 2023, the complaining party notified the respondent of its intention not to extend the contract and of its subsequent termination on January 31, 2024, as well as the rules for the recovery of direct management of the public service.

SIXTH: On February 1, 2023, the complaining party received a letter from the respondent, in which it communicated its refusal to provide the requested documentation (a copy of the contracts signed by MARINA SALUD SA with the companies that own ***SISTEMA.1, ***SISTEMA.2, ***SISTEMA.3, ***SISTEMA.4, ***SISTEMA.5, and the Infrastructure and Telecommunications Management Contract with ***COMPANY.5), stating that it is not within the scope of the Health Inspectorate's duties to request copies of the contracts.
SEVENTH: On April 6, 2023, the complaining party notified the accused party of the document entitled "Communication from the contracting body to the concessionaire of the Denia Health Department, regarding data processing on behalf of third parties," which indicates the steps to follow if they are modifying or intend to modify the current contract for data processing on behalf of third parties.

EIGHTH: After the GDPR came into force, the respondent entered into the following contracts:

- Data Protection Agreement, annexed to the contract signed with the company ***COMPANY.3, dated October 6, 2017, related to the use of the application ***SISTEMA.1 (Document No. 14). The annex was signed on September 27, 2018.

- Contract for the Provision of Laboratory IT Services, signed with the company ***COMPANY.4, the purpose of which is "the acquisition by MARINA SALUD of the IT solution owned by ***COMPANY.4, called ***SISTEMA.2, which will act as the Laboratory IT System (LIA) for the computerization of the clinical analysis laboratory at the new Denia Hospital" (Document No. 15). This contract was signed on April 16, 2008. They also provide a data processor contract, adapted to the GDPR, dated May 5, 2022 (Document No. 16).

- Contract for the provision of license and maintenance services without hosting for the computer application ***SISTEMA.3 and the APP ***SISTEMA.3, signed with the company ***EMPRESA.6 on April 12, 2022, for the use of a license for the Patient Management Software and the maintenance and technical support service. Annex II contains the provisions related to the provision of services by the subprocessor (Document No. 17).

The concessionaire states that the aforementioned subcontracting operations were carried out pursuant to the general power of attorney granted by the Regional Ministry in accordance with the provisions of the eighth clause of the Personal Data Processing Agreement (in compliance with Article 12 of the LOPD) provided (Document No. 4), which authorizes the data processor to carry out the subcontracting.

NINTH: There is no evidence that the data controller was informed prior to the formalization of the contracts cited in the EIGHTH FACT.

LEGAL BASIS

I Jurisdiction

In accordance with the powers granted to each supervisory authority by Article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), and as established in Articles 47, 48.1, 64.2, and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and the Guarantee of Digital Rights (hereinafter LOPDGDD), the President of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, Article 63.2 of the LOPDGDD establishes that: "The procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, by this Organic Law, by the regulatory provisions issued in its development, and, insofar as they do not contradict them, in a subsidiary capacity, by the general rules on administrative procedures."

II Preliminary Questions

In the present case, in accordance with the provisions of Articles 4.1 and 4.2 of the GDPR, it is evident that personal data are being processed by the respondent party as the data processor, which it carries out in the exercise of its powers and attributions.

The "data controller" is defined in Article 4.7 of the GDPR as "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing; where Union or Member State law determines the purposes and means of processing, the controller or the specific criteria for its nomination may be laid down by Union or Member State law."
For the provision of the services contemplated in the concession contract, relating to the provision of healthcare services in the Denia Department of Health, the reported party is required to process personal data, in which it acts as data processor. These processes include the collection, adaptation or modification, recording, extraction, provision of access, alignment or interconnection, consultation, structuring, use, storage, communication by transmission, and destruction of personal data, which include special categories of data: health data (diagnoses, treatments, vaccinations, diagnostic tests), data relating to sexual activity, or genetic data.

Article 4.8 of the GDPR defines "processor" as "the natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller."

