AEPD (Spain) - PS/00250/2021

From GDPRhub
Revision as of 20:52, 5 July 2021 by Cvl (talk | contribs) (→‎Holding)
AEPD (Spain) - PS/00250/2021
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR
Article 32(1)(b) GDPR
Article 32(2) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 01.07.2021
Published:
Fine: None
Parties: Servicio Extremeño de Salud
National Case Number/Name: PS/00250/2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: Resolucion de Procedimiento Sancionador (in ES)
Initial Contributor: Silvia Lorenzo Perez

The Spanish DPA (AEPD) warned a regional health service for failing to put in place appropriate security measures to prevent access to patient’s medical history to unauthorised persons, in breach of Article 5(1)(f) and Article 32 GDPR.

English Summary

Facts

A data subject filed a complaint with the Spanish DPA (AEPD) claiming that a nurse employed by the regional health service of Extremadura (hereinafter “SES”) had unlawfully accessed his/her medical history without an authorisation from the complainant and without having any relation with the data subject that justified such access under national and EU law.

As part of the investigation the AEPD requested the following information from the SES:

  1. The causes that enabled the unlawful access from a third party;
  2. Detailed descriptions of the actions taken to halt the undue access to the patient’s information and to minimise the adverse effect on the data subject;
  3. Measures taken to prevent similar occurrences in the future;
  4. A copy of the risks assessment carried out as well as the data protection impact assessment, if any;
  5. Details of the technical and organizational measures adopted to guarantee a level of security appropriate to the risks detected with relation to the access by health personnel to the medical records of the patients and the security policy adopted by the entity in relation to it.

The SES replied that the patient's right to access includes “knowing in any case who has accessed your health data, the reason for access and the use that has been made of it". In order to effectively execute this right, the IT system that supports clinical information of patients requires the existence of a relationship that legitimizes the access of the healthcare professional to a specific medical record. Hence, when a healthcare professional requests access to the history of a patient being treated the IT system automatically understand that the relation is “medical care” between a healthcare provider and a patient. The person requesting access must also provide a specific reason.

The SES did not provide the risks assessment nor the data protection impact assessment as requested by the AEPD.

Holding

The AEPD found that the access by the third party unrelated to the claimant to his clinical history was unlawful because the selection of the reason for accessing the clinical history of a patient had not been not verified with the actual profile of the user. Hence, it held that there had been a violating the principles of integrity and confidentiality established in Article 5(1)(f) GDPR.

The AEPD held that medical histories are special categories of data under Article 9, the processing of which entails a number of risks that must be identified and addressed properly with adequate security measures to safeguarding the integrity and confidentiality of this data. These risks must be taken into account by the data controller who must establish the necessary technical and organizational measures to prevent the loss of control of the data by the person responsible for the treatment and, therefore, by the holders of the data that provided them.

However, in its investigation the AEPD did not find evidence that the mandatory risk analysis and the recommended impact assessment had been carried out by the SES. Moreover, the AEPD pointed that the SES had failed to put in place a process of verification, evaluation and continuous assessment of the effectiveness of the technical and organizational measures to guarantee the security of the processing. As a result, the AEPD held that technical and organizational measures implemented in the IT system were deficient and in breach of Article 32(1)(b) and (2), for what it warned the controller.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                                1/14








     Procedure No.: PS / 00250/2021

                RESOLUTION OF SANCTIONING PROCEDURE


Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following

                                  BACKGROUND


FIRST: The inspection actions are initiated by the receipt of a written statement of
claim of A.A.A. (hereinafter, the claimant), in which they state that they have
produced improper access to his medical history by a worker of the
Extremadura Health Service (hereinafter SES), with professional category of
nurse. The accesses are made without the authorization of the claimant and without mediation

a relationship that justifies it.

The claimant adds that improper accesses are perfectly identified in
the Certificate of access to the clinical history, issued on 08/14/2020 by the Management of the
Badajoz Health Area of the Extremadura Health Service (SES) in response to the

Official letter issued by the Court of Instruction No. 2 of Badajoz, in which there are 5
accesses produced between 02/10/2007 to 15/07/2019. Indicates that more accesses are missing
undue, which are pending obtaining by the Court.

