AEPD - PS/00269/2019

From GDPRhub
AEPD - PS/00269/2019
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR
Article 83(5) GDPR
Type: Complaint
Outcome: Upheld
Decided: n/a
Published: n/a
Fine: None
Parties: n/a
National Case Number/Name: PS/00269/2019
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish DPA (AEPD) held that the circulation of a report among other employees detailing the reasons for an employee's temporary assignment, and why they failed to meet the conditions for a job application among the professionals was a breach of the data confidentiality principle in Article 5(1)(f) GDPR.

English Summary[edit | edit source]

Facts[edit | edit source]

The complainant applied for a position as a medical coordinator at a health centre. They were rejected in an email from the legal department of the Castilla La Mancha Health Service, which attached a report stating that the complainant did not meet the requirements for the job. The report, which also included information on others, was then sent in identical emails to the rest of the professionals at the health centre.

Dispute[edit | edit source]

Did the enclosure of the report in the emails constitute a violation of the GDPR?

Holding[edit | edit source]

The AEPD held that the senders of the email violated the principle of data confidentiality under Article 5(1)(f) GDPR, by revealing the reasons for the applicant's failure to be selected for the position, along with revealing the reasons why the applicant had been assigned to that health centre for a temporary requirement. The AEPD also noted that the duty to respect this principle of data confidentiality was not only incumbent on processors and controllers, but also "on all those who intervene in any stage of the processing". The DPA issued the Health Service with a reprimand under Article 83(5) and required them to bring their processing in line with the requirements in Article 5(1)(f) GDPR in order to prevent the recurrence of incidents such as the one giving rise to the claim.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

