AEPD (Spain) - EXP202200999

From GDPRhub
Revision as of 10:00, 4 January 2023 by Kk (talk | contribs) (added two sentences to the holding about Article 6(1)(b) GDPR and explained why consent was invalid)
AEPD - PS-00204-2022
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Article 12 GDPR
Article 15 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 15.12.2022
Published:
Fine: 20.000 EUR
Parties: Hospital Recoletas Ponferrada
National Case Number/Name: PS-00204-2022
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Michelle Ayora

The Spanish DPA imposed a €16,000 fine on a hospital for a violation of Articles 6(1)(a), 12, and 15 GDPR. The consent request form had pre-ticked boxes and the hospital failed to grant access to a copy of that form in a timely manner.

English Summary

Facts

The data subject went to a hospital (the controller) for some health tests. They noticed that two boxes were pre-ticked when they had to read and consent to (parts of) the privacy notice. The first pre-ticked box referred to commercial communications, and the second one referred to the consent to disclose personal data regarding their stay at the hospital and their room number with third parties upon request.

Since it was an electronic consent form on a tablet, the data subject complained to the receptionist, who changed the settings and handed the tablet back, which allowed the data subject to tick the options as they wished. Later, the data subject complained in writing to the controller about the occurrence and requested a copy of the privacy notice they had signed, but did not receive it. Therefore, the data subject submitted a complaint to the Spanish DPA, which started an investigation and notified the controller about an alleged violation of Articles 6(1) and 15 in connection with Article 12 GDPR.

In its defense, the controller claimed that the pre-ticked clause about commercial communications was a human error caused by the long lines of patients waiting for their tests in the morning, which led the receptionists to change the settings to save time. Regarding the clause about communication of patients' personal data to third parties, the controller said that it did not apply to the data subject but to other patients who stayed at the hospital. The controller also mentioned that it was based on legitimate interest and was initially conceived as an opt-out box, giving patients the option to object when the privacy policy was in paper format, but the change to the electronic version on the tablet made the system present it as a pre-ticked box. Additionally, the controller implemented measures, including staff training, to prevent such incidents in the future.

The controller submitted that the data subject's written complaint was answered verbally the same day, and admitted that it was not treated as an access request. However, the controller sent a copy of the requested information once it was notified of the DPA's investigation.

Holding

The DPA noted that the lawfulness of the processing carried out by the controller for the management of the data subject's clinical history was covered by Article 6(1)(b) GDPR. However, for any other purposes, such as sharing personal data with third parties or for commercial purposes, the controller needed another legal basis, for example consent.

The DPA recalled that when processing is based on consent under Article 6(1)(a) GDPR, the consent must meet the requirements of, among others, Article 7 GDPR. The DPA observed deficiencies regarding the consent request and referred to Article 7 GDPR and Recital 32 GDPR. Specifically, the use of pre-ticked boxes rendered consent invalid, resulting in a lack of legal basis under Article 6(1) GDPR. Therefore, the DPA held that the controller unlawfully processed data for third-party sharing and commercial purposes.

Regarding the right of access, the DPA cited Recital 63 and Articles 12 and 15 GDPR and found that the written complaint submitted by the data subject to the controller expressly requested access to the copy of the privacy policy signed on the tablet. However, the controller only provided the copy after the DPA started an investigation. Therefore, the access request was not processed in a timely manner, in violation of Articles 12 and 15 GDPR.

The DPA initially imposed two fines of €10,000 each for the violation of Articles 6(1) and 15 in connection with Article 12 GDPR. The fine was reduced to €16,000 in total since the controller benefited from one reduction for acceptance of guilt and another for the voluntary payment of the fine.


English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

     File No.: EXP202200999



     RESOLUTION TERMINATING THE PROCEDURE DUE TO VOLUNTARY PAYMENT

In the procedure conducted by the Spanish Agency for Data Protection, and based on
the following
                                  BACKGROUND

FIRST: On June 20, 2022, the Director of the Spanish Agency for
Data Protection agreed to initiate sanction proceedings against HOSPITAL
RECOLETAS PONFERRADA, S.L. (hereinafter the claimed party). Once the
initiation agreement had been notified and after analyzing the allegations presented, on July 20,
2022, the proposed resolution transcribed below was issued:

<<
Procedure No.: PS/00204/2021 (EXP202200999)


       PROPOSED RESOLUTION OF SANCTION PROCEDURE

Regarding the actions carried out by the Spanish Data Protection Agency with respect to
the entity HOSPITAL RECOLETAS PONFERRADA, S.L., with CIF: B47767793
(hereinafter "the claimed party"), based on the brief presented by D.A.A.A. concerning the
alleged violation of data protection regulations: Regulation (EU)
2016/679 of the European Parliament and of the Council, of 04/27/16, on the Protection
of Natural Persons with regard to the Processing of Personal Data and the
Free Movement of such Data (GDPR), and Organic Law 3/2018, of December 5,
on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD),
and considering the following:

                                  BACKGROUND:

FIRST: On 01/10/22, this Agency received a document submitted by
the complaining party, which stated, among other things, that:

       “FIRST.- On 12/07/21 I went to the Recoletas Clinic to have some
       scheduled analyses done. When my turn came I showed the flyer and they asked me for the
       insurance card to manage the service; after that they gave me the Tablet and
       said “you have to sign this data protection document to be able to
       process the information”. I took the electronic device and began to read it and
       I told him, "I do not agree with points 2 and 3 of the form that you have
       marked (one was to share my information with third-party companies and the other
       to receive propaganda)”; the clinic employee told me: “then we
       can't assist you, without your signature nothing can be managed”. I reminded him
       that I did not refuse to sign the document but rather the items marked by them;
       I would sign ONLY with the first item that said "I authorize the clinic to manage
       my personal data…” (I am paraphrasing the document because I never

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/17








       received a copy); then she did something on the tablet and handed it back to me,
       and at that moment all the items appeared unlocked and I could
       mark those that I deemed appropriate, after which I signed with my rubric.


       Finally the nurse appeared in the emergency room and I went with her to
       do the analytics. After leaving there I filled out the claim that appears in this
       same document and which I also attach individually. In this
       claim I also stated, once more, that no one had provided me with
       a copy of what I had signed, nor even a way to access what was
       signed, as required by law (the proof of which is attached as Doc.
       No. 1).

       SECOND.- At the Clinic I asked to speak with management to state my
       discomfort with everything that happened but that day there was no one and they offered me

       file a claim assuring me that a manager would call me at that
       week. The RECOLETAS network manager asked me for an email where he
       asked the Center where he had had a bad experience, after
       tell him that same afternoon (December 15) a manager of the Clinic got
       contacted me to apologize and ensure that he had spoken with
       the person responsible for what had happened who had confirmed that they

       they always filled in the data because people were older and he told me that
       indeed this was illegal and was not going to be repeated and that he would answer me by
       written claim filed.

       The response arrived on January 7 and is the one you see attached to this document and

       in a separate file. Despite my saying so in the claim, they still have not
       given me the copy of the sheet that I signed that day nor any means to access
       it".

Along with the previous letter, the following documentation is provided:


    - Copy of the claim form (No. 00XX) filed with the Clinic, stamped
       with the date 12/07/21, in which, among other things, he reports the same facts set out
       before this Agency and indicated above and in which, in addition, he reports to
       the management of the center the following:


           - "(...) they have not provided me with the signed document as established by law."

    - Copy of the brief in response to claim No. 00XX, dated
       01/03/22, where the Clinic informs the claimant in the following terms:


               "I am writing to you in response to your Complaint letter with
               registration number 0XX, with the date of entry into our Patient
               Care Service of December 7, 2021, in which
               you express your discomfort at the inconvenience derived from having to
               sign the document of the Data Protection Law.


               We are deeply sorry for the incident and thank you for your
               claim to proceed to review compliance with the regulations of
               data protection by the hospital.


               Our clauses never appear pre-marked, although by mistake the
               admissions staff marked them instead of explaining the options so
               that they were marked by you as required by law.

               We inform you that we have reminded our staff that
               they cannot mark the clauses and that they must inform the patients of the
               options that exist each time a data protection clause is
               signed. We hope you will come back soon and see for yourself that
               clauses are not pre-marked. We are at your disposal
               for any questions or to expand the information of your claim”.

SECOND: On 02/08/22, this Agency transferred the claim
to the claimed party so that it could respond to it, in accordance with the
provisions of article 65.4 of the LOPDGDD Law. The notification attempts
resulted in the following:

    - According to the certificate of the Electronic Notifications and Electronic
       Address Service, the shipment made to the claimed entity on 02/08/22 through
       the electronic notification service "NOTIFIC@" was accepted at
       destination the same day, 02/08/22, the recipient being: (...)- B.B.B..

THIRD: On 04/10/22, the Director of the Spanish Agency for
Data Protection issued an agreement admitting the claim
presented by the claimant for processing, in accordance with article 65 of the LOPDGDD Law,
as no response had been received to the requests made by this Agency.

FOURTH: On 06/20/22, the Board of Directors of the Spanish Agency for the Protection of
Data signed the initiation of this disciplinary procedure against the claimed
entity, finding reasonable indications of violation of article 6.1 GDPR, due to
the deficiencies detected when obtaining the consent of the patients
for the subsequent processing of their personal data, imposing an initial sanction of
€10,000; and of violation of article 15 GDPR, in relation to article 12 of the
same Regulation, by not providing the claimant with access to the data
protection document signed on the Tablet, imposing an initial penalty of 10,000
euros.


FIFTH: On 07/13/22, the respondent entity formulated, in summary, the following
allegations to the initiation of the file:

       “On 12/07/21 the patient comes to the center first thing in the morning

       to carry out some analysis, moment in which long queues of
       patients who come to the hospital for fasting clinical tests,
       together with the rest of the patients who attend consultations, scheduled surgeries,
       etc.


       The admission employees, given the large influx of patients, in the context
       current pandemic, and the uneasiness to dissolve said queue and ensure that it
       comply with security measures to avoid contagion decided to


       in a timely manner to speed up the queue pre-check the boxes of the patients, something
       that should never have happened.


       You can see in Doc. 2 response to the patient the content of the
       boxes of the existing clause that day that may or may not be checked:

               [ ] I consent to the processing of my personal data
               [ ] I consent to the sending of commercial communications by
               email about activities, events or services provided that
               may be of interest to you.
               [ ] I authorize to provide information in person or by telephone, to
               third parties who request it, only in relation to their
               stay in the center, as well as the room number

               Hospital Recoletas Ponferrada S.L. - CIF: B-47767793, registered in the Mercantile
               Registry of Valladolid, Volume: 1,521; Folio: 111, Sheet: VA-29098 –
               inscription 1

       The first box is essential, since if the patients do not consent,
       their data cannot be processed.


       Regarding the second box, the consent for the sending of
       commercial communications there is a human error when adapting the
       signature box on tablets.

       The basis of legitimacy of this purpose is the legitimate interest, protected by

       an impact assessment prior to its implementation in our clauses
       informative. Therefore, in the paper clause format that was implemented
       there was a negative box that, if checked by the patients
       sending these communications was refused.


       Although, when said clause is transcribed to the Tablet, the consent, by mistake,
       the box becomes positive, not adapting to the legitimation base
       contemplated. Observing this incident, the decision has been made to modify
       the basis of legitimacy of this purpose, which, as of the end of March
       2022 has become consent.


       The admissions staff knew that this purpose was originally based on the
       legitimate interest and that therefore was negative in our clause
       of data protection on paper.

       The last box, as can be seen, applies to patients in case of

       admission to the hospital to give information to third parties, never to
       third-party companies, is a clause that was put so that patients
       they can decide if they want us to give their room number or information
       about your status to relatives, friends or related people.


       Checking this box does not apply to the service provided to this patient because it is
       ambulatory, in case of hospital admission the procedure is always
       ask the patient again about this point.


       After signing the document, the patient did not request a copy of the
       informative clause for patients signed, because if he had done so, he would have been
       delivered.


       The patient, that same day, December 7, 2021, filed a claim
       which was resolved by the manager of the center in a timely manner.

       That prior to the written response, the patient maintained a
       conversation with the manager related to the claim filed in the

       that a verbal response was given to the claim, not referring to it in the
       answer that what he wanted was a copy of what was signed, which is why the
       need to include that information in the answer was not seen, because
       otherwise, without a doubt, the data protection sheet would have been attached.


       That on February 8, notification was received from the AEPD in which we were
       transfers the claim filed by the patient and the AEPD
       ask us for more information.

       That, as observed in Doc. 4, which should have been sent on the 8th of
       March 2022 to the AEPD and did not have entry due to systems failure

       computer systems, from the moment the claim is received,
       begin to implement all kinds of measures and controls to ensure that no
       nothing similar happens again.

       THIRD.- OBTAINING CONSENT


       At the time of the event as reported to the patient on the
       data protection there are two bases of legitimacy of the treatment:

       - The management of the medical service requested as a basis of legitimation of the

       treatment of health data. In this sense, although it includes a
       checkbox to reinforce the fact that the patient is aware that
       we are treating your data the basis of legitimation is the one contained in the
       Article 6.1.b) of the GDPR.

       - The legitimate interest in sending commercial communications on the

       required medical service. Therefore, the basis of legitimacy is the
       contained in article 6.1.f) of the GDPR. The GDPR is also defined in the
       Recital 47 with the following tenor (...).

