According to a decision of the Spanish Supreme Court (Tribunal Supremo) of July 2022, filing a request with the data controller to exercise data subject rights is not a prerequisite for lodging a complaint with the relevant Supervisory Authority for an alleged breach of the GDPR.
The decision was issued following a data subject's complaint about a report, provided by a public health institution, that included health-related data.
A data subject involved in an accident complained to the Basque Supervisory Authority (SA) because an unnecessary category of personal health data was included by the Basque public health service institution – Osakidetza-Servicio Vasco de Salud (OSVS) – in the report about her injury. This, according to the complainant, breached the data minimisation principle set out in Art. 5.1 (c) GDPR. Following the relevant investigations into the complaint, the Basque SA issued a warning against the public health institution, which was the controller of the data.
OSVS challenged the decision of the SA before the relevant local Administrative Court, and after a series of appeals between OSVS and the SA before the relevant Courts, some of which were upheld, the case ended up before the Spanish Supreme Court for examination. In the appeal the controller argued that before filing a complaint with the SA, the data subject should have exercised the right to restriction of processing provided for in Art. 18 GDPR. Furthermore, according to the controller, the category of personal data questioned by the data subject was intended for her exclusive use and had already been lawfully collected by the public authority in previous circumstances. Eventually the appeal of the controller was dismissed by the Court.
The basis for the decision of the Spanish Supreme Court
Art. 18 GDPR (in particular lit. d, as mentioned in the argument of the controller) is linked to Art. 21 GDPR (the right to object to processing granted to data subjects) and provides that processing can be restricted for a limited period of time in order to allow the controller to reply to an objection request, but no objection was raised by the data subject in this case.
Art. 5.1 (c) GDPR – the data minimisation principle – cannot be restricted to one phase (collection or storage) of the processing of personal data, but shall be applicable to each specific purpose of processing, as stated by the article itself: personal data must be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”. Therefore, the personal data category identified as not necessary for the specific purpose should not have been processed, even if previously collected in other instances for legitimate purposes.
The controller's interpretation, according to which the data subject must first make a data subject request before lodging a complaint with an SA, seemed to be inaccurate according to the Court, since neither the GDPR nor the Spanish Data Protection Act (LOPDGDD) contains such a provision.
Finally, in relation to the last point argued by the controller (that the report was intended solely for the data subject), the Court noted that although an infringement of confidentiality was not identified by the Basque SA, this would not have an impact on the infringement of the minimisation principle.
The decision of the Supreme Court reveals, among other things, that data subjects may lodge a complaint directly with the relevant Supervisory Authority and need not feel compelled to go to the data controller first with a data subject request before presenting their case to the SA against an alleged breach of the GDPR.