

Frequently asked questions about personal data protection
Here you can consult the most frequently asked questions about personal data protection grouped by topic
Exercise of rights
In order to exercise my rights, do I need to provide my ID?
No. In accordance with the form that the Community of Madrid puts at your disposal, only in the event that you object to your query, is when you will have to provide it. However, if the data controller has any doubts regarding your identification, they may request additional information from you.
Can I make a general request to the Community of Madrid requesting the exercise of any right over my personal data?
You cannot make a "general" request to the Community of Madrid, since the requests to exercise rights in personal data protection must be addressed to the person in charge of the treatment to whom you gave your data, who is the one who has them and is treating them. In the Community of Madrid, the Data Controllers are the owners of the General Technical Secretariats and of the different management centers in which it is structured. In the form in which you gave your personal data you have the information on protection of personal data and in this it is informed who is that Responsible. You can also find it in the Record of Processing Activities (RAT) of the ministries of the Community of Madrid.
Can a page that has been published in the Official Gazette of the Community of Madrid (BOCM) in which my name and surname appear be removed from the internet?
No, the personal data published in an Official Gazette cannot be deleted or "deleted", but you can exercise your "right to forget". It means that you can request the data controller to remove links to publications, documents or web pages that contain your personal data from the lists of results obtained after a search based on your name and surnames. Thus, the link to that site will only cease to be visible when the search is made by your first and last name, but the page remains unchanged in its original source, in this case in the BOCM, and will continue to be displayed when the search is made for any other word or term other than your name and surname.
You must bear in mind that the right to be forgotten will be granted as long as these personal data are inadequate, inaccurate, excessive or outdated, and considering the purposes for which they were collected or processed at the time, the time elapsed and the nature and interest information public.
To exercise my right to be forgotten before the data controller, how can I know if the website on which my name and surname appear is the responsibility of the Community of Madrid?
It is important that you check if the address of the web page (URL) on which you want to exercise that right corresponds to a domain, current or already extinct, of the Community of Madrid, being the most frequent community.madrid, madrid.org o bocm.es, although there may be others.
In the event that you have doubts as to whether or not it is a website of the Autonomous Administration, you can contact the Data Protection Delegates (consult here the list) or with the Citizen Information and Attention Service 012 of the Community of Madrid, through its different channels.
Health
Am I required to report whether or not I am vaccinated against COVID-19 when entering a public establishment in the Community of Madrid?
No. Bearing in mind that vaccination is not mandatory, that there are people who for different reasons cannot be vaccinated and to avoid discriminatory effects, you cannot be required to provide this information as a preventive medicine criterion, although you can provide it in a way volunteer.
When suspected or confirmed cases occur in the workplace or education, there are protocols established and directed by the health system that will determine which people must quarantine or continue with their usual activity and it will be the competent health authority who will inform both affected people as well as workplaces.
Is it possible to know which people have accessed my clinical history as a patient in the Community of Madrid?
The right of access granted to the interested party by the Law only covers knowing the information subject to treatment on their own personal data, but does not include being able to provide you with the identification data of the professionals who have accessed your medical history, since, among other reasons , could affect the rights of third parties. Therefore, you should not have access, except with the express consent of the doctor or practitioner, to the subjective notes that appear in your own clinical history.
Is it necessary for me to give my consent when I go as a patient to a health center/hospital managed by the Community of Madrid to receive medical assistance?
No, the health center/hospital is entitled to process this data as long as the patient has been informed. However, the express written consent of the patient must be obtained in the following cases:
- Surgical intervention.
- Invasive diagnostic and therapeutic procedures.
- Application of procedures that pose foreseeable risks to the patient's health.
Can you request the deletion or rectification of personal data contained in a medical record?
Yes, but if they are considered health data, it will be the doctor or practitioner who decides whether to rectify or delete said data.
In the Community of Madrid, can anyone access any medical record?
No, you can only access if there is a justification for it, for example, in the case of healthcare, management of health or social services, public interest or management of a claim.
Can parents who hold parental authority access the medical records of their minor children between the ages of 14 and 18? What about separated or divorced parents?
Yes, but this right of access is limited to the people who hold parental authority, not to other family members.
If the parents are separated or divorced, access depends, it must be verified that there is no situation limiting the parental authority of either parent (for example, that the education of the minors is not endangered, that they are not treats with excessive harshness or that there is no family violence or abandonment of the minor).
I had to accompany a relative to an appointment at a health center managed by the Community of Madrid. Can I request a proof of attendance to justify an absence from work? What personal data of the patient should it contain?
Yes, you can request proof, but you must prove a relationship with the patient to justify that you have a legitimate interest in that treatment. Regarding the content of the receipt, the principle of data minimization must be followed, so the data that is strictly necessary and pertinent for the established purpose (justify your absence from work) will appear. Thus, you can include the identification data of the patient you accompanied (name and surname) and the date and time of admission and discharge. However, you should not specify the disease suffered, nor the admission unit nor the type of surgery, since they are not necessary to justify your absence from your work center.
In the Community of Madrid, is there any way to access my medical history with my personal health data without having to go to the health center/hospital?
Yes, using the system Mi Carpette of Savalanche, which allows you to consult your clinical information, health appointments, analytics, etc.
Education
Data Protection and Transparency
Is access to public information based on transparency the same as the right of access in terms of data protection?
No. The right of access in terms of data protection is a very personal right and requires the accreditation of the person requesting it or their representative, while the right to public information can be exercised by any person, without the need to prove the condition interested, in the terms provided in the Law of Transparency of the Community of Madrid and the rest of the legal system.
What happens if the information I request access to under the Transparency Law contains personal data?
In the cases provided for in the Law of Transparency of the Community of Madrid The information may be provided, if the conditions established therein are met and always taking into account the limits of the right of access to public information provided for in the regulations on the protection of personal data.
If the information contains special protection personal data, it will be necessary a anonymization of the personal data in order to provide them to you. And, in certain cases, the express consent of those affected will also be necessary.
This consent will not be necessary in the case of specially protected personal data that the holder has previously made manifestly public (for example, that he has stood for election or that he is a union representative, in the case of data linked to political ideology, trade union or religious). If it is personal data of special protection other than those that express ideology, union affiliation, religion or beliefs, it is necessary to request the express consent of the affected party.
In any case, it will be necessary to take into account the type of personal data contained in the information to which it is intended to access and its impact on the personal sphere of the owner, as well as the possible public interest in the disclosure of the information and the circumstances of each specific case. That is, you have to make a weighing on a case-by-case basis between data protection and transparency to establish whether or not such personal data should be provided. The State transparency law collects some criteria to carry out this weighting.
Can I access the data of the rest of the candidates in a competitive concurrence process of the Administration of the Community of Madrid?
If you are interested in the procedure, you can access to exercise a fundamental right, such as the right of defense, but the "principle of data minimization" will always be applied, that is, they will be adequate, pertinent and limited to what is necessary for the purposes that are processed. They may not be used for a purpose other than the one you prove in your application (for the defense of your right in the procedure in question or later in court).
if you are not interested, it will be necessary to take into account the limits of the right of access to public information provided for in the regulations on data protection. And if the information contains personal data of special protection, a prior anonymization of said data will be necessary, unless the owner of said data had made it manifestly public beforehand (for example, that it has been presented to an election or that it is union representative, in the case of data linked to political, union or religious ideology). If it is personal data of special protection other than those that express ideology, union affiliation, religion or beliefs, it is necessary to request the express consent of the affected party. In the rest of the cases, weighting will have to be carried out before deciding if these personal data can be provided to you.
Protection of data and audio or image recordings
Are the calls recorded in the citizen services of the Community of Madrid, collecting the data of my voice?
It will depend on the characteristics and operation of each service. However, in those services in which the calls are recorded, a warning will be made of said circumstance and you will be informed of the treatment that your personal data will receive (your voice is personal data) by the agent who answers the call or, in his/her case, through a pre-recorded voiceover containing said information.
Can the Community of Madrid install security cameras to record images in its official buildings?
Yes, for reasons of surveillance and security of facilities and people. But it must be borne in mind that video surveillance should only be used if there is no other means that causes less impact on privacy and should only process personal data (your image is personal data) essential for the purpose pursued. In any case, it is totally prohibited in bathrooms, changing rooms and the like. The number of cameras and the recording will be strictly necessary and the monitors must never be exposed to the public and can only be seen by those who have the mission of controlling the equipment that makes the recordings.
When a video surveillance activity is carried out by data controllers who belong to the Community of Madrid, it must be included in the Treatment Activities Registry.
In addition, such activity should always be reported through a sign located in the video-monitored area and in which the identification of the data controller, the possibility of exercise of your rights on data protection and where you can find more information on the processing of personal data.
Keep in mind that the images will be deleted within a maximum period of one month, except if they must be kept to prove the commission of acts that threaten the integrity of people, goods or facilities.
In general, can I request a copy of a recording of my image obtained by surveillance cameras of official buildings of the Community of Madrid?
Yes, You can request a copy from the person responsible for processing your image. But keep in mind that you can only get a recording of your own image; if third parties appear, their images will be blurred to preserve their privacy.
Can the Community of Madrid communicate my image obtained by surveillance cameras of its official buildings to third parties?
The images of security and surveillance cameras can only be communicated without your consent when the recipients are Judges or Courts or they are Security Forces or Bodies, who request the recordings in the event that they are necessary to guarantee public safety or to prosecute potential criminal offenses.
In addition, they can be communicated to others, whether individuals, legal entities or other Administration bodies, but only if necessary and if it is previously contemplated and declared in the corresponding treatment activity, which must appear in the Treatment Activities Registry.
There may also be cases in which individuals can access recorded images to find out the identity of a third party, in order to exercise certain legal or contractual actions. In these cases, the data controller must evaluate each specific case to determine whether or not to grant access to the images.
Security and data protection
What is the National Security Scheme (ENS), which is referred to in the Register of Personal Data Processing Activities of the Community of Madrid?
El National Security Scheme (ENS) It is a set of rules whose purpose is the creation of the necessary conditions of trust in the use of electronic media, through measures to guarantee the security of systems, data, communications and electronic services, which allows citizens and public administrations the exercise of rights and the fulfillment of duties through these means.
The Community of Madrid, like the rest of the Public Administrations, is obliged to comply with the provisions of the ENS, thus guaranteeing citizens that it meets the necessary security conditions to safeguard their personal data. That is why there is a reference to the ENS in the Treatment Activities Registry.
What security measures should I take if I have to send information containing personal data by email, for example, to a doctor or practitioner from a social or health center in the Community of Madrid?
It's recommended that encrypt the file that contains the information with the personal data. Today many commonly used programs offer the option to encrypt files with password. Likewise, it is recommended that you communicate the password to the requesting doctor or physician by a different means, such as by telephone. This minimizes the chances that an outsider intercepting the file could decrypt it.
Other questions of interest
Is the Physical person to whom these personal data belong and refer. You are the owner of your personal data and sole owner of the same, even if they are in the possession of a person in charge or in charge of their treatment.
Yes, you can publish it, but not the complete NIF/NIE. To preserve your personal data, only certain digits are published, the rest of the characters being replaced by asterisks. This is what is called pseudonymization of personal data.