The Supreme Court has set a precedent on when data protection regulations begin to apply to information requests directed at a natural person by a company or administration. The ruling establishes that the obligation to comply with the GDPR arises from the very moment the data is requested, even if it is ultimately not delivered.
The resolution stems from the case of a worker at a penitentiary institution who had requested several short-term leaves. His workplace demanded that he provide medical certificates for his illness, with information about the diagnosis and treatment. The official refused to provide this documentation and reported the facts to the Data Protection Agency.
The Supreme Court corrects the criterion of the National High Court
After the complaint, the Agency opened a file on Penitentiary Institutions, an agency dependent on the Ministry of the Interior, and found a violation of the General Data Protection Regulation. However, the National Court ruled in favor of the State Attorney's Office, considering that, if there was no effective collection of data, there was no processing and therefore the GDPR was not applicable.
The Supreme Court has corrected that criterion by admitting the appeal in cassation with the argument that the mere request for personal data, when it occurs within an orderly and organized process to process them, already constitutes the processing of personal data. The ruling adds that from that first moment the principles of the European regulation must be respected.
The limit is in asking only for what is necessary
The Chamber focuses on the data minimization principle set forth in Article 5.1.c) of the GDPR, which requires that the information requested be adequate, relevant, and limited to what is necessary in relation to the purpose pursued.
In this case, the Supreme Court concludes that the Administration went beyond what was necessary by demanding data on diagnosis and treatment when sufficient medical certificates had already been provided to prove the worker's absence. For the magistrates, demanding that content meant accessing especially sensitive data without proportional justification.
The sentence specifies, at the same time, that the control of absenteeism and the fight against fraud are legitimate aims. It also admits that these objectives may justify requests for health data if it is proven that they are adequate and relevant for that specific purpose.
Doctrine with scope for companies and administrations
In the analysis of the case, the high court holds that, in the case of short-term absences due to work absenteeism, it is not relevant for the workplace to know the medical diagnosis or the treatment. It further adds that such access is neither adequate, nor relevant, nor proportional in cases of brief absences.
The general doctrine that sets the resolution is clear. The data controller is subject to compliance with the GDPR principles from the moment they request personal data from a natural person, regardless of whether that data is provided or collected afterwards.
The scope of the ruling goes beyond the specific case and affects both companies and public administrations, which will have to review how they formulate information requests in areas such as human resources, forms, or customer acquisition processes. The resolution was disseminated on April 29, 2026, at 10:13 a.m. and reinforces the idea that data protection does not begin when the information enters a file, but at the very instant it is requested.