Spain: AEPD fines HM Hospitales €48,000 for GDPR violations
The Spanish data protection authority ('AEPD') issued, on 25 February 2020, a resolution ('the Resolution') in proceedings PS/00187/2019, fining HM Hospitales 1989, S.A. €48,000 for violating Articles 5(1)(a) and 6(1)(a) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). In particular, the Resolution outlines that a complainant argued that at the moment of his admission in the hospital he had to fill a form including a checkbox indicating that, in case he did not tick the same, he agreed to the transfer of his data to third parties. In addition, the Resolution highlights that the form provided by HM was not compliant with the GDPR since consent was obtained through the inaction of the data subject. As a consequence, the Resolution imposes a fine of €48,000 against HM.
You can read the Resolution, only available in Spanish, here.