Procedure 
NO.: PS/00269/2019
DECISION ON DISCIPLINARY PROCEEDINGS
From the procedure instructed by the Spanish Data Protection Agency and based on the following FIRST BACKGROUND: Mr. A.A.A.  (hereinafter, the claimant) dated 18/02/2019 filed a complaint with the Spanish Data Protection Agency. The claim is directed against SERVICIO DE SALUD DE CASTILLA-LA MANCHA with NIF Q4500146H (hereinafter, SSCM). The reasons on which the claim is based are, in summary:- That on 25/01/2019 he presents an application for a position of Medical Coordinator for the La Solana Health Centre, called by the Integrated Care Management of the Health Area of Talavera de la Reina (Toledo), which depends on the Castilla La Mancha Health Service. That by means of electronic mail the Medical Subdirector of this Management encloses the report made by the Legal Services in which it is indicated that it does not meet the conditions set in the call on the basis that I have a temporary assignment in this health centre for reasons of occupational health. - An identical email is then sent to the corporate emails of the La Solana and Rio Tajo Health Centres, so that, following the established protocol, it is sent to all the members of the teams, so that all the workers at the Health Centre (45 people, including myself) receive an email from the Integrated Care Management of Talavera de la Reina (Medical Sub-directorate), in which this information is sent and all of them are informed of their work situation and that it is conditioned by health reasons. The following information was provided by the claimant: -Copy of his ID card -Copy of the e-mail sent by the Integrated Care Management of the Healthcare Area of Talavera de la Reina (Toledo), which is part of the Healthcare Service of Castilla La Mancha.  Copy of the e-mail sent by the Rio Tajo Health Centre to the addresses of its workers. SECOND: After receiving the complaint, the Subdirectorate General for Data Inspection carried out the following actions: On 18/02/2019, reiterated on 12/04/2019, the complaint submitted was transferred to the SSCM for analysis and communication to the complainant of the decision taken in this regard. The complainant was also required to send the Agency certain information within one month: 
- Copy of the communications, of the decision adopted that has been sent to the complainant regarding the transfer of this complaint, and accreditation that the complainant has received the communication of this decision. On the same date, the claimant was informed of the receipt of the complaint and its transfer to the entity complained of. On 23/05/2019 SSCM sent a letter in which it stated, among other things, in its e-mail of 29/01/2019, that it informed and motivated the professionals of the Rio Tajo Primary Care Team of the current administrative situation and the cause for exclusion or non-admission of the candidate, the complainant, in the regulated process for the provision and selection of the post of Medical Coordinator of the aforementioned Team, for the purpose of determining the cause for exclusion. THIRD: On 18/06/2019, in accordance with article 65 of the LOPDGDD, the Director of the Spanish Data Protection Agency agreed to admit the claimant's complaint against the respondent. FOURTH: On November 22, 2019, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against the respondent, in accordance with Articles 63 and 64 of Law 39/2015, of October 1, on the Common Administrative Procedure for Public Administrations (hereinafter, LPACAP), for the alleged infringement of Article 5.1(f) of the RGPD, sanctioned in accordance with Article 77.2 of the LOPDGDD. FIFTH: Once the aforementioned agreement was notified, in a letter dated 10/12/2019, the claimant presented a brief of allegations in which, in summary, he stated the following: that SSCM had not infringed the duty of confidentiality of the data and that all the recipients of the e-mail were public employees of SESCAM; that the information contained in the e-mail had been used within the limited scope of the statutory obligation of those professionals, so that the information provided cannot be considered excessive; that the management and access to the email account is carried out by the administrative staff of the health centre and is always accessed with a specific profile and, in the same way, that the other professionals receive this information subject to a coded system where they can only access it by means of a password; that the email that the claimant claims is informed within the scope of the Primary Care Team of Talavera 3 Rio Tajo to the professionals registered to this team of the cause of exclusion and non-admission of the candidate in question within the regulated procedure called on 14/01/2019; that the professionals of this team are the only recipients of the email; that once the documentation available in the processing of this complaint has been analysed, the treatment of the same is adapted to the regulatory support in the exercise of the functions of participation of the professionals and public employees of the aforementioned primary care team; that there has been no violation of the regulations on the protection of personal data, given that no information has been provided on clinical aspects of the claimant's state of health, the fact that this person was assigned to the provisional procedure for health reasons was appropriate and relevant within the aforementioned provision procedure, given that their assignment to the TalaveraRío Tajo Health Centre was subject to the scheduled occupational health reviews and the recipients of the information were the professionals involved in the participation and proposal of resolution of the provision procedure. SIXTH: On 11/02/2020, a period of probationary practice was opened, and the following were agreed upon: To consider the complaint filed by the complainant and its documentation, the documents obtained and generated by the Inspection Services forming part of file E/02128/2019, as reproduced for evidential purposes. To consider as reproduced, for evidential purposes, the allegations to the agreement of initiation presented by the claimant and the documentation that accompanies them. To request from the claimant a copy of all the documentation that is in its possession related to the sanctioning procedure that for any reason were not provided at the time of the complaint or any other demonstration in relation to the reported facts. SEVENTH: On 04/06/2020 a Proposal for a Resolution was dictated in the sense that a warning was issued to the claimant for violation of article 5.1.f) of the RGPD, typified in article 85.5.a) of the aforementioned RGPD, in accordance with article 77. 2 of the LOPDGDD. Once the term established for this purpose had elapsed, the respondent did not present written negotiations at the time of issuing the present resolution. EIGHTH: Of the actions carried out in the present procedure, the following have been accredited, 
