{{DPAdecisionBOX
|Jurisdiction=Spain
|DPA-BG-Color=background-color:#ffffff;
|DPAlogo=LogoES.jpg
|DPA_Abbrevation=AEPD
|DPA_With_Country=AEPD (Spain)
|Case_Number_Name=EXP202408793
|ECLI=
|Original_Source_Name_1=AEPD
|Original_Source_Link_1=https://www.aepd.es/documento/ps-00279-2024.pdf
|Original_Source_Language_1=Spanish
|Original_Source_Language__Code_1=ES
|Original_Source_Name_2=
|Original_Source_Link_2=
|Original_Source_Language_2=
|Original_Source_Language__Code_2=
|Type=Complaint
|Outcome=Upheld
|Date_Started=14.02.2025
|Date_Decided=
|Date_Published=19.02.2026
|Year=
|Fine=100.000
|Currency=EUR
|GDPR_Article_1=Article 5(1)(f) GDPR
|GDPR_Article_Link_1=Article 5 GDPR#1f
|GDPR_Article_2=Article 9 GDPR
|GDPR_Article_Link_2=Article 9 GDPR
|GDPR_Article_3=
|GDPR_Article_Link_3=
|GDPR_Article_4=
|GDPR_Article_Link_4=
|EU_Law_Name_1=
|EU_Law_Link_1=
|EU_Law_Name_2=
|EU_Law_Link_2=
|National_Law_Name_1=
|National_Law_Link_1=
|National_Law_Name_2=
|National_Law_Link_2=
|Party_Name_1=
|Party_Link_1=
|Party_Name_2=
|Party_Link_2=
|Appeal_To_Body=
|Appeal_To_Case_Number_Name=
|Appeal_To_Status=
|Appeal_To_Link=
|Initial_Contributor=RP
|
}}
The Spanish DPA fined a health service provider €100,000 after medical records of 18 police officers were compromised. The DPA held that the controller breached [[Article 5 GDPR#1f|Article 5(1)(f) GDPR]] by failing to ensure data security and confidentiality.
== English Summary ==
=== Facts ===
MEDIOS DE PREVENCIÓN EXTERNOS, S.L. (the controller) is a private company providing occupational risk prevention services. Its activities include workplace health surveillance and medical examinations for employees. The Spanish Directorate-General of Police hired the company to carry out medical examinations for members of the National Police and the Civil Guard as part of its occupational health programme. The controller conducted medical examinations at police facilities. After completing the examinations, staff transferred the paper documentation to the controller’s headquarters in Palma.
A municipal public company in Palma informed the police that it had found a box containing medical documents abandoned on a public street. The documents related to 18 members of the National Police and Civil Guard. They contained identification data and health data. The controller had processed these data in the context of the medical examinations.
On 14 February 2025, the Spanish DPA (AEPD) initiated sanctioning proceedings against the controller for an alleged infringement of [[Article 5 GDPR#1f|Article 5(1)(f) GDPR]]. The controller did not submit observations within the deadline. Under Article 64(2)(f) of the Spanish Law 39/2015 on the Common Administrative Procedure (Ley 39/2015 del Procedimiento Administrativo Común – LPACAP), the initiation decision therefore became a proposed decision.
=== Holding ===
The AEPD held that the controller infringed [[Article 5 GDPR#1f|Article 5(1)(f) GDPR]]. Under that provision, controllers must process personal data in a manner that ensures appropriate security, including protection against unauthorised disclosure and accidental loss.
The AEPD found that the controller had failed to ensure the confidentiality and security of the medical documentation. The exposure of health data on a public street showed that the controller had not implemented appropriate technical and organisational measures during the custody and transport of the documents. The case concerned special categories of personal data under [[Article 9 GDPR|Article 9 GDPR]], which increased the seriousness of the infringement.
When setting the fine, the AEPD considered the nature and gravity of the infringement, the number of affected data subjects, the negligent conduct, and the fact that the controller’s core activity involved regular processing of sensitive data.