Relevant documentation provided by the claimant:


- Certificates issued by the Court of Instruction No. 2 of Badajoz admitting for processing
Complaint for revealing secrets and agreeing to take evidence.

-Certificate of access to the clinical record in the information system of the
SES of the claimant dated 08/14/2020.


SECOND: In view of the notified facts and the documents provided by the
SES, the Subdirectorate General for Data Inspection proceeded to carry out
preliminary investigation actions to clarify the facts described
in the previous sections, by virtue of the powers of investigation granted to the

control authorities in article 57.1 of Regulation (EU) 2016/679 (Regulation
General Data Protection, hereinafter RGPD), and in accordance with the
established in Title VII, Chapter I, Second Section, of Organic Law 3/2018,
of December 5, Protection of Personal Data and guarantee of rights
digital (hereinafter LOPDGDD), having knowledge of the following

extremes:

 BACKGROUND

Date on which the claimed events took place: July 15, 2019


Claim entry date: October 13, 2020

Claimant: A.A.A. (the claimant)


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/14








Claimed: EXTREME HEALTH SERVICE (SES)
INVESTIGATED ENTITIES


SERVICIO EXTREMEÑO DE SALUD, with NIF S0611001I, and with address at Avda.de
las Américas 2, 06800 Mérida, Badajoz.

RESULT OF RESEARCH ACTIONS

On 11/12/2020 the claim was transferred to the SES within the framework of the

reference actions E / 9118/2020. The transfer document was collected on the day
11/23/2020 according to your acknowledgment of receipt. After the term granted, on 02/10/2021
resolution is issued admitting the claim and urging the present actions of
inspection.


On 02/16/2021, information and documentation was requested on the events at the
SES, having received no response as of the date of this report. The
The request was collected on 02/22/2021, according to acknowledgment of receipt. Attached to
request made the document for the transfer of the claim issued
above, indicating that there is no answer to it.


In the request made, the following information was requested from the SES:

1.- Copy of the report prepared and supporting documentation in relation to the
facts, which will contain the following aspects:


       1–1. Detailed specification of the causes that have made the events possible.

       1–2. Detailed description of the actions taken in order to minimize
       adverse effects and for the final resolution of the incident, indicating the date and
       time of action taken.


       1-3. Measures taken to prevent similar incidents from occurring,
       implementation dates and controls carried out to verify their effectiveness.

2.- Regarding the security of the processing of personal data previously
to the facts:


       2-1. Documentation accrediting the Risk Analysis that has led to the
       implementation of security measures and copy of the Evaluations of
       Impact, if any.


       2-2. Detail those technical and organizational measures adopted to
       guarantee a level of security appropriate to the risks detected with
       relation to the access by health personnel to the medical records of the
       patients. Security policy adopted by the entity in relation to it.


However, on 04/05/2021 a reply was received from the SES to the transfer
carried out on 11/12/2020 within the framework of the reference actions E / 09118/2020, in
the following terms:


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/14









"I. ABOUT THE BACKGROUND

The aforementioned letter requests this Public Administration to rule on the
a claim received by the citizen -the claimant- on the 13th of

October 2020.

In this communication it is requested:

     The decision made regarding this claim.

     In the event of exercising the rights regulated in articles 15 to
    22 of the RGPD, accreditation of the response provided to the claimant.
     Report on the causes that have motivated the incident that has originated
    the claim.
     Report on the measures adopted to prevent the occurrence of

    similar incidents, implementation dates and controls carried out to
    check its effectiveness.
     Any other that you consider relevant.
     In this sense, this document complies with said request,

    providing in Annex 1 the communications with the claimant and, in the rest of the
    sections of this document, the information requested by the AEPD.

II. ABOUT THE ACCESS CONTROLS ALREADY ESTABLISHED IN THE
EXTREME HEALTH SERVICE


The Extremadura Health Service (hereinafter, SES) is an autonomous body of
administrative nature, dependent on the Ministry of Health and Dependency of the
Junta de Extremadura, which is entrusted with exercising the powers of
administration and management of health services, benefits and programs that governs their
operation by national and regional regulations that are applicable.