FIRST PROVEN FACTS.  
On 12/02/2019, the claimant submitted a written statement to the AEPD stating that on 25/01/2019 he had applied for a position as Medical Coordinator at the La Solana and Rio Tajo Health Centre, convened by the Integrated Care Management of the Talavera de la Reina Health Area (Toledo), which is part of the Castilla La Mancha Health Service; By e-mail, the Deputy Medical Director of said Management attached a report prepared by the Legal Services indicating that she did not meet the conditions set out in the call for applications, due to her situation of temporary assignment in said health centre for reasons of occupational health; subsequently, identical mail was sent to the rest of the professionals in the health centre, in which said information was transferred and all of them were informed of their occupational situation and that it was conditioned by health reasons. 
SECOND: The claimant provides a copy of his ID card at ***NIF.1 .
THIRD: A copy of the e-mail sent on 29/01/2019 by the Deputy Medical Director of the Integrated Care Management of the Healthcare Area of Talavera de la Reina (Toledo), with the same content as the one received by the rest of the professionals of the Healthcare Centre, has been provided:From: "B.B.B. <***EMAIL.1>To: "A.A.A." ***EMAIL.2CC: "C.C.C." ***EMAIL.3Submitted: Tuesday 29 January 2019 11:45Addendum: Resolution A.A.A. Adequacy.pdf; A.A.A. - REVISION ***DATE.1-INTERNAL NOTE. PDF Subject: RV: RIO TAJO COORDINATION PROCEDURE "Regarding the request submitted on January 25 by the claimant, to participate in the procedure for the election of medical coordinator, I hereby inform you that: The aforementioned professional is assigned to the Talavera Rio Tajo Health Center for occupational health reasons (a copy of the resolution is attached), effective January 26, 2018. The assignment of the claimant is temporary, being his position the corresponding to the CIAS XXXXXXXXXXX, position of the Talavera-La Algodonera Team, in which he maintains his right to reserve. The assignment for occupational health reasons is temporary, as long as the recommendations for adaptation established by the Occupational Risk Prevention service are maintained by virtue of the appropriate reviews (or in connection with the incorporation of permanent staff into the post). The last review was carried out on 25 September 2018, establishing the following review after six months, without the review having been carried out.  By virtue of the powers that article 58.2 of the RGPD recognises to each control authority, and in accordance with that established in articles 47 and 48 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.  account to the e-mail addresses of the professionals of the aforementioned Health Centre, containing the causes for exclusion and non-admission of the claimant within the procedure called for on 14/01/2019
selection and provision of a Medical Coordinator for your Team, in violation of the duty of confidentiality. Such processing could constitute a breach of Article 5, Principles relating to processing, of the RGPD which states that: "1. Personal data shall be:(...)f) processed in such a way as to ensure appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, through the application of appropriate technical or organisational measures ("integrity and confidentiality"). (...) "Article 5, Duty of confidentiality, of the new Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), states that: "1. The persons responsible for and in charge of the processing of data, as well as all the persons who intervene in any phase of the processing, shall be subject to the duty of confidentiality referred to in Article 5.1.f) of Regulation (EU) 2016/679.2. The general obligation indicated in the previous section shall be complementary to the duties of professional secrecy in accordance with the applicable regulations.3 The obligations established in the previous sections shall be maintained even when the relationship of the party responsible with the person in charge of the processing has ended".III The documentation in the file offers evidence that the claimant has violated Article 5 of the RGPD, principles relating to processing, in relation to Article 5 of the LOPGDD, duty of confidentiality, by revealing the reasons for the employment assignment as well as the causes for exclusion and non-admission of the claimant in the procedure for the election of the medical coordinator, which are considered excessive. This duty of confidentiality, previously a duty of secrecy, must be understood to be aimed at preventing leaks of data that have not been agreed to by the holders. Therefore, this duty of confidentiality is not only incumbent upon the person responsible for and in charge of the processing, but also upon all those who intervene in any phase of the processing and who complement the duty of professional secrecy. In accordance with what has been expressed previously, the processing of data requires the existence of a legal basis that legitimizes it, as a guarantee of adequate security for the integrity and confidentiality of the data by means of appropriate measures. The complaint that we examined is caused by the content of the email that informed the professionals of the Primary Care Team of Talavera 3 Rio Tajo of the administrative situation and cause for exclusion or non-admission that concurred in the claimant, in the regulated process for the provision and selection of the position of Medical Coordinator of that Team, dated 29/01/2019 that reproduces some fragments in the proven third fact. The above-mentioned letter was sent by the Deputy Medical Director who initially attached the report drawn up by the Legal Services indicating that she did not meet the conditions set out in the call for applications for temporary assignment to the said health centre for occupational health reasons. Subsequently, mail identical to the rest of the corporate mail is sent to all the workers of the Health Centre (45 people, including me), who receive an e-mail from the Integrated Care Management of Talavera de la Reina (Medical Sub-direction), in which this information is transferred and all of them are informed of their employment situation and that it is conditioned by health reasons. f) the