IP - 07121-1/2021/400
Authority: IP (Slovenia)
Jurisdiction: Slovenia
Relevant Law: Article 4(15) GDPR, Article 9 GDPR
Type: Advisory Opinion
Outcome: n/a
Started:
Decided: 19.03.2021
Published:
Fine: None
Parties: n/a
National Case Number/Name: 07121-1/2021/400
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Slovenian
Original Source: IP (in SL)
Initial Contributor: GDPR plus
The Slovenian DPA decided that it is permissible for an individual to disclose to a third party the blog author's specific health information. Information whose content meets the definition of health data in point 15 of Article 4 GDPR is health information even if it is published by the person himself.
English Summary
Facts
Question: Is it permissible for a person reading the content of a publicly available blog to disclose to a third party the personal information provided about himself by the author of the blog? Namely, a person writes a personal blog (which includes photos of his or her face) that is publicly available and has written down his or her health information about a particular medical condition. The third party to whom the information is shared via private messages online does not know the author of the blog. They are also interested in whether it is still sensitive personal information if it is only published by the patient. They also believe that freedom of expression is at stake.
Holding
Generally, it is permissible for an individual to disclose to a third party the blog author's specific health information that the individual lawfully obtained from the author's publicly available website and that the author freely posted.
Information whose content meets the definition of health data in point 15 of Article 4 of the General Regulation on Data Protection is health information even if it is published by the person himself. It does not matter where the data come from, what the purpose of the publication is, whether the data are correct and complete and whether they are defined in a technically correct way.
English Machine Translation of the Decision
The decision below is a machine translation of the Slovenian original. Please refer to the Slovenian original for more details.
On 21 February 2021, we received your request from the Information Commissioner (IP) for an opinion on whether it is permissible for a person who reads the content of a publicly accessible blog to disclose to a third party the personal data provided by the author of the blog about himself. Namely, a person writes a personal blog (this also includes photos of his face), which is accessible to the public and has written down his health information about a certain disease. The third party to whom the information is communicated via private messages online does not know the author of the blog. You are also interested in whether it is still sensitive personal information if it is only published by the patient. You also think that it is about freedom of expression.
On the basis of the information you have provided to us, in accordance with Article 58 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data Directive 95/46/EC (hereinafter: the General Regulation on Data Protection), point 7 of the first paragraph of Article 49 of the Personal Data Protection Act (Official Gazette of the Republic of Slovenia, No. 94/07-UPB1, hereinafter ZVOP-1) and Article 2 of the Information Commissioner Act (Official Gazette of the Republic of Slovenia, No. 113/05, hereinafter ZInfP) provides our non-binding opinion on your issue. We further clarify that in the case of IP we are not competent to interpret the right to freedom of expression, however, concrete cases in the field of personal data protection can only be definitively determined in a possible inspection procedure.
Pursuant to point (e) of the second paragraph of Article 9 of the General Data Protection Regulation, it is in principle permissible for a person to disclose to a third party specific health information of a blog author legally obtained on the author's publicly accessible website and published by the author alone at will.
In the case of information that corresponds in content to the definition of health information from point 15 of Article 4 of the General Data Protection Regulation, it is also information on health status if it is published by the person himself. It does not matter where the data comes from, what the purpose of the publication is, whether the data is correct and complete and whether it is properly professionally defined.
Explanation:
If the further disclosure of personal data involves the processing of personal data in the true sense of the word (see point 2 of Article 4 of the General Data Protection Regulation) and the scope of this Regulation (see Article 2 of the General Data Protection Regulation), in a specific case, the appropriate legal basis for the further dissemination of data may be point (e) of the second paragraph of Article 9 of the General Data Protection Regulation. This stipulates that the processing (e.g. disclosure, transmission) of specific categories of personal data, including health data, is permissible if the data subject publishes it himself.
In assessing the admissibility of the further dissemination of such data, it must be taken into account, inter alia, whether the individual did publish the data without restrictions on the purpose of their use and whether the individual did publish the data in a more accessible public place.
Although this is not a narrower area of personal data protection, it may also be important in the further dissemination of information whether it is a fake blog created by “identity theft” and with what content the information is further disseminated (e.g. whether it is otherwise interpreted data, additional information from other sources, additional comments that may affect the individual's personal rights).
According to point 15 of Article 4 of the General Data Protection Regulation, data on health status are broadly defined and mean data relating to the physical or mental health of an individual, including the provision of health services, and disclose information on his health status. A similarly broad definition is contained in the first paragraph of Article 45 of the Patients' Rights Act (ZPacP). Even if the information does not come directly from the healthcare provider or does not come directly from the classic health documentation, it can still be information about the health condition.
Kind regards,