Consejeria de Sanidad de la Comunidad de Madrid – Complaint Upheld (Spain, 2022)

Complaint Upheld
Agencia Española de Protección de Datos | 30 September 2022 | Spain
final

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

Spain's data protection authority found that a third party accessed someone's medical records without permission. The health authority had some security measures but they weren't strong enough to protect sensitive medical data. This case highlights the importance of having robust security measures to protect sensitive information.

What happened

A third party unlawfully accessed medical records due to insufficient security measures.

Who was affected

Patients whose medical records were accessed without authorization.

What the authority found

The authority determined that the health authority was liable for the data breach due to inadequate security measures.

Why this matters

The decision underscores the need for strong security measures to protect sensitive data, especially in healthcare, and serves as a warning to organizations handling such information.

GDPR Articles Cited

Art. 4 GDPR
Art. 24 GDPR
Art. 25 GDPR
Art. 32 GDPR
Art. 5(1)(f) GDPR
Art. 5(2) GDPR
Art. 9(1) GDPR
Art. 57(1) GDPR
Art. 58(2) GDPR
Art. 83(4) GDPR
Art. 83(5) GDPR
Art. 83(7) GDPR

National Law Articles

Article 28(1) LOPDGDD
Article 4 Law 41/2002
Article 47 LOPDGDD
Article 48(1) LOPDGDD
Article 63(2) LOPDGDD

Full Legal Summary

A third party unlawfully accessed the medical files of the data subject. The controller kept registries of who accessed medical files, which proved that the unlawful access had actually occurred and that it constituted a data breach. Medical files fall within the special categories of data, and processing such sensitive data carries higher risks. The data controller had some protection and access-control measures in place, but they were not enough. The DPA held that a data breach occurred and that the controller should be considered liable, since its measures were not sufficient to prevent unlawful access to the data (Article 5(1)(f) and Article 32 GDPR). Even though some measures were in place, they were not adequate for the level of protection required for sensitive data (Article 9 GDPR).

Outcome

Complaint Upheld

A data subject complaint that was upheld by the DPA.


Details

Decision Date

30 September 2022

Authority

Agencia Española de Protección de Datos

GDPRhub ID

gdprhub-7502

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Consejeria de Sanidad de la Comunidad de Madrid - Spain (2022). Retrieved from cookiefines.eu
