Helsingin hallinto-oikeus (Finland) - 3620/2023: Difference between revisions

From GDPRhub
mNo edit summary
 

Latest revision as of 10:34, 29 February 2024

Helsingin hallinto-oikeus - 3620/2023
Courts logo1.png
Court: Helsingin hallinto-oikeus (Finland)
Jurisdiction: Finland
Relevant Law: Article 5(1)(a) GDPR
Article 12 GDPR
Article 13 GDPR
Article 15 GDPR
Article 25(1) GDPR
Article 83(1) GDPR
Decided: 16.06.2023
Published: 16.06.2023
Parties: Lääkäriklinikka Estetic Oy
National Case Number/Name: 3620/2023
European Case Law Identifier:
Appeal from: Tietosuojavaltuutetun toimisto (Finland)
8493/161/21
Appeal to: Not appealed
Original Language(s): Finnish
Original Source: Helsingin hallinto-oikeus (in Finnish)
Initial Contributor: fred

The Administrative Court of Helsinki upheld a Finnish DPA decision imposing a fine of €5,000 on a medical clinic for not implementing the data subject's access request and failing to inform data subjects about the processing of personal data.

English Summary

Facts

The controller (Lääkäriklinikka Estetic Oy, a medical clinic) had asked the Administrative Court of Helsinki (the Court) to overturn the €5,000 administrative fine imposed by the Finnish DPA and the DPA's decision, according to which the controller had not implemented the data subject's access request.

The controller filed the appeal claiming that it had already fulfilled the data subject's access request as far as it concerned the personal data it processed. The controller emphasised that it did not have access to the patient records of another company whose surgeon had treated the data subject at the controller's premises.

The controller argued that the DPA should have requested an explanation from the other company as well, because the data subject was not a patient of the controller, but a patient of the other company. The controller also stated that the DPA's actions had not been based on a sufficient and appropriate investigation.

The DPA emphasised that the data subject had received treatment from the controller at the controller's premises and that the controller had not informed the data subject that their patient records are in the possession of another company. The DPA also stated that the controller had not instructed the data subject to request their personal data from another company or otherwise informed the data subject about the matters related to the controllership of their personal data.

Holding

The Court noted that, despite the opportunity reserved for it, the controller had not sufficiently demonstrated that some other entity had acted as a controller of the personal data generated in connection with the treatment that took place on its premises. In its appeal, the controller had not denied that the data subject had received treatment from the controller. Thus, the Court stated that the controller had to be considered as a controller within the meaning of the GDPR.

In light of this, the Court agreed with the DPA that the controller had violated Article 5(1)(a) GDPR, Article 12 GDPR, Article 13 GDPR, Article 15 GDPR and Article 25(1) GDPR by not implementing the data subject's access request and failing to inform data subjects about the processing of personal data. The Court also considered that the administrative fine issued by the DPA had been effective, proportionate and dissuasive in accordance with Article 83(1) GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

HELSINKI ADMINISTRATIVE COURT DECISION

16/06/2023

3620/2023

ID number 1094/03.04.04.04.01/2022

Case A complaint regarding a data protection case

Appellant Lääkäriklinikka Estetic Oy

Decision to be appealed

Deputy data protection commissioner and sanctions panel 16 December 2021 ID number 8493/161/21

In its decision under appeal, the Deputy Data Protection Commissioner has given the data controller (later also Lääkäriklinikka Estetic Oy) an order in accordance with Article 58, paragraph 2, subparagraph c of the General Data Protection Regulation to comply with the initiator's request for access to data insofar as it concerns data whose data controller is Lääkäriklinikka Estetic Oy.

The Deputy Data Protection Commissioner has also given the data controller an order in accordance with Article 58, paragraph 2, subparagraph d of the General Data Protection Regulation to bring the processing activities into compliance with the provisions of the General Data Protection Regulation regarding procedures related to the exercise of data subjects' rights and information to data subjects. In addition, the Deputy Data Protection Commissioner has given the data controller a notice in accordance with Article 58, paragraph 2, subsection b of the General Data Protection Regulation regarding processing activities that violate the provisions of the General Data Protection Regulation in exercising the data subject's rights and informing data subjects.