In this sense, the Law of the Autonomous Community of Extremadura 3/2005, of 8
July, on health information and patient autonomy, regulates in its article 35.3 the
The patient's right to access and obtain copies or certificates of the
documents that appear in your medical history, such as “knowing in any case who has
accessed your health data, the reason for access and the use that has been made of

they". Well, on the exercise of this right, which has been requested by the
claimant, it cannot be inferred from the documentation provided that there has been
any breach on the part of this Administration since, in view it is that this
information is in the hands of the complainant.

Translated this right to the information system that supports clinical information

of patients in the Extremadura Health Service, it should be noted that the execution
effective of this right to know who and for what access to the Clinical History,
translates into the necessary existence of a relationship that legitimizes the access of the
healthcare professional to a specific Medical Record. For this reason, when accessing the
History of a patient currently being treated at the workplace
clinical (be Hospitalization, Outpatient Consultations, Functional Tests, Hospital of

Day, Operating Room ...), the computer system automatically understands that the reason
Access is Healthcare, and this is reflected in said system. However, this is not a
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/14








automatic process, but the system only allows access to
patients who are either under active treatment or are on the agenda
of the professional or, they belong to the patients assigned to him in his quota.


When the Medical History is accessed by searching for a patient (not
selecting it directly from a job list), the system forces you to choose a
access reason from among those configured for each profile. In this
In this sense, the following will appear to a specialist in Specialized Care:


      The Patient Management reason is selected when accessing the History
     is related to an action to be performed on a patient who is not
     is in the Clinical Workstation at that time, such as consultation or
     documentation review, reporting, prior preparation of
     consultation or surgical intervention, review of clinical orders and citations ...


      The Research Study motif is selected, as its own name
     indicates, when access to the Medical History is related to work of
     research in which that patient is included.


      The DCL Request reason will be used when access to the History is made
     to respond to a Request for Clinical Documentation from the
     own patient or an authorized person.


      The Occupational Disability reason is only available to profiles of
     Inspection and will select it when access to History is related to
     an occupational problem of the patient.

      Access ONLY to the Patient Diary is not a reason for accessing the

     Record; is the name with which access to the Agenda is identified
     in the log of records of accesses to the patient's Agenda.

However, even if this access filter has been established, this does not imply that the
access is total, since each of the reasons that would legitimize access and that

just outlined does not imply unrestricted access to clinical information.
Therefore, each of the accesses is accompanied by access restrictions, since
that full access to health information would not make sense when the reason for
justifies access is an administrative reason.


In this way, the Extremaduran public health regulations governing the SES,
is a regulation that offers greater rights to citizens regarding their
clinical information; this with the recognition of the right to know who has
accessed your health information. The exercise of this right, as well as the guarantee
of the confidentiality of the health information processed in the SES becomes effective
through access controls to clinical information.


Therefore, it can be inferred that the accesses referred to by the complainant occurred
fulfilling the requirements of legitimacy of access that are derived from the
obligations of the data protection regulations and those imposed by
internally from the Extremadura Health Service. Thus, in Fact TWO

used as an argument, the idea that, as noted, the
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/14








access was made taking advantage of her “professional category of nurse”, since,
If the situations described in this section did not occur, access would not have been
possible. Therefore, it is not possible to understand as valid the argument used that

produced an access “without mediating between them a care relationship of
nurse / patient ”since the system requests for access to clinical information
the existence of a reason that legitimizes the access.

Likewise, the arguments described in Fact must also be rejected.
THIRD, where the accesses made by Mrs. B.B.B. are noted, since

all accesses to the information should and were, motivated by any of the
the scenarios anticipated and detailed in advance.

III. ABOUT THE FORUM


This part does not attempt to question the authority of the AEPD, nor the information
provided by the complainant; However, the SES in its responsibility does not consider
appropriate to respond to complaints or requests that do not start from a solid base. In this
In this sense, the FIRST Fact of the brief presented by the complainant refers to
facts that must be understood as subjective or, at least, hardly
objective, such as the exercise of "strict control over life and person"

that did not allow the complainant "to develop a normal life and rebuild his life
sentimental".

As it is not objectifiable information, the SES considers that it should not pronounce in
this sense and that, rather, corresponds to another area, specifically the bodies

judicial, establish if the facts are as reported. Understand, then,
that there is a spirit of this Administration to collaborate, insofar as it is
possible, but that it is understood that the events denounced have to do with
actions or omissions typified in the Penal Code on which the SES could not
do something else other than collaborate with the judicial bodies that resolve them.


