HDPA (Greece) - 3/2024: Difference between revisions

From GDPRhub


The Hellenic DPA investigated a complaint against a diagnostic centre for breach of confidentiality of the complainant's personal data, based on her allegation that health data had been disclosed to her father by telephone. The Authority rejected the complaint as unfounded.


== English Summary ==


=== Facts ===
On 15 December 2022, a data subject filed a complaint with the Hellenic DPA (HDPA) against a diagnostic centre (the controller). The data subject alleged that after she had undergone tests at the controller's facility, an employee communicated the results of her tests to her father by telephone without her consent. Specifically, she alleged that an employee of the controller contacted her father by telephone, informed him of the additional tests that the complainant had to undergo and requested that the data subject call immediately to confirm the additional cost. In the data subject's protest, she claimed that the controller apologized and admitted to the incident by saying "what's done is done, now it's not undone."


On 28 March 2023, the controller confirmed that the data subject had undergone examinations at its facility, where the secretariat informed her about the data protection policy and completed form E3, entitled "DECLARATION OF CONSENT FOR SENDING RESULTS", for sending the results by encrypted electronic mail. The controller alleged that the data subject herself provided her telephone number to the secretariat, that this number was registered in the system, and that the secretariat called that number in order to inform her of additional required tests. The call was answered by the data subject's father, who responded that the data subject was absent and who was asked to inform her that she needed to contact the diagnostic centre about a personal matter; according to the controller, no health information was disclosed. With regard to the alleged apology, the controller claimed that there was neither an admission of the incident nor an apology, but rather that the situation was handled with courtesy and the data subject was informed of the content of the disputed telephone call.


On 28 April 2023, the data subject responded to the respondent's allegations and noted that she had never given that specific telephone number to the controller and that her own number is different. In response, the controller clarified that the complainant's father was not a client and that it was therefore impossible for him to have been called in error, insisting that the specific telephone number had been stated verbally by the complainant and entered into the controller's system.


=== Holding ===
On 25 January 2024, the HDPA held a hearing before the President of the Authority as a single representative body, during which the parties presented their allegations and were given a deadline to respond. The data subject reiterated her allegations, stressing in particular that she had never given her father's mobile phone number herself and that the secretariat of the diagnostic centre had disclosed sensitive health data during the call to her father, who, according to her, was a client of the diagnostic centre and that the call to him had been made by mistake by the secretariat.
 
The respondent argued that contact details were recorded on the basis of the patients' verbal declarations to the registry and that the complainant's health data had never been disclosed to her father, as the registrars did not have access to the test results in any case. Furthermore, it expressed the view that the complaint had been lodged as a means of enrichment in connection with the out-of-court settlement the complainant was seeking. With regard to the security measures taken by the diagnostic centre, the respondent stated that it had already decided to change the centre's procedures so that patients themselves record their contact details on a tablet during their visit.
 
The Authority, having examined all the information in the file and the allegations made by the complainant and the respondent, considered that the content of the telephone call could not be established with certainty and that no leakage of personal data could be established, given that, as the evidence showed, the diagnostic centre's secretariat did not have access to the patients' test results and their health data. It also took into account the updating of the diagnostic centre's procedures, under which patients now sign their communication-details forms via a tablet.


Therefore, it was not established that the respondent had violated the principle of confidentiality of the complainant's data, and it was clear that the diagnostic centre had acted in accordance with Articles 32 and 24(2) GDPR. The Authority therefore rejected the complaint as unfounded.


== Comment ==

Latest revision as of 09:06, 28 May 2024

HDPA - 3/2024
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 5 GDPR
Article 24 GDPR
Article 24(2) GDPR
Article 32 GDPR
Type: Complaint
Outcome: Rejected
Started: 15.12.2022
Decided: 15.04.2024
Published: 15.04.2024
Fine: n/a
Parties: Omilos Iatriki Diagnosi
Complainant
National Case Number/Name: 3/2024
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Greek
Original Source: Hellenic DPA (in EL)
Initial Contributor: Evangelia Tsimpida

The DPA dismissed a complaint against a diagnostic centre, finding that the data subject's claims that the controller disclosed medical testing results to a family member without her consent were unsupported by the evidence presented.

English Summary

Facts

On 15 December 2022, a data subject filed a complaint with the Hellenic DPA (HDPA) against a diagnostic centre (the controller). The data subject alleged that after she had undergone tests at the controller's facility, an employee communicated the results of her tests to her father by telephone without her consent. Specifically, she alleged that the employee contacted her father by telephone, informed him of the additional tests that the complainant had to undergo and requested that the data subject call immediately to confirm the additional cost. In the data subject's protest, she claimed that the controller apologized and admitted to the incident by saying "what's done is done, now it's not undone."

The controller confirmed that the data subject had undergone examinations at its facility. It claimed that an employee informed her about the data protection policy and that the data subject had completed a form entitled "Declaration of Consent For Sending Results" to send the results by electronic mail using encryption. The controller alleged that the data subject herself provided her telephone number to the employee, and that the employee called that telephone number in order to inform her of additional required tests. The call was answered by the data subject's father, who responded that the data subject was absent and who was asked to inform her that she needed to contact the diagnostic center for her personal matter. The controller argued that no health information was disclosed. With regard to the alleged apology, the controller claimed that there was no admission of the incident and apology, but rather that the situation was handled with courtesy and the data subject was informed of the content of the disputed telephone call.

The data subject responded to the controller's allegations and noted that she never stated the specific telephone number to the controller and that her number is different. In response, the controller clarified that the complainant's father was not a client and therefore it is impossible that he could have been called in error, insisting on the allegation that the specific telephone number was verbally stated by the complainant and entered into the controller's system.

On 25 January 2024, the HDPA held a hearing before the President of the Authority, during which the parties presented their allegations and were given a deadline to respond. The data subject stressed that she had never given her father's mobile phone number and that the employee of the controller's facility had disclosed sensitive health data during the call to her father, who she claimed was also a client whom the employee had called by mistake. The controller argued that contact details were recorded on the basis of patients' verbal declarations and that the complainant's health data had never been disclosed to her father, as registrars did not have access to test results in any case. The controller also stated that security measures were in place to ensure the confidentiality of the data, noting that employees were trained in patient confidentiality and that, in any case, registrars do not have access to patients' test results. It also described future measures under which data subjects would enter their own contact details directly into a tablet after their identities are verified.

Holding

The HDPA found that the content of the telephone call could not be established with certainty based on the evidence and that a data breach could not be established, given that the employee who called the data subject's father did not have access to the patients' test results and their health data. It also took into consideration the controller's updating of the facility's procedures by having the patients' communication forms signed via a tablet.

Therefore, the HDPA found no violation of the principle of confidentiality pursuant to Article 5(1)(f) and considered the controller to have acted in accordance with Articles 32 and 24(2) GDPR. The HDPA therefore rejected the complaint as unfounded.

Comment


Further Resources


English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

Summary
The Authority examined a complaint against a company for breaching the confidentiality of the complainant's data, by communicating the complainant's test results to her father by telephone. In particular, the complainant stated that she herself did not give her father's mobile phone number to the complained company. From the examination of the case, the reported violation was not established. Regarding the process of collecting the contact details of the customers of the diagnostic center based on their verbal statement on the day of the visit, the Authority was informed that, in the context of updating the procedures of the complained company, from now on the collection will be done with their signed registration by the data subjects using a tablet. The complaint is therefore dismissed as unfounded.