AEPD (Spain) - EXP202203996

From GDPRhub
Revision as of 09:25, 30 September 2022 by Michelle.ayora
AEPD - PD-00125-2022
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 15 GDPR
§18 Ley 41/2002, de 14 de noviembre, básica reguladora de la Autonomía del Paciente y de Derechos y Obligaciones en Materia de Información y Documentación Clínica
Type: Complaint
Outcome: Upheld
Started: 23.03.2022
Decided:
Published: 19.09.2022
Fine: n/a
Parties: n/a
National Case Number/Name: PD-00125-2022
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Michelle Ayora

Resolution regarding the right of access (Article 15 GDPR) and its formalities under Article 12(2) GDPR. The Health Service of the Balearic Islands (controller) did not comply with the established period and delivered a copy of the documentation six months after the request.


English Summary

Facts

The data subject submitted a complaint to the DPA because her request (15/01/2022) for access to her and her daughter's medical records and administrative file (pregnancy care, childbirth and subsequent clinical care) had not been answered.

The data controller is the Health Service of the Balearic Islands (IB-SALUT), and the request covered documentation from three different hospitals and clinics. During the proceedings before the DPA the controller sent some parts of the requested file; however, the last set of documents was delivered to the data subject on 15/06/2022, which was late, since the period established in the GDPR and national legislation is one month.

The controller justified the delay by an excess workload during that period and by the fact that the request covered documents from several entities, which delayed the collection of the medical records.

The DPA recalled the legislation on patients' autonomy and their rights and obligations regarding information and medical records, which establishes the patient's right to access the record and to request a copy.


Holding

The DPA upheld the complaint because access to the requested medical record was provided late. It referred to Article 12 GDPR (and Article 12 of the national legislation) and to Recital 59 and following, which provide for a period of one month to satisfy the request.

Nevertheless, the data controller was not fined, since by the time of the resolution the request had been fulfilled.


English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

     File No.: EXP202203996



                              RESOLUTION No.: R/00628/2022

Considering the claim made on March 23, 2022 before this Agency by Mr.
A.A.A. on behalf of Ms. B.B.B., against the HEALTH SERVICE OF THE
BALEARIC ISLANDS (IB-SALUT), for not having duly attended to their right of
access.

Having carried out the procedural actions provided for in Title VIII of
Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of
digital rights (hereinafter LOPDGDD), the following have been verified



                                      FACTS


FIRST: On 01/15/2022, Mr. A.A.A., on behalf of Ms. B.B.B. (hereinafter,
the complaining party), exercised the right of access to the clinical history and
administrative file before the HEALTH SERVICE OF THE BALEARIC ISLANDS
(IB-SALUT) (hereinafter, the respondent), without the request having received the
legally established response.

The complaining party states that it requested the clinical history and
administrative file of the mother and of the minor daughter, C.C.C., in connection with
the pregnancy care, childbirth and subsequent clinical care of both up to the present or
the time of processing this request, with respect to the Manacor Sa Torre
primary care health center, the Manacor Hospital and the
Son Espases University Hospital.

The complaining party provides various documentation related to the claim raised
before this Agency and to the exercise of the right.


SECOND: In accordance with article 65.4 of the LOPDGDD, which provides for a
mechanism prior to the admission for processing of the claims made before
the AEPD, consisting of transferring them to the Data Protection Officers
designated by the controllers or processors, for the purposes provided for
in article 37 of the aforementioned rule, or to the controllers or processors
themselves when no officer has been designated,
the claim was transferred to the respondent entity so that it could
analyze it and respond to the complaining party and to this Agency within one
month; no response was received.

THIRD: The result of the transfer process indicated in the previous Fact did not
allow the claims of the complaining party to be considered satisfied.
Consequently, on May 31, 2022, for the purposes provided in article
64.2 of the LOPDGDD, the Director of the Spanish Agency for Data Protection
agreed to admit the submitted claim for processing and informed the parties that the
maximum term to resolve this procedure, which is understood to have started
through said admission agreement, would be six months.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es


The aforementioned agreement granted the respondent entity a hearing, so
that within a period of fifteen business days it could present the allegations it deemed
appropriate. Said entity made, in summary, the following allegations:

The representative/Data Protection Officer of the respondent states that
the need to analyze the request and to contact the different areas
in charge of managing data subjects' rights in the Management of the hospital
centers and Primary Care, in order to request information regarding said
request, made it impossible to deliver within the established period.

That there was no intention not to satisfy the request to exercise the right of
access to the medical records of the claimant and her minor daughter.

