AEPD (Spain) - PS-00204-2022
Relevant Law: Article 6(1) GDPR; Article 12 GDPR; Article 15 GDPR
Parties: Hospital Recoletas Ponferrada
National Case Number/Name: PS-00204-2022
European Case Law Identifier: n/a
Original Source: AEPD (in ES)
Initial Contributor: Michelle Ayora
The Spanish DPA imposed a €16,000 fine on a hospital for a violation of Articles 6(1)(a), 12, and 15 GDPR. The consent request form had pre-ticked boxes and the hospital failed to grant access to a copy of that form in a timely manner.
English Summary
Facts
The data subject went to a hospital (the controller) for some health tests. They noticed that two boxes were pre-ticked when they had to read and consent to (parts of) the privacy notice. The first pre-ticked box referred to commercial communications, and the second one referred to the consent to disclose personal data regarding their stay at the hospital and their room number with third parties upon request.
Since it was an electronic consent form on a tablet, the data subject complained to the receptionist, who changed the settings and handed the tablet back so that the data subject could tick the options as they wished. Later, the data subject complained in writing to the controller about the occurrence and requested a copy of the privacy notice they had signed, but did not receive it. Therefore, the data subject submitted a complaint before the Spanish DPA, which started an investigation and notified the controller about an alleged violation of Articles 6(1) and 15 in connection with Article 12 GDPR.
The controller submitted that the data subject's written complaint was answered verbally the same day, and admitted that it had not been treated as an access request. However, the controller sent a copy of the requested information once it was notified of the DPA's investigation.
Holding
The DPA noted that the lawfulness of the processing carried out by the controller for the management of the data subject's clinical history was covered by Article 6(1)(b) GDPR. However, for any other purposes, such as sharing personal data with third parties or for commercial purposes, the controller needed another legal basis, for example consent.
The DPA recalled that when processing is based on consent under Article 6(1)(a) GDPR, the consent must meet the requirements of, among others, Article 7 GDPR. The DPA observed deficiencies regarding the consent request and referred to Article 7 GDPR and Recital 32 GDPR. Specifically, the use of pre-ticked boxes rendered consent invalid, resulting in a lack of legal basis under Article 6(1) GDPR. Therefore, the DPA held that the controller unlawfully processed data for third-party sharing and commercial purposes.
The DPA initially imposed two fines of €10,000 each for the violation of Articles 6(1) and 15 in connection with Article 12 GDPR. The total was reduced to €16,000 because the controller benefited from two reductions: one for acknowledging responsibility and another for voluntary payment of the fine.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.