processing of personal data must guarantee adequate security, including protection against unauthorised or unlawful processing and against loss, destruction or accidental damage, through the application of appropriate technical or organisational measures. In short, the processing of the claimant's personal data by the Medical Sub-Directorate by sending the email that was forwarded to all the professionals of the centre on 29/01/2019, will be lawful if there is a legal basis for it. In the first place, that the processing is necessary to satisfy a legitimate interest pursued by the data controller; which, transferred to the case in question, implies that the processing of personal data carried out via the email of 29/01/2019 was intended to satisfy the legitimate interest of the data controller, although such processing would require that "the interests pursued do not prevail over the interests or fundamental rights and freedoms of the data subject that require the protection of personal data". Determining whether the processing of the complainant's data by the e-mail sent to the health care professionals is unlawful requires a balancing of the interests at stake in order to conclude whether or not the complainant's right to suppression should prevail over the right to freedom of association. As regards the legitimate interest as a legal basis for the processing of personal data of third parties, Recital 47 of the RGPD states: 'The legitimate interest of a controller, including a controller to whom personal data may be disclosed, or of a third party, may constitute a legal basis for the processing, provided that the interests or the rights and freedoms of the data subject do not prevail, taking into account the reasonable expectations of the data subjects based on their relationship with the controller. Such a legitimate interest could, for example, exist where there is a relevant and appropriate relationship between the data subject and the controller, such as in situations where the data subject is a customer or is in the service of the controller. In any case, the existence of a legitimate interest would require a careful assessment, including whether a data subject can reasonably foresee, at the time and in the context of the collection of personal data, that processing may take place for that purpose. In particular, the interests and fundamental rights of the data subject could prevail over the interests of the controller when personal data are processed in circumstances where the data subject does not reasonably expect further processing. Since it is for the legislator to establish by law the legal basis for the processing of personal data by public authorities, this legal basis should not apply to processing by public authorities in the exercise of their duties. The processing of personal data strictly necessary for the prevention of fraud also constitutes a legitimate interest of the controller concerned. The processing of personal data for direct marketing purposes can be considered as being carried out for legitimate interest.>> Moving on to the facts at hand, it must be concluded that the Deputy Medical Director, through the e-mail she sent to forty-five professionals of the Health Centre, provided information that was not relevant to the purposes pursued but, on the contrary, the data provided must be qualified as excessive in relation to such purposes as the one of informing the result of the call. The processing of certain data concerning the complainant is not lawful, since it was not covered by Article 6.1.f of the RGPD. This processing constitutes a violation of the principle of confidentiality that presides over the processing of personal data of third parties (article 5.1.f, of the RGPD). And although it is true that the call for applications established that the group of professionals of the team to which it was addressed, the Primary Care Team, would have the right to participate and to be heard in the selection procedure and the provision of a Medical Coordinator for their team, giving them a certain weight or evaluation of the proposal that could be made by the professionals assigned to the Team, and being heard before the appointment of the Coordinator, it is no less true that this does not imply that the reasons for excluding a candidate should be revealed, especially if these reasons are related to health. In addition, in the development of the selection process, it is indicated that the Commission will submit to Management the proposal of the person it deems most appropriate once the procedure has been carried out and that the Management Directorate will issue a resolution that will be published on the Management intranet containing the scores obtained by the candidates and, if applicable, those excluded. However, what is considered relevant is that information that could be considered excessive in the light of the aforementioned bases is revealed, such as the fact that the participant/applicant is assigned to the centre for reasons of occupational health, that his/her assignment is temporary as long as the recommendations for adaptation established by the Occupational Risk Prevention service are maintained by virtue of the appropriate reviews, etc. In consideration of the above, taking into account that in the e-mail certain personal data of the claimant were treated in an illegal manner and that they were unrelated to the interests at stake and were revealed to forty-five persons, recipients of the e-mail sent on 29/01/2019, it is concluded that the claimant is responsible for an infringement of article 5.1.f), in relation to article 6.1, of the RGPD. The infringement of article 5.1.f) of the RGPD is typified in article 83.5.a) of the RGPD. The LOPDGDD, for prescription purposes, in its article 72.1.a) qualifies this infringement as very serious.
IV