The respondent acts as data processor, as can be seen from the Resolution of the Regional Minister of Health of February 7, 2005, in which the respondent was awarded the public service management concession contract (***REFERENCE 1), the purpose of which was to provide comprehensive healthcare for Area 12, Denia Health Department. The contract was formalized on March 14, 2005, with services beginning on February 1, 2009.

The provision of the services contemplated in the concession contract requires the respondent, as the concessionary entity, to process personal data, including specially protected data, under the responsibility of the complainant. In such processing, the concessionary entity (the respondent) acts as the data processor, pursuant to Article 4(7) and (8) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter GDPR).
III Allegations to the Initiation Agreement and Proposed Resolution

In response to the allegations presented by the respondent entity, the following should be noted:

Regarding the allegation that the respondent party did not violate data protection regulations, it should be noted that the respondent party used other subprocessors on the basis of a general authorization included in the Agreement signed between the parties in 2009, so compliance with the provisions of the second paragraph of Article 28 was mandatory, which refers specifically to cases in which a general authorization from the data controller exists, as is the case at hand: "In the latter case, the processor shall inform the controller of any planned changes in the incorporation or replacement of other processors, thus giving the controller the opportunity to object to such changes."

It should be remembered that the GDPR has been mandatory since May 25, 2018, as already indicated in the Initiation Agreement, a date which preceded the inspection carried out by the complaining party on January 19, 2023, the instructions issued by the complaining party on January 27, 2023, and the communication of non-continuation of the contract on January 31, 2023.

In the present case, there is no evidence that the respondent party, as the data processor, informed the data controller, the complaining party, of the data processing contracts signed after that date with the other subprocessors. Considering that the contracts concluded involve the addition of other subprocessors, they fall under the category of changes provided for in Article 28.2 and should have been notified prior to their execution so that the data controller would have had the opportunity to object to such changes.
For the sake of completeness, it should be emphasized again that the obligation to inform the data controller of the identity of the companies with which it intended to subcontract was already present in the Personal Data Processing Agreement in compliance with Article 12 of the LOPD (Spanish Data Protection Act), signed on April 1, 2009. Clause Eight, which regulates subcontracting, stated the following:

"The data controller authorizes the data processor to subcontract, in the name and on behalf of the data controller, the processing of the data necessary for the provision of the services subject to the concession. For these purposes, the data processor shall inform the data controller of the identity of the companies from which it intends to subcontract the services subject to this subcontracting."

Therefore, what is included in the GDPR is not new, although the alleged violation is limited exclusively to the obligation of Article 28.2 with respect to the contracts with the subprocessors already detailed in the Initiation Agreement, which are the following:

- Data Protection Agreement, annex to the contract signed with the company ***COMPANY.3., dated October 6, 2017, related to the use of the application ***SISTEMA.1 (Document No. 14). The annex was signed on September 27, 2018.

- Contract for the Provision of Laboratory IT Services, entered into with the company ***EMPRESA.4, the purpose of which is "the acquisition by MARINA SALUD of the IT solution owned by ***EMPRESA.4, called ***SISTEMA.2, which will act as the Laboratory IT System (LIA) for the computerization of the clinical analysis laboratory of the new Denia Hospital" (Document No. 15). This contract was signed on April 16, 2008. They also provide a data processor contract, adapted to the GDPR, dated May 5, 2022 (Document No. 16).
- Contract for the provision of license and maintenance services without hosting for the computer application ***SISTEMA.3 and the APP ***SISTEMA.3, signed with the company ***EMPRESA.6 on April 12, 2022, for the use of a license for the Patient Management Software and the maintenance and technical support service. Annex II contains the provisions related to the provision of services by the subcontractor (Document No. 17).

The concessionaire states that the aforementioned subcontracting was carried out pursuant to the general power of attorney granted by the Regional Ministry in accordance with the provisions of Clause Eight of the Personal Data Processing Agreement in compliance with Article 12 of the LOPD (Data Protection Act) provided (Document No. 4), which authorizes the data processor to carry out the subcontracting.

As detailed in the initiation agreement, the obligation to provide information persists as long as the relationship between the data controller and the data processor is maintained. This information must be provided before the aforementioned contracts are signed, so that, in accordance with Article 28.2, the data controller has the opportunity to object.