Defined the legitimacy of the accesses to the information of a patient (the complainant)
by a public health system worker (the one denounced), given that
Without the existence of such legitimacy, access would be technically impossible, the SES
understands that the reported situation must be waited until it has the status of
Proven Fact (understood as the account of events subject to prosecution

that the judicial body has considered true). This, because it is also understood that
the events reported do not correspond to a breach of the regulations
of data protection of the SES as Responsible for the Treatment if not, rather
as a crime (which could well be classified as revealing secrets) committed by
a person, yes, a worker of the SES, in a private sphere in which the SES

as an employer it has no scope.

Yes, mediating a sentence that establishes the denounced facts as facts
tested, having the SES knowledge of them, the measures will be taken
appropriate internal regulations based on the Internal Regime as described in the

legal notices of the logins of the users of the information system.
Until then, the SES understands that this procedure should be filed
and, in the event of a ruling favorable to the defendant, notify the SES to
that the corresponding internal sanctions be established.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/14









 IV. ON THE FULFILLMENT OF THE OBLIGATIONS OF THE SES AS
RESPONSIBLE FOR THE TREATMENT


On the other hand, regarding the obligations of the Extremadura Health Service, as
responsible for the treatment, and in coordination with what was stated at the beginning of the
Second claim (II), the SES has been fulfilling its obligations as
responsible for the Treatment regarding the requests made by the complainant. I know
pointed out in the aforementioned allegation the existence, as a result of the Extremadura legislative development

of a right to "know who has access to clinical information" and, given the information
provided by the complainant, it is understood that the SES has complied with said
obligations.

A different question is, if the complainant understands that the person reported has

breached its confidentiality obligations and, if so, once it is shown
As a proven fact, you can contact the SES to take the measures
timely.

V. ON THE MEASURES ALREADY APPLIED BY THE SES


Prior to having knowledge of the complaint that is transferred, the SES, in the field of
its proactive responsibility had already taken measures that guarantee the
confidentiality of information.

(1) Access control: access to clinical information of patients in the

Extremadura Health Service is only given when the control standards for
access;

to. First, the control of access to information is segregated into
function of the professional role of the information system, that is, only those

that, due to their functions and obligations, they must access clinical information
and, within these, depending on the purpose, you have access to all or part of said
information.

b. Being legitimized to access clinical information by the professional role, the
Access to citizens' data is not free for users, having to mediate

a relationship that legitimizes access to specific data, namely, to be part of the
"Quota" of the healthcare professional, have him or her mentioned in the agenda or that he / she is in a
active treatment. Otherwise, access is not possible.

c. Granted, where appropriate, access having given the two circumstances

above, this is not necessarily a total access or an access to the History
Complete clinic since the accesses are defined for specific purposes and
These, in turn, have defined what information they give access to based on that purpose.

We speak, therefore, of a double legitimation based on (1) the professional role and (2) the

purpose of access and, this added to the need for the existence of a reason that
legitimize access.



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/14








 (2) Legal notice at the beginning of the session in which users are reminded that the
The information accessed is confidential and should only be treated with the
purpose that legitimizes access.

Uses other than the aforementioned purposes are considered inappropriate and could
be considered labor misconduct or, where appropriate, a crime and lead to the initiation of the file
in the corresponding legal field.

“[…] It is contrary to good faith to attempt to access information for which there is no
has permissions or privileges or is not directly related to their

functions, as well as filtering of any type of data, especially of character
personal, outside the corporate network.

In this sense, the user of the computer system […] knows the responsibilities
established in the Criminal Code, in the Data Protection regulations and in the rest

of the Spanish legislation on the illicit use, contrary to morality, good faith and
customs of computer tools, without prejudice to liability
derived from the applicable internal regulations.

In order to guarantee compliance with the security policy, the SES may
monitor communications and / or files received / sent by users by

means of the entity's resources and systems in the event of suspicions
founded that resources are being misused. […] "

Acceptance of this legal notice is mandatory to access the system of
information.


(3) Training pills, reminders, circulars ... regarding secrecy duties
and confidentiality, security advice and the like that, from the Subdirectorate of
Information Systems together with the figure of the Data Protection Delegate will
they launch to all users of the system, as well as other resources accessible from the

“SES portal” to which all users of the information system have access
of the SES.

