AEPD (Spain) - TD/00261/2020: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=R/001...")
 
No edit summary
(One intermediate revision by one other user not shown)
Line 54: Line 54:
}}
}}


The Spanish DPA (AEPD) admitted a claim against Asturias Healthcare System for not satisfying a data subject's access request to medical data.  
The Spanish DPA (AEPD) admitted a claim against the Asturias Healthcare System for not attending a data subject's access request to medical data.  


== English Summary ==
==English Summary==


=== Facts ===
===Facts===
Due to formal reasons, the Spanish Data Protection Authority (AEPD) decided to admit a claim against Asturias Healthcare System (the controller) for not satisfying a data subject's access request to medical records of data subject’s deceased mother, but without any economic fine nor warning, because, during the AEPD's investigation process, such right of access was finally fulfilled by the public administration.
Due to formal reasons, the Spanish Data Protection Authority (AEPD) decided to admit a claim against Asturias Healthcare System (the controller) for not satisfying a data subject's access request to medical records of data subject’s deceased mother, but without any economic fine nor warning, because, during the AEPD's investigation process, such right of access was finally fulfilled by the public administration.


=== Dispute ===
===Dispute===
Might be a request of access considered as duly fulfilled by the controller when it was not attended in due time and proper course?
Might be a request of access considered as duly fulfilled by the controller when it was not attended in due time and proper course?


=== Holding ===
===Holding===
The Spanish DPA held that the access request was properly fulfilled, in spite of being properly attended after claim admission, so it decided not to impose any fine nor warning to the defendant.  
The Spanish DPA held that the access request was properly fulfilled, in spite of being properly attended after claim admission, so it decided not to impose any fine nor warning to the defendant.  


== Comment ==
==Comment==
''Share your comments here!''
''Share your comments here!''


== Further Resources ==
==Further Resources==
''Share blogs or news articles here!''
''Share blogs or news articles here!''


== English Machine Translation of the Decision ==
==English Machine Translation of the Decision==
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.



Revision as of 08:09, 30 March 2021

AEPD - R/00101/2021
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 12 GDPR
Article 15 GDPR
Law 41/2002, of November 14, Basic regulating patient autonomy and rights and obligations in terms of information and clinical documentation
Law 3/2018, 0f 5 December 2018, on the Protection of Personal Data and Guarantee of Digital Rights
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 22.03.2021
Fine: None
Parties: Asturias Healthcare System
National Case Number/Name: R/00101/2021
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Oscar Jacobo Bacelo

The Spanish DPA (AEPD) admitted a claim against the Asturias Healthcare System for not attending a data subject's access request to medical data.

English Summary

Facts

Due to formal reasons, the Spanish Data Protection Authority (AEPD) decided to admit a claim against Asturias Healthcare System (the controller) for not satisfying a data subject's access request to medical records of data subject’s deceased mother, but without any economic fine nor warning, because, during the AEPD's investigation process, such right of access was finally fulfilled by the public administration.

Dispute

Might be a request of access considered as duly fulfilled by the controller when it was not attended in due time and proper course?

Holding

The Spanish DPA held that the access request was properly fulfilled, in spite of being properly attended after claim admission, so it decided not to impose any fine nor warning to the defendant.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                                 1/8










     File Nº: TD / 00261/2020



                              RESOLUTION NO: R / 00101/2021

Considering the claim made on July 27, 2020 before this Agency by Ms. A.A.A. ,
against the HEALTH SERVICE OF THE PRINCIPALITY OF ASTURIAS, for not having been

duly attended to your right of access.

The procedural actions provided for in Title VIII of the Law have been carried out.
Organic 3/2018, of December 5, Protection of Personal Data and guarantee of
digital rights (hereinafter LOPDGDD), the following have been verified



                                       FACTS


FIRST: On October 19, 2019, January 29 and March 5, 2020, Ms.
A.A.A. (hereinafter, the complaining party) exercised the right of access to the record
complete information of his deceased mother in front of the HEALTH SERVICE OF THE PRINCIPALITY
DE ASTURIAS with NIF Q8350064E (hereinafter, the claimed one), without your request
has received the legally established reply.


The complaining party provides various documentation related to the claim made
before this Agency and on the exercise of the right exercised.

SECOND: In accordance with the functions provided for in Regulation (EU)
2016/679, of April 27, 2016, General Data Protection (RGPD),

particularly those that respond to the principles of transparency and responsibility
proactively by the data controller, it has been required to inform
this Agency of the actions that have been carried out to address the claim
raised, without receiving a response within the term conferred by this Agency.