As the respondent indicated in its allegations, DT5 of the LOPDGDD states that "Data processor contracts signed prior to May 25, 2018, under the provisions of Article 12 of Organic Law 15/1999, of December 13, on the Protection of Personal Data, will remain in force until the expiration date indicated therein and, if they were agreed to indefinitely, until May 25, 2022." This Agency is not questioning the validity of the contracts at any time. The parties could have requested compliance with the GDPR, although there is no record that they did so.

In any case, the obligation of Article 28 had to be fulfilled, but the contract also already indicated that the controller must be informed of any subcontracts made.
(Personal data processing agreement in compliance with Article 12 of the LOPD (Spanish Data Protection Act), which, in its Eighth Clause, which regulates subcontracting, states that: "The data controller authorizes the data processor to subcontract, on behalf of and for the account of the data controller, the processing of the data necessary for the provision of the services subject to the concession. For these purposes, the data processor shall inform the data controller of the identity of the companies from which it intends to subcontract the services subject to this subcontracting.")

On another note, at no point has this Agency taken into consideration the fact that copies of the contracts signed with said entities, as required by the inspection, were not provided. Likewise, the fact that the Administration was aware of the contracts despite their not having been communicated, as stated by the accused party, is not relevant in this case. The obligation arose when the contracts were signed since, by virtue of the principle of proactive responsibility (accountability), the party responsible for fulfilling it must be able to prove that it did so, which it has not done.

For all the above reasons, this claim is dismissed.

With regard to the claim regarding the violation of the principle of proportionality in determining the sanction, it should be noted that the reasoning for the proposed sanction followed the criteria of Article 83.2 of the GDPR and Article 76.2 of the LOPDGDD.

In the present case, and with respect to section a) of Article 83.2 of the GDPR, the duration of the violation must be taken into consideration; it is a permanent violation, since permanent violations create an unlawful state whose cessation depends on the will of its perpetrator.
Therefore, as long as a subprocessor continues to be used, the obligation to inform persists, since the obligation is imposed so that the controller is informed, and it must be informed as long as a subprocessor is operating.

The motivation is also fully justified, following section g) of Article 83.2 of the GDPR regarding the personal data affected, health data being considered a special category of personal data according to Article 9 of the GDPR.

Likewise, the criteria set forth in Section 2 of Article 76 "Sanctions and Corrective Measures" of the LOPDGDD have been applied to determine the sanction, which provides that the connection between the offender's activity and the processing of personal data (Section b) may be taken into account. This is the case of the accused party, which, although its main activity is the management of the Denia Health Department, requires the processing of personal data in order to carry out this activity. In this case, special categories of personal data, as indicated in Article 9 of the GDPR, are involved, as these data are linked to people's health.

The above is based on data obtained from the Preliminary Investigation Actions, which indicate the following:

"Denia Hospital, on its website denia.com/hospital-marina-salud/, indicates that the Denia Health Department consists of one hospital, four integrated healthcare centers, eight health centers, 34 clinics, and two additional clinics during the summer. It was launched in 2009. MARINA SALUD SA is listed in AXESOR as a Spanish public limited company with the activity "Hospital Activities." Its website marinasalud.es states that it is a healthcare company that provides public healthcare services, including at Denia Hospital. RIBERA SALUD SA is listed in AXESOR as a Spanish public limited company with the activity "Hospital Activities." Its website riberasalud.com states that it is a business group that provides public and private healthcare services.
Among the companies that form part of the Group is MARINA SALUD SA, and its healthcare network includes the Denia Health Hospital."

The claim of disproportionateness cannot be upheld in this case. First, it should be remembered that, regarding the reference used to quantify the fine, the Agency has taken into account the latest available data published in the AXESOR tool, which shows a turnover of ***AMOUNT.1 euros for 2022. The fine of €500,000 represents 0.3% of turnover. Taking into account that the GDPR allows fines of up to 2% of said turnover, it cannot be considered disproportionate, also taking into account the aggravating factors indicated: the data fall under Article 9 of the GDPR, and the entity is accustomed to processing such data. It should be added that for fixed amounts the limit would be €10 million, meaning that, under either parameter, the amount is clearly within the minimum range.