THIRD: On May 26, 2021, the Director of the Spanish Agency for
Data Protection agreed to initiate a sanctioning procedure for the complained party, by the
alleged violation of Article 32 of the RGPD, Article 5.1.f) of the RGPD, typified in the

Article 83.5 of the RGPD.

FOURTH: Notified the agreement to initiate this sanctioning procedure, the
SES, as responsible, has not presented any allegations.


In view of all the actions, by the Spanish Agency for Data Protection
In this proceeding, the following are considered proven facts,


                                 PROVEN FACTS


FIRST: It is proven that a third party unrelated to the claimant agreed
wrongly to his clinical history obtained in the SES, on several occasions without
the SES intervened to prevent it once the incident was known.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 8/14








SECOND: The cause that caused the improper access was the lack of measures
technical and organizational implemented in the information and control system of
SES accesses.


THIRD: It is clear that a third party had knowledge of the data of the
claimants in the SES clinical record categorized as special
as indicated in art. 9 of the GDPR.

                            FOUNDATIONS OF LAW


                                             I
By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of
control, and as established in articles 47 and 48 of the LOPDGDD, the Director
of the Spanish Data Protection Agency is competent to initiate and to

solve this procedure.

                                             II
Article 5.1.f) of the RGPD establishes the following:

"Article 5 Principles relating to treatment


1. The personal data will be:
(…)

f) treated in such a way as to guarantee adequate data security

personal data, including protection against unauthorized or illegal processing and against
its loss, destruction or accidental damage, through the application of technical measures
or appropriate organizational arrangements ('integrity and confidentiality'). "

In the present case, it is proven that the personal data of the claimant

relating to his medical history that appear in the SES information system were
unduly accessed by a third party, violating the principles of
integrity and confidentiality, both established in the aforementioned article 5.1.f) of the RGPD.

                                            III
Establishes article 32 of the RGPD, security of treatment, the following:


         1. Taking into account the state of the art, the costs of application, and the
nature, scope, context and purposes of the treatment, as well as risks of
variable probability and severity for people's rights and freedoms
physical, the person in charge and the person in charge of the treatment will apply technical measures and

appropriate organizational arrangements to ensure a level of security appropriate to the risk,
that in your case include, among others:

          a) pseudonymisation and encryption of personal data;


          b) the ability to guarantee confidentiality, integrity, availability and
permanent resilience of treatment systems and services;



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 9/14








          c) the ability to restore availability and access to data
personnel quickly in the event of a physical or technical incident;


          d) a process of regular verification, evaluation and assessment of effectiveness
of the technical and organizational measures to guarantee the security of the treatment.

         2. When evaluating the adequacy of the security level, it will be particularly important
take into account the risks presented by the data processing, in particular as
consequence of accidental or illegal destruction, loss or alteration of data

personal data transmitted, preserved or otherwise processed, or the communication or
unauthorized access to said data (The underlining is from the AEPD).

Recital 75 of the GDPR lists a series of factors or assumptions associated with
Risks to the guarantees of the rights and freedoms of the interested parties:


“The serious and serious risks to the rights and freedoms of natural persons
variable probability, may be due to the processing of data that could cause
Physical, material or immaterial damages, particularly in cases where
that the treatment may give rise to problems of discrimination, usurpation of

identity or fraud, financial loss, reputational damage, loss of
confidentiality of data subject to professional secrecy, unauthorized reversal of the
pseudonymization or any other significant economic or social damage; in the
cases in which the interested parties are deprived of their rights and freedoms or are
prevent exercising control over your personal data; in cases where the data

personal treaties reveal ethnic or racial origin, political opinions, religion
or philosophical beliefs, union membership and the processing of genetic data,
data relating to health or data on sexual life, or convictions and offenses
criminal or related security measures; in the cases in which they are evaluated
personal aspects, in particular the analysis or prediction of aspects related to the
job performance, financial situation, health, preferences or interests

personal, reliability or behavior, situation or movements, in order to create or
use personal profiles; in the cases in which personal data of
vulnerable people, particularly children; or in cases in which the treatment
involves a large amount of personal data and affects a large number of
interested. "


In the present case, of the investigative actions carried out the selection
The reason for accessing the medical history of a SAS patient is not verified with the
access profile of the user leaving, consequently, access to information to
the discretion of the user who accesses.


