DSB (Austria) - 2020-0.111.488: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Austria |DPA-BG-Color= |DPAlogo=LogoAT.png |DPA_Abbrevation=DSB |DPA_With_Country=DSB (Austria) |Case_Number_Name=2020-0.111.488 |ECLI=ECLI:A...") |
No edit summary |
||
Line 58: | Line 58: | ||
}} | }} | ||
A medical doctor was fined EUR 600 by the Austrian Data Protection Authority after publishing information on his patients (including health data) on his/her Facebook page. | A medical doctor was fined EUR 600 by the Austrian Data Protection Authority after publishing information on his/her patients (including health data) on his/her Facebook page. | ||
== English Summary == | ==English Summary== | ||
=== Facts === | ===Facts=== | ||
Between February and June 2020, a medical doctor published information on his/her patients on his/her personal Facebook page. The information | Between February and June 2020, a medical doctor published information on his/her patients on his/her personal Facebook page. The information included special categories of personal data and consisted of the patients' names and social security numbers, excerpts from patient letters, medical records/protocols, medical diagnoses, medication data, data on hospital admissions and discharges and names of of other doctors treating the patients. | ||
===Holding=== | |||
The Austrian Data Protection Authority (Datenschutzbehörde - DSB) held that the doctor had violated Article 5(1)(a) GDPR and Article 9(1) and (2) GDPR as the patients had not given their ecplicit consent to the online publication of their data under Article 9(2)(a) GDPR and there was no other legal basis for the processing under Article 9(2) GDPR. | |||
=== Holding === | |||
The Austrian Data Protection Authority (Datenschutzbehörde - DSB) held that the doctor had violated Article 5(1)(a) GDPR and Article 9(1) and (2) GDPR as the patients had not given their ecplicit consent to the online publication of their data under Article 9(2)(a) GDPR and there was no other legal basis under Article 9(2) GDPR. | |||
Consequently, the DSB issued a fine of EUR 600 under Article 83(5)(a) GDPR | Consequently, the DSB issued a fine of EUR 600 under Article 83(5)(a) GDPR | ||
== Comment == | ==Comment== | ||
''Share your comments here!'' | ''Share your comments here!'' | ||
== Further Resources == | ==Further Resources== | ||
''Share blogs or news articles here!'' | ''Share blogs or news articles here!'' | ||
== English Machine Translation of the Decision == | ==English Machine Translation of the Decision== | ||
The decision below is a machine translation of the German original. Please refer to the German original for more details. | The decision below is a machine translation of the German original. Please refer to the German original for more details. | ||
Revision as of 16:45, 30 November 2020
DSB - 2020-0.111.488 | |
---|---|
Authority: | DSB (Austria) |
Jurisdiction: | Austria |
Relevant Law: | Article 4(15) GDPR Article 5(1)(a) GDPR Article 9(1) GDPR Article 9(2) GDPR Article 83(5)(a) GDPR § 47(1) VStG (Verwaltungsstrafgesetz - Admininstraitive Penal Act) |
Type: | Other |
Outcome: | n/a |
Started: | |
Decided: | 19.10.2020 |
Published: | 27.11.2020 |
Fine: | 600 EUR |
Parties: | Dr. P*** K*** (medical doctor) |
National Case Number/Name: | 2020-0.111.488 |
European Case Law Identifier: | ECLI:AT:DSB:2020:2020.0.111.488 |
Appeal: | Not appealed |
Original Language(s): | German |
Original Source: | Rechtsinformationssystem des Bundes (RIS) (in DE) |
Initial Contributor: | Marco Blocher |
A medical doctor was fined EUR 600 by the Austrian Data Protection Authority after publishing information on his/her patients (including health data) on his/her Facebook page.
English Summary
Facts
Between February and June 2020, a medical doctor published information on his/her patients on his/her personal Facebook page. The information included special categories of personal data and consisted of the patients' names and social security numbers, excerpts from patient letters, medical records/protocols, medical diagnoses, medication data, data on hospital admissions and discharges and names of of other doctors treating the patients.
Holding
The Austrian Data Protection Authority (Datenschutzbehörde - DSB) held that the doctor had violated Article 5(1)(a) GDPR and Article 9(1) and (2) GDPR as the patients had not given their ecplicit consent to the online publication of their data under Article 9(2)(a) GDPR and there was no other legal basis for the processing under Article 9(2) GDPR.
