Latest revision as of 13:07, 3 March 2024
Tietosuojavaltuutetun toimisto - 8235/154/18 | |
---|---|
Authority: | Tietosuojavaltuutetun toimisto (Finland) |
Jurisdiction: | Finland |
Relevant Law: | Article 5(1)(c) GDPR; Article 6 GDPR; Article 12 GDPR; Article 17 GDPR; Article 58(2)(c) GDPR; Data Protection Act (Tietosuojalaki) 1050/2018; Sosiaali- ja terveysministeriön asetus potilasasiakirjoista 298/2009 |
Type: | Complaint |
Outcome: | Partly Upheld |
Started: | |
Decided: | |
Published: | 16.02.2021 |
Fine: | None |
Parties: | n/a |
National Case Number/Name: | 8235/154/18 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Finnish |
Original Source: | Finlex (in FI) |
Initial Contributor: | V |
The Finnish DPA (Tietosuojavaltuutetun Toimisto) ordered a data controller to comply with the customer's request to have their personal data deleted in so far as their processing is not required by Finland's national legislation concerning patient records and the rights of patients.
English Summary
Facts
In November 2018, a customer (the data subject) purchased glasses from an optician (the data controller) and later noticed that the optician had stored his personal data in its system. The data subject asked the controller to delete his data on the basis that he had not given his consent to storing it. To proceed with the deletion request, the data subject was asked to fill in an online form that required him to provide even more personal data. The data subject refused and instead wrote a public blog post, which was accepted by the DPA as a valid data subject request.
Dispute
Holding
The Finnish Data Protection Ombudsman considered that the data controller had a legal basis for processing the data subject's personal data under national law, which requires certain personal data of customers to be retained for a period determined by the Patient Data Record Act. The controller also had a legal basis to process patient data that were necessary for identifying the data subject when he wishes to exercise his rights. However, the controller had not adequately informed the data subject about the processing of requests for deletion, nor about the reasons for rejecting the data subject's request.
English Machine Translation of the Decision
The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.
Customer's request for deletion of personal data and the basis for processing personal data
Matter
The applicant has asked the optician to delete his information, but has not received a response to his request.
Applicant's claims and reasons
The applicant has been in contact with the Office of the Data Protection Commissioner on 19 November 2018 regarding the processing of personal data in the activities of the optician's shop (later also the “registrar”). The applicant has done business with the controller's business and noticed that information about him or her has been stored in the controller's system. The applicant has contacted the registrar on 8 November 2018 and stated that he has not given his consent to the storage of his data. The applicant has asked the controller to delete all his data. The applicant has inquired from the registrar why the online form collects information that the applicant says customers do not want to provide to the company. According to the applicant, the registrar's online form has asked for the first name, surname, e-mail address, address, post office, postal code, personal identity number, as well as information on the store in which the person has done business and what services he has purchased. In addition, the data subject has been asked to indicate freely what his request is about. The applicant has stated that it should be possible to control the rights without filling in all the fields marked as mandatory on that form. The applicant has not received a response to his/her inquiry from the controller and asks the EDPS to assess whether the controller has acted correctly.
Statement received from the controller
The Office of the Data Protection Commissioner has sent a request for clarification to the optics group's Finnish country company on 1 July 2019, to which the company declared to be the optics group's head office has submitted the report on 13 August 2019.
The Office of the Data Protection Commissioner has requested an additional report from the Finnish country company on 23 April 2020, to which the head office of the optics group has submitted the report on 25 May 2020. A report on the online form has been requested from the optics group's head office on October 1, 2020. A report has been requested from the local optician's shop on the exercise of the applicant's right on 1.10.2020. The head office of the Optician Group has submitted a response to the requests for clarification on 9 October 2020.