In its decision under appeal, the Sanctions Board has ordered the data controller to pay the state an administrative penalty fee of 5,000 (five thousand) euros pursuant to Article 58(2)(i) and Article 83 of the General Data Protection Regulation.

In the case in question, it has been considered that the data controller, by not taking care of the data subject's rights and obligation to inform, has violated Article 5, Section 1, Subsection a (principle of transparency), Article 12, Sections 1-4 (transparent information, communication and detailed rules for exercising the data subject's rights) of the General Data Protection Regulation. , Article 13 paragraphs 1 and 2 (information to be provided when personal data is collected from the data subject), Article 15 paragraphs 1 and 3 (the data subject's right to access data) and Article 25 (built-in and default data protection).

Claims presented in the complaint

The notice given by the Deputy Data Protection Commissioner and the administrative penalty imposed by the Sanctions College must be cancelled. The initiator has already received access to his data insofar as it concerns data for which Lääkäriklinikka Estetic Oy is the data controller. Lääkäriklinikka Estetic Oy has already brought the processing operations into compliance with the General Data Protection Regulation. The state must be ordered to pay the appellant's legal costs.

On February 3, 2021, Lääkäriklinikka Estetic Oy has informed the data protection commissioner that the initiator has been operated on and consulted as a patient of a separate company, Valete Oy, which operated on the premises of Estetic Oy. Valete Oy is owned by a surgeon. The initiator's medical report and related photos are under the control of Valete Oy.

Lääkäriklinikka Estetic Oy has forwarded to the initiator and the data protection officer all information related to the initiator's customer relationship with Lääkäriklinikka Estetic Oy. Lääkäriklinikka Estetic Oy does not have any other information about the initiator, because it does not have access to Valete Oy's patient data. On 14 December 2020, Lääkäriklinikka Estetic Oy submitted the following information about the initiator to the Data Protection Commissioner:

- name
- personal identification number
- phone number
- address
- the date of the call request
- the date of the call
- the date of the reception visit
- the date of the procedure (two different procedure dates)
- the date of the reception visit (two different dates of the reception visit).

Lääkäriklinikka Estetic Oy has taken care of forwarding patient data to the initiator to the extent that it is possible within the framework of the law, and its system corresponds to the EU's general data protection regulations.

Lääkäriklinikka Estetic Oy has also sufficiently informed the data protection commissioner about the matter. The data protection officer should have also requested an explanation from Valete Oy, because the initiator was not a patient of Lääkäriklinikka Estetic Oy, but a patient of Valete Oy. The data protection officer's actions have not been based on a sufficient and appropriate investigation, so the decision is not based on objectively and impartially acquired information.

Case handling and investigation

The Office of the Data Protection Commissioner has issued a statement and submitted a rejection of the complaint and legal costs claim. The statement states, among other things, the following:

The initiator has said that he visited the reception of the owner of Lääkäriklinikka Estetic Oy for, among other things, laser treatment. In the initiator's basic information, a copy of which Lääkäriklinikka Estetic Oy has delivered to the data protection commissioner's office, three reception visits and two procedure times have been recorded. Based on the records, the visits are not limited to the consultation and procedure time of the surgeon (Valete Oy). According to the information available from the central register of healthcare professionals maintained by Valvira, the Social and Health Licensing Agency, she has a professional qualification as a nurse, and there is a blog on Lääkäriklinikka Estetic Oy's website, from which it appears that she receives patients at Lääkäriklinikka Estetic Oy. The Office of the Data Protection Commissioner has clarified the matter specifically with

According to his account, the initiator has not received information from Lääkäriklinikka Estetic Oy that his patient documents are available from Valete Oy, and Lääkäriklinikka Estetic Oy has not presented an explanation in the case that it directed the initiator to request information from Valete Oy or otherwise informed the initiator to the record keeping related matters.

The claim for court costs is not a claim for compensation in accordance with Section 95 of the Act on Litigation in Administrative Matters. It is therefore not necessary to comment on the matter.

The initiator has given an explanation.