That the failure to attend to the request in due time and form coincided with a period
of high workload, which inadvertently caused a delay in managing the
data subject's rights request, and once it was verified that the request had not
been answered automatically, a request was made to process it.

FOURTH: After examining the allegations presented by the respondent, they were
transferred to the complaining party so that, within fifteen business days, it could formulate
the allegations it deemed appropriate:

The complaining party states that, despite having exercised the rights, the
response has been unsatisfactory, as no response has been given to each and every one of
the requests made in the original request, since to date it has not
received any documentation from the Sa Torre Primary Care Health
Center.

That information security incidents cannot serve as an
excuse for neglecting the obligations inherent to the position of DPO. That
omissions or delays in the responses to the exercise of rights by IB-Salut
and its care centers are common practice. That it is normal and usual
for said requests to be met in a biased, limited or partial way, making it necessary to request that
the documentation be completed, which sometimes means that deadlines
before administrations and insurers expire.

That presenting protocols is of no use if they are not complied with, and the mere
mention of the existence of protocols does not imply that they are carried out and
implemented correctly, as in the case at hand; for this reason, it requests the
opening of an information file and, possibly, the sanctioning of IB-Salut.

FIFTH: After examining the allegations presented by the complaining party, they were
transferred to the respondent so that, within fifteen business days, it could formulate
the allegations it deemed appropriate:

The respondent sets out chronologically the background to
the request for the clinical history of the complaining party and indicates that
the management and procedures relating to data protection
within the scope of the Health Service are constantly being improved, noting that all the Managements
have online training on the protocol, as well as access to the latest
versions on attending to rights requests.

The protocols and improvements carried out by the different managements of IB-Salut
in relation to access to the data contained in the clinical history.

In relation to the claim, as of the date of preparation of this report,
the request for access to the clinical history held in three
hospitals has been satisfied.


                           FOUNDATIONS OF LAW

FIRST: The Director of the Spanish Agency for
Data Protection, in accordance with the provisions of section 2 of article 56
in relation to section 1 f) of article 57, both of Regulation (EU) 2016/679 of the
European Parliament and of the Council of April 27, 2016 on the protection of
individuals with regard to the processing of personal data and the free
circulation of these data (hereinafter GDPR); and in article 47 of the LOPDGDD.

SECOND: In accordance with the provisions of article 55 of the GDPR, the Spanish
Data Protection Agency is competent to perform the functions
assigned to it in article 57, among them, enforcing the Regulation and
promoting awareness among controllers and processors
of the obligations incumbent on them, as well as handling claims
submitted by a data subject and investigating the grounds for them.

Correlatively, article 31 of the GDPR establishes the obligation of controllers
and processors to cooperate with the supervisory authority that requests it in
the performance of its duties. In the event that they have appointed a
data protection officer, article 39 of the GDPR attributes to that officer the function of
cooperating with that authority.

Similarly, the domestic legal system, in article 65.4 of the LOPDGDD, has
provided for a mechanism prior to the admission for processing of the claims
made before the Spanish Agency for Data Protection, which consists of
transferring them to the data protection officers designated by the
controllers or processors, for the purposes provided in article 37 of
the aforementioned rule, or to the controllers or processors themselves when no officer has been designated, so that they can
analyze said claims and respond to them within a month.

In accordance with this regulation, prior to the admission for processing of the
claim that gives rise to this procedure, it was transferred to the
responsible entity so that it could analyze it, respond to this Agency
within a month and prove that it had provided the claimant with the due response,
in the event of the exercise of the rights regulated in articles 15 to 22 of the
GDPR.

The result of said transfer did not allow the claims of the
complaining party to be considered satisfied. Consequently, on May 31, 2022, for the purposes
provided for in article 64.2 of the LOPDGDD, the Director of the Spanish Agency for
Data Protection agreed to admit the submitted claim for processing. Said
admission agreement determines the opening of the present procedure for
lack of attention to a request to exercise the rights established in
articles 15 to 22 of the GDPR, regulated in article 64.1 of the LOPDGDD, according to
which:

"1. When the procedure refers exclusively to the lack of attention to a
request to exercise the rights established in articles 15 to 22 of
Regulation (EU) 2016/679, it will start by an agreement of admission for processing, which
shall be adopted in accordance with the provisions of the following article.

In this case, the term to resolve the procedure will be six months
from the date on which the claimant was notified of the admission
agreement. Once this period has elapsed, the interested party may consider their
claim".

The purging of administrative responsibilities in the framework
of a sanctioning procedure, whose exceptional nature implies that,
whenever possible, alternative mechanisms that are supported by
current regulations should prevail.

