Spain - Private hospital fined 40,001 Euros for unlawfully subcontracting a diagnostic test

This case stems from an alleged patient data breach that came to light through an ex officio inspection request from the Director of the Spanish DPA and a complaint lodged by a consumer protection association. The Spanish DPA (Resolution 03053/2015 dated 22 December 2015) opened the relevant inspections and sanctioning proceeding, which ended with a 40,001-Euro fine being imposed on a private hospital for disclosing patient data to a third-party entity without consent or any other legal basis, conduct that is classified as a very serious infringement.

The private hospital (as processor) had been contracted to conduct various patient diagnostic tests on behalf of a public hospital (as controller) under a service agreement which, as far as the resolution shows, did not authorize subcontracting. The inspection revealed that the private hospital had subcontracted a third-party medical center (as sub-processor) to carry out one of the patient diagnostic tests. The private hospital acknowledged responsibility for that subcontracting, and the Spanish DPA took this into account in applying the fine bracket for a serious infringement (40,001 up to 300,000 Euros) instead of the one for a very serious infringement (300,001 up to 600,000 Euros), and therefore imposed a fine of 40,001 Euros on the private hospital.

For more information, please contact Jordi Masdevall.