[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fxEcVXtk3tRd_bhsbDqV5B2iAlowxJMN-Pv10Lj1TiVo":3},{"article":4,"iocs":42},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":21,"category":22,"article_tags":26},"8b0819b1-9cb4-4277-81d3-bf8e232fb477","TS - 1590\u002F2026","ts-1590-2026-fe9b6a","← Older revision Revision as of 09:09, 5 May 2026 Line 74: Line 74: }} }} The court upheld the DPA’s reprimand against an organisation under of the Spanish Ministry of Inner Affairs The court upheld the DPA’s reprimand against an organ under of the Spanish Ministry of Inner Affairs regarding excessive processing of personal data. A penitentiary center demanded a data subject to provide a medical diagnosis or treatment in addition to a medical note to justify their three day sick leave. == English Summary == == English Summary == === Facts === === Facts === Secretaría General de Instituciones Penitenciarias (the controller) is an organisation under the Spanish Ministry of Inner Affairs. The controller is responsible for coordinating and monitoring penitentiary institutions in Spain. In 2019, an employee of a penitentiary center (the data subject) brought a complaint to the DPA. The data subject provided a medical note to justify three days of sick leave, however the controller also demanded them to provide the diagnosis or medical treatment in order to justify the sick leave. The controller later reduced the data subject’s pay in relation to the three days for refusing to provide this information, as it considered that the sick leave was not justified. In 2021, the DPA issued a reprimand for the controller, stating that it had violated the principle of data minimisation (Article 5(1)(c) GDPR). The DPA noted that the controller did not have a legal basis to demand this information under Articles 6(1) and 9 GDPR. 
The DPA also dismissed the internal appeal filed by the controller, on the grounds that it had not provided any new facts or legal arguments. Secretaría General de Instituciones Penitenciarias (the controller) is an organis under the Spanish Ministry of Inner Affairs. The controller is responsible for coordinating and monitoring penitentiary institutions in Spain. In 2019, an employee of a penitentiary center (the data subject) brought a complaint to the DPA. The data subject provided a medical note to justify three days of sick leave, however the controller also demanded them to provide the diagnosis or medical treatment in order to justify the sick leave. The controller later reduced the data subject’s pay in relation to the three days for refusing to provide this information, as it considered that the sick leave was not justified. In 2021, the DPA issued a reprimand for the controller, stating that it had violated the principle of data minimisation (Article 5(1)(c) GDPR). The DPA noted that the controller did not have a legal basis to demand this information under Articles 6(1) and 9 GDPR. See decision number PS\u002F00088\u002F2020, https:\u002F\u002Fwww.aepd.es\u002Fdocumento\u002Fps-00088-2020.pdf The DPA also dismissed the internal appeal filed by the controller, on the grounds that it had not provided any new facts or legal arguments. See appeal number RR\u002F00103\u002F2021 (same decision number), https:\u002F\u002Fwww.aepd.es\u002Fdocumento\u002Freposicion-ps-00088-2020.pdf The controller appealed the DPA’s decision to the High Court in 2021. According to the controller, the data subject did not inform anyone before taking the sick leave, and did not respond to calls attempting to contact them. The controller argued that demanding additional documentation was justified under suspicions of false illness, as unplanned absences from employees can pose a security risk in the context of managing penitentiary centres. 
The court stated that the controller did not process personal data, because it had simply requested it from the data subject and not collected it. Therefore, the court upheld the appeal and overturned the decision of the DPA. The controller appealed the DPA’s decision to the High Court in 2021. According to the controller, the data subject did not inform anyone before taking the sick leave, and did not respond to calls attempting to contact them. The controller argued that demanding additional documentation was justified under suspicions of false illness, as unplanned absences from employees can pose a security risk in the context of managing penitentiary centres. The court stated that the controller did not process personal data, because it had simply requested it from the data subject and not collected it. Therefore, the court upheld the appeal and overturned the decision of the DPA. The DPA appealed the decision to the Supreme Court in 2025. The DPA requested the court to overturn the decision of the lower court, and establish in case law that the definition of “processing” under the GDPR is broad and includes situations in which a party requests data in accordance with CJEU case law [see C-175\u002F20, C-34\u002F21, C-659\u002F22, C-548\u002F21]. The DPA appealed the decision to the Supreme Court in 2025. The DPA requested the court to overturn the decision of the lower court, and establish in case law that the definition of “processing” under the GDPR is broad and includes situations in which a party requests data in accordance with CJEU case law. See cases C-175\u002F20 Valsts ieņēmumu dienests (Processing of personal data for tax purposes), [[CJEU - C-175\u002F20 - Valsts ieņēmumu dienests (Processing of personal data for tax purposes)|link to GDPRhub summary]], [https:\u002F\u002Finfocuria.curia.europa.eu\u002Ftabs\u002Faffair?lang=en&sort=AFF_NUM-DESC&searchTerm=%22C-175%2F20%22&publishedId=C-175%2F20 link to Curia]. 