Furthermore, and despite the allegations, the respondent has not provided any additional information to justify the aforementioned decrease in its turnover, with the latest available figure being the one used by this AEPD to quantify the proposed fine. Therefore, the Agency does not have any elements other than those already used to quantify the sanction to be imposed.

Regarding the respondent's claim that the violation would be purely formal in nature, and therefore the amount would be disproportionate, it can be stated that this is not the case, since the failure to communicate the existence of subcontractors prevents the controller from properly exercising its supervisory powers. And we must not lose sight of the fact that we are dealing with the provision of a public service as important as healthcare, where the processing of special-category data is routine.
The Administration cannot ignore the possible existence of subcontractors (subprocessors, in data protection terms) who have access to personal health data.

For all the reasons stated above, this claim is dismissed.

IV Data Processor

Article 28 of the GDPR, "Processor," states the following:

"1. Where processing is to be carried out on behalf of a controller, the controller shall only choose a processor that offers sufficient guarantees to implement appropriate technical and organizational measures to ensure that the processing complies with the requirements of this Regulation and ensures the protection of the rights of the data subject.

2. The processor shall not use another processor without the prior written authorization, whether specific or general, of the controller. In the latter case, the processor shall inform the controller of any planned changes to the addition or replacement of other processors, thus giving the controller the right to object to such changes...)"

In the present case, the respondent party, when subcontracting the services subject to the concession, had prior written authorization of a general nature signed by the controller when the Personal Data Processing Agreement was concluded in compliance with Article 12 of the LOPD (Organic Law on Personal Data Protection), signed on April 1, 2009. Said Agreement, in its Eighth Clause, which regulates subcontracting, states the following:

"The data controller authorizes the data processor to subcontract, in the name and on behalf of the data controller, the processing of the data necessary for the provision of the services subject to the concession. For these purposes, the data processor shall inform the data controller of the identity of the companies from which it intends to subcontract the services subject to this subcontracting.
The validity of the power of attorney granted by the data controller (which, in such case, must be in writing) shall be subject to the signing of a written contract between the Data Processor and the subcontracted company, which includes terms similar to those provided for in this agreement, with the full content established in Article 12 of the LOPD (Spanish Data Protection Act) and the express assumption by the data processor, on its own behalf, and the subcontractor of joint and several liability for any breach of the terms of processing by the subcontractor..."

This agreement was signed on the basis of the existing contract between the parties for the provision of healthcare services in the Denia Department of Health by concession, dated March 14, 2005, with the start date of services being February 1, 2009. At that time, as reflected in the transcribed clause, there was already an obligation to inform the controller of the identity of the companies to which the services were intended to be subcontracted. Similarly, Article 28.2 of the GDPR has been mandatory since May 25, 2018.

In the present case, there is no evidence that the accused party informed the data controller of the contracts signed after that date with the subprocessors. These are the following, also detailed in the EIGHTH PROVEN FACT:

- Data Protection Agreement, annexed to the contract signed with the company ***COMPANY.3., dated October 6, 2017, related to the use of the application ***SISTEMA.1 (Document No. 14). The annex was signed on September 27, 2018.

- Contract for the Provision of Laboratory IT Services, entered into with the company ***EMPRESA.4, the purpose of which is "the acquisition by MARINA SALUD of the IT solution owned by ***EMPRESA.4, called ***SISTEMA.2, which will act as the Laboratory IT System (LIA) for the computerization of the clinical analysis laboratory at the new Denia hospital" (Document No. 15). This contract was signed on April 16, 2008. They also provide a data processor contract, adapted to the GDPR, dated May 5, 2022 (Document No. 16).

- Service contract for the provision of licensing and maintenance services without hosting for the computer application ***SISTEMA.3 and the APP ***SISTEMA.3, signed with the company ***EMPRESA.6 on April 12, 2022, for the use of a license for the Patient Management Software and the maintenance and technical support service. Annex II contains the provisions related to the provision of services by the subprocessor (Document No. 17).