Cross-border nature of the case
The local office of the optician's shop is part of an international optician's group, which has made it necessary to determine whether the Data Protection Officer or the data protection authority of another country is the competent supervisory authority. Based on the report received from the head office of the optician group, the local optician's company, the Finnish country company and the company defined as the head office of the optician group are responsible for making decisions on the processing of personal data in the applicant's case. The Registrar shall have its principal place of business in Guernsey. Based on the explanation received, the local store is the registrar when the customer orders the product from the local store. The company, which has been declared the head office of the Optician Group, participates in the processing of personal data as a joint registrar and provides IT, marketing and other support services to local stores. The Group Data Protection Officer is a shared resource of the optician group that supports local entrepreneurs in enforcing the data subject’s rights. The online form is a mechanism by which the data subject's rights can be exercised on behalf of the local movement.
The optician group is not headquartered in the EU, so the procedure for cooperation between data protection authorities under Article 56 of the General Data Protection Regulation does not apply.
Basis for processing personal data
According to the explanation received from the controller, the processing of the applicant's personal data was based on an agreement under Article 6 (b) and a legitimate interest of the controller under Article 6 (f) to continue processing the data in order to provide a service to the customer.
Informing data subjects
According to the controller's report, data subjects are provided with the information required by Articles 12 to 14 of the General Data Protection Regulation on a sign placed on the counter of the shop and on cards indicating what information is collected, by whom and for what purpose. According to the controller, the customer goes through several privacy clauses at the time of booking and the controller states that he is referring to his data protection policy, which provides customers with additional information in accordance with Articles 12-14 of the General Data Protection Regulation.
The data subject's right to have his data deleted
According to the statement provided by the registrar, the applicant has ordered reading glasses through the registrar's local store. According to the registrar, the applicant has returned to the circulation and questioned the amount of data collected to execute the order. According to the registrar, the applicant has requested the deletion of his data but has refused to use the online form provided. The applicant has sent the business entrepreneur the message described above in connection with the applicant's claims, in which he requests, among other things, the deletion of his data. According to a report from the registrar, the entrepreneur of the business has told the applicant that health care legislation requires the registrar to keep health records for a certain period of time.
Retention of health information enables clients, health care providers, and authorities to evaluate the care they receive if they encounter problems in the future. According to the registrar, the business operator has informed the applicant that, at the request of the applicant, it can only anonymise the applicant's data within the retention period. Based on the report provided by the registrar, the applicant has written a blog post about the incident, to which the Finnish country manager of the optics group has published a response. In his reply, the Finnish Country Director states that the registrar sells spectacles on the basis of a thorough examination carried out by an optician or an optician or ophthalmologist. According to the answer, many customers do not seem to know that dealing with an optician is equivalent to doing business with a healthcare professional. The Finnish country manager of the optician's movement says that opticians have an obligation to collect information that is considered patient data and keep it for the period required by law. According to the writing, it is not possible for customers to sell individual glasses without processing their personal information. In response, the Finnish country manager of the optician's store states that they process personal data as required by the general data protection regulation only for the purposes for which they were collected and about which customers have been informed in the store and on the registrar's website. If customers wish to exercise their rights under the General Data Protection Regulation, such as the right to have their data deleted, the controller has a process set up for this purpose on its website. The reason why the controller collects data again in this process is that the controller has a duty to verify the identity of the data subject. Without this, there could be a risk of data being erased incorrectly. 
According to the reply, the applicant will be informed of the deletion of the data and the data collected on the online form will also be deleted.
Processing of personal data in connection with the online form
Based on the report received, not all customers have a default email address, so the registrar needs other information in addition to the email address to ensure customer service. The registrar uses customer data for this purpose. According to the registrar, it requests identifying information on the online form, which it can compare with the information in its possession. Usually, the information used for comparison is name, phone number, and email address. If at least three items of the information provided on the form match the customer data held by the controller, the controller considers this to be a sufficient reason to proceed with the customer's request. If any of the information does not match the customer information, the registrar may call the customer to verify their identity. This may be the case, for example, when a customer sends a request online and the email address matches the customer information, but the phone number does not. If the controller is still unable to verify the identity, it may require the customer to present an identity card at the store. According to the registrar, in most cases the identity of the data subject can be easily established without formal identification. The controller shall consider that the information it collects for this purpose is relevant, adequate, necessary and proportionate. The goal of the registrar has been to create an authentication process that is not intrusive to customers. The controller wants to point out that it does not collect information about customers that it does not already have in its register. According to the explanation received, the data subject may make his request orally or in writing. The majority (approx. 99%) of the data subject's requests have been made via the online form.