       Notwithstanding the foregoing, and despite the unfortunate incident that occurred, the

       claimant had the opportunity to read the data protection clause and
       be informed of the way in which Grupo Recoletas treats your data.

       FOURTH.- COMPLIANCE WITH THE PROVISIONS OF ART. 15 GDPR.


       In relation to the second legal basis in point IV "on the
       management of the access request made by the claimant” we refer to
       documents No. 2 and 3 attached to this claim to prove that


       After the claim filed with the AEPD, the information was transferred
       requested in compliance with art. 15 GDPR.


       Regarding the art. 12 GDPR as explained in the response to the AEPD
       which is attached as Doc. 4 the information made available to the interested party
       At the time of signing it complies with the requirements of art. 13 GDPR.

       Lastly, regarding the response to the claim filed by the
       interested party on December 7, 2021 at the Hospital, as has been
       commented, it was not treated as a right of access but as a complaint,
       answering the patient both verbally and in writing, understanding that
       this responded to his requests.

       FIFTH.- THE MEASURES ADOPTED


       Once what happened was learned and in compliance with the principle
       of proactive responsibility, the following measures were implemented:

    - Training: After analyzing the incident that occurred, it has been decided that the best
       way to fix it for the future is staff training.


       In this sense, all the Clinic staff were sent the documentation of
       training so that they could read it and a session of
       face-to-face training at the Clinic from 2:30 p.m. to 3:30 p.m.


       The attendance control sheet for said training is attached as Doc.6.

    - Review of the procedures: it has been verified in situ that currently
       comply with the procedure adapted to the provisions of the Regulation in
       regarding the way to obtain the consent of the interested parties.


       - Random control: It was checked randomly with several
       consents whether or not all the clauses were checked and
       observed that the same boxes were not always checked on the same day for
       part of the patients.


    - Creation of standard procedure: an internal, standardized procedure has been
       written for Grupo Recoletas admissions personnel, which
       includes the detail of the way in which the admissions staff must treat the
       data, request consent and information to collect. The procedure is
       attached as Doc. 7.


    - Adaptation of the data protection clause: It has been decided to modify the
       basis of legitimacy for the processing of data for the purpose of sending
       of commercial communications.


       The change in the basis of legitimation of this purpose is motivated by the
       change of instrument for obtaining consent.



       Initially the informative data protection clauses were signed in
       paper and in each section the pertinent boxes were included, so that the
       The patient read the paragraph and decided whether or not to check the box.


       Box that in the purpose of commercial communications was negative (if not
       was marked was tacitly accepted based on legitimate interest)

       When tablets were introduced, the boxes had to be included at the end, all
       together, in this way when adapting the clauses to the Tablet the box remained in

       affirmative but the legitimation continued as a legitimate interest.

       Finally, aware of this issue, it has been decided to modify the basis of
       legitimation of this purpose to express consent in the
       data protection clause, since it has been verified that the clause
       that appears on the Tablet requests express consent (and is not based on
       legitimate interest) for the treatment of the data with the purpose of carrying out
       commercial communications; for this reason the legitimacy
       of the treatment and the wording of that purpose have been changed, the basis of legitimacy
       of said clause being the consent of the interested party. The current
       data protection clause is attached as Doc. 8.


       - Response to the interested party: As already mentioned, it has been
       replied to the interested party by sending the signed data protection clause,
       the answer corresponds to Doc. 2.


       SIXTH.- THE PROPOSED SANCTION

       In accordance with all of the above, we understand that Grupo Recoletas has
       at all times had a proactive attitude focused on eliminating any
       risk that may occur in the processing of the data of the interested parties.


       In this sense, we understand that the proposed sanctions are not
       appropriate, since the precepts 6.1 and 15 GDPR have not been breached.

       Notwithstanding the foregoing, if the AEPD does interpret that there is
       infraction, the points of article 83 would be applicable as mitigating

       GDPR:

       c) any measure taken by the controller or processor
       to alleviate the damages and losses suffered by the interested parties;


       We refer to the measures imposed in the previous section.

       e) any previous infringement committed by the person in charge or in charge of the
       treatment; Lack of previous sanctions by the Hospital
       Recoletas Ponferrada, S.L.


       k) any other aggravating or mitigating factor applicable to the circumstances of the
       case, such as the financial benefits obtained or the losses avoided, direct
       or indirectly, through the infringement.


       In the absence of financial benefits obtained or losses avoided, the Group
       Recoletas we try to be very scrupulous with the fulfillment of the

       data protection regulations, otherwise apart from possible sanctions
       implies deterioration of our brand image at a reputational level with the
       loss of customers that this may entail.

       Article 83.1 GDPR establishes the following: “Each control authority
       shall ensure that the imposition of administrative fines in accordance with
       this article for the violations of this Regulation indicated in
       paragraphs 4, 5 and 6 is in each individual case effective, proportionate and
       dissuasive”.
                                PROVEN FACTS


First: According to the claimant, when he went to the Recoletas Clinic to have
some analyses done, at the reception they gave him a Tablet to sign the data
protection document, and he noticed that the boxes on the form were pre-ticked on the
accepted option. When he refused to accept points 2 and 3 of the form, the
receptionist did something on the Tablet and handed it back with the items unchecked,
so that the patient could then mark those he considered appropriate.


These facts were corroborated by the Clinic in the letter sent to the claimant
in response to the claim filed (Nº 00XX), in which they inform him, regarding
the pre-marked boxes, of the following: "(...) Our clauses never appear
pre-marked, although the admissions staff mistakenly marked them instead of explaining
the options so that they were marked by you as established by law (…)”.

Second: The claimant provides, together with the document submitted to this Agency, a copy of the
aforementioned claim form (No. 00XX) that he filed with the Clinic, stamped with the date
12/07/21, in which, in addition to reporting the facts set forth in the first section, he
indicates the following to the Center's Management: "(...) they have not provided me with the document
signed as required by law."

Third: In the written response to the claim submitted by the claimant
to the Clinic, in addition to apologizing for the events that occurred and
acknowledging that the boxes were pre-ticked on a specific occasion due to
an error by the reception staff, the Clinic informed him that it had given an order to the
staff not to pre-check the boxes again before offering the Tablet to
patients. But at no time is the patient informed about his request for
access to the signed document on the Tablet.


Fourth: In the brief of allegations presented by the Clinic at the initiation of
this disciplinary procedure, it indicates that the following measures have been
implemented so that the events indicated in the previous points do not happen again,
providing the following documentation:


    - Training on data protection procedures. The attendance control
       sheet for said training is attached as Doc. 6.



    - Review of the procedures: it has been verified in situ that currently
       comply with the procedure adapted to the provisions of the Regulation in
       regarding the way to obtain the consent of the interested parties.

    - Random control: It was checked randomly with several consents
       whether or not all the clauses were checked and it was observed that they were not
       always on the same day the same boxes were marked by the
       patients.
    - Creation of standard procedure: an internal, standardized procedure has been
       written for Grupo Recoletas admissions personnel, which
       includes the detail of the way in which the admissions staff must treat the
       data, request consent and information to collect. The procedure is
       attached as Doc. 7.
    - Adaptation of the data protection clause: It has been decided to modify the
       basis of legitimacy for the processing of data for the purpose of sending

       of commercial communications. Data protection clause is attached
       current as Doc. 8.
    - Reply to the interested party, sending the data protection clause
       signed, the answer corresponds to Doc. 2.

                           LEGAL GROUNDS


       I.- Competence

The Director of
the Spanish Data Protection Agency, by virtue of the powers established in

Article 58.2 of the GDPR and the LOPDGDD Law.

       II.- On the deficiencies observed in obtaining the consent of the
       patients.


On the legality of the processing of personal data, recital (40) GDPR
indicates that:

       For processing to be lawful, personal data must be processed with
       the consent of the interested party or on some other established legitimate basis
       in accordance with Law, either in this Regulation or by virtue of another

       Law of the Union or of the Member States referred to in this
       Regulation, including the need to comply with the legal obligation applicable to the
       controller or the need to perform a contract in which
       whether the interested party is a party or in order to take measures at the request of the
       interested party prior to the conclusion of a contract.


And in application to this, article 6.1 of the GDPR, establishes, on the legality of the
treatment of personal data obtained from users the following:

    1. The treatment will only be lawful if at least one of the following is fulfilled

       conditions: a) the interested party gave his consent for the treatment of his
       personal data for one or more specific purposes; b) the treatment is
       necessary for the performance of a contract in which the interested party is a party or
       for the application at his request of pre-contractual measures; c) the

        processing is necessary for compliance with an applicable legal obligation
        to the data controller; d) processing is necessary to protect
        vital interests of the data subject or of another natural person; e) the treatment is

        necessary for the fulfillment of a mission carried out in the public interest or in
        the exercise of public powers conferred on the data controller; f) the
        processing is necessary for the satisfaction of legitimate interests
        pursued by the data controller or by a third party, provided that
        such interests are not overridden by the interests or the rights and freedoms
        of the interested party that require the protection of personal data,

        in particular when the interested party is a child.

In the present case, the legality of the processing of personal data carried out by the Clinic
ca for the management of the claimant's clinical history is covered in point b) of the
Article 6.1 GDPR: "b) the treatment is necessary for the execution of a contract in

to which the interested party is a party (…)”.

But for any other purpose to which it is intended to dedicate the personal data obtained,
must be protected in some other point of the aforementioned article 6.1 GDPR, if it does not have
fit in section b). Therefore, in our case, when the Clinic intends to use
personal data to transfer them to third parties or to send you commercial communications

cials, requests the consent of the affected party through the existing boxes in the
form to be signed at the Clinic reception.

However, what the claimant denounces is that when he went to sign the document
accepting the privacy policy, he found that the boxes corresponding to
consent to transfer personal data to other companies and to
receive commercial communications were already marked "I accept".

In this case, when the processing of personal data is based on the
consent of the interested party, article 7 of the GDPR establishes the following:


       1. When the treatment is based on the consent of the interested party, the
       person responsible must be able to demonstrate that the interested party consented to the
       treatment of their personal data.

       2. If the consent of the interested party is given in the context of a written
       statement that also refers to other matters, the request for consent will be
       presented in such a way that it is clearly distinguished from the other matters, in an
       intelligible and easily accessible form and using clear and simple language. No
       part of the statement that constitutes a breach of the
       present Regulation will be binding.


       3. The interested party will have the right to withdraw their consent at any
       moment. The withdrawal of consent will not affect the legality of the treatment
       based on consent prior to its withdrawal. Before giving their consent,
       the interested party will be informed of it. It will be as easy to withdraw
       consent as to give it.

       4. When evaluating whether the consent has been freely given, the greatest
       possible account will be taken of whether, among other things, the execution of a

       contract, including the provision of a service, is made conditional on consent to the
       processing of personal data that is not necessary for the execution of
       said contract.


And regarding the way to obtain said consent, recital (32) GDPR
provides that it:

       "It must be given by a clear affirmative act that reflects a
       free, specific, informed and unequivocal manifestation of the will of the interested party to accept the
       processing of personal data concerning them" and that "silence,
       boxes already checked or inaction should not constitute consent."
       Likewise, consent is required to be granted: "for all
       processing activities carried out for the same purpose or purposes. When
       the processing has multiple purposes, consent must be given for all of
       them". Finally, it establishes that: "if the consent of the interested party has to be
       given as a result of a request by electronic means, the request must be clear,
       concise and not unnecessarily disrupt the use of the service for which it is
       provided".

Therefore, the fact that the person responsible for the processing of personal data
obtained from the patients of the Clinic obtains their consent through a
form where the boxes for the purposes for which the data will be used, apart from
the management of the patient's clinical history, are already marked "I accept",
could constitute a violation of article 6.1 of the GDPR.


Notwithstanding the foregoing, the Clinic management acknowledges that the boxes
were pre-marked on a specific occasion due to an error by the reception staff,
who pre-checked the boxes before offering the Tablet to the patient to
sign, and that it had ordered the staff not to do it again. Although
measures have been implemented so that this does not happen again in the future, this action does not
in itself reduce the harm suffered by the patient; all that has occurred
is the action required by the rule, and only for the future.

Nor can the mitigating circumstance of article 83.2.e), "any
previous infraction committed by the person responsible or the person in charge of the treatment", be applied, because
this section would only fit as an aggravating circumstance when the entity had
previously committed other similar infractions. Therefore, we proceed to issue the
following:

       II.- On the management of the access request made by the claimant.


Regarding the right of access of the interested parties to their personal data, the
recital (63) GDPR indicates that:

       Interested parties must have the right to access the personal data
       collected that concern them and to exercise this right with ease and at
       reasonable intervals, in order to know and verify the legality of the treatment.
       This includes the right of the interested parties to access data related to their
       health, for example, the data in their medical records that contain
       information such as diagnoses, test results, evaluations of

       physicians and any treatments or interventions performed. Every
       interested party must, therefore, have the right to know and to be
       informed of, in particular, the purposes for which the personal data
       is processed, its treatment period, its recipients, the logic implicit in
       any automatic processing of personal data and, at least when
       based on profiling, the consequences of said treatment. If
       possible, the data controller should be empowered to provide
       remote access to a secure system that offers the interested party direct
       access to their personal data. This right must not adversely affect
       the rights and freedoms of third parties, including trade secrets or
       intellectual property and, in particular, the intellectual property rights that
       protect computer programs. However, these considerations must not
       result in the refusal to provide all information to the
       interested party. If the controller processes a large amount of data relating to the interested party, the
       controller should be empowered to request that, before the
       information is provided, the interested party specify the information or
       treatment activities to which the request refers.

