Secretaría General de Instituciones Penitenciarias – Court Ruling (Spain, 2026)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Spanish DPA reprimanded the Secretaría General de Instituciones Penitenciarias for demanding unnecessary medical information from an employee on sick leave. The agency reduced the employee's pay for not providing this information, which was deemed a violation of data protection rules. This case highlights the importance of only collecting necessary information from employees.
What happened
The Secretaría General de Instituciones Penitenciarias demanded excessive medical information from an employee who was on sick leave.
Who was affected
An employee of the Secretaría General de Instituciones Penitenciarias who was asked to provide unnecessary medical details to justify sick leave.
What the authority found
The DPA found that the agency violated data minimization principles by requesting information that was not legally justified under GDPR.
Why this matters
This case emphasizes that organizations should only collect information that is necessary for their operations. Businesses must review their data collection practices to ensure compliance with privacy laws.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
Secretaría General de Instituciones Penitenciarias (the controller) is an organ under the Spanish Ministry of Inner Affairs. The controller is responsible for coordinating and monitoring penitentiary institutions in Spain. In 2019, an employee of a penitentiary center (the data subject) brought a complaint to the DPA. The data subject provided a medical note to justify three days of sick leave, however the controller also demanded them to provide the diagnosis or medical treatment in order to justify the sick leave. The controller later reduced the data subject’s pay in relation to the three days for refusing to provide this information, as it considered that the sick leave was not justified. In 2021, the DPA issued a reprimand for the controller, stating that it had violated the principle of data minimisation (Article 5(1)(c) GDPR). The DPA noted that the controller did not have a legal basis to demand this information under Articles 6(1) and 9 GDPR.See decision number PS/00088/2020, https://www.aepd.es/documento/ps-00088-2020.pdf The DPA also dismissed the internal appeal filed by the controller, on the grounds that it had not provided any new facts or legal arguments.See appeal number RR/00103/2021 (same decision number), https://www.aepd.es/documento/reposicion-ps-00088-2020.pdf The controller appealed the DPA’s decision to the High Court in 2021. According to the controller, the data subject did not inform anyone before taking the sick leave, and did not respond to calls attempting to contact them. The controller argued that demanding additional documentation was justified under suspicions of false illness, as unplanned absences from employees can pose a security risk in the context of managing penitentiary centres. The court stated that the controller did not process personal data, because it had simply requested it from the data subject and not collected it. Therefore, the court upheld the appeal and overturned the decision of the DPA. The DPA appealed the de
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Secretaría General de Instituciones Penitenciarias in ES
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Secretaría General de Instituciones Penitenciarias - Spain (2026). Retrieved from cookiefines.eu
Last updated: