AEPD (Spain) - PS/00187/2019

From GDPRhub
AEPD - PS/00187/2019
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 4(11) GDPR
Article 5(1)(a) GDPR
Article 6(1)(a) GDPR
Article 83(5)(a) GDPR
Type: Complaint
Outcome: Upheld
Decided: n/a
Published: 25. 2.2020
Fine: 48.000 €
Parties: Anoymous
National Case Number/Name: PS/00187/2019
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in es)
Initial Contributor: n/a

The AEPD fined 48 000 € a Spanish hospital group for the violation of Articles 5(1)(a) and 6(1)(a) GDPR, and thus, for the processing of personal data without any legal basis. The AEPD ruled that the data controller obtained the data subject's consent for the sharing of personal data to third parties through "opt-out" clause.

English Summary


The AEPD examined a complaint submitted against HM HOSPITALES 1989, S.A. for failing to properly obtain the complainant’s consent. The complainant argued that at the moment of her admission in the Hospital, she was requested to fill in a form which, among others, included the following clauses in relation to the treatment of her personal data:

“If you do not wish your personal data to be provided to third parties, check this box Likewise, and unless expressly stated, I authorize HM HOSPITALES 1989, S.A., as the person responsible for the file, to use the patient's personal data to send information about their products and services, being able to revoke this consent at any time. If you do not want to authorize the sending of advertising, check this box”

Therefore, the complainant argued that the method used by the Hospital to obtain her consent was not only confusing but contrary to GDPR, specifically, articles Articles 5(1)(a) and 6(1)(a) GDPR.

Though the Hospital acknowledged that the form was not adapted to the new GDPR rules, it also stated that the information given to the patients is in accordance with articles 13 and 14 GDPR. Moreover, it argued that in this specific case, the complainant had an insurance company, this made it absolutely necessary to transfer her personal data in order to proceed with the payment of the expenses derived from the medical services requested.


Does the GDPR allow the data controller to obtain the consent through "opt-out" clauses, only oferring the possibility for the data subject to expressly object to the sharing of her personal data with third party?


The AEPD hold that HM HOSPITALES 1989, S.A. obtained consent through the inaction of the complainant, and therefore acted contrary to the GDPR. It clarified that a pure inaction (the "opt-out") cannot ensure that the interested party unequivocally grants consent. Moreover, by using the double denial in its clauses, it creates confusion and also requires extra attention from the data subject. The AEPD concluded that this method should be regarded as tacit consent (the consent is deducted from inaction) and therefore contrary to the GDPR within the meaning of Article 4(11) GDPR.

For all the above, the AEPD hold that HM HOSPITALES 1989, S.A. breached Articles 5(1)(a) and 6(1)(a) GDPR and therefore, imposed a fine of €48,000 pursuant to Article 83(5) GDPR.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the **Spanish** original. Please refer to the **Spanish** original for more details.

to be completed