Lääkäriklinikka Estetic Oy has given a counter-explanation.

Administrative law solution

The administrative court rejects the appeal and the claim for legal costs.

Reasoning

Applicable legal guidelines

Article 12, paragraph 1 of the General Data Protection Regulation stipulates the obligation of the data controller to take appropriate measures to provide the data subject with the information in accordance with Article 13 and the processing information in accordance with Article 15 in a concise, transparent, easily understandable and accessible form in clear and simple language.

Paragraphs 2 and 3 of Article 12 of the General Data Protection Regulation, on the other hand, provide for the duty of the data controller to facilitate the exercise of the data subject's rights in accordance with Article 15, as well as the time limits within which the data controller must inform the data subject of what measures have been taken in response to the data subject's request to exercise the rights. Furthermore, paragraph 4 of that article provides for the duty of the data controller to inform the data subjects of the reasons if it does not implement measures based on the data subject's request and of the legal remedies available.

Article 13 of the General Data Protection Regulation regulates the information to be provided when personal data is collected from the data subject. This information includes, among other things, information about the identity of the data controller and the data subject's right to request access to personal data concerning him from the data controller.

Article 15 of the General Data Protection Regulation provides for the data subject's right to access his personal data. Paragraph 3 of that article stipulates the obligation of the data controller to deliver the information in electronic form if the data subject submits the request electronically and the data subject has not requested otherwise.

Article 25 of the General Data Protection Regulation provides for built-in and default data protection.

Legal evaluation of the decision of the Deputy Data Protection Commissioner

According to the report presented in the case, the initiator has stated that he visited the reception of the owner of Lääkäriklinikka Estetic Oy for, among other things, laser treatment. Estetic Oy did not dispute this in its appeal to the administrative court, nor did it deny this when the matter was previously discussed at the data protection commissioner's office, and the administrative court has no reason to doubt the notice of the initiator. Furthermore, when Lääkäriklinikka Estetic Oy, despite the opportunity reserved for it, has not notified that another party is in the position of data controller with regard to the personal data generated in connection with the reception visits that take place with its owner, and no other reason has appeared in the matter, the administrative court states that Lääkäriklinikka Estetic Oy must be considered as intended by the data protection regulation as a registrar in connection with the aforementioned reception visits. Considering that Lääkäriklinikka Estetic Oy has not provided the initiator with the actual patient data requested by the initiator in addition to the basic information identified above, nor has it informed the initiator of the reasons why the request could not be implemented in its entirety, it has acted contrary to Article 15, paragraphs 1 and 3 of the General Data Protection Regulation and Article 12, paragraph 4. Furthermore, Lääkäriklinikka Estetic Oy has acted in violation of Article 12, paragraph 3 of the General Data Protection Regulation, when it has not informed the initiator within the deadlines according to the mentioned article, which measures it has taken in response to the latter's request.

Lääkäriklinikka Estetic Oy has informed the data protection commissioner's office that personal patient information can be obtained on site and that it will not be sent by e-mail. The Administrative Court states that Lääkäriklinikka Estetic Oy's procedure in this respect does not correspond to the obligation of the data controller to facilitate the exercise of the data subject's rights set out in Article 12, paragraph 2 of the General Data Protection Regulation, taking into account that the reported method requires the data subject to visit the data controller's office in order to exercise their rights. The Administrative Court also points out that, according to Article 15, Section 3 of the Data Protection Regulation, information about the personal data being processed must be submitted in electronic form when the data subject submits the request electronically.

Lääkäriklinikka Estetic Oy has not presented an explanation of how it informs registered users about matters related to the processing of personal data, such as the identity of the data controller or the data subject's right to request access to personal data concerning themselves from the data controller. Because of this and because the mentioned information could not be found on the company's website either, Lääkäriklinikka Estetic Oy must be considered to have failed to fulfill its obligation to provide data subjects with the information required by Article 13, paragraphs 1 and 2 of the regulation, in accordance with Article 12, Paragraph 1 of the General Data Protection Regulation. In doing so, the company has also acted in violation of the principle of transparency stipulated in Article 5(1)(a) of the General Data Protection Regulation and Article 25(1) of the regulation.

Based on the above, the administrative court considers that Lääkäriklinikka Estetic Oy's procedure regarding the exercise of the registered person's right of inspection and the information provided to the registered person has not met the requirements of the data protection regulation. The Deputy Data Commissioner has thus been able to give the company a notice in accordance with Article 58, Section 2, Subsection b of the General Data Protection Regulation. The Deputy Data Commissioner has been able to further order, on the basis of subparagraph c of the said article, Lääkäriklinikka Estetic Oy to comply with the initiator's request for access to his personal data insofar as the request has concerned information that was generated when the initiator visited the company owner's reception, and to issue an order according to subparagraph d of the article to bring the processing operations under the general data protection in accordance with the provisions of the regulation regarding the procedures related to the exercise of the rights of the registered and the information of the registered.

Legal evaluation of the Sanctions Board's decision

According to introductory paragraph 63 of the General Data Protection Regulation, the data subject's right of inspection includes the data subject's right to access his or her own health information. The administrative court considers that Lääkäriklinikka Estetic Oy's conduct in handling the initiator's request has significantly affected the initiator's right to access his own personal data, which is why the violation cannot be considered minor. As an aggravating factor, it has also been possible to take into account the fact that the violation has targeted health information. Regarding the other violations found in the decision of the Deputy Data Protection Commissioner, it should be noted that they have targeted the essential content of the data controller's obligations and, based on the report on the turnover and operating hours of Lääkäriklinikka Estetic Oy, a large number of people, so the violation cannot be considered minor in this respect either. On the other hand, based on the report presented in the case, the violations have not resulted in financial or other material damage to the initiator or other registered parties.

Regarding the duration of the violations, the administrative court states that no explanation has been presented in the case that the information of the data subjects was taken care of in accordance with the provisions of the data protection regulation or that the data subjects' access to their own personal data was carried out in a different way than stated in the reasons for the decision under appeal. Taking into account that, based on the report presented in the case, Lääkäriklinikka Estetic Oy's operations have already started before the entry into force of the General Data Protection Regulation, the violation must be considered to have continued for quite a long time after the entry into force of the regulation.

Lääkäriklinikka Estetic Oy has also not demonstrated that it has appropriate procedures in place to implement the registrant's right of inspection or processes for properly informing registrants regarding the processing of personal data. The above-mentioned facts can be considered to show disregard for the requirements regarding the protection of registered rights and the transparency of data processing.

Furthermore, the administrative court states that the violations have come to the attention of the supervisory authority first through a registered contact and then during a more detailed investigation of the processing of personal data carried out by Lääkäriklinikka Estetic Oy. The matter has thus not come to the attention of the supervisory authority through the company's own notification. Lääkäriklinikka Estetic Oy has also not responded appropriately to the supervisory authority's requests for clarification, as a result of which the processing of the case has been partly delayed. The company has also not taken steps without delay to implement the registered rights or to bring the procedures related to informing the registered to the provisions of the data protection regulation.

Taking into account the number and seriousness of the violations noted above, the administrative court considers that the fact that similar violations have not previously been discovered in the case of Lääkäriklinikka Estetic Oy and that control measures have not previously been applied to the company's operations, or that it has not come to light, that the violations would have explicitly sought or achieved a financial advantage or avoided losses.

Evaluating the aspects described above as a whole, the administrative court considers that the sanctioning board could have imposed a penalty payment on Lääkäriklinikka Estetic Oy. The company has been ordered to pay a fine of 5,000 euros, which is less than one percent of its 2019–2020 turnover. Taking into account the above, the administrative court considers that the administrative fine imposed by the sanctions panel is proportionate, effective and a warning. There is therefore no reason to overturn the administrative fine.

Claim for reimbursement of court costs

The Administrative Court states that, considering the decision given in the case, it is not unreasonable that Lääkäriklinikka Estetic Oy has to bear its legal costs.

Applied legal guidelines

Mentioned in the justifications and

Data protection regulation article 5 and article 58 paragraph 2 b, c, d and i

Section 24 of the Data Protection Act

Act on proceedings in administrative matters Section 95