On January 27, 2023, the contracting authority issued instructions, a series of general obligations for the data processor derived from Article 28 of the GDPR, which, for the purposes of subcontracting, indicate the following:

"The concessionaire shall not use another data processor without the prior written authorization of the Regional Ministry. To this end, the concessionaire must inform the Regional Ministry of any such arrangement at least 10 business days in advance. In subcontracting, the subcontractor shall also have the status of data processor and shall be obliged to comply with the obligations established in this document for the data processor, including those relating to international transfers, and any instructions that the Regional Ministry may establish. It is the concessionaire's responsibility to regulate the relationship with the subcontractor so that the latter is subject to the same conditions regarding the processing of personal data and the guarantee of the rights of the data subjects. In the event of non-compliance by the subprocessor, the concessionaire will remain fully responsible to the Regional Ministry for compliance with its obligations as data processor.
The authorizations referred to in the first paragraph of this section will be subject to the concessionaire being able to confirm the suitability of the proposed entity, specifically its knowledge, capacity, and willingness to comply with the requirements imposed by the applicable legal regulations, particularly those relating to information security and personal data protection, as well as the instructions of the Regional Ministry, for the provision of the service subject to the data processing assignment. For these purposes, the concessionaire must provide a declaration of suitability of the subcontractor in the terms set forth. Likewise, if the concessionaire already has subcontracts that involve the processing of personal data for which the Regional Ministry is responsible, these must be notified within 15 business days following notification of these instructions."

These instructions merely reinforce the data processor's obligations already contained in Article 28 of the GDPR, which are fully enforceable from the entry into force of the GDPR, as previously indicated. Furthermore, they were issued only a few days before the complaining party's notification of the non-renewal of the service management contract.

Based on the evidence available at the time of the resolution of the sanctioning procedure, the facts disclosed are considered to constitute an infringement, attributable to the reported party, for violating Article 28.2 of the GDPR.

V Classification and grading of the infringement of Article 28.2 of the GDPR

The aforementioned infringement of Article 28.2 of the GDPR constitutes the commission of one of the infringements classified in Article 83.4 of the GDPR, which, under the heading "General conditions for the imposition of administrative fines," provides:

"4. Violations of the following provisions shall be punishable, in accordance with paragraph 2, by administrative fines of up to EUR 10,000,000 or, in the case of a company, by an amount equivalent to a maximum of 2% of the total annual global turnover of the preceding financial year, whichever is higher:

a) the obligations of the controller and the processor under Articles 8, 11, 25 to 39, 42, and 43;"

For the purposes of the statute of limitations for infringements, the alleged infringement expires after one year, in accordance with Article 74 of the LOPDGDD, which classifies the following conduct as minor:

"The remaining infringements of a purely formal nature of the articles mentioned in sections 4 and 5 of Article 83 of the GDPR are considered minor and will expire after one year, and in particular the following:

l) The contracting of other data processors by a data processor without prior authorization from the controller or without informing the controller of changes in the subcontracting process when legally required."

The infringement is permanent because an unlawful state has been created, the cessation of which depends on the will of its perpetrator. An infringement of this type is maintained by the will of the perpetrator and continues until the unlawful situation is abandoned, for which reason it is not considered time-barred.
VI Proposed sanction

For the purposes of deciding on the imposition of an administrative fine and its amount, in accordance with the evidence available at the time of the resolution of the sanctioning procedure, it is considered appropriate to grade the sanction to be imposed according to the following criteria established in Article 83.2 of the GDPR:

- The nature, severity, and duration of the violation, taking into account the nature, scope, or purpose of the processing operation in question, as well as the number of data subjects affected and the level of damages they have suffered (paragraph a): for failure to report the three contracts entered into with subprocessors. As long as a subprocessor continues to be used, the obligation to report persists, since the obligation is imposed so that the controller is informed, and this must be the case as long as a subprocessor is acting: from the date of signature of the contracts with ***COMPANY.3 dated 09/27/18, ***SISTEMA.3 (***COMPANY.6) dated 04/12/22, and ***COMPANY.4 dated 05/05/22 (update of a contract dated 04/16/08), until the inspection carried out by the data controller on 01/19/2023.