In this sense, article 15 GDPR establishes the following:


       1. The interested party shall have the right to obtain from the data controller
       confirmation of whether or not personal data concerning them is being processed
       and, in such case, right of access to the personal data and to the following
       information: a) the purposes of the treatment; b) the categories of personal data
       concerned; c) the recipients or categories of recipients to whom
       the personal data were communicated or will be communicated, in particular
       recipients in third parties or international organizations; d) if possible, the
       expected period of conservation of the personal data or, if this is not possible,
       the criteria used to determine this term; e) the existence of the right to
       request from the person in charge the rectification or deletion of personal data or the
       limitation of the processing of personal data relating to the interested party, or to
       oppose such treatment; f) the right to file a claim with
       a control authority; g) when the personal data has not been obtained
       from the interested party, any available information about its origin; h) the
       existence of automated decisions, including profiling,
       referred to in Article 22, paragraphs 1 and 4, and, at least in such cases,
       significant information about the applied logic, as well as the importance and
       expected consequences of such processing for the data subject.

       2. When personal data is transferred to a third country or to an
       international organization, the interested party shall have the right to be informed of the
       adequate guarantees under article 46 relating to the transfer.

       3. The controller will provide a copy of the personal data
       that is the object of treatment. The person in charge may charge, for any other copy
       requested by the interested party, a reasonable fee based on the administrative
       costs. When the interested party submits the application by electronic
       means, and unless the latter requests that it be provided otherwise, the
       information will be provided in a commonly used electronic format.


       4. The right to obtain a copy mentioned in section 3 will not adversely
       affect the rights and freedoms of others.


Whereas, Article 12 of the GDPR establishes that:

       "1. The person responsible for the treatment will take the appropriate measures to provide the
       interested party with all information indicated in articles 13 and 14, as well as
       any communication pursuant to articles 15 to 22 and 34 relating to the
       treatment, in a concise, transparent, intelligible and easily accessible form, with
       clear and simple language, in particular any information directed
       specifically at a child. The information will be provided in writing or by other
       means, including, if applicable, by electronic means. When requested by the
       interested party, the information may be provided verbally provided that
       the identity of the interested party is proven by other means.

       2. The data controller will facilitate the interested party's exercise of their
       rights under articles 15 to 22. In the cases referred to in
       Article 11(2), the controller shall not refuse to act at the request of the
       interested party in order to exercise their rights under articles 15 to 22,
       unless it can demonstrate that it is unable to identify the
       interested party.

       3. The person in charge of the treatment will provide the interested party with information regarding
       its actions on the basis of a request under articles 15 to
       22, and, in any case, within one month from receipt of the
       request. This period may be extended by another two months if necessary,
       taking into account the complexity and number of requests. The person responsible
       will inform the interested party of any of said extensions within a period of one
       month from receipt of the request, indicating the reasons for the delay.
       When the interested party submits the request by electronic means, the
       information will be provided by electronic means where possible, unless
       the interested party requests that it be provided in another way.

       4. If the person responsible for the treatment does not process the request of the interested party, he
       will inform them without delay, and no later than one month after receipt of the
       request, of the reasons for not acting and of the possibility of filing
       a claim before a control authority and of bringing legal
       action.(…)"

In the present case, it has been verified that in the brief that the claimant submitted
to the management of the Clinic, he denounced verbatim "not having received the
data protection document signed on the Tablet", but the reply from
the Clinic management makes no reference to this fact at any
point, nor is said information provided.

Faced with this, the Clinic indicates in its brief of allegations to the initiation of this
disciplinary procedure that: "(...) we refer to documents No. 2 and 3
attached to this claim to prove that after the claim filed before
the AEPD the information requested was transferred in compliance with art. 15 GDPR", on
the basis of the requirement set forth by this Agency regarding the measure to be adopted by

the claimed party, in the brief initiating this proceeding, and that, as regards
the response to the claim filed by the interested party on the 7th of
December 2021 at the Hospital, "(...) it was not treated as a right of access but rather
as a complaint, answering the patient both verbally and in writing, understanding
that their requirements were being responded to."

Therefore, according to the available evidence, after the analysis
carried out on the documents provided by the requested entity, it is verified that
the claimant's right of access has been answered after the claim filed
before the AEPD, but this action does not in itself reduce the
harm suffered by the individual concerned; all that has occurred is the
action required by law.

