CEDICO, CENTRO DE DIAGNÓSTICO POR LA IMÁGEN, S.L. – €18,000 Fine (Spain, 2021)

The Spanish DPA (AEPD) has imposed a fine on CEDICO, CENTRO DE DIAGNÓSTICO POR LA IMÁGEN, S.L.. The data subject filed a complaint with the AEPD. He had requested an MRI scan of his knee due to an accident at work. In addition, he had contacted his insurance company in order to obtain a sick leave. The insurance company then contacted the controller, who transmitted the data subject's medical records. In doing so, the controller also provided the insurer with the report of a previous MRI scan of the knee that the data subject had undergone due to an event outside of work. In its evaluation, the insurer thus also referred to the MRI report outside working hours and attributed the data subject's incapacity to work to this event. In consequence, no sick leave was granted to the data subject. The DPA considered the disclosure of the earlier MRI report to the insurance company to be a violation of the principle of integrity and confidentiality. The original fine of EUR 30,000 was reduced to EUR 18,000 due to the voluntary payment and admission of guilt.