It is the exclusive competence of this Agency to assess whether there are administrative
responsibilities that must be purged in a sanctioning procedure and,
consequently, to decide on its opening, there being no obligation to initiate a
procedure in response to any request made by a third party. Such a decision must
be based on the existence of elements that justify initiating sanctioning
activity, circumstances that do not concur in the present case, considering that
with this procedure the guarantees and rights of the claimant are duly restored.

THIRD: The rights of individuals in terms of personal data
protection are regulated in articles 15 to 22 of the GDPR and 13 to 18 of the
LOPDGDD. These cover the rights of access, rectification, erasure,
objection, restriction of processing and portability.

The formal aspects related to the exercise of these rights are established in
articles 12 of the GDPR and 12 of the LOPDGDD.

Account is also taken of what is expressed in Recitals 59 and following of the
GDPR.

In accordance with the provisions of these rules, the data controller
must arbitrate formulas and mechanisms to facilitate the interested party's exercise of their
rights, which will be free (without prejudice to the provisions of articles 12.5 and 15.3
of the GDPR), and is obliged to respond to the requests made no later than one
month, unless it can show that it is unable to identify the
interested party, and to state its reasons in case it is not going to attend to said
request. The proof of compliance with the duty to
respond to the request to exercise their rights made by the affected party.

The communication addressed to the interested party on the occasion of their request must
be expressed in a concise, transparent, intelligible and easily accessible manner, with
clear and simple language.

Regarding the right of access to personal data, in accordance with
article 13 of the LOPDGDD, when the exercise of the right
refers to a large amount of data, the controller may request the affected party to
specify the “data or treatment activities to which the request refers”. The
right will be understood granted if the controller provides remote access to the data,
taking the request as granted (although the interested party may request the information
referring to the matters provided for in article 15 of the GDPR).

The exercise of this right may be considered repetitive if exercised on more than one occasion
within a period of six months, unless there is legitimate cause for it.

On the other hand, the request will be considered excessive when the affected party chooses a means
other than the one offered that involves a disproportionate cost, which must be
assumed by the affected party.

FOURTH: In accordance with the provisions of article 15 of the GDPR and article 13 of the
LOPDGDD, "the interested party has the right to obtain from the data controller
confirmation of whether or not personal data concerning them is being processed and, in such
case, right of access to personal data”.

Like the rest of the rights of the interested party, the right of access is a
personal right. It allows the citizen to obtain information about the processing
being carried out on their data, the possibility of obtaining a copy of the personal data
that concern them and that are being processed, as well as
information, in particular, on the purposes of the processing, the categories of personal
data in question, the recipients or categories of recipients to whom
the personal data have been or will be communicated, the foreseen period or criteria
of conservation, the possibility of exercising other rights, the right to lodge a
claim with the supervisory authority, the available information on the origin of
the data (if these have not been obtained directly from the data subject), the existence of
automated decisions, including profiling, and information about
transfers of personal data to a third country or to an international organization.
The possibility of obtaining a copy of the personal data being processed shall not
adversely affect the rights and freedoms of others, that is, the right of
access will be granted in such a way that it does not affect the data of third parties.

The right of access in relation to the clinical history is specifically regulated in
Article 18 of Law 41/2002, of November 14, basic regulation of
Patient Autonomy and Rights and Obligations Regarding Information and
Clinical Documentation (hereinafter LAP), which literally states:

"1. The patient has the right of access, with the reservations indicated in section 3
of this article, to the documentation of the clinical history and to obtain a copy of the
data contained in it. The health centers will regulate the procedure that
guarantees the observance of these rights.
2. The patient's right of access to the clinical history can also be exercised by
duly accredited representation.
3. The right of access of the patient to the documentation of the clinical history
may not be exercised to the detriment of the right of third parties to the confidentiality
of the data contained in it collected in the therapeutic interest of the patient, nor to the
detriment of the right of the professionals participating in its preparation, who
may invoke against the right of access the reservation of their subjective annotations.
4. Health centers and individually practicing physicians will only provide
access to the medical history of deceased patients to persons linked to them
for family or de facto reasons, unless the deceased had expressly prohibited it
and this is accredited. In any case, the access of a third party to the clinical
history motivated by a risk to their health will be limited to the pertinent data. No
information will be provided that affects the privacy of the deceased or the subjective
annotations of the professionals, or that harms third parties”.