The AEPD imposed an administrative fine of €100,000 under [[Article 83 GDPR#5a|Article 83(5)(a) GDPR]]. It also ordered the controller to implement appropriate measures within one month. The controller had to demonstrate that it ensured confidentiality and traceability in the custody, transport, delivery and storage of medical documentation processed outside its premises.
== Comment ==
”Share your comments here!”
== Further Resources ==
”Share blogs or news articles here!”
== English Machine Translation of the Decision ==
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
<pre>
• File No.: EXP202408793
RESOLUTION OF SANCTIONING PROCEEDINGS
From the proceedings initiated by the Spanish Data Protection Agency and based on
the following
BACKGROUND
FIRST: The Balearic Islands Police Headquarters (hereinafter, the complainant) filed a complaint with the Spanish Data Protection Agency on May 31, 2024. The complaint was directed against MEDIOS DE PREVENCIÓN EXTERNOS, S.L., with Tax Identification Number B41776360 (hereinafter, MEDIOS DE PREVENCIÓN EXTERNOS). The grounds for the complaint are as follows:
The Balearic Islands Police Headquarters sent a report to this Agency, dated May 31, 2024, stating that on October 4, 2023, following a call from a citizen to the Incidents Department of the entity (…), a box containing, among other items,
documentation with medical examinations performed on officers of the Civil Guard and the National Police was found abandoned on a public street in Palma.
[Address: ***]
The corresponding investigation revealed that these examinations were carried out by the entity MEDIOS DE PREVENCIÓN
EXTERNOS, S.L. and that their location is near the home of an employee of the defendant who participated in the examinations, in her capacity as an employee.
(…)
(…) In the submitted report, they stated that they contacted the aforementioned employee, Ms. A.A.A., holder of ID number ***NIF.1, by telephone. She stated that the procedure was as follows:
“Medical examinations were carried out, and the results were immediately entered into the computer. At the end of each workday, all the forms/medical examinations were collected and taken to the MPE headquarters in Palma. At this headquarters, these documents were received by an administrative assistant whose name she did not know, and she stored them in two locked cabinets (one for the National Police and one for the Civil Guard).”
Finally, she states that she herself was primarily responsible for transporting the medical examinations from the Civil Guard Headquarters and the Police Headquarters to the MPE central office, located at that time at ***ADDRESS 2 in Palma.
On occasion, Dr. B.B.B. also handled the task, and he was the one who transported the urine and blood samples.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeaepd.gob.es 2/14
They also explain that, after completing all the statements and investigations, they realized that A.A.A.’s registered address is ***ADDRESS.3. This address coincides with the same street and number where, on October 4th, a cardboard box containing four containers with syringes inside, and a red backpack with documents, was allegedly abandoned, as stated by C.C.C. in their statement.
Therefore, they attempted to summon A.A.A. but were unable to contact her. In order to notify her of the summons in writing, they made efforts to locate her without success, so they contacted the person listed as her roommate in October
2023, who stated the following:
“That he met A.A.A. online, and after four months, he proposed that she live at his home, located at ***ADDRESS.3, intending to rent her a room. She accepted and stayed from October 4th to 14th of last year.
On the first day, she arrived with many bags, cardboard boxes, etc. A neighbor asked her if she had any idea who had left a cardboard box with documents and some yellow containers for syringes in the doorway of her building, ***ADDRESS.3. Initially, she replied that she didn’t know, but after a few hours, she remembered seeing those items in her own house, as A.A.A. had brought them. From this, she deduced that A.A.A. was the one who left them in the doorway.
The following documentation is submitted with the complaint:
– Statement from C.C.C., an employee of (…), dated February 2, 2024, in which he states:
“… on October 4, 2023, the incidents department of (…) received a phone call from a citizen stating that: “at ***ADDRESS.1, there was an abandoned cardboard box containing four containers with syringes inside,
and a red backpack with documents, the type of which could not be specified.”
He went to the indicated address, collected everything, sealed it, and took it to the Son Pacs warehouse, where it was held in storage, and he does not know what happened to the stored items afterward. Provide photos of the items mentioned, attaching them to
your Statement of Facts”
– Statement of D.D.D., Occupational Risk Prevention Technician (…), dated
February 2, 2024, in which, among other things, he states:
“That he traveled to (…) in Son Pacs to retrieve the 18 medical examinations
carried out on as many National Police officers, since he was contacted
(…) because he had received a phone call (…) from (…), Mr.
E.E.E., informing him that he had in his possession some medical examinations carried out
on August 5, 2023, on officers of the Civil Guard and the National Police.”
“That the General Directorate of the Police has outsourced this health surveillance service to the company MPE (…) for about 3 years. Given the seriousness of the events, he contacted the usual contact person at
the company MPE, F.F.F., to request an explanation, receiving the response that she could not provide any answer and could not understand how it could have happened.
-Letter in response to the request for information made by the complainant
regarding the protocols related to medical examinations, the process followed
in the safekeeping of these documents, identification of the custodians of said
medical examinations, the role played in the process, the physical locations of the
storage facilities, and whether they are aware of any incidents in this regard, in which the respondent
indicates the medical personnel responsible for carrying out the medical examinations on the
dates indicated for the National Police and the Civil Guard, and states the following:
“…That said medical examinations were carried out at the facilities
of the National Police in Palma de Mallorca and the Civil Guard in Palma, therefore
the documentation of the medical tests carried out there was kept by
the aforementioned official bodies and their implemented security measures.
That, once the medical examinations were completed, the transfer of all
the collected documentation to our clinical facilities was carried out by Mr.
G.G.G., with National Identity Document (D.N.I.) Mr./Ms. [Name] and Mr./Ms. [Name], with National Identity Document number [Number], …
– Email from the complainant dated April 11, 2024, providing the telephone numbers of the personnel involved (doctors and nurses who performed the examinations), previously requested by the complainant.
– Statement of G.G.G., an employee of the company (…), which was purchased by the defendant, dated May 8, 2024, in which he states:
“That in May of last year, his manager, I.I.I., informed him that he had to collect and transport medical supplies from this Police Headquarters to the facilities of the company (…) (which was purchased).
That J.J.J. was responsible for telling him and his colleague, H.H.H., everything they had to transport from the Infirmary of this Headquarters, without him remembering whether it was on the 6th or 7th floor.
That he did not see any list of chain of custody of what they were to take and that the
journey was made directly from point to point without any stops along the way.
Among other things, they loaded open and closed boxes containing papers,
urine tubes, etc. They transported all the packages in two cars, one driven by the
declarant and the other by H.H.H., from this Senior Headquarters to the
headquarters of (…), located on (…) Street in Palma, specifically depositing the entire load
in the basement. It should be noted that he did not see any chain of custody list of what they
were to take and that the journey was made directly from point to point without any
stops along the way.”
-Statement of J.J.J., (…) of the complainant, states:
“That the current Manager (…), I.I.I., in May of last year, informed him that he should
go with two people to the Balearic Islands Police Headquarters to
collect all the medical equipment (electrode, folding stretcher, protocols, forms, etc.)
that they had brought to perform the medical examinations.
Therefore, he went to the aforementioned Headquarters with G.G.G. and H.H.H. to
tell them that they had to take the equipment from the infirmary of those Police Stations
to the headquarters of (…). The three of them went directly in two cars, point to point
without stopping.
That there was no control sheet for the material transferred from one place to another.
They only collected the items at the National Police station, without knowing
who was responsible for doing the same at the Civil Guard Headquarters in Palma.
As far as the declarant knows, the collection of documents from the
Civil Guard Headquarters was managed directly from the Central Office in (…).
That there was no chain of custody for documents or medical equipment.
She wants to emphasize that it strikes her as extremely odd that it is impossible
that they could have found documentation from both the National Police and the Civil Guard
in the same box or backpack, since they were clearly separated by police force.
That it must have been someone who did it deliberately and had worked at
both locations (National Police Headquarters and Civil Guard Headquarters).
-Statement from K.K.K., dated May 15, 2024, to provide further information, in which he states:
“That he is unaware of the chain of custody for the documents related to the
medical examinations, as well as the containers with syringes. The aforementioned officials arrived on time. The nurse from the defendant provided them with the
corresponding protocol, which they filled out, and upon entering to undergo the examination,
they returned it to the nurse. That the Management only provided
the physical space occupied by the company during the time the
medical examinations were carried out.
That he did not receive any request for custody of the items mentioned in the previous question from the company MPE (…).
That at no time were they informed of their procedures or their protocol. The personnel from this company entered and left without giving any
explanation.”
At this same event, the Technical Specifications document is presented within the framework of the occupational health surveillance program for the contracting of medical examinations with the external occupational risk prevention service for the public employees of the Directorate General of the Police.
The following is transcribed from point number 8. CONFIDENTIALITY CLAUSE:
“The successful bidder will guarantee the confidentiality of the information it receives for the performance of its duties. The purpose of communicating personal data is solely to enable the medical examinations of the public employees of the Directorate General of the Police, who serve in the facilities specified in this document, and to allow them to know, specifically and individually, their state of health.”
“The information, data, or specifications provided by the General Directorate of the Police to the winning bidder and its personnel involved in the execution of the contract must be considered confidential and may not be published, transferred, or loaned, in whole or in part, to third parties.”
“The winning bidder and its personnel undertake the obligation to faithfully and carefully safeguard the data to which they may have access as a result of performing the service, and commit to using said data solely for the purpose of fulfilling the contract.”
“For the aforementioned purposes, the successful bidder will apply security measures in accordance with the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, applicable to files and automated processing containing personal data) and Organic Law 3/2018 of 5 December on the protection of personal data and the guarantee of digital rights.”
“Bidders must include in their bid a descriptive report of the security measures they will adopt to ensure the availability, confidentiality, and integrity of the data handled and the documentation provided. They must also include in their bid the designation of a person or persons who, without prejudice to the company’s own liability, are authorized to liaise with the Directorate General of the Police for the proper use of the equipment and information to be handled.”
-Technical specifications within the occupational health surveillance program for the contracting of medical examinations with an external occupational risk prevention service for public employees of the Directorate General of the Police.
SECOND: According to the report obtained from the AXESOR tool, the entity MEDIOS DE PREVENCIÓN EXTERNOS, S.L. is a parent company of a group established in 1996, with a turnover of €7,095,892 in 2021.
THIRD: On February 14, 2025, the Deputy Director General of Data Inspection, in accordance with Article 48.2 LOPDGDD, due to the vacancy of the positions of President and Deputy President of the Spanish Data Protection Agency, agreed to initiate disciplinary proceedings against the respondent for the alleged infringement of Article 5.1.f) of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), as defined in Article 83.5 of the GDPR.
FOURTH: The aforementioned initiation agreement having been notified in accordance with the rules established
in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), and the period granted
for submitting allegations having elapsed, it has been verified that no allegations have been received
from the respondent.
Article 64.2.f) of the LPACAP (Law on the Common Administrative Procedure of Public Administrations) – a provision that was communicated to the respondent
in the agreement initiating the proceedings – establishes that if no
objections are submitted within the prescribed period regarding the content of the initiation agreement, when
it contains a precise statement concerning the imputed liability,
it may be considered a proposed resolution. In the present case, the agreement initiating the disciplinary proceedings specified the facts that constituted the
charge, the GDPR infringement attributed to the respondent, and the sanction that could be
imposed. Therefore, considering that the respondent has not
submitted any objections to the agreement initiating the proceedings and in accordance with the provisions of
Article 64.2.f) of the LPACAP, the aforementioned initiation agreement is
considered a proposed resolution in this case.
In light of all the actions taken by the Spanish Data Protection Agency in this proceeding, the following facts are considered proven:
PROVEN FACTS
FIRST: The National Police received a telephone call from the Environmental Inspection Department of (…) (a municipal public company of the Palma City Council), reporting that they had in their possession a series of documents, apparently medical examinations performed on National Police and Civil Guard officers
in Palma, which were found abandoned in a public place by one of the employees of (…) after being alerted to their existence by a citizen.
SECOND: The documents found abandoned are medical examinations performed on Civil Guard and National Police officers
by the company MEDIOS DE PREVENCIÓN EXTERNOS, S.L. (MPE).
THIRD: According to the statements of the personnel responsible for carrying out these medical examinations, the procedure followed consisted of performing them at the facilities of the Civil Guard and the National Police, and then transferring all the forms and/or medical examinations to the MPE headquarters in Palma.
LEGAL BASIS
I
Jurisdiction
In accordance with the powers granted to each supervisory authority by Article 58.2 of the GDPR, and as established in Articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter, LOPDGDD), the Presidency of the Spanish Data Protection Agency is competent to resolve this procedure.
Likewise, Article 63.2 of the LOPDGDD (Spanish Organic Law on the Protection of Personal Data and Guarantee of Digital Rights) stipulates that: “The procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, by this Organic Law, by the implementing regulations issued thereunder, and, insofar as they do not contradict them, subsidiarily, by the general rules on administrative procedures.”
II
Preliminary Issues
Article 4.1 of the GDPR defines “personal data” as “any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.”
The same article defines “processing” as any operation or set of operations performed on personal data or sets of personal data, whether by automated means or not, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
In this case, in accordance with Articles 4.1 and 4.2 of the GDPR, the processing of personal data is established, since MEDIOS DE PREVENCIÓN EXTERNOS carries out, among other processing activities, the collection, recording, organization, and storage of the following personal data of natural persons, such as: name and surname, national identity document, address, data relating to health, etc.
Furthermore, MEDIOS DE PREVENCIÓN EXTERNOS carries out this processing activity
in its capacity as data controller, since it is the one that
determines the purposes and means of such activity, pursuant to Article 4.7 of the GDPR: which
defines it as the natural or legal person, public authority, agency or other body
which, alone or jointly with others, determines the purposes and means of the processing; where the purposes and means of the processing are determined by
Union or Member State law,
the controller or the specific criteria for its appointment may be
laid down by Union or Member State law;
III
Breach of Obligation: “Principle of Integrity and Confidentiality”
Article 5.1.f) “Principles relating to processing” of the GDPR establishes:
“1. Personal data shall be:
(…)
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, by implementing appropriate technical and organizational measures (“integrity and confidentiality”).”
In this case, a personal data breach would have occurred, as the medical examination data of police officers and Civil Guard officers were exposed to third parties when a box containing documentation relating to special categories of health data was found in a public place.
The known facts are considered to constitute an infringement attributable to the respondent, for violation of Article 5.1(f) of the GDPR.
IV
Classification of the infringement of Article 5.1(f) of the GDPR and its classification for the purposes of the statute of limitations
Article 83.5 of the GDPR classifies as an administrative infringement the violation of the following articles, which shall be sanctioned, in accordance with paragraph 2, with administrative fines of up to EUR 20,000,000 or, in the case of an undertaking, up to 4% of its total global annual turnover of the preceding financial year, whichever is higher:
(a) the basic principles for processing, including the conditions for consent pursuant to Articles 5, 6, 7 and 9; (…)
(b) the rights of data subjects pursuant to Articles 12 to 22;
(c) transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49;
(d) any obligation under Member State law adopted pursuant to Chapter IX;
(e) failure to comply with a decision or a temporary or permanent limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58(2), or failure to provide access in violation of Article 58(1).
For its part, the LOPDGDD, in its Article 71, Infringements, states that:
“The acts and conduct referred to in paragraphs 4,
5 and 6 of Article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this Organic Law, constitute infringements.”
For the sole purpose of the statute of limitations, Article 72 “Very Serious Infringements” of the LOPDGDD (Spanish Data Protection Law) states:
“1. Pursuant to Article 83.5 of Regulation (EU) 2016/679, infringements that constitute a substantial breach of the articles mentioned therein, and in particular the following, are considered very serious and shall be subject to a three-year statute of limitations:
a) The processing of personal data in violation of the principles and safeguards established in Article 5 of Regulation (EU) 2016/679. (…)”
V
Sanction
In order to determine the administrative fine to be imposed, the provisions of Articles 83.1 and 83.2 of the GDPR must be observed, precepts which state:
“1. Each supervisory authority shall ensure that the imposition of administrative fines under this Article for infringements of this Regulation referred to in paragraphs 4, 5 and 6 is, in each individual case,
effective, proportionate and dissuasive.
2. Administrative fines shall be imposed, depending on the circumstances of each individual case, in addition to or instead of the measures provided for in Article 58(2)(a) to (h) and (j). When deciding on the imposition of an administrative fine and its amount in each individual case, due consideration shall be given to:
(a) the nature, seriousness and duration of the infringement, taking into account the nature, scope or purpose of the processing operation concerned, as well as the number of data subjects affected and the level of damage suffered;
(b) the intentionality or negligence of the infringement;
(c) any measures taken by the controller or processor of the processing to
remedy the damage suffered by the data subjects;
(d) the degree of responsibility of the controller or the processor,
taking into account the technical or organizational measures they have implemented pursuant to
Articles 25 and 32;
(e) any previous infringements committed by the controller or the processor;
(f) the degree of cooperation with the supervisory authority with a view to remedying the
infringement and mitigating its possible adverse effects;
(g) the categories of personal data affected by the infringement;
(h) how the supervisory authority became aware of the infringement, in
particular whether and, if so, to what extent the controller or processor notified the infringement;
(i) where the measures referred to in Article 58(2) have been
previously ordered against the controller or processor concerned in relation to the same matter, compliance with those measures;
(j) adherence to codes of conduct pursuant to Article 40 or to mechanisms of
certification approved under Article 42, and
(k) any other aggravating or mitigating factor applicable to the circumstances of the case,
such as financial benefits obtained or losses avoided, directly or
indirectly, through the infringement.”
For its part, Article 76 “Sanctions and Corrective Measures” of the LOPDGDD (Spanish Data Protection Law) stipulates:
“1. The sanctions provided for in paragraphs 4, 5, and 6 of Article 83 of Regulation (EU) 2016/679 shall be applied taking into account the criteria for determining the severity of the sanction established in paragraph 2 of said article.
2. In accordance with the provisions of Article 83.2.k) of Regulation (EU) 2016/679,
the following may also be taken into account:
a) The continuing nature of the infringement.
b) The connection between the infringer’s activity and the processing of personal data.
c) The benefits obtained as a result of committing the infringement.
d) The possibility that the data subject’s conduct could have induced the commission of the infringement.
e) The existence of a merger by acquisition subsequent to the commission of the infringement, which cannot be attributed to the acquiring entity.
f) The infringement of the rights of minors.
g) The appointment of a data protection officer, when not mandatory.
h) The voluntary submission by the controller or processor to alternative dispute resolution mechanisms in cases where disputes arise between them and any data subject.
This infringement may be sanctioned with a fine of up to €20,000,000 or,
in the case of a company, with an amount equivalent to up to 4% of its total global annual turnover for the preceding financial year, whichever is higher, in accordance with Article 83.5(a) of the GDPR.
In this case, considering the seriousness of the potential infringement,
especially the consequences its commission has on those affected,
the imposition of a fine is warranted, in addition to the adoption of measures.
The fine imposed must be, in each individual case, effective, proportionate,
and dissuasive, in accordance with the provisions of Article 83.1 of the GDPR. To guarantee
these principles, the turnover of MEDIOS
DE PREVENCIÓN EXTERNOS, S.L. (€7,095,892 in 2021) is taken into consideration beforehand.
For the purposes of deciding on the imposition of an administrative fine and its amount,
it is considered appropriate to determine the appropriate sanction in accordance with the
circumstances set forth in the aforementioned provisions.
As a preliminary matter, the following circumstances are considered to exist:
• The nature, seriousness, and duration of the infringement, taking into account the
nature, scope, or purpose of the processing operation in question, as well as
the number of data subjects affected and the level of damage they
have suffered (Article 83.2(a) of the GDPR): having affected 18
members of the security forces and the
breach of confidentiality not being detected until some time later.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeaepd.gob.es 11/14
• Intentionality/Negligence in the infringement (Article 83.2(b) of the
GDPR): The Supreme Court has consistently held that negligence exists whenever
a legal duty of care is disregarded, that is, when the infringer does not
act with the required diligence. And in assessing the degree of diligence,
the professionalism of the individual must be given special consideration, and there is no doubt
that, in the case now under examination, when the activity of the accused party
involves the constant and extensive handling of personal data,
the rigor and meticulous care to comply with the legal
precautions in this regard must be emphasized. [Judgment of the National Court of 17/10/2007 (appeal no. 63/2006)].
Not only would a lack of due diligence be found on the part of the person who
collected the medical examinations, but also on the part of the recipients of the
documentation itself.
This circumstance reflects a clear omission by the data controller in their duty of
care to protect their clients’ data, which reinforces and
amplifies the seriousness of the infringement.
• The categories of personal data affected by the
infringement (Article 83.2(g) of the GDPR): the fact that the loss of
confidentiality occurred in relation to medical examinations
makes it a particularly significant breach, since not only
general personal data but also health data of the 18
affected individuals were disclosed.
Furthermore, the following factors are considered as aggravating circumstances:
• The connection of the offender’s activity with the processing of personal data (Article 76.2(b) of the LOPDGDD):
MEDIOS DE PREVENCIÓN is a Group that originated in 1996 as an Occupational Risk Prevention Service, whose objective is to ensure the safety and health of workers and contribute to reducing workplace accidents. It has more than sixty offices throughout Spain and is accustomed to processing personal data.
The assessment of the circumstances contemplated in Article 83.2 of the GDPR and Article 76.2 of the LOPDGDD, with respect to the infringement committed by violating the provisions of Article 5.1.f) of the GDPR, allows for the imposition of an administrative fine of €100,000.00.
VI
Corrective Measures
The resolution text sets out the infringements committed and
the facts that led to the breach of data protection regulations, clearly indicating the measures to be adopted.
The specific procedures, mechanisms, or instruments for implementing these measures are the responsibility of the sanctioned party, as it is the data controller who fully understands their organization and must decide, based on
proactive responsibility and a risk-based approach, how to comply with the GDPR and the LOPDGDD.
However, in this case, notwithstanding the foregoing, in accordance with the evidence currently available regarding the initiation of disciplinary proceedings, the resolution adopted may require
MEDIOS DE PREVENCIÓN EXTERNOS, S.L. to adopt the following measures within one month from the date the final resolution of these proceedings becomes enforceable:
– Demonstrate the adoption of the necessary measures to guarantee compliance with Article 5.1.f) of the GDPR, in particular to ensure the confidentiality and traceability of documentation relating to medical examinations carried out outside its facilities, regarding the custody, transport, delivery, and storage of said documentation.
The imposition of this measure is compatible with the sanction consisting of an administrative fine, as provided for in Article 83.2 of the GDPR.
It is hereby notified that failure to comply with the order to adopt measures imposed by this
body in the sanctioning resolution may be considered an
administrative infringement in accordance with the provisions of the GDPR, specifically classified as an infringement in
Articles 83.5 and 83.6 thereof, and such conduct may give rise to further
administrative sanctioning proceedings.
Therefore, in accordance with applicable legislation and having assessed the criteria for
graduating the sanctions, the existence of which has been proven,
the Presidency of the Spanish Data Protection Agency RESOLVES:
FIRST: TO IMPOSE on MEDIOS DE PREVENCIÓN EXTERNOS, S.L., with Tax Identification Number
B41776360, for an infringement of Article 5.1.f) of the GDPR, classified in
Article 83.5 of the GDPR, a fine of €100,000.00 (ONE HUNDRED THOUSAND EUROS).
SECOND: ORDER MEDIOS DE PREVENCIÓN EXTERNOS, S.L., with Tax Identification Number (NIF) B41776360, to demonstrate, pursuant to Article 58.2.d) of the GDPR, within one month of this resolution becoming final and enforceable, that it has complied with the measure established herein, which consists of demonstrating the adoption of the necessary measures to guarantee compliance with the provisions of Article 5.1.f) of the GDPR, ensuring, in particular, the confidentiality and traceability of the documentation relating to medical examinations carried out outside its facilities, regarding the custody, transport, delivery, and storage of said documentation.
THIRD: NOTIFY MEDIOS DE PREVENCIÓN EXTERNOS, S.L. of this resolution.
FOURTH: This resolution will become enforceable once the deadline for filing the optional appeal for reconsideration (one month from the day following notification of this resolution) has expired without the interested party having exercised this right.
The sanctioned party is advised that they must pay the imposed sanction once this resolution becomes enforceable, in accordance with the provisions of Article 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the voluntary payment period established in Article 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to Article 62 of Law 58/2003, of December 17,
by depositing the fine, indicating the Tax Identification Number (NIF) of the sanctioned party and the procedure number shown in the heading of this document, into the restricted account IBAN: ES00-0000-0000-0000-0000-0000 (BIC/SWIFT Code: CAIXESBBXXX), held in the name of the Spanish Data Protection Agency at CAIXABANK, S.A.
Otherwise, collection will be pursued during the enforcement period.
… Upon receipt of the notification and once it becomes enforceable, if the enforceability date falls between the 1st and 15th of each month, inclusive, the deadline for making the voluntary payment will be the 20th of the following month or the next business day thereafter. If the date falls between the 16th and the last day of each month, inclusive, the payment deadline will be the 5th of the second following month or the next business day thereafter.
In accordance with Article 50 of the LOPDGDD (Organic Law on the Protection of Personal Data and Guarantee of Digital Rights), this Resolution will be published once it becomes final through administrative channels.
Against this resolution, which concludes the administrative process pursuant to Article 48.6 of the
LOPDGDD, and in accordance with the provisions of Article 123 of the LPACAP, the
interested parties may, optionally, file an appeal for reconsideration with the
Presidency of the Spanish Data Protection Agency within one month from the day following notification of this resolution, or directly
file an administrative appeal with the Administrative Chamber of the
National Court, pursuant to the provisions of Article 25 and paragraph 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Administrative Jurisdiction, within two months from the day following notification of this act, as provided for in Article 46.1 of the
said Law.
Finally, it is noted that, in accordance with the provisions of Article 90.3 a) of the LPACAP, a
final administrative decision may be provisionally suspended if the
interested party expresses their intention to file an appeal with the Administrative Court.
If this is the case, the interested party must formally communicate this fact by
submitting a written communication to the Spanish Data Protection Agency through
the Agency’s Electronic Registry [https://sedeaepd.gob.es/sede-electronica-web/], or through one of the other registries provided for in Article 16.4 of
Law 39/2015, of October 1. They must also provide the Agency with
documentation proving the effective filing of the appeal with the Administrative Court.
If the Agency is not notified of the filing of the appeal within two months from the day following
notification of this resolution, the provisional suspension will be terminated.
Lorenzo Cotino Hueso
President of the Spanish Data Protection Agency
</pre>