Spain – Data protection complaints can bypass the controller

The Spanish Supreme Court has held that data subjects may complain directly to a data protection authority without first having to exercise their rights against the relevant controller (STS 3207/2022).

Background

The case arose when a hospital included gender reassignment information about a data subject in a medical report about her foot injury. The data subject lodged a complaint with the Basque Data Protection Agency (“BDPA”) claiming that this information was irrelevant and unrelated to her injury.

After investigating, the BDPA issued a reprimand to the hospital for violating the principle of data minimisation.

Following a number of appeals, the Basque High Court of Justice upheld the BDPA's decision and concluded that including the gender reassignment information in the medical report was excessive given the accident for which the data subject had sought medical assistance.

The hospital appealed to the Spanish Supreme Court. It argued that the data subject should first have exercised her right to restriction of processing (Article 18 GDPR) before lodging a complaint with the BDPA, and that doing so was a procedural precondition that had to be met before the BDPA could open an investigation into an alleged infringement of the principle of data minimisation.

Supreme Court Ruling

The Spanish Supreme Court rejected the hospital's arguments and ruled that neither the GDPR nor the Spanish Data Protection Act imposes any procedural prerequisite for lodging a complaint with a data protection authority.

The Spanish Data Protection Act sets out two independent procedures for potential infringements of the data protection legislation. In particular, data subjects can:

  • exercise their rights against the controller; or
  • report a potential infringement of data protection law to a data protection authority.

According to the Spanish Supreme Court, the exercise of the rights granted by the GDPR is independent of the right to lodge a complaint with a data protection authority. A data subject may therefore exercise those rights instead of, or at the same time as, lodging a complaint.

Principle of data minimisation

The Spanish Supreme Court did not itself examine whether the data minimisation principle had been breached, since the hospital and the BDPA agreed on the meaning and scope of the principle and the dispute before the court was purely procedural.

In its appeal, the hospital submitted that, in the context of a health care intervention, the data minimisation principle requires a medical report to include only information relevant to the specific intervention. The BDPA accepted this definition but concluded that, on the particular facts, the hospital had breached it by including gender reassignment information in a report about the data subject's foot injury.

Conclusion

The decision of the Spanish Supreme Court is not especially surprising, but it serves as a warning to controllers: if they breach data protection law, they cannot expect data subjects to try to resolve the problem with them first. Instead, the data subject may bypass the controller and complain directly to the relevant data protection authority.