Can Your Boss Legally Demand Your Medical Diagnosis?

When an employee notifies their workplace of an absence due to illness, the expectation is typically that a simple medical certificate will suffice to justify the time away from professional duties without further intrusion. However, a significant legal battle in Spain has recently highlighted the fine line between an employer’s right to manage its workforce and an individual’s fundamental right to medical privacy under the General Data Protection Regulation. The Spanish Supreme Court issued a definitive ruling backing the Spanish Data Protection Agency in a landmark case regarding the privacy rights of public employees, confirming that demanding specific medical diagnoses is a violation of established law. This decision effectively overturned a previous ruling by the National High Court, which had initially favored the government administration’s push for greater transparency in employee health records. By siding with the worker, the court has sent a powerful message across the European Union about the limits of administrative oversight in the modern workplace environment. This case serves as a critical benchmark for 2026 and beyond, illustrating that the protection of sensitive personal data remains a non-negotiable priority for judicial systems tasked with interpreting privacy statutes.

The Conflict: Lanzarote Penitentiary Center Case

The legal conflict originated when Carlos Caraduje, an official at the Lanzarote Penitentiary Center, missed work due to a medical indisposition and faced an unprecedented demand for his private clinical history. Center management did not merely request a standard doctor’s note; instead, they insisted on a detailed account of his specific diagnosis and the treatments prescribed by his healthcare provider. Caraduje rightfully refused to comply, asserting that his medical details were private and protected from such invasive inquiries by his superiors. In a controversial move, the administration responded by penalizing him and deducting the missing days from his paycheck as if the absence were unauthorized. This disciplinary action prompted the Spanish Data Protection Agency to intervene, eventually leading to a sanction against the prison authority for mishandling sensitive information and attempting to coerce an employee into revealing protected health data. The situation highlights the potential for administrative overreach when internal policies conflict with broader legal protections.

This specific instance serves as a cautionary tale for human resources departments that prioritize administrative convenience over legal compliance with data protection statutes. The initial ruling by the National High Court suggested that the administration had a legitimate interest in knowing the details of an employee’s condition to ensure the integrity of the public service. However, this perspective failed to account for the inherent power imbalance between an employer and an employee, especially in a high-stakes environment like a correctional facility. The subsequent intervention by the Spanish Data Protection Agency highlighted that even government entities are bound by the strictures of the GDPR, which classifies health data as a special category of sensitive information requiring enhanced protection. This case illustrates that the mere act of requesting such data, coupled with financial penalties for non-disclosure, constitutes an overreach that undermines the trust necessary for a functional working relationship while inviting significant legal liability for the organization involved.

Legal Precedent: Defining Data Processing and Minimization

A central theme of the Supreme Court’s ruling is the clarification of what constitutes “data processing” within the context of employer-employee interactions. The court established that the act of processing begins the moment an employer requests sensitive personal data, regardless of whether that information is eventually stored, analyzed, or shared with third parties. By demanding more clinical detail than is strictly necessary to justify an absence, the administration violated the GDPR’s core principle of data minimization, which mandates that only the minimum amount of data required for a specific purpose should be collected. The magistrates argued that workplace absenteeism can be adequately monitored through standard medical certificates that confirm a leave of absence without revealing the underlying medical condition or specific treatments. This interpretation ensures that the purpose of the inquiry—verifying an absence—is met without infringing upon the employee’s personal dignity or their right to keep their medical history confidential from their bosses.

The ruling, signed by a panel of seven magistrates, aligned Spanish judicial practice with the established doctrine of the Court of Justice of the European Union. It underscored a clear consensus that administrative management does not grant employers an unrestricted right to access an employee’s private health records under any circumstances. Moving forward, organizations must audit their internal protocols to ensure that sick leave documentation requests do not exceed the boundaries of basic verification of inability to work. Human resources departments should implement training programs that emphasize the “need to know” principle, ensuring that managers do not inadvertently solicit sensitive health information during informal check-ins or formal reviews. Furthermore, employees should be educated on their rights to refuse diagnostic disclosure, knowing that legal precedents now firmly protect them from retaliatory measures such as pay deductions or disciplinary actions. This landmark decision served as a vital victory for data protection and reinforced the necessity of maintaining clear boundaries between professional obligations and personal health.
