The Supreme Court applies the GDPR from the moment data is requested, even if it is never delivered

The Supreme Court establishes that requesting personal data is already processing under the GDPR. The ruling censures Penitentiary Institutions for demanding a worker's diagnosis and treatment.

29 April 2026 at 10:13h

The Supreme Court has established doctrine on what should be understood as personal data processing when a company or an administration requests information from a natural person. The key to the ruling is that the obligation to comply with the GDPR arises from the very moment the data is requested, even if it is ultimately not delivered.

The ruling stems from the case of an employee of a penitentiary institution who had requested several short-term leaves. The center demanded that he provide the medical certificates covering his illness, including information about the diagnosis and the treatment. The official refused to provide that documentation and reported the facts to the Data Protection Agency.

From the Agency's file to the Supreme Court's criterion

The Agency opened a file on Instituciones Penitenciarias, which depends on the Ministry of the Interior, and found a violation of the General Data Protection Regulation. However, the National Court sided with the State Legal Service, holding that if the data had not actually been collected, there was no processing and, therefore, the GDPR was not applicable.

The Supreme Court has now corrected that criterion. The Chamber admitted the cassation appeal with the argument that the mere request for personal data, when it occurs within an ordered and organized procedure for processing that data, already constitutes personal data processing. Therefore, it adds, the principles of the European regulation must be respected from that first moment.

The principle of minimization, at the center of the ruling

The judgment focuses on the principle of data minimization, enshrined in Article 5.1.c) of the GDPR. That precept requires that data be adequate, relevant, and limited to what is necessary in relation to the purpose pursued.

Within that framework, the Supreme Court concludes that the Administration went beyond what was necessary, because sufficient medical justifications had already been provided to account for the worker's absence. Additionally demanding the diagnosis and the treatment meant accessing especially sensitive data without a proportionate justification.

The magistrates specify that the control of labor absenteeism and the fight against fraud are legitimate ends. They also admit that this objective can cover requests for health data if it is proven that they are adequate and pertinent for that specific purpose.

What a company can ask for and what it cannot

The ruling clearly defines the scope of those requests in cases of short leaves. For short-term work absenteeism, the Supreme Court holds that it is not pertinent for the workplace to know the medical diagnosis or the treatment. It goes a step further and states that such access is neither adequate, nor pertinent, nor proportionate.

The general doctrine is formulated in broad terms. The data controller is bound by the principles of the GDPR from the moment it asks a natural person to provide personal data, regardless of whether or not that data is eventually provided and collected.

The practical scope of the ruling affects companies and public administrations, which must review how they formulate information requests in areas such as human resources, forms or customer acquisition processes, since GDPR control is brought forward to the very moment the data is requested.

About the author
Editorial staff