Once the procedure provided for in article 65.4 of the LOPDGDD had been completed, the
the claim was processed and the claimed entity was granted a hearing procedure, to
that within a period of fifteen business days it present the allegations it deems
In summary, the following considerations have been formulated:

The defendant manifests in the allegations made during the processing of the

present procedure that, on all occasions, they were notified to collect the
requested information.

That the complaining party residing in England has been contacted,
to indicate which report could have been pending, sending the

information required from the brother, on November 25, 2020.

Documentation of such extreme is attached.



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/8








THIRD: After examining the allegations presented by the respondent, they are subject to
transfer to the complaining party, so that, within fifteen business days, it can formulate
allegations that it deems appropriate:


On December 28, 2020, this Agency, through postal notification, put
at the disposal of the complaining party the allegations presented by the person in charge,
so that within fifteen days the allegations that
consider appropriate, without receiving a response.


                           FOUNDATIONS OF LAW

FIRST: The Director of the Spanish Agency for
Data Protection, in accordance with the provisions of section 2 of article 56 in
in relation to paragraph 1 f) of article 57, both of Regulation (EU) 2016/679 of the

European Parliament and of the Council of April 27, 2016 on the protection of
natural persons with regard to the processing of personal data and the free
circulation of these data (hereinafter, GDPR); and in article 47 of the Law
Organic 3/2018, of December 5, Protection of Personal Data and guarantee of
digital rights (hereinafter LOPDGDD).


SECOND: Article 64.1 of the LOPDGDD, provides that:
"one. When the procedure refers exclusively to the lack of attention of a
request to exercise the rights established in articles 15 to 22 of the
Regulation (EU) 2016/679, will start by agreement of admission for processing, which will be
adopt in accordance with the provisions of the following article.

In this case, the term to resolve the procedure will be six months from
from the date the claimant was notified of the admission agreement to
Procedure. After this period, the interested party may consider their
claim."
In the present case, the claim of the interested party was accepted for processing, giving rise to

the opening of this administrative procedure, regulated in the previous article
aforementioned, which is intended to ensure, if appropriate, the attention of the request
of exercise of rights formulated.

The purging of administrative responsibilities in the framework of the
of a sanctioning procedure, the exceptional nature of which implies that - provided that

possible- opt for the prevalence of alternative mechanisms that have protection
ro in current regulations.

It is the exclusive competence of this Agency to assess whether there are responsibilities
administrative procedures that must be purged in a sanctioning procedure and, in

Consequently, the decision on its opening, there being no obligation to initiate a
procedure before any request made by a third party. Such a decision must
be based on the existence of elements that justify said start of the activity
sanctioning, circumstances that do not concur in the present case, considering
that, in view of the actions carried out, with the present procedure the

guarantees and rights of the affected party are duly restored.




C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/8








THIRD: Article 12 of Regulation (EU) 2016/679, of April 27, 2016,
General Data Protection (RGPD), provides that:


"one. The person responsible for the treatment will take the appropriate measures to facilitate the
interested party all information indicated in articles 13 and 14, as well as any
communication in accordance with articles 15 to 22 and 34 regarding the treatment, in the form
concise, transparent, intelligible and easily accessible, with a clear and simple language, in
particular any information directed specifically to a child. Information
will be provided in writing or by other means, including, if applicable, by means

electronic When requested by the interested party, the information may be provided
verbally provided that the identity of the interested party is proven by other means.

2. The person responsible for the treatment will facilitate the exercise of their rights to the interested party.
by virtue of articles 15 to 22. In the cases referred to in article 11, paragraph

2, the person in charge will not refuse to act at the request of the interested party in order to exercise
your rights under Articles 15 to 22, unless you can show that you are not
is in a position to identify the interested party.

3. The person responsible for the treatment will provide the interested party with information regarding their
proceedings on the basis of a request pursuant to Articles 15 to 22, and, in

In any case, within one month of receipt of the request. Saying
The term may be extended for another two months if necessary, taking into account the
complexity and number of requests. The person in charge will inform the interested party of
any of said extensions within a period of one month from the receipt of the
request, stating the reasons for the delay. When the interested party presents the

request by electronic means, the information will be provided by electronic means
when possible, unless the interested party requests that it be provided otherwise.

4. If the person responsible for the treatment does not comply with the request of the interested party,
inform without delay, and no later than one month after receipt of the

request, the reasons for not acting and the possibility of submitting a
claim before a control authority and to exercise legal actions.