Since May 2018, the controller has reported a total of 12,547 requests across Europe. According to the report provided by the registrar, the online form has changed after 2018. In the current form, the free-form field for specifying the request has been replaced by check boxes and the registrant will be asked to specify his relationship with the controller. In addition, looking at the updated form, it can be seen that instead of a personal identity number, the registrant is asked to fill in the date of birth. The required information is marked with an asterisk. When at least three of the data completed in the request match the customer data, the controller considers this to be a sufficient reason to proceed with the customer's request. Surname, address, e-mail address and date of birth are used for this purpose. Information on the store in which the data subject has transacted and what services the data subject has purchased will help the registrar to link the request to the local optician and the service used to execute the request. The registrar considers that all the mandatory information on the form is necessary and that the form is simple and easy to use. The data subject's rights are exercised by the controller's data protection team and the data is used only to enforce the rights. The information is not available to other teams in the Group.
Applicant's reply
The applicant is given the opportunity to respond in the matter. The applicant submitted the defense on 19.11.2020. In his defense, the applicant states that the report sent to the Office by the Data Protection Officer contains a number of errors. The applicant states that he has not received any emails or other contacts from the controller throughout the process, with the exception of the reply received from the controller's employee in October 2020.
On 2 September 2020, the applicant has been in contact with the CEO of the optics group in Finland and has inquired about the response to the personal data deletion request made to the data protection officer in November 2018. The applicant has re-inquired on 11.9.2020. The applicant has received a reply from the Finnish CEO on 23.10.2020, regretting that the matter has not been confirmed and stating that the matter will be confirmed separately. According to the applicant, the controller has recorded information without asking the applicant, which the applicant would not have wanted to provide to the controller even with his consent. According to the applicant, that information appears to have been obtained from a prescription written by an ophthalmologist. According to the applicant, the consent of the applicant has not been sought for the recording of the data. On 25 November 2020, the applicant was asked what errors the report submitted by the data controller to the Office of the Data Protection Officer contains. According to the applicant, he orally requested the deletion of his data on his second visit to the store, about a week after the original purchase transaction, i.e. in November 2018. According to the applicant, the movement claimed, numerous times and by several persons, that the data could not be deleted. According to the applicant, no reasons were given for this. According to the applicant, he was instead given a note with the contact details of the data protection officer of the controller. The applicant had sent an e-mail to this party, the content of which has been described above in connection with the applicant's claims. According to the applicant, he has not been advised to use the form on the website. According to the applicant, he has still also sent the request via an electronic form. According to the applicant, the controller has not responded to either request sent by the applicant in a way that the applicant could have detected.
According to the applicant, he was never informed of the statutory obligation of opticians and ophthalmologists to draw up and keep patient records. The applicant denies being a patient of the controller. According to the applicant, he is an ordinary customer who has purchased an object from the registrar without receiving, for example, medical measurement services. According to the applicant, he did not know that the controller would set up a document containing information about him. According to the applicant, he was not informed that his data would be stored.
Legal issue
The Data Protection Officer assesses and decides on the applicant's case on the basis of the General Data Protection Regulation (EU) 2016/679 and the Data Protection Act (1050/2018). The following issues remain to be resolved: 1) whether there has been a ground for processing the applicant's personal data in accordance with Article 6 of the General Data Protection Regulation; 2) whether the processing of personal data by the controller in connection with the online form has complied with the principle of minimization in accordance with Article 5 (1) (c) of the General Data Protection Regulation; and 3) whether the controller should be ordered in accordance with Article 58 (2) (c) of the General Data Protection Regulation to comply with the applicant's request for his data to be deleted.
Decision of the EDPS
The EDPS considers that the controller has had the grounds for processing personal data required by Article 6 of the General Data Protection Regulation. The EDPS considers that the processing of personal data by the controller in the context of the online form is not contrary to the principle of minimization set out in Article 5 (1) (c) of the General Data Protection Regulation. The EDPS shall issue a notice to the controller in accordance with Article 58 (2) (b) of the General Data Protection Regulation.
The EDPS notes that the activities of the controller have not complied with the obligations set out in Article 12 of the General Data Protection Regulation. The controller has not responded to the applicant's request as required by Article 12 (3) and (4) of the General Data Protection Regulation. The EDPS instructs the controller to comply with the applicant's request to have his data deleted in accordance with Article 58 (2) (c) of the General Data Protection Regulation insofar as it does not concern patient records under section 2 of the Patient Status and Rights Act.
Reasoning
The basis for the processing of personal data
The processing of personal data must be subject to the grounds set out in Article 6 of the General Data Protection Regulation. It should be noted that consent is only one of the grounds for processing personal data provided for in Article 6. According to the controller's explanation, the processing of the applicant's personal data has been based on an agreement in accordance with Article 6 (b) and a legitimate interest of the controller in accordance with Article 6 (f). If the data subject has used the services of an optician or ophthalmologist, the processing of personal data may also have been based on the data subject's legal obligation under Article 6 (c) of the General Data Protection Regulation. According to a report received from the registrar, the applicant has ordered reading glasses through a local store. It should be noted that the determination of suitable lenses on the basis of an eye examination is a task which requires the professional competence of an optician (Consumer Law Practices in the Optical Sector, p. 5). Pursuant to section 5 of the Health Care Professionals Act (559/1994), an optician is a health care professional.
As a health care professional, an optician must, in accordance with section 12 of the Act on the Status and Rights of Patients (785/1992), enter in patient documents the information necessary to ensure the organization, planning, implementation and monitoring of patient care. According to Section 2 (5) of the Act on the Status and Rights of Patients, patient records refer to documents or technical records used, prepared or received for the organization and implementation of patient care, which contain information about his or her state of health or other personal information. The preparation of patient documents, the more detailed content of the information to be recorded in them and the data retention periods are regulated in more detail by the Decree of the Ministry of Social Affairs and Health on Patient Documents (298/2009; later the Patient Document Decree). Section 10 of the Patient Documentation Decree defines the basic information to be defined in patient records. According to subsection 1 (1) of the said section, the information to be retained is the patient's name, date of birth, personal identity number, place of residence and contact information. In accordance with section 23 of the Patient Documentation Decree, the data must be kept for the period referred to in the annex to the said decree. For the reasons set out above, the EDPS considers that the controller has had the basis for the processing of personal data required by Article 6 of the General Data Protection Regulation.
On the processing of personal data in connection with the online form
In accordance with Article 5 (1) (f) of the General Data Protection Regulation, the controller must ensure the confidentiality of personal data. Therefore, when exercising the data subject's rights, the controller must verify the identity of the requesting person.
If the controller has reasonable grounds to doubt the identity of the natural person who made the request, the controller may, in accordance with Article 12 (6), request the provision of additional information necessary to establish the identity. In accordance with Article 5 (1) (c) of the General Data Protection Regulation, the processing of personal data must comply with the principle of minimization. Personal data processed in accordance with the principle of minimization shall be appropriate, relevant and limited to what is necessary in relation to the purposes for which they are processed. Given the principle of minimization of personal data, the controller should not ask the data subject for more information than is necessary to identify him or her. According to the applicant, the registrar's online form has asked for the first name, surname, e-mail address, address, post office, postal code, personal identity number, as well as information on the store in which the person has done business and what services he has purchased. In addition, the data subject has been asked to indicate freely what his request is about. According to the report provided by the registrar, the same information that customers have provided when registering as a customer of an optician is processed in connection with the online form. According to the registrar, it uses the information in the form to verify the registered identity by comparing the information with the information in the customer register. The registrar has also stated that he updated the form used after 2018. The information collected by the registrar on the online form for identification purposes is the same information that the registrar normally processes from registrants in its customer register. 
