Hospital Recoletas Ponferrada – €20,000 Fine (Spain, 2022)

€20,000 · Agencia Española de Protección de Datos · 15 December 2022 · Spain
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

Hospital Recoletas Ponferrada was fined €20,000 for using pre-ticked boxes on consent forms. A patient noticed that they had been automatically signed up for marketing communications and for the sharing of their data with third parties without their explicit consent. This ruling stresses the importance of clear and voluntary consent in data processing.

What happened

The hospital used pre-ticked boxes for consent on a patient's electronic form.

Who was affected

The patient who was automatically signed up for marketing and data sharing without clear consent.

What the authority found

The authority found that the hospital violated data protection rules by not obtaining explicit consent for marketing and data sharing.

Why this matters

This case highlights that consent must be clear and voluntary. Businesses should avoid pre-ticked boxes and ensure users actively choose to consent to data processing.

GDPR Articles Cited

Art. 7 GDPR
Art. 12 GDPR
Art. 15 GDPR
Art. 6(1) GDPR

Source verified 4 April 2026
articles corrected
amount discrepancy
Full Legal Summary

The data subject went to a hospital (the controller) for some health tests. They noticed that two boxes were pre-ticked when they had to read and consent to (parts of) the privacy notice. The first pre-ticked box referred to commercial communications, and the second one referred to consent to disclose personal data regarding their stay at the hospital and their room number to third parties upon request. Since it was an electronic consent form on a tablet, the data subject complained to the receptionist, who changed the settings and handed over the tablet, which allowed the data subject to tick the options as they wished.

Later, the data subject complained in writing to the controller about the occurrence and requested a copy of the privacy notice they had signed, but did not receive it. The data subject therefore submitted a complaint to the Spanish DPA, which started an investigation and notified the controller of an alleged violation of Articles 6(1) and 15 in connection with Article 12 GDPR.

In its own defense, the controller claimed that the pre-ticked clause about commercial communications was a human error caused by the long lines of patients waiting for their tests in the morning, which led the receptionists to change the settings to save time. Regarding the clause about communication of patients' personal data to third parties, the controller said that it did not apply to the data subject but to other patients who stayed at the hospital. The controller also mentioned that this clause was based on legitimate interest and was initially conceived as an opt-out box, giving patients the option to object to it when the privacy policy was in paper format, but the change to the electronic version on the tablet made the system present it as a pre-ticked box. Additionally, the controller implemented measures, including staff training, in order to prevent such incidents in the future. The controller submitted that the data subject's written com

Violations (1)

Pre-ticked Consent Boxes
high

Cookie consent checkboxes are pre-selected by default, violating the requirement for active, affirmative consent.

Art. 4(11) GDPR

Related Enforcement Actions (0)

No other enforcement actions found for Hospital Recoletas Ponferrada in ES

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date

15 December 2022

Authority

Agencia Española de Protección de Datos

Fine Amount

€20,000

GDPRhub ID

gdprhub-5533

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Hospital Recoletas Ponferrada - Spain (2022). Retrieved from cookiefines.eu