- The categories of personal data affected by the breach (section g): the categories of personal data affected by the breach are health data, which are considered special categories of data.

Likewise, it is considered appropriate to grade the sanction to be imposed according to the following criteria established in section 2 of Article 76 "Sanctions and Corrective Measures" of the LOPDGDD:

- The connection between the offender's activity and the processing of personal data (section b): the processing of personal data constitutes, in the performance of the contract with the Administration, an inherent or substantial part of the entrusted service.
The balance of the circumstances contemplated in Article 83.2 of the GDPR and 76.2 of the LOPDGDD, with respect to the infringement committed by violating the provisions of Article 28.2 of the GDPR, allows for the imposition of an administrative fine of €500,000.00.
Therefore, in accordance with applicable legislation and having assessed the criteria for graduating sanctions whose existence has been proven, the Presidency of the Spanish Data Protection Agency RESOLVES:
FIRST: TO IMPOSE a fine of 500,000.00 euros (FIVE HUNDRED THOUSAND euros) on MARINA SALUD, S.A., with NIF A97563563, for a violation of Article 28 of the GDPR, as defined in Article 83.4 of the GDPR.
SECOND: TO NOTIFY MARINA SALUD, S.A. of this resolution.
THIRD: This resolution will become enforceable once the deadline for filing an optional appeal for reconsideration (one month from the day following notification of this resolution) has expired without the interested party having exercised this right.
The sanctioned party is hereby notified that they must pay the imposed sanction once this resolution becomes enforceable, in accordance with the provisions of Article 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the voluntary payment period established in Article 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to Article 62 of Law 58/2003, of December 17, by depositing the fine, indicating the sanctioned party's NIF (Tax Identification Number) and the procedure number shown in the heading of this document, into the restricted account IBAN: ES00-0000-0000-0000-0000-0000 (BIC/SWIFT Code: CAIXESBBXXX), opened in the name of the Spanish Data Protection Agency at CAIXABANK, S.A. Otherwise, collection will be carried out during the enforcement period.
Once the notification has been received and the resolution is enforceable, if the enforcement date falls between the 1st and 15th of the month, inclusive, the deadline for making the voluntary payment will be the 20th of the following month or the next business day thereafter; if it falls between the 16th and the last day of the month, inclusive, the payment deadline will be the 5th of the second following month or the next business day thereafter.
In accordance with the provisions of Article 50 of the LOPDGDD (Spanish Organic Law on the Protection of Personal Data), this Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which terminates the administrative process pursuant to Article 48.6 of the LOPDGDD, and in accordance with the provisions of Article 123 of the LPACAP, interested parties may optionally file an appeal for reconsideration before the President of the Spanish Data Protection Agency within one month from the day following notification of this resolution, or directly file an administrative appeal before the Administrative Litigation Division of the National Court, in accordance with the provisions of Article 25 and Section 5 of the Fourth Additional Provision of Law 29/1998, of July 13, regulating the Administrative Litigation Jurisdiction, within two months from the day following notification of this decision, as provided for in Article 46.1 of the aforementioned Law.
Finally, it is noted that, in accordance with the provisions of Article 90.3 a) of the LPACAP, a final administrative decision may be provisionally suspended if the interested party expresses their intention to file an administrative appeal.
If this is the case, the interested party must formally notify this fact in writing to the Spanish Data Protection Agency, submitting it through the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica-web/], or through one of the other registries provided for in Article 16.4 of the aforementioned Law 39/2015, of October 1. They must also submit to the Agency the documentation proving the effective filing of the administrative appeal. If the Agency does not become aware of the filing of the administrative appeal within two months from the day following notification of this resolution, it will terminate the precautionary suspension.
1479-111224
Olga Pérez Sanjuán
The Deputy Director General of Data Inspection, in accordance with Article 48.2 of the LOPDGDD (Spanish Data Protection Act), due to a vacancy in the positions of President and Deputy President