Osakidetza-Servicio Vasco de Salud – Court Ruling (Spain, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Spanish Supreme Court ruled that Osakidetza-Servicio Vasco de Salud wrongly included sensitive medical information in a report about a patient's foot injury. This decision highlights the importance of only using necessary personal data in medical records. It reinforces that individuals don't need to restrict processing before filing a complaint about excessive data use.
What happened
Osakidetza-Servicio Vasco de Salud included unrelated sensitive medical data in a patient's report.
Who was affected
A patient whose sensitive medical information was unnecessarily included in a report about her foot injury.
What the authority found
The court found that the health service violated the principle of data minimization by including unnecessary sensitive information in the report.
Why this matters
This ruling clarifies that individuals can directly challenge excessive data use without first restricting processing. It emphasizes the need for healthcare providers to strictly limit data use to what's necessary.
GDPR Articles Cited
National Law Articles
The data subject submitted a complaint to the Basque DPA following the inclusion of unrelated sensitive medical data (her gender reassignment) in a report about her injured foot. After investigating, the DPA issued a warning to the controller, Osakidetza-Servicio Vasco de Salud, for violating the principle of data minimisation Article 5(1)(c). The controller appealed the decision to the Administrative Court No. 2 of Vitoria-Gasteiz, which upheld the appeal. The DPA then appealed that court's decision to the Administrative Chamber of the High Court of Justice of the Basque Country, which upheld the DPA's appeal. Finally, the controller appealed the High Court's decision to the Spanish Supreme Court. Before the Supreme Court, the controller argued that, in light of the fact that the personal data had been lawfully collected, the data subject was required to exercise her right of restriction of processing Article 18 GDPR before she could file a complaint with the DPA. As a secondary point, the controller argued that the DPA disregarded relevant circumstances, namely that the medical records were intended only for the data subject. Ultimately, the Court rejected the controller's arguments and dismissed the appeal. The Court first addressed whether, in a case where the controller carries out a processing activity that the data subject considers to be excessive and data has been already collected, the data minimisation principle from Article 5(1)(c) GDPR is directly enforceable, or whether the data subject must first exercise the right to the restriction of processing provided for in Article 18 GDPR. As explained by the Court, Article 18(1) GDPR, in particular in paragraph (d), is linked to Article 21(1) GDPR, which guarantees the right to object to processing. Both rights are of a temporary nature and relate to a disputed deletion of personal data collected on the basis of Article 6(1) (e) or (f). At no point had the data subject sought the deletion of her personal dat
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Osakidetza-Servicio Vasco de Salud in ES
This is the only recorded case for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Osakidetza-Servicio Vasco de Salud - Spain (2022). Retrieved from cookiefines.eu
Last updated: