HDPA (Greece) - 3/2024: Difference between revisions

From GDPRhub

Revision as of 14:18, 27 May 2024

HDPA - 3/2024
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 5 GDPR; Article 24 GDPR; Article 24(2) GDPR; Article 32 GDPR
Type: Complaint
Outcome: Rejected
Started: 15.12.2022
Decided: 15.04.2024
Published: 15.04.2024
Fine: n/a
Parties: Omilos Iatriki Diagnosi; Complainant
National Case Number/Name: 3/2024
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Greek
Original Source: Hellenic DPA (in EL)
Initial Contributor: Evangelia Tsimpida

The DPA dismissed a complaint against a diagnostic centre, finding that the data subject's claims that the controller had called the incorrect phone number and disclosed medical testing results to a family member were unsupported by the evidence presented.

English Summary

Facts

On 15 December 2022, a data subject filed a complaint with the Hellenic DPA (HDPA) against a diagnostic centre (the controller). The data subject alleged that, after she had undergone tests at the controller's facility, an employee communicated the results of her tests to her father by telephone without her consent. Specifically, she alleged that an employee of the controller contacted her father by telephone, informed him of the additional tests that the data subject had to undergo and requested that she call immediately to confirm the additional cost. In her complaint, the data subject also claimed that the controller had apologised and admitted to the incident, saying "what's done is done, now it's not undone."

On 28 March 2023, the controller confirmed that the data subject had undergone examinations at its facility. It alleged that an employee had informed her about its data protection policy and that the data subject had completed a form entitled "Declaration of Consent For Sending Results" for sending the results by encrypted electronic mail. The controller alleged that the data subject herself had provided her telephone number to the employee, and that the employee had called that number in order to inform her of additional required tests. The call was answered by the data subject's father, who responded that the data subject was absent and who was asked to tell her that she needed to contact the diagnostic centre about her personal matter. The controller argued that no health information was disclosed. With regard to the alleged apology, the controller claimed that there had been neither an admission of the incident nor an apology, but rather that the situation had been handled with courtesy and the data subject had been informed of the content of the disputed telephone call.

The data subject responded to the controller's allegations and noted that she had never given that specific telephone number to the controller and that her number is different. In response, the controller clarified that the data subject's father was not a client and that it was therefore impossible for him to have been called in error, insisting that the data subject had stated the specific telephone number verbally and that it had been entered into the controller's system.

On 25 January 2024, the HDPA held a hearing before the President of the Authority, during which the parties presented their allegations and were given a deadline to respond. The data subject reiterated her allegations, stressing in particular that she had never given her father's mobile phone number and that the employee at the controller's facility had disclosed sensitive health data during the call to her father, who, according to her, was also a client whom the employee had called by mistake. The controller argued that contact details were recorded on the basis of patients' verbal declarations and that the data subject's health data had never been disclosed to her father, as registrars did not in any case have access to test results. The controller also stated that security measures had been taken to ensure the confidentiality of the data, noting that employees were trained in patient confidentiality. It also described future measures under which patient details would be collected by having data subjects enter their own information directly into a tablet after their identities are verified.

Holding

The HDPA found that the content of the telephone call could not be established with certainty based on the evidence and that a data breach could not be established, given that the employee who called the data subject's father did not have access to the patients' test results and their health data. It also took into consideration the controller's updating of the facility's procedures by having the patients' communication forms signed via a tablet.

Therefore, the HDPA found no violation of the principle of confidentiality under Article 5(1)(f) GDPR and considered the controller to have acted in accordance with Articles 24(2) and 32 GDPR. The HDPA accordingly rejected the complaint as unfounded.


English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

Summary
The Authority examined a complaint against a company for breaching the confidentiality of the complainant's data by communicating the complainant's test results to her father by telephone. In particular, the complainant stated that she herself had not given her father's mobile phone number to the respondent company. On examination of the case, the reported violation was not established. Regarding the process of collecting the contact details of the diagnostic centre's customers on the basis of their verbal statement on the day of the visit, the Authority was informed that, as part of an update of the respondent company's procedures, the collection will from now on be done by the data subjects themselves signing their registration on a tablet. The complaint is therefore dismissed as unfounded.