Hospital Recoletas Ponferrada – €20,000 Fine (Spain, 2022)
Hospital Recoletas Ponferrada faced a fine for having pre-ticked boxes on consent forms that misled patients. This matters because it shows that hospitals must be transparent about how they use personal information. Businesses need to ensure that consent is genuinely informed and voluntary.
What happened
Hospital Recoletas Ponferrada had pre-ticked boxes on consent forms that patients had to fill out.
Who was affected
Patients at Hospital Recoletas Ponferrada who were asked to consent to data usage were affected.
What the authority found
The Spanish DPA found that the hospital did not comply with GDPR requirements for obtaining consent.
Why this matters
This ruling serves as a warning to healthcare providers and other businesses about the importance of clear consent. Companies should avoid pre-ticked boxes to ensure compliance.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The data subject went to a hospital (the controller) for some health tests. They noticed that two boxes were pre-ticked when they had to read and consent to (parts of) the privacy notice. The first pre-ticked box referred to commercial communications, and the second one referred to the consent to disclose personal data regarding their stay at the hospital and their room number with third parties upon request. Since it was an electronic consent form on a tablet, the data subject complained to the receptionist who changed the settings and handed the tablet which allowed the data subject to tick the options as they wished. Later, the data subject complained in writing to the controller about the occurence and requested from the controller a copy of the privacy notice signed by them but did not receive it. Therefore, the data subject submitted a complaint before the Spanish DPA, which started an investigation and notified the controller about an alleged violation of Articles 6(1) and 15 in connection with Article 12 GDPR. In his own defense, the controller claimed that the pre-ticked clause about commercial communications was indeed a human error due to the long lines of patients waiting for their test in the morning, which made the receptionists change the settings to save time. Regarding the clause about communication of patients' personal data to third parties, the controller said that it did not apply to the data subject but to other patients who stayed at the hospital. The controller also mentioned that it was based on legitimate interest, and it was initially conceived as an opt-out box, giving to the patients the option to object to it when the privacy policy was in paper format, but the change to the electronic version on the tablet, made the system put it as a pre-ticked box. Additionally, the controller implemented measures, including staff training, in order to prevent such incidents in the future. The controller submitted that the data subject's written com
Violations (1)
Cookie consent checkboxes are pre-selected by default, violating the requirement for active, affirmative consent.
Art. 4(11) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Hospital Recoletas Ponferrada in ES
This is the only recorded action for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Details
Fine Date
15 December 2022
Authority
Agencia Española de Protección de Datos
Fine Amount
€20,000
GDPRhub ID
gdprhub-5533About this data
Cite as: Cookie Fines. Hospital Recoletas Ponferrada - Spain (2022). Retrieved from cookiefines.eu
Last updated: