Generalitat Valencia – €500,000 Fine (Spain, 2025)

€500,000 | Agencia Española de Protección de Datos | 10 April 2025 | Spain
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

The Generalitat Valencia was fined €500,000 for allowing a health service provider to use unauthorized sub-processors for handling sensitive health data. This case is significant because it shows that organizations must strictly control how their data is processed and who has access to it. Health organizations should ensure they have proper agreements in place to protect patient information.

What happened

The Generalitat Valencia allowed Marina Salud to engage unauthorized sub-processors for health data management.

Who was affected

Patients whose health data was managed by Marina Salud and its unauthorized sub-processors.

What the authority found

The Spanish DPA ruled that Marina Salud violated GDPR by engaging sub-processors without the necessary authorization from the Generalitat Valencia.

Why this matters

This ruling underscores the importance of compliance with data processing agreements. Organizations must ensure that any third parties handling sensitive data are properly authorized to do so.

GDPR Articles Cited

AI-verified

Art. 28(2) GDPR

Entities Involved

Generalitat Valencia
Marina Salud S.A.

Source verified 6 March 2026 (verified correct)

Full Legal Summary

The Ministry of Health and Public Health of Valencia (controller) has engaged the services of Marina Salud (processor) since 2009. The processor is a health organisation providing public health services under a contract.

On 19 January 2023, the controller performed an inspection on the processor’s premises. The inspection revealed that the processor was using third-party health information system software, and the processor refused to provide the controller with the contract in place between the processor and the third party. The third-party software was being used for laboratory and pathological management, the management of anticoagulation treatment, human resources and the management of logistics in the hospital. Two further unauthorised sub-processors had been engaged by the processor, one for IT systems, and one for a laboratory information system.

On 27 January 2023, the controller reaffirmed its instructions to the processor for the processing, access and use of the health data, and mandated that the processor cannot engage any sub-processors without authorisation. On 31 January 2023, the controller informed the processor that it was not going to extend the contract for the provision of services between them past its expiration (31 January 2024). On 16 May 2023, the controller filed a complaint with the AEPD (Spanish DPA).

During the DPA’s investigation, the processor argued that it held a general authorisation from the controller to engage sub-processors. The DPA rejected this claim. It referenced both an agreement between the controller and processor requiring the controller’s assent before a sub-processor could be engaged, and the processor’s obligation in Article 28(2) GDPR. The DPA found that the processor had infringed Article 28(2) GDPR for engaging a sub-processor without the controller’s authorisation. In deci

Related Enforcement Actions (0)

No other enforcement actions found for Generalitat Valencia in ES

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date

10 April 2025

Authority

Agencia Española de Protección de Datos

Fine Amount

€500,000

GDPRhub ID

gdprhub-9122

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Generalitat Valencia - Spain (2025). Retrieved from cookiefines.eu
