
IDCQ HOSPITALES Y SANIDAD, S.L.U.: Non-compliance with general data processing principles

€1,200,000 fine - Spanish Data Protection Authority (AEPD)

Country: Spain

Content

The Spanish DPA has imposed a fine of EUR 1,200,000 on IDCQ HOSPITALES Y SANIDAD, S.L.U. The controller offered MRI scans as part of its services, and patients could bring copies or originals of previous scans. However, the controller had established very strict return policies, resulting in data being deleted after a very short amount of time, and data subjects being unable to easily retrieve their data if they had brought it on physical data carriers. Furthermore, the controller only stored data that was necessary for comparison purposes, deleting the rest immediately upon receipt.

GDPR Articles: Art. 6 GDPR, Art. 9 GDPR, Art. 25 GDPR
Industry: Health Care