Therefore, as a consequence of the lack of implementation of technical measures and
adequate organizational requirements that are mandatory for the Public Administrations
as indicated in RD 3/2010, which regulates the National Scheme of
Security (ENS), has caused third-party access to the data
housed in the SES medical records information system. The

performance of the mandatory risk analysis and, where appropriate, impact assessment act
on the treatment of health data of SAS patients. Nor does it appear that
the SAS has in place a process of verification, evaluation and continuous assessment


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 10/14








of the effectiveness of technical and organizational measures to guarantee the safety of the
treatment.
                                           IV

The actions carried out include the absence of security measures
adequate technical and organizational nature, with which the SES had
performs treatment operations in relation to the health data of the records
clinical There is also no evidence of the adequacy of the SES treatment operations to the
National Security Scheme at the time of improper access.


The consequence of this implementation of deficient security measures was the
Exposure to a third party of the personal data related to the health of the
claimant. In other words, the affected party has been deprived of control over their data.
personal information regarding your medical history.


It should be added that, in relation to the category of data to which the third person
someone else has had access, they are in the category of specials according to
provided in art. 9 of the RGPD, a circumstance that supposes an added risk that is
must be assessed in the risk management study and that increases the requirement of the degree
protection in relation to security and safeguarding the integrity and
confidentiality of this data.


This risk must be taken into account by the data controller who must
establish the necessary technical and organizational measures to prevent the loss of
control of the data by the person responsible for the treatment and, therefore, by the
holders of the data that provided them.



                                           V
Article 83.4.a) of the RGPD states the following:
(…)


"4. Violations of the following provisions will be sanctioned, in accordance with the
paragraph 2, with administrative fines of a maximum of EUR 10 000 000 or,
in the case of a company, an amount equivalent to a maximum of 2% of the
global total annual business volume of the previous financial year, opting for
the highest amount:


    a) The obligations of the person in charge and the person in charge in accordance with articles 8, 11,
       25 to 39, 42 and 43 ".

Article 83.5.a) of the RGPD, states the following:

(…)

"5. Violations of the following provisions will be sanctioned, in accordance with the
paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or,
in the case of a company, an amount equivalent to a maximum of 4% of the

global total annual business volume of the previous financial year, opting for
the highest amount:



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 11/14








a) the basic principles for the treatment, including the conditions for the
consent in accordance with articles 5, 6, 7 and 9 ";


Article 76 of the LOPDGDD under the heading "Sanctions and corrective measures",
notes the following:

     1. The sanctions provided for in sections 4, 5 and 6 of article 83 of the
     Regulation (EU) 2016/679 will be applied taking into account the criteria of
     graduation established in section 2 of the aforementioned article.


     1. It will be possible, complementary or alternatively, the adoption, when
     appropriate, of the remaining corrective measures referred to in article 83.2
     of Regulation (EU) 2016/679.


                                            SAW
Article 71 of the LOPDGDD establishes the following under the heading "Infractions":
The acts and conducts referred to in sections 4, 5 constitute offenses.
and 6 of Article 83 of Regulation (EU) 2016/679, as well as those resulting
contrary to the present organic law.


Establishes article 72.1.a) of the LOPDGDD, under the heading "Infractions
considered very serious ”, the following:


"1. In accordance with the provisions of article 83.5 of Regulation (EU) 2016/679,
considered very serious and will prescribe after three years the infractions that suppose
a substantial violation of the articles mentioned therein and, in particular, the
following:

a) The processing of personal data violating the principles and guarantees

established in Article 5 of Regulation (EU) 2016/679. "

In the present case, the offending circumstances provided for in article
72.1.a) of the LOPDGDD transcribed above.


It establishes article 73 of the LOPDGDD, under the heading “Infractions considered
serious ”the following:

"Based on what is established in article 83.4 of Regulation (EU) 2016/679,

considered serious and will prescribe after two years the infractions that suppose a
substantial violation of the articles mentioned therein and, in particular, the
following:

f) Failure to adopt technical and organizational measures that result

appropriate to ensure a level of security appropriate to the risk of the treatment,
in the terms required by article 32.1 of Regulation (EU) 2016/679.