In this sense, we must highlight article 15 of the LAP, which sets out the minimum
content of the clinical history:

"1. The clinical history will incorporate the information that is considered transcendental for the
truthful and up-to-date knowledge of the patient's health status. Every patient or
user has the right to have a record kept, in writing or on the most appropriate technical
medium, of the information obtained in all their care processes, carried out
by the health service both in the field of primary care and
specialized care.
2. The main purpose of the clinical history will be to facilitate healthcare, leaving
a record of all those data that, under medical criteria, allow truthful and up-to-date
knowledge of the health status.
The minimum content of the clinical history will be the following:
a) The documentation related to the clinical-statistical sheet.
b) The entry authorization.
c) The emergency report.
d) History and physical examination.
e) Evolution.
f) Medical orders.
g) The interconsultation sheet.
h) The reports of complementary explorations.
i) Informed consent.
j) The anesthesia report.
k) The operating room report or birth registration.
l) The pathological anatomy report.
m) The evolution and planning of nursing care.
n) The therapeutic application of nursing.
ñ) The graph of constants.
o) The discharge clinical report.
Paragraphs b), c), i), j), k), l), ñ) and o) will only be required in the completion of the
clinical history in the case of hospitalization processes or when so provided.
3. Completion of the clinical history, in aspects related to the
direct assistance to the patient, will be the responsibility of the professionals who
intervene in it.
4. The clinical history will be kept with criteria of unity and integration, in each
care institution at least, to facilitate the best and most timely
knowledge by the doctors of the data of a certain patient in each
healthcare process”.

Regarding the conservation of the clinical history, article 17 of the LAP, in its
points 1 and 5, provides that:

"1. Health centers are obliged to keep clinical documentation
in conditions that guarantee its correct maintenance and safety, although
necessarily in the original support, for the due assistance to the patient during the

time appropriate to each case and, at least, five years from the date
discharge from each healthcare process...
5. Health professionals who carry out their activity individually are
responsible for the management and custody of the care documentation that
generate”.


FIFTH: In the case analyzed here, the claimant requested the clinical history
and administrative file of the mother and of the minor daughter, C.C.C., regarding
care during pregnancy, childbirth and subsequent clinical care, with respect to the
Manacor Sa Torre primary care health center, the Manacor Hospital and the
Son Espases University Hospital, and the request did not obtain the legally required
response, given that the requested access was not provided.

The LAP establishes a series of obligations for healthcare professionals and centers: in
its article 15 it sets out the minimum content of the clinical history, and it also establishes
in article 17 an obligation for the health center to preserve the clinical
history. The LOPD, in relation to articles 17, 18 and,
especially, article 15 of the LAP, recognizes a right of access to all
of the clinical history by its owner or representative.


That said, having examined the documentation in the proceeding, and as
follows from the allegations made and the documentation provided to the
procedure, the respondent entity, in the process of transferring the claim,
accredited the communication sent to the interested party, attending to the right of access to the
medical history.

In relation to the complaining party's statement, made in the allegations phase, that it had
received no copy of the clinical history from the Sa Torre Primary Care Health Center,
this Agency received on 07/15/2022 a
copy of the documentation sent by the Sa Torre Primary Care Health Center,
dated May 27, 2022 and delivered on June 15, 2022, according to a copy
of the acknowledgment of receipt processed by the Post Office.

Based on the foregoing, considering that the object of this procedure is
that the guarantees and rights of those affected be duly
restored, and given that the right of access to the clinical history was attended to outside the
established period, it is appropriate to uphold the present claim for formal reasons, as
the response was issued late, without requiring the performance of
additional actions by the party responsible for the file.

Considering the aforementioned precepts and others of general application,
the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: UPHOLD, for formal reasons, the claim made by Mr. A.A.A. on
behalf of Ms. B.B.B. against the HEALTH SERVICE OF THE
BALEARIC ISLANDS (IB-SALUT). However, the issuance of a new certification by
said entity, as the response was issued late, without
requiring the performance of additional actions by the controller.

SECOND: NOTIFY this resolution to Mr. A.A.A. on behalf of Ms.
B.B.B. and to the HEALTH SERVICE OF THE BALEARIC ISLANDS (IB-SALUT).


In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
interested parties may optionally file an appeal for reconsideration before the
Director of the Spanish Agency for Data Protection within one month from
the day following the notification of this resolution, or directly a
contentious-administrative appeal before the Contentious-Administrative Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative Jurisdiction, within a period of two months from the
day following the notification of this act, as provided in article 46.1 of the
aforementioned Law.


                                                                               1188-080921
Mar España Martí
Director of the Spanish Data Protection Agency