C-34\u002F21 Hauptpersonalrat der Lehrerinnen und Lehrer, [[CJEU - C-34\u002F21 - Hauptpersonalrat der Lehrerinnen und Lehrer|link to GDPRhub summary]], [https:\u002F\u002Feur-lex.europa.eu\u002Flegal-content\u002FEN\u002FTXT\u002F?uri=CELEX:62021CA0034 link to judgment]. C-659\u002F22 Ministerstvo zdravotnictví (COVID19 mobile application), [[CJEU - C-659\u002F22 - Ministerstvo zdravotnictví (COVID19 mobile application)|link to GDPRhub summary]], [https:\u002F\u002Feur-lex.europa.eu\u002Flegal-content\u002FEN\u002FTXT\u002F?uri=CELEX:62022CA0659 link to judgment]. C-548\u002F21 Bezirkshauptmannschaft Landeck (Attempt to access personal data stored on a mobile telephone), [https:\u002F\u002Feur-lex.europa.eu\u002Flegal-content\u002FEN\u002FTXT\u002F?uri=CELEX:62021CA0548 link to judgment]. === Holding === === Holding === The court first clarified that the controller did process personal data, because the definition of processing under [[Article 4 GDPR|Article 4 GDPR]] is broad. This means that the controller processed personal data when requesting data from the data subject, even if the controller does not receive it. According to the court, the lower court took a literal interpretation of [[Article 4 GDPR|Article 4 GDPR]], and concluded that processing of personal data begins when it is collected. The court argued that this literal interpretation does not align with the intention of the legislator or with CJEU case law [See C-175\u002F20, margins 34, 35, 37 and C-659\u002F22, margins 27, 28, 32]. Furthermore, the court argued that it is only possible to ensure an effective protection of the fundamental right to privacy [art. 8 CFREU and Art. 18 Constitution] and data protection if a controller has the obligation to comply with the GDPR at the moment of requesting data from a data subject. This includes assessing whether the personal data requested are limited to what is necessary for the purpose(s) for which they are collected. 
The court first clarified that the controller did process personal data, because the definition of processing under [[Article 4 GDPR]] is broad. This means that the controller processed personal data when requesting data from the data subject, even if the controller does not receive it. According to the court, the lower court took a literal interpretation of [[Article 4 GDPR]], and concluded that processing of personal data begins when it is collected. The court argued that this literal interpretation does not align with the intention of the legislator or with CJEU case law. See C-175\u002F20, margins 34, 35, 37 and C-659\u002F22, margins 27, 28, 32. Furthermore, the court argued that it is only possible to ensure an effective protection of the fundamental right to privacy and data protection (both under Article 8 CFREU and Article 18 of the Spanish Constitution) if a controller has the obligation to comply with the GDPR at the moment of requesting data from a data subject. This includes assessing whether the personal data requested are limited to what is necessary for the purpose(s) for which they are collected. The court then stated that the controller must ensure compliance with the principles under the GDPR (Article 5 GDPR) when requesting the data, including the principle of data minimisation. The court noted that national law (Law 41\u002F2002) establishes additional protections related to obtaining clinical information and documentation. The court stated that preventing fraud and employee absenteeism are legitimate aims. However, the controller had enough information to achieve these aims with the medical note from the data subject. For short term sick leave, the court considered it unnecessary for the controller to request additional information, especially information that has additional protections under national law. 
Therefore, the controller processed this data without a legal basis (Article 6(1) GDPR) and in violation of the principle of data minimisation (Article 5(1)(c) GDPR). The court then stated that the controller must ensure compliance with the principles under the GDPR (Article 5 GDPR) when requesting the data, including the principle of data minimisation. The court noted that national law (Ley 41\u002F2002, de 14 de noviembre, básica reguladora de la autonomía del paciente y de derechos y obligaciones en materia de información y documentación clínica, https:\u002F\u002Fwww.boe.es\u002Fbuscar\u002Fact.php?id=BOE-A-2002-22188) establishes additional protections related to obtaining clinical information and documentation. The court stated that preventing fraud and employee absenteeism are legitimate aims. However, the controller had enough information to achieve these aims with the medical note from the data subject. For short term sick leave, the court considered it unnecessary for the controller to request additional information, especially information that has additional protections under national law. Therefore, the controller processed this data without a legal basis (Article 6(1) GDPR) and in violation of the principle of data minimisation (Article 5(1)(c) GDPR). The court overturned the decision of the lower court, and upheld the decision of the DPA. The court overturned the decision of the lower court, and upheld the decision of the DPA.","Spain's Supreme Court affirmed a Data Protection Authority reprimand against the Secretaría General de Instituciones Penitenciarias for violating GDPR Article 5(1)(c) by demanding employees provide medical diagnoses alongside medical notes to justify short-term sick leave. The court clarified that data processing under GDPR occurs at the moment of requesting data, not solely upon collection, establishing that controllers must comply with data minimisation principles even when data is merely requested but not received. 