Article 83.5(a) of the RGPD considers that the infringement of "the basic principles for processing, including the conditions for consent under Articles 5, 6, 7 and 9" is punishable, in accordance with the aforementioned Article 83.5 of the RGPD. On the other hand, the LOPDGDD in its Article 71, Infractions, establishes that: "The acts and conducts referred to in paragraphs 4, 5 and 6 of Article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this Organic Law, constitute infringements". Article 72 of the LOPDGDD states, for the purposes of the statute of limitations: "Infringements considered to be very serious:1. In accordance with the provisions of Article 83.5 of Regulation (EU) 2016/679, infringements that substantially violate the articles mentioned therein are considered to be very serious and shall be subject to the statute of limitations after three years, in particular the following: a) Processing of personal data in violation of the principles and guarantees established in Article 5 of Regulation (EU) 2016/679. (...) "Notwithstanding, the LOPDGDD in its article 77, applicable regime to certain categories of persons responsible or in charge of the processing, establishes the following: "1. The regime established in this article will be applicable to the processing of those who are responsible or in charge of: a) The constitutional bodies or those with constitutional relevance and the institutions of the autonomous communities analogous to them.b) The jurisdictional bodies. c) The General State Administration, the Administrations of the Autonomous Communities and the entities that make up the Local Administration. d) Public bodies and public law entities linked to or dependent on the Public Administration. e) Independent administrative authorities. f) The Banco de España. g) Public law corporations when the purposes of the processing are related to the exercise of public law powers. h) Public sector foundations. i) Public universities. j) Consortiums.
k) The parliamentary groups of the Cortes Generales and the Autonomous Legislative Assemblies, as well as the political groups of the Local Corporations.2. When the persons responsible or in charge listed in paragraph 1 commit any of the infringements to which Articles 72 to 74 of this Organic Law refer, the competent data protection authority shall issue a ruling sanctioning them with a warning. The resolution shall also establish the measures that should be adopted so that the conduct ceases or the effects of the infringement committed are corrected. The resolution shall be notified to the data controller or person responsible for the processing, the body on which he depends hierarchically, if appropriate, and to the data subjects who are data subjects, if appropriate.3. Without prejudice to the provisions of the previous section, the data protection authority shall also propose the initiation of disciplinary proceedings when there is sufficient evidence to do so. In this case, the procedure and the sanctions to be applied shall be those established in the legislation on the disciplinary or sanctioning regime that is applicable. Likewise, when the infringements are attributable to authorities and managers, and the existence of technical reports or recommendations for the processing that have not been duly attended to is accredited, the resolution in which the sanctions are imposed shall include a warning with the name of the responsible position and publication in the corresponding Official State or Autonomous Community Gazette shall be ordered.4 The resolutions that are passed in relation to the measures and actions referred to in the previous sections shall be communicated to the data protection authority.5 The actions carried out and the resolutions passed under this article shall be communicated to the Ombudsman or, as appropriate, to the analogous institutions of the Autonomous Communities. When the competent authority is the Spanish Data Protection Agency, it shall publish on its website with due separation the resolutions referred to the entities of paragraph 1 of this Article, with express indication of the identity of the person responsible for or in charge of the processing that has committed the infringement. However, the RGPD, without prejudice to the provisions of article 83, provides in the article transcribed for the possibility of resorting to the sanction of a warning to correct the processing of personal data that does not comply with its provisions, when the persons responsible or in charge listed in paragraph 1 commit any of the offences referred to in articles 72 to 74 of this organic law.
Therefore, in accordance with the applicable legislation and having assessed the criteria for the downgrading of the penalties whose existence has been accredited, The Director of the Spanish Data Protection Agency RESOLVES:FIRST: TO IMPOSE ON THE CASTILLA LA MANCHA HEALTH SERVICE. GERENCIA ATENCION INTEGRADA DE TALAVERA DE REINA, with NIF Q4500146H, for an infringement of article 5.1.f) of the RGPD, typified in article 83.5 of theRGPD, a warning sanction. INTEGRATED ATTENTION MANAGEMENT OF TALAVERA DE REINA, with NIF Q4500146H, so that within one month from the notification of this resolution, it accredits: the adoption of the appropriate technical and organisational measures to guarantee the treatment of the data to the regulations in the matter of protection of data of a personal nature in order to avoid that in the future incidents such as those that have given rise to the formulation of the claim object of the procedure and its adaptation to the requirements contemplated in article 5. 1.f) of the RGPD.THIRD: TO NOTIFY this resolution to the DECASTILLA LA MANCHA HEALTH SERVICE. INTEGRATED ATTENTION MANAGEMENT OF TALAVERA DEREINA, with NIF Q4500146H.FOURTH: TO COMMUNICATE the present resolution to the Ombudsman, in accordance with the provisions of article 77.5 of the LOPDGDD.In accordance with the provisions of article 50 of the LOPDGD, the present resolution will be made public once it has been notified to the interested parties. . 6 of the LOPDGDD, and in accordance with the provisions of Article 123 of the LPACAP, the interested parties may, optionally, lodge an appeal for reversal with the Director of the Spanish Data Protection Agency within a period of one month starting from the day following notification of this resolution or the address of the contentious-administrative proceedings before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998 of 13 July, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided for in Article 46. Finally, it is noted that in accordance with the provisions of article 90.3 a) of the LPACAP, the final resolution may be suspended in administrative proceedings if the interested party expresses its intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact in writing addressed to the Spanish Data Protection Agency, presenting it through the Electronic Register of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registers provided for in art. 16.4 of the aforementioned Law 39/2015, of 1 October. It must also send to the Agency the documentation that proves the effective lodging of the contentious-administrative appeal. If the Agency were not aware of the lodging of the contentious-administrative appeal within the period of two months following the notification of the present resolution, it would terminate the precautionary suspension.