Commissioner (Cyprus) - 11.17.001.007.251: Difference between revisions
m (Panayotis.Yannakas moved page Comissioner - 11.17.001.007.251 to Commissioner - 11.17.001.007.251: Bug) |
m (Ar moved page Commissioner - 11.17.001.007.251 to Commissioner (Cyprus) - 11.17.001.007.251) |
||
| (4 intermediate revisions by 2 users not shown) | |||
| Line 1: | Line 1: | ||
{{DPAdecisionBOX | {{DPAdecisionBOX | ||
| Line 55: | Line 54: | ||
}} | }} | ||
A patient after her | A patient, after her hospitalisation thought that a detailed medical report is part of her personal data which have been collected by the Hospital, and for that reason, claimed that she shall receive the medical report under the veil of GDPR. The Cypriot Office of the Commissioner for Personal Data Protection disagreed. | ||
==English Summary== | ==English Summary== | ||
===Facts=== | ===Facts=== | ||
According to the | According to the Hospital's policy on its discharges procedure, the patient receives only an attestation form and a digital copy of MRI scans. The complainant was hospitalised for several days back in 2016. In September 2019, she asked for her full medical report for which the hospital has asked her to pay administrative fees. | ||
Furthermore, some days after the discharge from the hospital, her employer | Furthermore, some days after the discharge from the hospital, her employer fired her. She thought that the firing was on the grounds of the health incident, and the only possible source to her employer was the very same Hospital's employee. | ||
===Dispute=== | ===Dispute=== | ||
The | The central part of the decisions dealing the question of whether the Article 15 activates in advance any "''ex-ante right''" of the data-subject to access his or her personal data and/or information, even when these data have not been prepared, drafted, and/or assembled yet. | ||
===Holding=== | ===Holding=== | ||
With regard to the leak of the complainant's health information, the Cypriot | With regard to the leak of the complainant's health information, the Cypriot Office of the Commissioner for Personal Data Protection has not been convinced of the substance of relevant complaints. It appears that a complainant for any allegation shall provide some evidence compatible with a minimum burden and standard of proof. Nevertheless, Cypriot DPA has not specified yet the minimum level of the required proof. | ||
Regarding the primary concern, Cypriot | Regarding the primary concern, Cypriot DPA started her reasoning with the fact that state health require command a health facility to prepare a medical report only upon request from the patient and only if (s)he pays the regulated fee. Hence, before the patient's request, the desired information and data did not exist at all. That means the right of access, as the GDPR describes, it entirely incompatible under such circumstances. | ||
The secondary allegation from the Complainant was her belief that the medical report has been lost due to negligence of the Hospital's employees. The Cypriot Commissioner for Personal Data Protection was satisfied with the security measures that the health facility has adopted, while had considered not only these measures of that sort was mentioned as part of the defence’s reply. On the contrary, the Cypriot Commissioner for PDP also considered all measures, which already have been the brought to Commissioner's notice by previous DPA's initiative enquiries and activities. | |||
==Comment== | ==Comment== | ||
| Line 86: | Line 85: | ||
</pre> | </pre> | ||
Latest revision as of 16:52, 6 December 2023
| Commissioner - 11.17.001.007.251 | |
|---|---|
 | |
| Authority: | Commissioner (Cyprus) |
| Jurisdiction: | Cyprus |
| Relevant Law: | Article 15 GDPR Article 32(1)(b) GDPR Article 32(1)(d) GDPR Article 32(4) GDPR |
| Type: | Complaint |
| Outcome: | Rejected |
| Started: | |
| Decided: | 25.05.2020 |
| Published: | |
| Fine: | None |
| Parties: | Nicosia General Hospital |
| National Case Number/Name: | 11.17.001.007.251 |
| European Case Law Identifier: | n/a |
| Appeal: | Not appealed |
| Original Language(s): | Greek |
| Original Source: | Commissioner for Personal Data Protection (Cyprus) (in EL) |
| Initial Contributor: | Panayotis Yannakas |
A patient, after her hospitalisation thought that a detailed medical report is part of her personal data which have been collected by the Hospital, and for that reason, claimed that she shall receive the medical report under the veil of GDPR. The Cypriot Office of the Commissioner for Personal Data Protection disagreed.
English Summary
Facts
According to the Hospital's policy on its discharges procedure, the patient receives only an attestation form and a digital copy of MRI scans. The complainant was hospitalised for several days back in 2016. In September 2019, she asked for her full medical report for which the hospital has asked her to pay administrative fees.
Furthermore, some days after the discharge from the hospital, her employer fired her. She thought that the firing was on the grounds of the health incident, and the only possible source to her employer was the very same Hospital's employee.
Dispute
The central part of the decisions dealing the question of whether the Article 15 activates in advance any "ex-ante right" of the data-subject to access his or her personal data and/or information, even when these data have not been prepared, drafted, and/or assembled yet.
Holding
With regard to the leak of the complainant's health information, the Cypriot Office of the Commissioner for Personal Data Protection has not been convinced of the substance of relevant complaints. It appears that a complainant for any allegation shall provide some evidence compatible with a minimum burden and standard of proof. Nevertheless, Cypriot DPA has not specified yet the minimum level of the required proof.
Regarding the primary concern, Cypriot DPA started her reasoning with the fact that state health require command a health facility to prepare a medical report only upon request from the patient and only if (s)he pays the regulated fee. Hence, before the patient's request, the desired information and data did not exist at all. That means the right of access, as the GDPR describes, it entirely incompatible under such circumstances.
The secondary allegation from the Complainant was her belief that the medical report has been lost due to negligence of the Hospital's employees. The Cypriot Commissioner for Personal Data Protection was satisfied with the security measures that the health facility has adopted, while had considered not only these measures of that sort was mentioned as part of the defence’s reply. On the contrary, the Cypriot Commissioner for PDP also considered all measures, which already have been the brought to Commissioner's notice by previous DPA's initiative enquiries and activities.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