The ruling rejected the penitentiary authority's argument that demanding additional clinical information was necessary to prevent fraud and absenteeism, finding a medical note sufficient.","Spanish Supreme Court upholds GDPR data minimisation ruling against penitentiary authority over excessive medical data","Help TS - 1590\u002F2026: Difference between revisions From GDPRhub Jump to:navigation, search VisualWikitext Revision as of 08:51, 5 May 2026 view sourceAp (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators591 edits Tag: submission [1.0] Latest revision as of 09:09, 5 May 2026 view source Ap (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators591 editsmTag: Visual edit Line 74: Line 74: }}}} The court upheld the DPA’s reprimand against an organisation under of the Spanish Ministry of Inner AffairsThe court upheld the DPA’s reprimand against an organ under of the Spanish Ministry of Inner Affairs regarding excessive processing of personal data. A penitentiary center demanded a data subject to provide a medical diagnosis or treatment in addition to a medical note to justify their three day sick leave. == English Summary ==== English Summary == === Facts ====== Facts === Secretaría General de Instituciones Penitenciarias (the controller) is an organisation under the Spanish Ministry of Inner Affairs. The controller is responsible for coordinating and monitoring penitentiary institutions in Spain. In 2019, an employee of a penitentiary center (the data subject) brought a complaint to the DPA. The data subject provided a medical note to justify three days of sick leave, however the controller also demanded them to provide the diagnosis or medical treatment in order to justify the sick leave. The controller later reduced the data subject’s pay in relation to the three days for refusing to provide this information, as it considered that the sick leave was not justified. 
In 2021, the DPA issued a reprimand for the controller, stating that it had violated the principle of data minimisation (Article 5(1)(c) GDPR). The DPA noted that the controller did not have a legal basis to demand this information under Articles 6(1) and 9 GDPR. The DPA also dismissed the internal appeal filed by the controller, on the grounds that it had not provided any new facts or legal arguments.Secretaría General de Instituciones Penitenciarias (the controller) is an organis under the Spanish Ministry of Inner Affairs. The controller is responsible for coordinating and monitoring penitentiary institutions in Spain. In 2019, an employee of a penitentiary center (the data subject) brought a complaint to the DPA. The data subject provided a medical note to justify three days of sick leave, however the controller also demanded them to provide the diagnosis or medical treatment in order to justify the sick leave. The controller later reduced the data subject’s pay in relation to the three days for refusing to provide this information, as it considered that the sick leave was not justified. In 2021, the DPA issued a reprimand for the controller, stating that it had violated the principle of data minimisation (Article 5(1)(c) GDPR). The DPA noted that the controller did not have a legal basis to demand this information under Articles 6(1) and 9 GDPR.\u003Cref>See decision number PS\u002F00088\u002F2020, https:\u002F\u002Fwww.aepd.es\u002Fdocumento\u002Fps-00088-2020.pdf\u003C\u002Fref> The DPA also dismissed the internal appeal filed by the controller, on the grounds that it had not provided any new facts or legal arguments.\u003Cref>See appeal number RR\u002F00103\u002F2021 (same decision number), https:\u002F\u002Fwww.aepd.es\u002Fdocumento\u002Freposicion-ps-00088-2020.pdf\u003C\u002Fref> The controller appealed the DPA’s decision to the High Court in 2021. 
According to the controller, the data subject did not inform anyone before taking the sick leave, and did not respond to calls attempting to contact them. The controller argued that demanding additional documentation was justified under suspicions of false illness, as unplanned absences from employees can pose a security risk in the context of managing penitentiary centres. The court stated that the controller did not process personal data, because it had simply requested it from the data subject and not collected it. Therefore, the court upheld the appeal and overturned the decision of the DPA.The controller appealed the DPA’s decision to the High Court in 2021. According to the controller, the data subject did not inform anyone before taking the sick leave, and did not respond to calls attempting to contact them. The controller argued that demanding additional documentation was justified under suspicions of false illness, as unplanned absences from employees can pose a security risk in the context of managing penitentiary centres. The court stated that the controller did not process personal data, because it had simply requested it from the data subject and not collected it. Therefore, the court upheld the appeal and overturned the decision of the DPA. The DPA appealed the decision to the Supreme Court in 2025. The DPA requested the court to overturn the decision of the lower court, and establish in case law that the definition of “processing” under the GDPR is broad and includes situations in which a party requests data in accordance with CJEU case law [see C-175\u002F20, C-34\u002F21, C-659\u002F22, C-548\u002F21].The DPA appealed the decision to the Supreme Court in 2025. 