5. The information provided by virtue of articles 13 and 14 as well as all
communication and any action carried out pursuant to articles 15 to 22 and 34
they will be free of charge. When the requests are manifestly unfounded or

excessive, especially due to its repetitive nature, the person responsible for the
treatment may:
    a) charge a reasonable fee based on the administrative costs incurred
to facilitate information or communication or perform the requested action, or
    b) refuse to act on the request.

    The data controller will bear the burden of proving the character
manifestly unfounded or excessive of the request.

6. Without prejudice to the provisions of article 11, when the person responsible for the treatment
have reasonable doubts in relation to the identity of the natural person taking the

application referred to in articles 15 to 21, you may request that the
additional information necessary to confirm the identity of the interested party.



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/8








7. The information that must be provided to the interested parties by virtue of articles 13
and 14 may be transmitted in combination with standard icons that allow
provide in an easily visible, intelligible and clearly legible way a suitable

overview of the planned treatment. Icons presented in the format
electronic will be machine readable.

8. The Commission is empowered to adopt delegated acts in accordance with the
Article 92 in order to specify the information to be submitted through
icons and procedures for providing standard icons. "


FOURTH: Article 12 of the LOPDGDD determines the following:

1. The rights recognized in articles 15 to 22 of Regulation (EU) 2016/679,
They may be exercised directly or through a legal or voluntary representative.
2. The person responsible for the treatment will be obliged to inform the affected party about the

means at your disposal to exercise the rights that correspond to you. The media
They must be easily accessible to the affected person. The exercise of the right may not
be denied for the sole reason of choosing the affected by another means.

3. The person in charge may process, on behalf of the person in charge, requests for exercise
formulated by those affected by their rights if this is established in the contract or
legal act that binds them.

4. Proof of compliance with the duty to respond to the request to exercise their
rights formulated by the affected party will fall on the person responsible.

5. When the laws applicable to certain treatments establish a regime
that affects the exercise of the rights provided for in Chapter III of the
Regulation (EU) 2016/679, the provisions of those will be followed.

6. In any case, the holders of parental authority may exercise on behalf of and
representation of minors under fourteen years of age the rights of access, rectification,
cancellation, opposition or any others that may correspond to them in the

context of this organic law.
7. The actions carried out by the person responsible for the treatment will be free
to meet requests for the exercise of these rights, without prejudice to the

provided in articles 12.5 and 15.3 of Regulation (EU) 2016/679 and in the
sections 3 and 4 of article 13 of this organic law. "


FIFTH: Article 15 of the RGPD provides that:

"one. The interested party will have the right to obtain from the person responsible for the treatment
confirmation of whether or not personal data concerning you is being processed and, as such

case, right of access to personal data and the following information:
    a) the purposes of the treatment;
    b) the categories of personal data in question;
    c) the recipients or categories of recipients to whom they were communicated or
personal data will be communicated, in particular recipients in third parties or
international organizations;

    d) if possible, the expected period of conservation of personal data or,
if possible, the criteria used to determine this period;

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/8








    e) the existence of the right to request the person responsible for rectification or deletion
of personal data or the limitation of the processing of personal data related to
interested party, or to oppose said treatment;

    f) the right to file a claim with a supervisory authority;
    g) when the personal data have not been obtained from the interested party, any
information available on its origin;
    h) the existence of automated decisions, including profiling, to
referred to in article 22, paragraphs 1 and 4, and, at least in such cases, information
significant on the applied logic, as well as the importance and consequences

provided for said treatment for the interested party.
2. When personal data is transferred to a third country or to an organization
international, the interested party will have the right to be informed of the guarantees
appropriate under Article 46 relating to the transfer.
3. The person responsible for the treatment will provide a copy of the personal data object of

treatment. The person in charge may receive for any other copy requested by the
interested a reasonable fee based on administrative costs. When the
interested party submit the request by electronic means, and unless he requests
otherwise provided, the information will be provided in an electronic format of
Common use.
4. The right to obtain a copy mentioned in section 3 shall not negatively affect

to the rights and freedoms of others. "

SIXTH: The right of access in relation to medical records is regulated
specifically in article 18 of Law 41/2002, of November 14, basic
regulating the Autonomy of the Patient and Rights and Obligations in the Matter of

Information and Clinical Documentation (hereinafter LAP), whose literal wording expresses:
"one. The patient has the right of access, with the reservations indicated in section 3
of this article, to the documentation of the medical history and to obtain a copy of the

data contained in it. The health centers will regulate the procedure that
guarantee the observance of these rights.

2. The patient's right of access to the medical record can also be exercised by
duly accredited representation.

3. The patient's right of access to the documentation of the medical record does not
can be exercised to the detriment of the right of third parties to confidentiality

of the data contained in it collected in the therapeutic interest of the patient, or in
prejudice to the right of the professionals participating in its preparation, who
They can oppose the right of access to the reservation of their subjective annotations.

