Servicio Extremeño de Salud – Complaint Upheld (Spain, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A nurse in Spain accessed a patient's medical records without permission, leading to a complaint upheld by the Spanish DPA. The health service failed to provide necessary assessments, showing gaps in their data protection practices. This case highlights the need for strict access controls in healthcare to protect patient privacy.
What happened
A nurse accessed a patient's medical records without authorization, violating privacy rules.
Who was affected
The affected person was a patient whose medical records were accessed unlawfully by a nurse.
What the authority found
The Spanish DPA found that the nurse's access to the patient's medical records was unauthorized and violated data protection rules.
Why this matters
Healthcare providers must implement strong access controls and conduct regular assessments to prevent unauthorized access to patient data. This case emphasizes the importance of safeguarding sensitive health information.
GDPR Articles Cited
A data subject filed a complaint with the Spanish DPA (AEPD) claiming that a nurse employed by the regional health service of Extremadura (hereinafter "SES") had unlawfully accessed his/her medical history without authorisation from the complainant and without having any relationship with the data subject that would justify such access under national and EU law.

As part of the investigation the AEPD requested the following information from the SES:

1. The causes that enabled the unlawful access by a third party;
2. Detailed descriptions of the actions taken to halt the undue access to the patient's information and to minimise the adverse effect on the data subject;
3. Measures taken to prevent similar occurrences in the future;
4. A copy of the risk assessment carried out, as well as the data protection impact assessment, if any;
5. Details of the technical and organizational measures adopted to guarantee a level of security appropriate to the risks identified in relation to access by health personnel to patients' medical records, and the security policy adopted by the entity in relation to it.

The SES replied that the patient's right of access includes "knowing in any case who has accessed your health data, the reason for access and the use that has been made of it". To give effect to this right, the IT system that holds patients' clinical information requires the existence of a relationship that legitimises the healthcare professional's access to a specific medical record. Hence, when a healthcare professional requests access to the history of a patient they are treating, the IT system automatically treats the relationship as "medical care" between a healthcare provider and a patient. The person requesting access must also provide a specific reason.

The SES did not provide the risk assessment or the data protection impact assessment requested by the AEPD. The AEPD found that the access by the third party unrelated to the claim
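The control the SES describes (a legitimising care relationship checked by the system, a mandatory stated reason, and an access trail the patient can later consult) can be modelled in a few lines. The following is an added illustration written for this page, not the SES's own system or code; the gateway class, the care-relationship table and every identifier in it are constructed. It also records denied attempts, which the page does not mention but which is what lets a defender spot a professional repeatedly looking up patients they do not treat.

```python
"""Relationship-based access control for medical records with an audit trail.

Added illustration (not the SES system): access to a record is granted only
when the system finds a legitimising relationship ("medical care") between the
professional and the patient AND a specific reason is supplied.  Every attempt,
granted or denied, is logged so the patient can see who accessed their data,
why, and on what basis.  All identifiers below are constructed sample values.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class AccessEvent:
    """One access attempt, exactly as the patient would later be shown it."""
    timestamp: datetime
    professional_id: str
    patient_id: str
    basis: Optional[str]   # "medical care" when a relationship exists, else None
    reason: str            # the reason typed by the requester (may be empty)
    granted: bool


class MedicalRecordGateway:
    def __init__(self, care_relationships: Dict[str, Set[str]]) -> None:
        # professional_id -> patients currently under that professional's care.
        # Constructed stand-in for the relationship data a hospital system holds.
        self._care = care_relationships
        self._audit: List[AccessEvent] = []

    def _legitimising_basis(self, professional_id: str, patient_id: str) -> Optional[str]:
        """Return the relationship that legitimises access, or None if there is none."""
        if patient_id in self._care.get(professional_id, set()):
            return "medical care"
        return None

    def request_access(self, professional_id: str, patient_id: str, reason: str) -> bool:
        """Decide an access request and log it whether or not it is granted."""
        basis = self._legitimising_basis(professional_id, patient_id)
        reason = reason.strip()
        granted = basis is not None and bool(reason)  # both conditions are required
        self._audit.append(AccessEvent(
            timestamp=datetime.now(timezone.utc),
            professional_id=professional_id,
            patient_id=patient_id,
            basis=basis,
            reason=reason,
            granted=granted,
        ))
        return granted

    def access_log_for_patient(self, patient_id: str) -> List[AccessEvent]:
        """Everything recorded about one patient's record, granted and denied."""
        return [e for e in self._audit if e.patient_id == patient_id]

    def who_accessed(self, patient_id: str) -> List[Tuple[str, str, str]]:
        """The patient's right of access: (who, basis, reason) for each granted access."""
        return [(e.professional_id, e.basis or "", e.reason)
                for e in self.access_log_for_patient(patient_id) if e.granted]

    def denied_attempts_by(self, professional_id: str) -> int:
        """Detection hook: denied look-ups by one professional, across all patients."""
        return sum(1 for e in self._audit
                   if e.professional_id == professional_id and not e.granted)


def demo() -> MedicalRecordGateway:
    """Constructed scenario: nurse-01 treats patient-A; nurse-02 has no relation."""
    gw = MedicalRecordGateway({"nurse-01": {"patient-A"}})
    gw.request_access("nurse-01", "patient-A", "post-operative follow-up")   # granted
    gw.request_access("nurse-02", "patient-A", "")                           # denied: no relation, no reason
    gw.request_access("nurse-02", "patient-A", "checking on a neighbour")    # denied: no relation
    return gw


if __name__ == "__main__":
    g = demo()
    for who, basis, why in g.who_accessed("patient-A"):
        print(f"{who} accessed patient-A on the basis of '{basis}': {why}")
    print("denied attempts by nurse-02:", g.denied_attempts_by("nurse-02"))
```

The point of logging denials as well as grants is that the patient-facing view (`who_accessed`) and the security-monitoring view (`denied_attempts_by`) come from the same trail; the risk assessment and DPIA the AEPD asked for would be where an organisation documents why that trail is reviewed and how often.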
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for Servicio Extremeño de Salud in ES
This is the only recorded action for this entity in this jurisdiction.
Cite as: Cookie Fines. Servicio Extremeño de Salud - Spain (2021). Retrieved from cookiefines.eu