Nor can the mitigating circumstance of article 83.2.e), "any
previous infraction committed by the person responsible or the person in charge of the treatment", be applied, because
this section would only fit as an aggravating circumstance when the entity had
previously committed other similar infractions. Therefore, we proceed to issue the
following:

                           PROPOSED RESOLUTION


FIRST: That the Director of the Spanish Data Protection Agency
sanction the entity HOSPITAL RECOLETAS PONFERRADA, S.L., with CIF.: B47767793,
for violation of article 6.1 of the GDPR, with respect to the
deficiencies detected when obtaining the consent of the patients,
in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, on the
Common Administrative Procedure of Public Administrations (LPACAP),
imposing a penalty of 10,000 euros.

SECOND: That the Director of the Spanish Data Protection Agency
sanction the entity HOSPITAL RECOLETAS PONFERRADA, S.L., with
CIF.: B47767793, for violation of article 15 of the GDPR, in relation to article 12 of the
same Regulation, in accordance with the provisions of articles 63 and 64 of Law
39/2015, of October 1, on the Common Administrative Procedure of
Public Administrations (LPACAP), imposing a penalty of 10,000 euros.


By virtue of this, you are notified of the foregoing, and the procedure is made available to you
so that within ten business days you can allege whatever you consider in your
defense and present the documents and information that you deem pertinent, in
accordance with article 89.2 in relation to art. 82.2 of Law 39/2015, of October 1,
on the Common Administrative Procedure of Public Administrations.


C.C.C.
THE PROCEDURE INSTRUCTOR

List of documents pending in Procedure PS/00204/2022. The list of documents pending in the
procedure is notified so that you can obtain copies of those you deem appropriate, by appointment:

1. Complaint and documentation
2. Petition and Reports.
3. Agreement to start the disciplinary procedure.
4. Allegations to the initiation agreement and attached documents.
5. Beginning of the test practice period, notification to the accused.






>>


SECOND: On October 31, 2022, the claimed party proceeded to pay
the sanction in the amount of 16,000 euros, making use of the reduction provided for in
the proposed resolution transcribed above.


THIRD: The payment made entails the waiver of any action or appeal
against the sanction, in relation to the facts referred to in the
proposed resolution.

                            FUNDAMENTALS OF LAW


                                             I
                                      Competence

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter GDPR) grants each
control authority, and as established in articles 47, 48.1, 64.2 and 68.1 of
Organic Law 3/2018, of December 5, on the Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish
Data Protection Agency is competent to initiate and resolve this procedure.


Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
of Regulation (EU) 2016/679, by this organic law, by the regulatory provisions
issued in its development and, insofar as they do not contradict them, on a
subsidiary basis, by the general rules on administrative procedures."

                                            II

                             Termination of the procedure

Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure
of Public Administrations (hereinafter LPACAP), under the heading
"Termination in disciplinary proceedings" provides the following:

"1. Once a disciplinary procedure has been initiated, if the offender acknowledges his responsibility,
the procedure may be resolved with the imposition of the appropriate sanction.

2. When the sanction has only a pecuniary nature or it is possible to impose a
pecuniary sanction and another of a non-pecuniary nature but the
inadmissibility of the second has been justified, the voluntary payment by the presumed perpetrator, at
any moment prior to the resolution, will imply the termination of the procedure,
except in relation to the restoration of the altered situation or the determination of the
compensation for damages caused by the commission of the offence.

3. In both cases, when the sanction is solely pecuniary in nature, the
body competent to resolve the procedure will apply reductions of at least
20% of the amount of the proposed penalty, these being cumulative among themselves.
The aforementioned reductions must be determined in the notification of initiation
of the procedure and their effectiveness will be conditional on the withdrawal or waiver of
any administrative action or appeal against the sanction.

The percentage reduction provided for in this section may be increased
by regulation."

According to what has been stated,

the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: DECLARE the termination of procedure EXP202200999,
in accordance with the provisions of article 85 of the LPACAP.

SECOND: NOTIFY this resolution to HOSPITAL RECOLETAS PONFERRADA, S.L.

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once the interested parties have been notified.


Against this resolution, which puts an end to the administrative process as prescribed by
art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure
of Public Administrations, interested parties may file a
contentious-administrative appeal before the Contentious-Administrative Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-Administrative Jurisdiction, within a period of two months from the
day following the notification of this act, as provided for in article 46.1 of the
referred Law.

968-171022

Mar España Martí
Director of the Spanish Data Protection Agency