In the present case, the offending circumstances provided for in article 73 concur
section f) of the LOPDGDD transcribed above.


                                            VII
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 12/14








Establishes Law 40/2015, of October 1, on the Legal Regime of the Public Sector, in
Chapter III relative to the “Principles of the sanctioning power”, in article 28
under the heading "Responsibility", the following:


"1. They can only be sanctioned for acts constituting an administrative offense.
natural and legal persons, as well as, when a Law recognizes their capacity to
act, the affected groups, the unions and entities without legal personality and the
independent or autonomous patrimonies, who are responsible for them to
title of fraud or guilt "


Lack of diligence in implementing appropriate security measures
with the consequence of the violation of the principle of confidentiality, constitutes the
element of guilt.


                                            VIII
Article 58.2 of the RGPD states the following:

2. Each supervisory authority shall have all the following corrective powers
listed below:
 (…)


b) direct a warning to any person in charge or in charge of the treatment when the
treatment operations have infringed the provisions of this Regulation;


For its part, the Spanish legal system has chosen not to sanction with the
imposition of administrative fine on public entities, such as the SES, such as
indicated in article 77.1. c) and sections 2, 4, 5 and 6 of the LOPDDGG:


<< 1. The regime established in this article will be applicable to the treatments of
who are responsible or in charge:

  c) The General Administration of the State, the Administrations of the communities
autonomous entities and the entities that make up the Local Administration.


2. When the managers or managers listed in section 1 commit
any of the infractions referred to in articles 72 to 74 of this law
organic, the competent data protection authority will issue a resolution
sanctioning them with warning. The resolution will also establish the
measures to be taken to stop the conduct or correct the effects of the

infraction that had been committed.

The resolution will be notified to the person in charge of the treatment, the body of the
that depends hierarchically, where appropriate, and those affected who had the condition
interested party, if applicable.


  4. The data protection authority must be notified of the resolutions that
fall in relation to the measures and actions referred to in the sections
previous.

  5. They will be communicated to the Ombudsman or, where appropriate, to similar institutions

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 13/14








of the autonomous communities the actions carried out and the resolutions issued
under this article.

  6. When the competent authority is the Spanish Agency for Data Protection,

This will publish on its website with due separation the resolutions referring to
the entities of section 1 of this article, expressly indicating the identity of the
responsible or in charge of the treatment that had committed the infringement. >>


Therefore, in accordance with the applicable legislation and assessed the criteria of
graduation of the sanctions whose existence has been accredited, the Director of the
Spanish Agency for Data Protection, RESOLVES:

FIRST: IMPOSE EXTREMEÑO DE SALUD SERVICE, with NIF S0611001I,

for the violation of Article 32 of the RGPD typified in Article 83.4.a) of the RGPD the
sanction of APERCIBIMENTO, and for the violation of article 5.1.f) of the RGPD,
typified in Article 83.5.a) of the RGPD, the sanction of APERCIBIMENTO.

SECOND: NOTIFY this resolution to SERVICIO EXTREMEÑO DE

HEALTH.

THIRD: COMMUNICATE this resolution to the Ombudsman, of
in accordance with the provisions of article 77.5 of the LOPDGDD.


In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may optionally file an appeal for reconsideration before the

Director of the Spanish Agency for Data Protection within a month to
counting from the day after the notification of this resolution or directly
contentious-administrative appeal before the Contentious-Administrative Chamber of the
National High Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the

Contentious-administrative jurisdiction, within two months from the
day following notification of this act, as provided in article 46.1 of the
referred Law.

Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP,

may provisionally suspend the final resolution through administrative channels if the
interested party expresses his intention to file contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact through
writing addressed to the Spanish Agency for Data Protection, presenting it through
of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-
web /], or through any of the other records provided for in art. 16.4 of the

cited Law 39/2015, of October 1. You must also transfer to the Agency the
documentation that proves the effective filing of the contentious appeal-
administrative. If the Agency is not aware of the filing of the appeal
contentious-administrative within a period of two months from the day following the
notification of this resolution would terminate the precautionary suspension.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 14/14













                                                                                                   938-131120

Mar Spain Martí
Director of the Spanish Agency for Data Protection







































































C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es