Consequently, the DSB issued a fine of EUR 600 under Article 83(5)(a) GDPR
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Decisive authority Data protection authority Decision date October 19, 2020 Business number 2020-0.111.488 Appeal at the BVwG / VwGH / VfGH This penal order is final. text GZ: 2020-0.111.488 from October 19, 2020 (case number: DSB-D550.279) [Note processor: names and companies, legal forms and product names, addresses (incl. URLs, IP and e-mail addresses), file numbers (and the like), etc., as well as their initials and abbreviations can be shortened and / or changed for reasons of pseudonymisation his. Obvious spelling, grammar, and punctuation errors have been corrected.] Penal order Accused: Dr. P *** K ***, [ZIP] [City], [Street, HNr.] As the person responsible within the meaning of Art. 4 No. 7 of Regulation (EU) 2016/679 on the protection of natural persons when processing personal data, on the free movement of data and on the repeal of Directive 95/46 / EC (General Data Protection Regulation, hereinafter : "GDPR"), OJ No. L 119 of 04.05.2016 S1, the following administrative offense (s) committed: In any case, from **. February 2020 until anyway **. June 2020 on your personal Facebook page at (https://www.facebook.com/***) Excerpts from patient letters, findings and other medical records / protocols published. The published data include in detail i.a. Patient names, findings data, medical diagnoses, medication data, admission and discharge data from hospitals, social security numbers of patients and the names of the treating doctors. As a result, you have processed personal data - including health data within the meaning of Art. 4 Z 15 GDPR - contrary to the prohibition of Art. 9 Para. 1 GDPR. This is because a) the express consent of all data subjects is not available, and b) the processing cannot otherwise be based on any of the exceptions finally standardized by Art. 9 Para. 2 GDPR. You have thereby violated the following legal provision (s): Art. 5 para. 1 lit. a, Art. 9 Paragraph 1 and Paragraph 2 in conjunction with Art. 83 Paragraph 5 lit. a of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data, on the free movement of data and on the repeal of Directive 95/46 / EC (General Data Protection Regulation), ABl. No. L 119 of 4.5.2016, p. 1 (GDPR) Because of these administrative offense (s) you will be subject to the following penalty: Fine of euros if this is irrecoverable, a substitute imprisonment of according to € 600.00 36 hours Art. 83 para. 5 lit. a GDPR in conjunction with Sections 16 and 47 of the Administrative Penal Act 1991 - VStG Any other sayings (e.g. about expiry): Furthermore, you have to pay according to § 64 Abs. 3 of the Administrative Penal Act 1991 - VStG: Euros to replace cash outlays for The total amount to be paid (penalty / cash outlay) is therefore 600.00 Euro Payment term: If you do not raise an objection, this sanction is immediately enforceable. In this case, the total amount is to be paid into the account BAWAG P.S.K., Georg-Coch-Platz 2, 1018 Vienna, IBAN: AT460100000005490031, BIC: BAWAATWW, according to the data protection authority, within two weeks after it becomes legally binding. The transaction number and the completion date should be given as the intended use. If no payment is made within this period, the total amount can be dunned. In this case, a flat fee of five euros has to be paid. If, however, no payment is made, the outstanding amount will be enforced and, in the event that it is uncollectible, the corresponding imprisonment penalty will be enforced. Legal remedies: You have the right to object to this penalty order. The objection must be submitted to us in writing or orally within two weeks after delivery of this penalty order. In the appeal, you can present the evidence useful for your defense. If you raise an objection in good time, we will initiate the due process; In this case, the objection is considered a justification within the meaning of Section 40 of the Administrative Penal Act 1991 - VStG. With the objection, the entire penal order becomes invalid. However, this does not apply if you expressly only challenge the extent of the penalty imposed or the decision on the costs in the objection. No higher penalty may be imposed in the penal decision issued on the basis of the objection than in this penal order. In the criminal verdict issued on the basis of the objection, the punished person is required to contribute to the costs of the criminal proceedings in the amount of 10% of the penalty, but at least in the amount of 10 euros. The objection can be transmitted in any technically possible form, but only by email if no special forms of transmission are provided for electronic communication. Technical requirements or organizational restrictions for electronic traffic are published on the following website: Please note that the sender bears the risks associated with each type of transmission (e.g. loss of transmission, loss of the document). European Case Law Identifier ECLI: AT: DSB: 2020: 2020.0.111.488