The EDPS therefore considers that the processing of personal data by the controller in the context of an online form is not contrary to the principle of minimization set out in Article 5 (1) (c) of the General Data Protection Regulation.
The data subject's right to have his data deleted
Article 17 of the General Data Protection Regulation provides for the right of the data subject to have his or her personal data deleted. According to this provision, the data subject has the right, under certain conditions, to have the controller delete personal data concerning the data subject without undue delay, and the controller has the obligation to delete personal data without undue delay. Article 12 (3) of the General Data Protection Regulation requires the controller to inform the data subject of the action taken on a request under Articles 15 to 22 without undue delay and in any case within one month of receipt of the request. If the controller does not act on the data subject's request, Article 12 (4) of the General Data Protection Regulation requires the controller to inform the data subject of the reasons without delay and at the latest within one month of receiving the request. In that case, the controller shall also inform about the possibility to lodge a complaint with the supervisory authority and to seek other legal remedies. According to the registrar, the applicant had requested the deletion of his data in the shop, but had refused to use the online form created to make the request. According to the registrar, the applicant had sent a request for deletion to the e-mail address of the optician's entrepreneur. According to the registrar, the business entrepreneur told the applicant that health care legislation requires the registrar to keep health information for the period required by the legislation.
According to the registrar, the applicant had written a blog post about the incident, to which the Finnish country manager of the optics group had published a response. In the reply, the Finnish Country Director generally describes the registrar's obligation to collect and store information that is considered to be patient data for the period required by law. According to the applicant, he had requested the deletion of his personal data at a shop where he had been informed that the data could not be deleted. The reason for this was not stated according to the applicant. According to the applicant, he was given a piece of paper with the contact details of the data protection officer of the controller. The applicant sent their removal request to the email address provided to them. According to the applicant, he was not advised to use the form on the website. Nevertheless, the applicant also sent a deletion request to the controller using the online form. According to the applicant, the controller has not responded to either request sent by the applicant in a way that the applicant could have detected. It is still unclear what information was provided to the applicant when he requested the deletion of his information. It is also not clear from the information received whether the applicant's data has been deleted. It is clear, on the other hand, that the applicant has been unaware of the conditions under which healthcare legislation retains data. It should also be noted that the general reply of the Finnish country manager of the optician group published in response to the applicant's blog post cannot be considered as a notification within the meaning of Article 12 (3) and (4) of the General Data Protection Regulation. On the basis of the above, the EDPS will issue a notice to the controller in accordance with Article 58 (2) (b) of the General Data Protection Regulation. 
In view, in particular, of the controller's obligation to provide evidence laid down in Article 5 (2) of the General Data Protection Regulation, the controller's conduct must be considered not to comply with the obligations laid down in Article 12 of the General Data Protection Regulation. In particular, also taking into account the provisions of Article 5 (2) of the General Data Protection Regulation, the controller cannot be considered to have responded to the applicant's request as required by Article 12 (3) and (4) of the General Data Protection Regulation. On the basis of the above, the EDPS orders the controller to comply with the applicant's request for deletion of his data in accordance with Article 58 (2) (c) of the General Data Protection Regulation insofar as it does not concern patient records under Section 2 of the Patient Status and Rights Act.
Applicable law
Mentioned in the explanatory memorandum.
Appeal
According to section 25 of the Data Protection Act (1050/2018), this decision may be appealed to an administrative court in accordance with the provisions of the Act on Administrative Proceedings (808/2019). The decision is not yet final.