Spain - 20,000 euros fine for breaching a statutory health data retention period

The Spanish DPA (Resolution R/03212/2012 dated March 1, 2013) imposed a €20,000 fine on a company for breaching a health data retention period. That company decided to destroy its employee-health data records stored electronically and manually in its premises, after having terminated a workplace health services provider and engaged a new provider. The fined company adopted such a decision under the impression that this would comply with the data quality principle. The data quality principle generally requires the personal data to be cancelled when the personal data are no longer necessary for the purposes they were collected, but it also requires keeping the personal data for the periods set out in the relevant provisions, e.g., 5 years as of termination of the employment relationship between the employee and the company is the general retention period for employee-health data records. As the volume of retained business records expands, the adoption of document/data retention policies becomes a useful tool to mitigate risks.