The DPA requested the court to overturn the decision of the lower court, and establish in case law that the definition of “processing” under the GDPR is broad and includes situations in which a party requests data in accordance with CJEU case law.\u003Cref>See cases C-175\u002F20 Valsts ieņēmumu dienests (Processing of personal data for tax purposes), [[CJEU - C-175\u002F20 - Valsts ieņēmumu dienests (Processing of personal data for tax purposes)|link to GDPRhub summary]], [https:\u002F\u002Finfocuria.curia.europa.eu\u002Ftabs\u002Faffair?lang=en&sort=AFF_NUM-DESC&searchTerm=%22C-175%2F20%22&publishedId=C-175%2F20 link to Curia]. C-34\u002F21 Hauptpersonalrat der Lehrerinnen und Lehrer, [[CJEU - C-34\u002F21 - Hauptpersonalrat der Lehrerinnen und Lehrer|link to GDPRhub summary]], [https:\u002F\u002Feur-lex.europa.eu\u002Flegal-content\u002FEN\u002FTXT\u002F?uri=CELEX:62021CA0034 link to judgment]. C-659\u002F22 Ministerstvo zdravotnictví (COVID19 mobile application), [[CJEU - C-659\u002F22 - Ministerstvo zdravotnictví (COVID19 mobile application)|link to GDPRhub summary]], [https:\u002F\u002Feur-lex.europa.eu\u002Flegal-content\u002FEN\u002FTXT\u002F?uri=CELEX:62022CA0659 link to judgment]. C-548\u002F21 Bezirkshauptmannschaft Landeck (Attempt to access personal data stored on a mobile telephone), [https:\u002F\u002Feur-lex.europa.eu\u002Flegal-content\u002FEN\u002FTXT\u002F?uri=CELEX:62021CA0548 link to judgment]. \u003C\u002Fref> === Holding ====== Holding === The court first clarified that the controller did process personal data, because the definition of processing under [[Article 4 GDPR|Article 4 GDPR]] is broad. This means that the controller processed personal data when requesting data from the data subject, even if the controller does not receive it. According to the court, the lower court took a literal interpretation of [[Article 4 GDPR|Article 4 GDPR]], and concluded that processing of personal data begins when it is collected. 
The court argued that this literal interpretation does not align with the intention of the legislator or with CJEU case law [See C-175\u002F20, margins 34, 35, 37 and C-659\u002F22, margins 27, 28, 32]. Furthermore, the court argued that it is only possible to ensure an effective protection of the fundamental right to privacy [art. 8 CFREU and Art. 18 Constitution] and data protection if a controller has the obligation to comply with the GDPR at the moment of requesting data from a data subject. This includes assessing whether the personal data requested are limited to what is necessary for the purpose(s) for which they are collected. The court first clarified that the controller did process personal data, because the definition of processing under [[Article 4 GDPR]] is broad. This means that the controller processed personal data when requesting data from the data subject, even if the controller does not receive it. According to the court, the lower court took a literal interpretation of [[Article 4 GDPR]], and conclude","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=TS_-_1590\u002F2026&diff=51560&oldid=51559","https:\u002F\u002Fgdprhub.eu\u002Fimages\u002F4\u002F4c\u002FCourts_logo1.png","2026-05-05T09:09:25+00:00","2026-05-05T10:00:07.148068+00:00",7,[18],{"name":19,"type":20},"Secretaría General de Instituciones Penitenciarias","vendor","3f0f8451-91df-4b6c-9a73-ef3b2509b7f1",{"id":21,"icon":23,"name":24,"slug":25},null,"GDPR","gdpr",[27,32,37],{"category":28},{"id":29,"icon":23,"name":30,"slug":31},"53f9c4b6-8bc6-4964-9169-d09e5cd41d72","Compliance","compliance",{"category":33},{"id":34,"icon":23,"name":35,"slug":36},"614132b8-5837-4952-b8b5-c6c9a32a1d85","Privacy","privacy",{"category":38},{"id":39,"icon":23,"name":40,"slug":41},"c5c77cdb-f7d7-4990-9436-c81dcbff1163","Policy","policy",[]]