Generalitat Valencia – €500,000 Fine (Spain, 2025)

€500,000 | Agencia Española de Protección de Datos | 10 April 2025 | Spain
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

The Ministry of Health and Public Health of Valencia (controller) has engaged the services of Marina Salud (processor) since 2009. The processor is a health organisation providing public health services under a contract.

On 19 January 2023, the controller performed an inspection on the processor’s premises. The inspection revealed that the processor was using third-party health information system software, and the processor refused to provide the controller with the contract in place between the processor and the third party. The inspection revealed that the third-party software was being used for laboratory and pathological management, the management of anticoagulation treatment, human resources and the management of logistics in the hospital. Two further unauthorised sub-processors had been engaged by the processor, one for IT systems, and one for a laboratory information system.

On 27 January 2023, the controller reaffirmed its instructions to the processor for the processing, access and use of the health data, and mandated that the processor cannot engage any sub-processors without authorisation. On 31 January 2023, the controller informed the processor that it was not going to extend the contract for the provision of services between them past its expiration (31 January 2024). On 16 May 2023, the controller filed a complaint with the AEPD (Spanish DPA).

During the DPA’s investigation, the processor argued that it held a general authorisation from the controller to engage sub-processors. The DPA rejected this claim. The DPA referenced both an agreement between the controller and processor requiring the controller’s assent before a sub-processor could be engaged, and the processor’s obligation under Article 28(2) GDPR. The DPA found that the processor had infringed Article 28(2) GDPR by engaging a sub-processor without the controller’s authorisation. In deci

GDPR Articles Cited

Art. 28(2) GDPR

Entities Involved

Generalitat Valencia
Marina Salud S.A.
Source verified 6 March 2026
verified correct

Related Enforcement Actions (0)

No other enforcement actions found for Generalitat Valencia in ES

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date: 10 April 2025
Authority: Agencia Española de Protección de Datos
Fine Amount: €500,000
GDPRhub ID: gdprhub-9122

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Generalitat Valencia - Spain (2025). Retrieved from cookiefines.eu
