The Supreme Court has confirmed the sanction imposed by the Spanish Data Protection Agency on Prison Institutions. The ruling of the National High Court is annulled, which had previously ruled in favor of the prison authority in this litigation.
The legal controversy was born from a medical indisposition suffered by Carlos Caraduje. This official from the Lanzarote Penitentiary Center was absent from his job in April 2019.
The center's management demanded that the employee provide the specific diagnosis and the medical treatment applied during his absences. The worker flatly refused to provide that detailed clinical information.
"This data belongs to your personal privacy" - Carlos Caraduje, prison official
Given the official's refusal to reveal his medical history, the administration deducted the days of absence directly from his payroll. This disciplinary measure triggered the intervention of data protection authorities.
The request constitutes data processing
The Spanish Data Protection Agency sanctioned the General Secretariat of Penitentiary Institutions in June 2020. It considered that there was a clear infringement of the principles relating to the processing of sensitive information.
The State Attorney defended before the courts that any administrative management unavoidably requires the prior obtaining of personal data. This thesis was initially accepted by the Contentious-Administrative Chamber of the National High Court in May 2024.
The AEPD appealed this decision alleging that the ruling was contrary to the established doctrine of the Court of Justice of the European Union. The high Spanish court has ended up siding with the regulatory agency.
"Contrary to the doctrine established by the CJEU" - Spanish Data Protection Agency
The magistrates of the Supreme Court have established that data processing exists from the very instant the Administration requests their delivery. It is not necessary to store or analyze them for a violation to be configured.
The ruling highlights that the request affects personal data because it reveals essential information about health status. It violates the minimization principle of the GDPR to demand more details than strictly necessary.
The court argues that the workplace could control absenteeism through standard medical certificates. These documents certify the leave without needing to know the specific treatment or diagnosis.
Seven magistrates sign the ruling
The resolution has the unanimous signature of the seven members of the chamber. José Manuel Bandrés Sánchez-Cruzat, Eduardo Calvo Rojas, Diego Córdoba Castroverde, José Luis Gil Ibáñez, Berta María Santillán Pedrosa, Juan Pedro Quintana Carretero and Margarita Beladiez Rojo make up the judicial panel.
The ruling confirms the warning originally imposed by the AEPD on the General Secretariat of Penitentiary Institutions. The agency's legal victory reinforces the limits on business access to employees' medical records.
Justice has resolved the conflict without imposing costs on any of the opposing parties. The official managed to protect his privacy against administrative interference in his most sensitive medical matters.