HM HOSPITALES 1989 – €200,000 Fine (Spain, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
On 29 August 2022 a data subject filed a complaint against the controller, a hospital group, with the Spanish DPA (AEPD). The complaint exposed several security deficiencies in the maintenance of the software that the controller used in all of its hospitals. On 19 September 2022 the DPA asked the Subdirectorate General for Data Inspection to open an investigative procedure under Article 57(1) and Article 58(1) GDPR.

The software, called “Doctoris”, was used across the controller's hospitals and held all patient-related data, ranging from e-mail addresses to special-category data such as laboratory results, political opinions and race. The controller had contracted a processor to host the databases, storage and backup servers.

The investigation found that although an impact assessment had been carried out in 2023, the auditing company had not had access to all of the data concerned, and its report referred to IT security only briefly. On 26 April 2024 the controller stated that it had audited some, but not all, of its data centres in accordance with its half-yearly audit plan.

The DPA accepted that the controller had implemented the minimum level of encryption required for the processing. However, that encryption protected the data only against physical loss of control of the storage media; it provided no barrier at all against improper logical access to the data through the running system. The DPA also noted that the very fact that the encryption system had to be improved in 2023 shows that it was insufficient at the time.

The DPA stressed that Article 32 GDPR places a proactive obligation on the controller to review periodically the technical and organisational measures in place. It found that the controller had failed to ensure the effectiveness of its measures, since it had not carried out comprehensive audits across all of its hospitals. As aggravating factors, the DPA listed the controller's negligence regarding the infringement as well as the link between the controller's
GDPR Articles Cited
Article 32 GDPR (security of processing); Article 57(1) and Article 58(1) GDPR (basis for the investigative procedure)
Related Enforcement Actions (0)
No other enforcement actions found for HM HOSPITALES 1989 in ES
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
30 September 2024
Authority
Agencia Española de Protección de Datos
Fine Amount
€200,000
GDPRhub ID
gdprhub-8344
Cite as: Cookie Fines. HM HOSPITALES 1989 - Spain (2024). Retrieved from cookiefines.eu