Extremadura's healthcare faces a 20 million fine for denying a mother her son's medical history

The AEPD opens a file against the Extremadura Health Service for denying a mother her son's medical history and ignoring her requests. The very serious infringement of the GDPR could lead to a fine of up to 20 million euros.

24 May 2026, 09:13h

The Spanish Data Protection Agency has reprimanded the Extremadura Health Service for not attending to the request of a citizen who asked to access the clinical history of her minor son. The supervisory authority has also opened a sanctioning procedure against it for disregarding the initial resolution and two subsequent requirements.

The core of the case is not just the lack of response to the mother. The Agency maintains that the Extremadura Health Service first breached the right of access recognized in the General Data Protection Regulation and, afterwards, ignored the express order to correct it within the established deadline.

The Agency gave ten business days to respond to the mother

The lack of response to the access request constitutes, for the supervisory authority, an infringement of Article 15 of the General Data Protection Regulation, which recognizes the right of any person to access their personal data.

After analyzing the complaint, the Agency ordered the Extremadura Health Service to send a certification within 10 business days. In that response, it had to attend to the citizen's request or deny it with justification.

The body did not comply with that initial resolution. Nor did it respond to two subsequent requirements sent by the Agency itself within the same file.

The file includes a very serious offense for disobeying the supervisory authority

That second non-compliance has led to the opening of a sanctioning procedure for violation of Article 58.2 of the General Data Protection Regulation. The Agency classifies this conduct within the regime of very serious infringements provided for in Article 83.6.

The file thus distinguishes between two aspects: on the one hand, the lack of response to the request for access to the minor's clinical history; on the other, the non-compliance with the resolution issued by the supervisory authority and the silence maintained in the face of two additional requirements.

The applicable regulations provide for sanctions of up to 20,000,000 euros or 4% of the total global annual turnover of the previous financial year for this type of infringement, applying the higher amount.

About the author
Redacción