AZOP (Croatia) - Decision 13-09-2024

From GDPRhub
Authority: AZOP (Croatia)
Jurisdiction: Croatia
Relevant Law: Article 5(2) GDPR
Article 6(1) GDPR
Article 13 GDPR
Article 28(3) GDPR
Article 32(1)(b) GDPR
Article 33(1) GDPR
Article 38(1) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 13.09.2024
Fine: 190,000 EUR
Parties: n/a
National Case Number/Name: Decision 13-09-2024
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Croatian
Original Source: AZOP (in HR)
Initial Contributor: fb

The DPA fined a hospital €190,000 after a data breach led to the deletion of the x-ray images stored on its server. The controller did not notify the DPA of the breach and had no backup of these images.

English Summary

Facts

In July 2019, the controller, a hospital, experienced a data breach in its radiological information system. This led to the deletion of the images of x-ray examinations performed by the controller.

However, the controller did not notify the DPA about this data breach.

Moreover, the controller was recording the telephone conversations via the call centre without informing data subjects.

In September 2022, several data subjects filed access requests, requesting copies of their medical images. Since the controller was not able to provide them with these copies, they filed a complaint with the DPA.

The controller argued that it had not known about the data breach until 2022 and that it had not implemented any measures to ensure the safety of health data because this would have required greater resources and investments in the information system of the hospital.

Holding

First, the DPA noted that it had not been notified about the data breach within the time limits set by Article 33(1) GDPR. It pointed out that the controller cannot be believed when it claims that it learned about the data breach in 2022. On the contrary, the DPA found evidence that the chief radiology engineer noticed the data breach and informed the management of the controller in July 2019. Therefore, the DPA found a violation of Article 33(1) GDPR.

Secondly, the DPA pointed out that the controller had not implemented appropriate technical measures to protect the affected data; in particular, it had not created a backup. This failure led to an irreversible loss of personal data. Therefore, the DPA found a violation of Article 32(1)(b) GDPR.

Thirdly, the DPA found that an external company was in charge of the implementation and maintenance of the IT system. However, the controller and this processor did not enter into a Data Processing Agreement and, therefore, violated Article 28(3) GDPR.

As for the recording of the phone calls, the DPA held that the controller was unable to demonstrate it was relying on a valid legal basis to record these calls, in violation of Articles 6(1) and 5(2) GDPR.

Furthermore, the DPA found a violation of Article 12(1) in combination with Article 13 GDPR, since the controller did not inform data subjects about this recording.

Additionally, the DPA pointed out that the controller did not define the period of retention of these calls and, therefore, violated Article 5(1)(e) GDPR.

Finally, the DPA noted that the controller did not involve the DPO in this matter, in violation of Article 38(1) GDPR.

On these grounds, the DPA issued a fine of €190,000.

Comment

This summary is based on a press release of the DPA.

English Machine Translation of the Decision

The decision below is a machine translation of the Croatian original. Please refer to the Croatian original for more details.

Due to a number of violations of the General Data Protection Regulation, a fine of EUR 190,000 was imposed on the Special Hospital as the controller. The Agency received several requests to establish a violation of the right to personal data protection due to the failure of the Special Hospital, located in the Rijeka area, to deliver copies of personal data, a failure that resulted from the loss of special-category personal data (health data) in July 2019. As part of the administrative procedure, the Agency determined that the Special Hospital:

    did not implement appropriate technical measures to protect the image files in the radiological information system, i.e. it did not create a backup of the personal data (medical images of radiological examinations), which is contrary to Article 32(1)(b) of the General Data Protection Regulation. The failure to take appropriate technical measures led to an irreversible loss of patients' personal data (medical images of radiological examinations).
    did not inform the Agency about the security incident involving the loss of personal data (medical images of patients' radiological examinations) in July 2019 within 72 hours of becoming aware of the incident, which is contrary to Article 33(1) of the General Data Protection Regulation.
    did not conclude a contract on the processing of personal data with the company acting as its processor, which is contrary to Article 28(3) of the General Data Protection Regulation. It was found that the Special Hospital, as controller, and the company in charge of the implementation and maintenance of the new system, as processor, did not conclude a contract relating to the processing of personal data.
    did not appropriately prescribe retention periods for the personal data contained in the recordings of telephone conversations, which is contrary to Article 5(1)(e) of the General Data Protection Regulation.
    processed data subjects' personal data by recording telephone conversations via the call centre without a legal basis under Article 6(1) of the General Data Protection Regulation, i.e. it did not demonstrate one as required by Article 5(2) GDPR. Namely, the Special Hospital could not say which legal basis it relied on for recording telephone conversations and at no point in the procedure proved the existence of a legal basis for such processing, although the Agency repeatedly requested this.
    when establishing the call centre, did not inform data subjects about the processing of their personal data in clear and plain language, which is contrary to Article 12(1) of the General Data Protection Regulation. The hospital also did not provide data subjects with all the information required on the collection of their personal data through the recording of telephone conversations, in the manner prescribed by Article 13(1)(c) and Article 13(2)(a) and (b) of the General Data Protection Regulation. A review of the privacy policy found that no part of it indicated that phone conversations made with the call centre are recorded.
    did not involve the data protection officer in matters related to the drafting of the privacy policy, the recording of telephone conversations, and the prescribing of retention periods for the recordings of telephone conversations, which is contrary to Article 38(1) of the General Data Protection Regulation.

In July 2019, the Special Hospital irrevocably lost an indeterminate amount of personal data of its data subjects, namely medical images of radiological examinations together with basic identification data. In its observations to AZOP, the hospital stated that it had learned about this loss of data only in September 2022, after data subjects contacted the Special Hospital and requested access to their personal data (medical images of radiological examinations) in the form of copies; the procedure established the opposite. In particular, the Agency determined that the chief radiology engineer became aware on 23 July 2019 of the incident affecting the radiological system server on which patient imaging files were stored, and that the processor informed the management of the Special Hospital of it. Nevertheless, the Special Hospital did not report the security incident to the Personal Data Protection Agency.

During the procedure, it was found that the Special Hospital did not back up (keep a security copy of) the image archive of the radiological information system because, in the hospital's words, the large amount of data would have required greater resources and investment in the hospital's information system. The Special Hospital cannot rely on the cost of establishing backups as a justification, since it is required to ensure the security of health data, and the existence of backups cannot be considered a disproportionate cost in relation to the risk of losing such data. Precisely because it failed to take this technical protective measure, the Special Hospital bears a high degree of responsibility, since the creation of backups is one of the best preventive tools for ensuring the continuous availability and integrity of personal data.

The Personal Data Protection Agency has not received information that the Special Hospital has taken any action to correct the observed irregularities.