APD/GBA (Belgium) - 127/2022: Difference between revisions

From GDPRhub

Latest revision as of 14:36, 14 September 2022

APD/GBA - 127/2022
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(f) GDPR
Article 12 GDPR
Article 13 GDPR
Article 14 GDPR
Article 24 GDPR
Article 25 GDPR
Article 32 GDPR
Article 35(1) GDPR
Article 35(3) GDPR
Type: Investigation
Outcome: Violation Found
Started: 04.10.2019
Decided: 19.08.2022
Published:
Fine: 20,000 EUR
Parties: n/a
National Case Number/Name: 127/2022
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Dutch
Original Source: APD/GBA (Belgium) (in NL)
Initial Contributor: Koen

The Belgian DPA fined a medical laboratory €20,000 for violating Articles 5(1)(f), 12, 13, 14, 24, 25, 32, 35(1), and 35(3) GDPR because its website lacked both security and a privacy policy, and because it had not carried out a data protection impact assessment.

English Summary

Facts

The data subject had dealt with a medical laboratory (the controller) on several occasions, undergoing medical analyses multiple times. After hearing that his doctor had remote access to the results, the data subject found that the laboratory's website contained a link to a page for accessing medical data, named ‘Cyberlab’, which used the unencrypted HTTP protocol.

The data subject filed a complaint against the controller with the Belgian DPA, which then initiated an investigation. At the time of the DPA's first investigation report, the site was served unencrypted over HTTP. After the DPA had contacted the controller, the controller added TLS 1.2 to the website (TLS being a standard protocol in use on websites since 1999), so that the site then used HTTPS.

The controller challenged most findings of the investigation. It stated that it had believed itself to be the processor rather than the controller. It also stated that its processing operation had been small before the pandemic but had since grown into a large one: before the pandemic it claimed to handle 50 operations a day, but it provided no statistics on how many operations were carried out per day during and after the pandemic. The controller further stated that the GDPR contains no provision requiring this information to be provided on a website at all, and that, given the small volume of processing before the COVID crisis, posting the information at its physical sites was sufficient during that period.

Holding

Firstly, the Belgian DPA held that the laboratory was a controller pursuant to Article 4(7) GDPR because it determined both the purposes and means of processing.

Secondly, the DPA held that the controller had inadequately secured the health data in its possession and had thereby violated the principle of integrity and confidentiality (Articles 5(1)(f) and 32 GDPR). In particular, the controller had not implemented secure, encrypted login and communication protocols, which made it possible for an attacker to perform ‘man in the middle’ attacks. For the same reasons, the DPA also held that the controller had not taken appropriate technical and organisational measures under Articles 24 and 25 GDPR. However, the DPA considered that in this case the violations of Articles 5(1)(f) and 32 GDPR were sufficient to sanction the website's lack of security.
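As an added illustration (not part of the GDPRhub summary or of the decision), the following Python audit checks for the two defects the DPA found: a results-portal link served over plaintext HTTP, and a login form whose credentials would travel unencrypted, plus whether a fetched URL redirects to HTTPS or sends HSTS. The host lab.example, the sample HTML and the response headers are constructed.

```python
"""Offline audit for a results portal reachable over plaintext HTTP and a login
form that would submit credentials unencrypted. Sample data is constructed;
'lab.example' is a placeholder host, not the laboratory in the decision."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _PageScanner(HTMLParser):
    """Collect absolute link targets and forms, flagging forms with a password field."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(urljoin(self.base_url, a["href"]))
        elif tag == "form":
            # A missing action means the form posts back to the page itself.
            self._form = {"action": urljoin(self.base_url, a.get("action") or ""),
                          "password": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            if (a.get("type") or "").lower() == "password":
                self._form["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def audit_html(page_url, html):
    """Findings for plaintext links and for password forms submitting over http://."""
    scanner = _PageScanner(page_url)
    scanner.feed(html)
    findings = []
    for link in scanner.links:
        if urlsplit(link).scheme == "http":
            findings.append(f"link to plaintext HTTP page: {link}")
    for form in scanner.forms:
        if form["password"] and urlsplit(form["action"]).scheme == "http":
            findings.append(f"password form submits over plaintext HTTP: {form['action']}")
    return findings


def audit_transport(url, status, headers):
    """Findings for a fetched URL: plaintext service without an HTTPS redirect,
    or an HTTPS page that does not pin clients to TLS via HSTS."""
    h = {k.lower(): v for k, v in headers.items()}
    scheme = urlsplit(url).scheme
    findings = []
    if scheme == "http":
        target = h.get("location", "")
        if not (status in (301, 302, 307, 308) and target.startswith("https://")):
            findings.append(f"{url} is served over plaintext HTTP without redirect to HTTPS")
    elif scheme == "https" and "strict-transport-security" not in h:
        findings.append(f"{url} sends no Strict-Transport-Security header")
    return findings


# Constructed sample pages modelled on the facts of the decision.
HOMEPAGE = '<a href="/cyberlab/">Consult results</a>'
LOGIN_PAGE = ('<form action="login" method="post">'
              '<input name="user"><input type="password" name="pw"></form>')
```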

Furthermore, the DPA held that the controller violated Articles 35(1) and 35(3) GDPR by not conducting a data protection impact assessment. In determining whether the controller was obliged to do so, the DPA considered the central issue to be whether the processing was large scale. It regarded the number of data subjects, the volume of data, the duration of the processing operation and its geographical scale as the relevant factors. Since an external service provider had stated in its report that the processing in question was large scale and concerned special categories of data, the DPA held that the controller should have conducted a data protection impact assessment before the processing started.

Finally, the DPA held that the controller had also violated Articles 12, 13 and 14 GDPR, mainly because its website lacked a privacy policy until the DPA contacted the controller. The DPA held that providing this information at the physical test sites was insufficient; moreover, it found no evidence that the controller had provided any GDPR information at the physical locations. It is clear from the decision that the DPA held that the information should also be available on a website, regardless of any availability at physical locations.

After taking into account several aggravating and mitigating factors, the DPA fined the controller €20,000.


English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.


Decision of the Court of First Instance of 19 August 2022
File number: DOS-2019-05244
Subject: Complaint against a medical analysis laboratory for violating the principles of integrity, confidentiality and transparency

The Dispute Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans, chairman, and Mr Christophe Boeraeve and Mr Frank De Smet, members;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter "the AVG";

Having regard to the Act of 3 December 2017 establishing the Data Protection Authority, hereinafter "WOG";

Having regard to the Rules of Internal Procedure, as approved by the House of Representatives on 20 December 2018 and published in the Belgian Official Gazette on 15 January 2019;

Having regard to the documents in the file;

has taken the following decision on:

Complainant: X, hereinafter "the complainant"
Defendant: Medical Analysis Laboratory, represented by Sébastien Popijn, hereinafter "the defendant"
Decision on the merits 127/2022 - 2/17
I. Facts and procedure

1. On 4 October 2019, the complainant filed a complaint against the respondent with the Data Protection Authority.

2. The complainant suspects that the Medical Analysis Laboratory (hereafter: Medical Analysis Laboratory) did not carry out a data protection impact assessment, did not inform individuals correctly and processed special categories of data, in this case health-related data, through an unsecured website.

The complainant states that he had several dealings with the Medical Analysis Laboratory in the context of medical analyses. He was told that his doctor had electronic access to his analysis results. However, he notes that the website of the medical analysis laboratory contains a page for accessing medical analysis data under the name "Cyberlab" in an unsecured HTTP protocol.

3. On 29 October 2019, the complaint was declared admissible by the Honours Department under Sections 58 and 60 of the WOG and was referred to the Dispute Resolution Chamber under Section 62(1) of the WOG.

4. On 27 November 2019, the Disputes Chamber decides to request an investigation by the Inspectorate under sections 63, 2° and 94, 1° of the CPC.

5. On 29 November 2019, pursuant to Article 96 § 1 of the WOG, the Dispute Resolution Chamber's request for an investigation is forwarded to the Inspectorate, together with the complaint and the inventory of documents.

6. On September 8, 2021, the investigation of the Inspectorate is concluded, the report is added to the file and the latter is transmitted by the Inspector General to the President of the Litigation Chamber (art. 91, § 1 and § 2 of the WOG).

The report contains a number of findings relating to the subject matter of the complaint and reaches the following findings:

1. The defendant may be considered a data controller
2. Insufficiently secure health data in violation of Articles 5.1(f), 24, 25 and 32 of the AVG.
3. No data protection impact assessment in breach of Articles 35.1 and 35.3 of the AVG.
4. Lack of information regarding data processing in violation of Articles 12 to 14 of the AVG.
7. On 21 September 2021, the Disputes Chamber decides under Article 95, §1, 1° and Article 98 of the CPC that the case can be heard on the merits.

8. On 21 September 2021, the parties concerned will be notified by registered letter of the provisions of Article 95 §2 and Article 98 of the CPC. They are also notified of the deadlines for submitting their defences, in accordance with Article 99 of the CPC.

The deadline for receipt of the defendant's defences of reply is set at 2 November 2021, that for the complainant's defences of reply at 23 November 2021 and finally that for the defendant's defences of reply at 14 December 2021.

9. On 27 September 2021, the defendant requested a copy of the file (art. 95, §2, 3° of the CPC), which was sent to her on 6 October 2021.

10. On 2 November 2021, the Dispute Resolution Chamber received the respondent's defences.

11. On 7 November 2021, the Disputes Chamber receives the complainant's defences to the reply.

12. On 9 December 2021, the Dispute Resolution Chamber received the respondent's defences.

13. On 25 July 2022, the Disputes Chamber notified the defendant of its intention to proceed with the imposition of an administrative fine, as well as its amount, in order to give the defendant an opportunity to defend itself before the sanction is effectively imposed.

14. On 15 August 2022, the Disputes Chamber received the respondent's response to the intention to impose an administrative fine and the amount thereof.

II. Reason

II.1. Responsibility for processing

15. In its investigation report, the Inspectorate (hereinafter ID) determines that the defendant can be considered a data controller. That position is initially disputed by the defendant, but eventually accepted in its summary conclusions, following the complainant's defences to its reply.

16. The Disputes Chamber decides that the defendant can be considered a data controller as it determines the purposes and means of processing.
17. It recalls, however, that in accordance with the principle of responsibility under Article 24 of the AVG, the defendant itself must be able to determine its responsibilities and obligations under the AVG. Moreover, the Disputes Chamber adds that the changes in the defendant's position during the course of the proceedings led to an apparent confusion in its defence, since it initially argued, for example, that it was not obliged to carry out an EIO because it is only a processor[1] (and processors are not obliged to carry out an EIO) and then stated that the failure to carry out an EIO was due to the fact that the processing activities did not initially meet the criteria under which it was required to carry out an EIO.[2] These views are clearly incompatible.

II.2. Interest of the complainant

18. The file shows that the complainant's doctor had several medical analyses performed for his patient by the defendant. Thus, the defendant processes or has processed the complainant's personal data. The complainant therefore has an interest in appearing in this file.

II.3. Finding 1: Inadequately secured health data (AVG Articles 5.1(f), 24, 25 and 32)

19. The investigation report shows that the defendant has a website. The homepage of this website contains another page of the medical analysis laboratory under the heading "Consult results", which links to the "Cyberlab", the defendant's online results server, where doctors can consult the results and histories of their patients' analyses in real time.

20. In its first technology investigation report of 14 January 2021 (hereinafter: the first technology report), the ID found that this website does not contain encryption (the collected login and password are sent unencrypted), as it uses an "http" protocol instead of an encrypted "https" protocol.

21. In this regard, ID notes that "Cyberlab's access site is thus not secure and is susceptible to man-in-the-middle attacks. The login and password collected are transmitted unencrypted [...]".

22. Following the answers provided by the respondent during the course of the investigation, a follow-up report to the technological investigation report will be issued on July 6, 2021

[1] Defendant's defences, p. 9
[2] Summary conclusion of the defendant, p. 7