4.Health centers and individual practitioners will only facilitate the
access to the medical history of deceased patients to people linked to him,

for family or factual reasons, unless the deceased had prohibited it
expressly and thus accredited. In any case, the access of a third party to the story
clinic motivated by a risk to your health will be limited to the relevant data. I dont know
provide information that affects the privacy of the deceased or the annotations
subjective of the professionals, nor that it harms third parties. "

SEVENTH: In this sense, article 15 of the LPA that includes the

minimum content of the medical history:

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/8








 "one. The medical history will incorporate the information that is considered transcendental for
accurate and up-to-date knowledge of the patient's health status. All patient or
User has the right to be recorded, in writing or in the technical support more

adequate, of the information obtained in all their care processes, carried out
by the health service both in the field of primary care and care
specialized.

2. The main purpose of the medical record will be to facilitate health care, leaving
constancy of all those data that, under medical criteria, allow the knowledge
truthful and updated of the state of health.


     The minimum content of the medical history will be the following:
     a) The documentation related to the clinical-statistical sheet.
     b) The entry authorization.

     c) The emergency report.
     d) Anamnesis and physical examination.
     e) Evolution.

     f) Medical orders.
     g) The consultation sheet.
     h) Complementary examination reports.
     i) Informed consent.

     j) The anesthesia report.
     k) The operating room report or birth record.
     l) The pathological anatomy report.

     m) The evolution and planning of nursing care.
     n) The therapeutic application of nursing.
     ñ) The graph of constants.
     o) The clinical discharge report.

     Paragraphs b), c), i), j), k), I), ñ) and o) will only be required upon completion
     of the clinical history in the case of hospitalization processes or so
     arrange.


3. The completion of the clinical history, in the aspects related to the
direct patient care, it will be the responsibility of the professionals who
intervene in it.

4. The clinical history will be kept with unit and integration criteria, in each
care institution as a minimum, to facilitate the best and most timely
knowledge by the physicians of the data of a certain patient in each

care process ”(the underlining is from the Spanish Data Protection Agency).

EIGHTH: Before going into the merits of the questions raised, it should be noted that,
the LAP establishes a series of obligations to professionals and health centers, in
its article 15 contains the minimum content of the clinical history, it also states
an obligation to preserve the medical record for the health center

established in its article 17. The regulations on data protection, put into relation
with articles 17, 18 and, especially article 15 of the LAP, recognizes a right
of access to the entire clinical history by its owner or representative.


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/8








Specifically, article 18.1 of the LAP establishes that “The patient has the right to
access, with the reservations indicated in section 3 of this article, to the
documentation of the medical record and to obtain a copy of the data contained in it.

The health centers will regulate the procedure that guarantees the observance of
these rights. " Consequently, the respondent has the legal obligation to deliver to
the complaining party copies their entire medical record.

In the case analyzed here, the complaining party exercised its right of access to its
clinical history, and that, after the period established in accordance with the rules before

indicated, your request did not obtain the legally required response, since the access
granted was incompletely produced.

However, the foregoing, once the claim raised by the
complaining party, the complained party provides the documentation proving the communication

sent to the interested party taking into account the right of access, said allegation being
object of transfer to the complaining party, by postal notification, without there being any
presented any allegation against it, therefore, with the measures adopted
by the person in charge, the rights of the affected party are duly restored.


Consequently, the present claim must be upheld for formal reasons at
the response has been issued extemporaneously without requiring the completion of
additional actions by the person responsible for the file.


Considering the cited precepts and others of general application,

the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: ESTIMATE for formal reasons, the claim made by Ms. A.A.A.,
against the HEALTH SERVICE OF THE PRINCIPALITY OF ASTURIAS. However, no
the issuance of a new certification by said entity proceeds, as it has
the response was issued extemporaneously, without requiring the completion of

additional actions by the person in charge.

SECOND: NOTIFY this resolution to Ms. A.A.A. and at the SERVICE OF
HEALTH OF THE PRINCIPALITY OF ASTURIAS.


In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the

Interested parties may optionally file an appeal for reconsideration before the
Director of the Spanish Agency for Data Protection within a month to
counting from the day after the notification of this resolution or directly
contentious-administrative appeal before the Contentious-Administrative Chamber of the
National High Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the

Contentious-administrative jurisdiction, within two months from the
day following notification of this act, as provided in article 46.1 of the
referred Law.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 8/8













                                                                                                   1037-100919

Mar Spain Martí
Director of the Spanish Agency for Data Protection







































































C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es